[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5j+Gfvj9G6s_UQTw6hE11gJb1edt3BXzpbDQdc_dpcHgag@mail.gmail.com>
Date: Wed, 10 Apr 2019 14:57:46 -0700
From: Kees Cook <keescook@...omium.org>
To: Eric Biggers <ebiggers@...nel.org>
Cc: Geert Uytterhoeven <geert@...ux-m68k.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
linux-security-module <linux-security-module@...r.kernel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Laura Abbott <labbott@...hat.com>,
Rik van Riel <riel@...riel.com>
Subject: Re: crypto: Kernel memory overwrite attempt detected to spans
multiple pages
On Wed, Apr 10, 2019 at 12:07 PM Eric Biggers <ebiggers@...nel.org> wrote:
> That didn't answer my question. My question is what is the purpose of this? If
> there was actual buffer overflow when __GFP_COMP isn't specified that would make
> perfect sense, but AFAICS there isn't. So why does hardened usercopy consider
> it broken when __GFP_COMP isn't specified?
The goal of CONFIG_HARDENED_USERCOPY_PAGESPAN was to detect copies
across page boundaries in memory allocated by the page allocator.
There appear to be enough cases of allocations that span pages but do
not mark them with __GFP_COMP, so this logic hasn't proven useful in
the real world (which is why no one should use the ..._PAGESPAN config
in production). I'd like to get the kernel to the point where hardened
usercopy can correctly do these checks (right now it's mainly only
useful at checking for overflows in slub and slab), but it'll take
time/focus for a while. No one has had time yet to track all of these
down and fix them. (I defer to Laura and Rik on the design of the
pagespan checks; they did the bulk of the work there.)
Does that help explain it, or am I still missing your question?
--
Kees Cook
Powered by blists - more mailing lists