| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Oct 2018 15:17:37 -0400 (EDT)
From: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To: Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>
Cc: Peter Zijlstra <peterz@...radead.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Boqun Feng <boqun.feng@...il.com>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-api <linux-api@...r.kernel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andy Lutomirski <luto@...capital.net>,
Dave Watson <davejwatson@...com>, Paul Turner <pjt@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Russell King <linux@....linux.org.uk>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Andi Kleen <andi@...stfloor.org>,
Chris Lameter <cl@...ux.com>, Ben Maurer <bmaurer@...com>,
rostedt <rostedt@...dmis.org>,
Josh Triplett <josh@...htriplett.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Michael Kerrisk <mtk.manpages@...il.com>,
Joel Fernandes <joelaf@...gle.com>
Subject: Re: [RFC PATCH for 4.21 06/16] cpu_opv: Provide cpu_opv system call
(v8)
----- On Oct 16, 2018, at 4:10 AM, Sergey Senozhatsky sergey.senozhatsky.work@...il.com wrote:
> Hi Mathieu,
>
> On (10/10/18 15:19), Mathieu Desnoyers wrote:
> [..]
>> +SYSCALL_DEFINE4(cpu_opv, struct cpu_op __user *, ucpuopv, int, cpuopcnt,
>> + int, cpu, int, flags)
>> +{
> [..]
>> +again:
>> + ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
>> + if (ret)
>> + goto end;
>> + ret = do_cpu_opv(cpuopv, cpuopcnt, &vaddr_ptrs, cpu);
>> + if (ret == -EAGAIN)
>> + retry = true;
>> +end:
>> + for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
>> + struct vaddr *vaddr = &vaddr_ptrs.addr[i];
>> + int j;
>> +
>> + vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
>
> A dumb question.
>
> Both vm_unmap_user_ram() and vm_map_user_ram() can BUG_ON().
> So this is
> userspace -> syscall -> cpu_opv() -> vm_unmap_user_ram() -> BUG_ON()
>
> Any chance someone can exploit it?
Hi Sergey,
Let's look at vm_unmap_user_ram() and vm_map_user_ram() separately.
If we look at the input from vm_unmap_user_ram, it's called with the
following parameters by the cpu_opv system call:
for (i = 0; i < vaddr_ptrs.nr_vaddr; i++) {
struct vaddr *vaddr = &vaddr_ptrs.addr[i];
int j;
vm_unmap_user_ram((void *)vaddr->mem, vaddr->nr_pages);
[...]
}
The vaddr_ptrs array content is filled by the call to cpu_opv_pin_pages above:
ret = cpu_opv_pin_pages(cpuopv, cpuopcnt, &vaddr_ptrs);
if (ret)
goto end;
by passing the array to cpu_op_pin_pages(), which appends a virtual address at
the end of the array (on success) and increments nr_vaddr. Those virtual
addresses are returned by vm_map_user_ram(), so they are not user-controlled.
Therefore, only an internal kernel bug between vm_map_user_ram() and
vm_unmap_user_ram() should trigger the BUG_ON(). No user input is passed
to vm_unmap_user_ram().
Now, let's look at vm_map_user_ram(). It calls alloc_vmap_area(), which returns
a vmap_area. Then if vmap_page_range failed, vm_unmap_user_ram is called on the
memory that has just been returned by vm_map_user_ram. Again, only an internal
bug between map/unmap can trigger the BUG_ON() in vm_unmap_user_ram.
Is there another scenario I missed ?
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
Powered by blists - more mailing lists