Message-ID: <ec2110b1-abae-4df5-fcd7-244620634a00@intel.com>
Date:   Thu, 14 Mar 2019 09:51:42 -0700
From:   Dave Hansen <dave.hansen@...el.com>
To:     Michal Hocko <mhocko@...nel.org>
Cc:     Richard Biener <rguenther@...e.de>, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, Andrew Morton <akpm@...ux-foundation.org>,
        the arch/x86 maintainers <x86@...nel.org>
Subject: Re: Kernel bug with MPX?

For those just joining the thread now, here's the background:

> https://lkml.kernel.org/r/alpine.LSU.2.20.1903060944550.7898@zhemvz.fhfr.qr

Turning on a bunch of kernel debugging found the culprit:

>         /*
>          * mpx unmap needs to be called with mmap_sem held for write.
>          * It is safe to call it before unmap_region().
>          */
>         arch_unmap(mm, vma, start, end);
> 
>         if (downgrade)
>                 downgrade_write(&mm->mmap_sem);
> 
>         unmap_region(mm, vma, prev, start, end);

arch_unmap() can, in some cases, free 'prev'.  unmap_region() uses
'prev' to calculate the page table ranges that it frees.  It's probably
working on incorrect or garbage ranges at times.

I have some patches to really fix this by pre-calculating the
page-table-free ranges before arch_unmap().  They're not *too* bad, but
they do involve mucking with mm/mmap.c a bit to pass some new parameters
around.

The other option would be to just use this opportunity to start removing
MPX and apply the attached patch so this is no longer able to be triggered.

I'm inclined to opt for the patch to addle MPX rather than trying to fix
it for real.

View attachment "mpx-remove-apis.patch" of type "text/x-patch" (2168 bytes)
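The ordering hazard described in the message (a hook that may release 'prev', followed by code that derives page-table ranges from it) and the shape of the pre-calculation fix, as a constructed userspace model added here; it is not kernel code, and every name with a _model suffix is hypothetical.

```c
/* Constructed model of the arch_unmap()/unmap_region() ordering bug.
 * The _model names are hypothetical and do not mirror the kernel's
 * real functions or structures. */
#include <stdio.h>

#define POISON 0xdeadbeefUL     /* stands in for memory that has been freed */

struct vma_model {
    unsigned long vm_start, vm_end;
    struct vma_model *prev, *next;
};

/* Hypothetical arch hook: like arch_unmap() in the report, it may unlink
 * and release the neighbour 'prev' as a side effect. Instead of free()
 * the node is poisoned so a stale read stays visible and safe here. */
static void arch_unmap_model(struct vma_model *prev, int frees_prev)
{
    if (frees_prev && prev) {
        if (prev->prev) prev->prev->next = prev->next;
        if (prev->next) prev->next->prev = prev->prev;
        prev->vm_end = POISON;
    }
}

/* Buggy order: hook first, then the range start is read from 'prev'. */
unsigned long pt_free_start_buggy(struct vma_model *prev, int frees_prev)
{
    arch_unmap_model(prev, frees_prev);
    return prev ? prev->vm_end : 0;      /* may read the released vma */
}

/* Fixed order: capture the range before the hook can touch 'prev'. */
unsigned long pt_free_start_fixed(struct vma_model *prev, int frees_prev)
{
    unsigned long start = prev ? prev->vm_end : 0;
    arch_unmap_model(prev, frees_prev);
    return start;
}

/* Runs one scenario on a fresh two-vma list: 'a' is prev, 'b' is unmapped. */
unsigned long run_scenario_model(int fixed_order, int frees_prev)
{
    struct vma_model a = {0x1000, 0x2000, NULL, NULL};
    struct vma_model b = {0x2000, 0x3000, &a, NULL};
    a.next = &b;
    return fixed_order ? pt_free_start_fixed(&a, frees_prev)
                       : pt_free_start_buggy(&a, frees_prev);
}

int main(void)
{
    printf("buggy: %lx\n", run_scenario_model(0, 1));   /* poisoned value */
    printf("fixed: %lx\n", run_scenario_model(1, 1));   /* 0x2000 */
    return 0;
}
```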
