| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 May 2019 16:50:11 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Alan Stern <stern@...land.harvard.edu>
Cc: linux-usb@...r.kernel.org,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Oliver Neukum <oneukum@...e.com>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] signal/usb: Replace kill_pid_info_as_cred with kill_pid_usb_asyncio
Alan Stern <stern@...land.harvard.edu> writes:
> On Tue, 21 May 2019, Eric W. Biederman wrote:
>
>> The usb support for asyncio encoded one of it's values in the wrong
>> field. It should have used si_value but instead used si_addr which is
>> not present in the _rt union member of struct siginfo.
>>
>> The practical result of this is that on a 64bit big endian kernel
>> when delivering a signal to a 32bit process the si_addr field
>> is set to NULL, instead of the expected pointer value.
>>
>> This issue can not be fixed in copy_siginfo_to_user32 as the usb
>> usage of the the _sigfault (aka si_addr) member of the siginfo
>> union when SI_ASYNCIO is set is incompatible with the POSIX and
>> glibc usage of the _rt member of the siginfo union.
>>
>> Therefore replace kill_pid_info_as_cred with kill_pid_usb_asyncio a
>> dedicated function for this one specific case. There are no other
>> users of kill_pid_info_as_cred so this specialization should have no
>> impact on the amount of code in the kernel. Have kill_pid_usb_asyncio
>> take instead of a siginfo_t which is difficult and error prone, 3
>> arguments, a signal number, an errno value, and an address enconded as
>> a sigval_t. The encoding of the address as a sigval_t allows the
>> code that reads the userspace request for a signal to handle this
>> compat issue along with all of the other compat issues.
>>
>> Add BUILD_BUG_ONs in kernel/signal.c to ensure that we can now place
>> the pointer value at the in si_pid (instead of si_addr). That is the
>> code now verifies that si_pid and si_addr always occur at the same
>> location. Further the code veries that for native structures a value
>> placed in si_pid and spilling into si_uid will appear in userspace in
>> si_addr (on a byte by byte copy of siginfo or a field by field copy of
>> siginfo). The code also verifies that for a 64bit kernel and a 32bit
>> userspace the 32bit pointer will fit in si_pid.
>
> Okay, I have gone through this. Although I still don't really
> understand the detailed issues concerning the layout of the data fields
> (probably hopeless without seeing a diagram), the USB portions of the
> patch look good and do what the patch description says.
>
> Acked-by: Alan Stern <stern@...land.harvard.edu>
>
> Alan Stern
Thanks.
Perhaps this will work as a diagram. I don't know if there is a better
way to say it in my patch description. In struct siginfo there are 3
fields in fixed positions:
int si_signo;
int si_errno;
int si_code;
After that there is a union. The si_signo and si_code fields are
examined to see which union member is valid (see siginfo_layout).
In every other case a si_code of SI_ASYNCIO corresponds to
the the _rt union member which has the fields:
int si_pid;
int si_uid;
sigval_t si_sigval;
However when usb started using SI_ASYNCIO the _sigfault union member
that (except for special exceptions) only has the field:
void __user *si_addr;
Or in short the relevant piece of the union looks like:
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| si_pid | si_uid |
+---+---+---+---+---+---+---+---+
| si_addr | (64bit)
+---+---+---+---+---+---+---+---+
| si_addr | (32bit)
+---+---+---+---+
Which means if siginfo is copied field by field on 32bit everything
works because si_pid and si_addr are in the same location.
Similarly if siginfo is copied field by field on 64bit everything
works because there is no padding between si_pid and si_uid. So
copying both of those fields results in the entire si_addr being
copied.
It is the compat case that gets tricky. Half of the bits are
zero. If those zero bits show up in bytes 4-7 and the data
shows up in bytes 0-3 (aka little endian) everything works.
If those zero bits show in in bytes 0-3 (aka big endian) userspace sees
a NULL pointer instead of the value it passed.
Fixing this while maintaining some modicum of sanity is the tricky bit.
The interface is made to kill_pid_usb_asyncio is made a sigval_t so the
standard signal compat tricks can be used. sigval_t is a union of:
int sival_int;
void __user *sival_ptr;
0 1 2 3 4 5 6 7
+---+---+---+---+---+---+---+---+
| sival_ptr | (64bit)
+---+---+---+---+---+---+---+---+
| sival_ptr | (32bit)
+---+---+---+---+
| sival_int |
+---+---+---+---+
The signal code solves the compat issues for sigval_t by storing the
32bit pointers in sival_int. So they meaningful bits are guaranteed to
be in the low 32bits, just like the 32bit sival_ptr.
After a bunch of build BUG_ONs to verify my reasonable assumptions
of but the siginfo layout are actually true, the code that generates
the siginfo just copies a sigval_t to si_pid. And assumes the code
in the usb stack placed the pointer in the proper part of the sigval_t
when it read the information from userspace.
I don't know if that helps make it easy to understand but I figured I
would give it a shot.
Eric
Powered by blists - more mailing lists