lists.openwall.net - Open Source and information security mailing list archives
Date: Mon, 27 Jul 2020 14:09:09 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Al Viro' <viro@...iv.linux.org.uk>
CC: 'David Miller' <davem@...emloft.net>, "hch@....de" <hch@....de>, "kuba@...nel.org" <kuba@...nel.org>, "ast@...nel.org" <ast@...nel.org>, "daniel@...earbox.net" <daniel@...earbox.net>, "kuznet@....inr.ac.ru" <kuznet@....inr.ac.ru>, "yoshfuji@...ux-ipv6.org" <yoshfuji@...ux-ipv6.org>, "edumazet@...gle.com" <edumazet@...gle.com>, "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "bpf@...r.kernel.org" <bpf@...r.kernel.org>, "netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>, "coreteam@...filter.org" <coreteam@...filter.org>, "linux-sctp@...r.kernel.org" <linux-sctp@...r.kernel.org>, "linux-hams@...r.kernel.org" <linux-hams@...r.kernel.org>, "linux-bluetooth@...r.kernel.org" <linux-bluetooth@...r.kernel.org>, "bridge@...ts.linux-foundation.org" <bridge@...ts.linux-foundation.org>, "linux-can@...r.kernel.org" <linux-can@...r.kernel.org>, "dccp@...r.kernel.org" <dccp@...r.kernel.org>, "linux-decnet-user@...ts.sourceforge.net" <linux-decnet-user@...ts.sourceforge.net>, "linux-wpan@...r.kernel.org" <linux-wpan@...r.kernel.org>, "linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, "mptcp@...ts.01.org" <mptcp@...ts.01.org>, "lvs-devel@...r.kernel.org" <lvs-devel@...r.kernel.org>, "rds-devel@....oracle.com" <rds-devel@....oracle.com>, "linux-afs@...ts.infradead.org" <linux-afs@...ts.infradead.org>, "tipc-discussion@...ts.sourceforge.net" <tipc-discussion@...ts.sourceforge.net>, "linux-x25@...r.kernel.org" <linux-x25@...r.kernel.org>
Subject: RE: get rid of the address_space override in setsockopt v2

From: Al Viro
> Sent: 27 July 2020 14:48
>
> On Mon, Jul 27, 2020 at 09:51:45AM +0000, David Laight wrote:
>
> > I'm sure there is code that processes options in chunks.
> > This probably means it is possible to put a chunk boundary
> > at the end of userspace and continue processing the very start
> > of kernel memory.
> >
> > At best this faults on the kernel copy code and crashes the system.
>
> Really? Care to provide some details, or is it another of your "I can't
> be possibly arsed to check what I'm saying, but it stands for reason
> that..." specials?

I did more 'homework' than sometimes :-)
Slightly difficult without a searchable net-next tree.

However, as has been pointed out in a different thread, this code is used
to update IPv6 flow labels:

> > - if (copy_from_user(fl->opt+1, optval+CMSG_ALIGN(sizeof(*freq)), olen))
> > + sockptr_advance(optval, CMSG_ALIGN(sizeof(*freq)));
> > + if (copy_from_sockptr(fl->opt + 1, optval, olen))
> > goto done;

and doesn't work because the advances are no longer cumulative.

Now access_ok() has to take the base address and length to stop
'running into' kernel space, but the code above can advance from
a valid user pointer (which won't fault) to a kernel address.

If there were always an unmapped 'guard' page in the user address
space the access_ok() check prior to copy_to/from_user() wouldn't
need the length.
So I surmise that no such guard page exists and so the above can
advance from user addresses into kernel ones.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
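Review bot: the `+` lines replace the explicit offset `optval+CMSG_ALIGN(sizeof(*freq))` of the removed line with a `sockptr_advance(optval, ...)` call made only for its side effect, and the reply states that the advance does not accumulate, so `copy_from_sockptr(fl->opt + 1, optval, olen)` can end up reading from the un-advanced `optval`; pass the offset to the copy explicitly (or use the value the helper returns) rather than relying on `optval` being mutated, and keep the advanced base bounds-checked against the original length so that, as the reply warns, a user pointer advanced past the end of user space is never treated as a kernel address.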
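An added user-space model (not code from this thread or from the patch series) of the failure mode described above: a copy helper that picks the kernel path from the address value alone, a chunked parser that validates only its first chunk before advancing, and the base-plus-length check that keeps every later chunk inside user space. TASK_SIZE, the flat `mem` array and all function names are constructed for the model and stand in for the real kernel helpers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TASK_SIZE 0x1000UL               /* constructed: user addresses are [0, TASK_SIZE) */
static unsigned char mem[2 * TASK_SIZE]; /* constructed flat address space; "kernel" half above */
static unsigned char scratch[256];       /* destination for the copies below */
enum { COPY_FAULT = -1, COPY_USER = 0, COPY_KERNEL = 1 };

/* Model of access_ok(): the whole [addr, addr+len) range must lie below TASK_SIZE. */
bool access_ok_range(uintptr_t addr, size_t len)
{
    uintptr_t end;
    return !__builtin_add_overflow(addr, len, &end) && end <= TASK_SIZE;
}

/* Model copy helper that picks the kernel path from the address value alone (an assumption). */
int copy_from_ptr(uintptr_t src, size_t len)
{
    if (len > sizeof scratch || src > sizeof mem - len)
        return COPY_FAULT;                             /* keep the model itself in bounds */
    if (src < TASK_SIZE && !access_ok_range(src, len))
        return COPY_FAULT;                             /* user pointer: range-checked */
    memcpy(scratch, &mem[src], len);
    return src >= TASK_SIZE ? COPY_KERNEL : COPY_USER; /* kernel path had no check at all */
}

/* Pattern the reply warns about: check the first chunk, then keep advancing.
 * Returns how many bytes came through the kernel path (must be 0 for user data). */
size_t parse_advancing(uintptr_t optval, size_t chunk, size_t nchunks)
{
    size_t kernel_bytes = 0;
    if (!access_ok_range(optval, chunk))               /* only the first chunk is validated */
        return 0;
    for (size_t i = 0; i < nchunks; i++, optval += chunk)
        if (copy_from_ptr(optval, chunk) == COPY_KERNEL)
            kernel_bytes += chunk;
    return kernel_bytes;
}

/* Fix: validate base address and total length up front, so no chunk can start past user space. */
bool parse_checked(uintptr_t optval, size_t chunk, size_t nchunks)
{
    size_t total;
    if (__builtin_mul_overflow(chunk, nchunks, &total) || !access_ok_range(optval, total))
        return false;
    for (size_t i = 0; i < nchunks; i++, optval += chunk)
        copy_from_ptr(optval, chunk);
    return true;
}
```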