| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Feb 2019 18:14:21 -0800
From: Andy Lutomirski <luto@...capital.net>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
stable <stable@...r.kernel.org>,
Changbin Du <changbin.du@...il.com>,
Jann Horn <jannh@...gle.com>,
Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...nel.org>
Subject: Re: [PATCH 1/2 v2] kprobe: Do not use uaccess functions to access kernel memory that can fault
> On Feb 15, 2019, at 6:08 PM, Steven Rostedt <rostedt@...dmis.org> wrote:
>
> On Fri, 15 Feb 2019 17:32:55 -0800
> Andy Lutomirski <luto@...capital.net> wrote:
>
>>> I added you just because I wanted help getting the change log correct,
>>> as that's what Linus was complaining about. I kept using "kernel
>>> address" when the sample bug used for the patch was really a
>>> non-canonical address (as Linus said, it's just garbage. Neither kernel
>>> or user space). But I pointed out that this can also bug if the
>>> address is canonical and in the kernel address space. The old code
>>> didn't complain about non-canonical or kernel address faulting before
>>> commit 9da3f2b7405, which only talks about kernel address space
>>> faulting (which is why I only mentioned that in my messages).
>>>
>>> Would changing all the mention of "kernel address" to "non user space"
>>> be accurate?
>>>
>>
>> I think “kernel address” is right. It’s illegal to access anything that isn’t known to be a valid kernel address while in KERNEL_DS.
>
> But an non-canonical address is not a "kernel address", and that will
> cause a bug too.
Indeed. A non-canonical address is not known to be a valid kernel address. I stand by my slightly pedantic statement :)
> This patch came about because it was changed that if
> we do a uaccess on something other than a user space address and take a
> fault (either because it was a non-canonical address, or a kernel
> address), we BUG! Where before that one patch, it would just return a
> fault.
>
>>
>> The old __copy seems likely to have always been a bit bogus.
>>
>> BTW, what is this probe_mem_read() thing? Some minimal inspection suggests it’s a buggy reimplementation of probe_kernel_read(). Can you delete it and just use probe_kernel_read() directly?
>
> Well, the issue is that we have trace_probe_tmpl.h in that same
> directory, which does the work for kprobes and uprobes. The
> trace_kprobes.c defines all the functions for handling kprobes, and
> trace_uprobes.c does all the handling of uprobes, then they include
> trace_probe_tmpl.h which does the bulk of the work.
>
> In the uprobes case, we have:
>
> static nokprobe_inline int
> probe_mem_read(void *dest, void *src, size_t size)
> {
> void __user *vaddr = (void __force __user *)src;
>
> return copy_from_user(dest, vaddr, size) ? -EFAULT : 0;
> }
>
> Because that is adding probes on userspace code.
>
>
Can the kprobe case call probe_kernel_read? Maybe it does already?
Powered by blists - more mailing lists