| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG_fn=U=ti=YB553DCC-_gmbiHR6=xBG4HQbyc54R3sdGCY=LA@mail.gmail.com>
Date: Fri, 13 Mar 2020 15:10:45 +0100
From: Alexander Potapenko <glider@...gle.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: syzbot <syzbot+af962bf9e7e27bccd025@...kaller.appspotmail.com>,
len.brown@...el.com, LKML <linux-kernel@...r.kernel.org>,
Linux PM <linux-pm@...r.kernel.org>,
Pavel Machek <pavel@....cz>,
"Rafael J. Wysocki" <rjw@...ysocki.net>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KMSAN: uninit-value in snapshot_compat_ioctl
On Mon, Mar 9, 2020 at 7:11 PM Eric Biggers <ebiggers@...nel.org> wrote:
>
> On Mon, Mar 09, 2020 at 12:53:28PM +0100, 'Alexander Potapenko' via syzkaller-bugs wrote:
> > > > Looks like a KMSAN false positive? As far as I can tell, the memory is being
> > > > initialized by put_user() called under set_fs(KERNEL_DS).
> >
> > Why? put_user() doesn't write to kernel memory, instead it copies a
> > value to the userspace.
> > That's why KMSAN performs kmsan_check_memory() on it.
> > It would actually be better if KMSAN printed an kernel-infoleak warning instead.
>
> When under set_fs(KERNEL_DS), the userspace access functions like put_user() and
> copy_to_user() can write to kernel memory. It's discouraged and people have
> been trying to get rid of uses of set_fs(), but a lot still remain, since
> sometimes it's useful to allow code to operate on both user and kernel memory.
> A common example is kernel_read().
Ah, you're right. We can simply check that the target address is in
the userspace before actually reporting the error.
Powered by blists - more mailing lists