lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f5e09155580d417e9dcd07b1c20786ed@AcuMS.aculab.com>
Date:   Wed, 4 Dec 2019 11:14:08 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Paul Burton' <paulburton@...nel.org>,
        "linux-mips@...r.kernel.org" <linux-mips@...r.kernel.org>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] MIPS: Use __copy_{to,from}_user() for emulated FP
 loads/stores

From: Paul Burton
> Sent: 03 December 2019 20:50
> Our FPU emulator currently uses __get_user() & __put_user() to perform
> emulated loads & stores. This is problematic because __get_user() &
> __put_user() are only suitable for naturally aligned memory accesses,
> and the address we're accessing is entirely under the control of
> userland.
> 
> This allows userland to cause a kernel panic by simply performing an
> unaligned floating point load or store - the kernel will handle the
> address error exception by attempting to emulate the instruction, and in
> the process it may generate another address error exception itself.
> This time the exception is taken with EPC pointing at the kernels FPU
> emulation code, and we hit a die_if_kernel() in
> emulate_load_store_insn().

Won't this be true of almost all code that uses get_user() and put_user()
(with or without the leading __).

> Fix this up by using __copy_from_user() instead of __get_user() and
> __copy_to_user() instead of __put_user(). These replacements will handle
> arbitrary alignment without problems.

They'll also kill performance.....

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ