Date:   Tue, 20 Oct 2020 11:13:24 +0100
From:   Russell King - ARM Linux admin <linux@...linux.org.uk>
To:     Joel Stanley <joel@....id.au>
Cc:     Andrew Jeffery <andrew@...id.au>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        mhiramat@...nel.org, labbott@...hat.com,
        Kees Cook <keescook@...omium.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Luka Oreskovic <luka.oreskovic@...tura.hr>,
        Juraj Vijtiuk <juraj.vijtiuk@...tura.hr>
Subject: Re: [PATCH v2] ARM: kprobes: Avoid fortify_panic() when copying
 optprobe template

On Tue, Oct 20, 2020 at 05:32:26AM +0000, Joel Stanley wrote:
> On Fri, 9 Oct 2020 at 05:20, Joel Stanley <joel@....id.au> wrote:
> >
> > On Thu, 1 Oct 2020 at 04:30, Andrew Jeffery <andrew@...id.au> wrote:
> > >
> > > Setting both CONFIG_KPROBES=y and CONFIG_FORTIFY_SOURCE=y on ARM leads
> > > to a panic in memcpy() when injecting a kprobe despite the fixes found
> > > in commit e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with
> > > FORTIFY_SOURCE") and commit 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes:
> > > optimized kprobes illegal instruction").
> > >
> > > arch/arm/include/asm/kprobes.h effectively declares
> > > the target type of the optprobe_template_entry assembly label as a u32
> > > which leads memcpy()'s __builtin_object_size() call to determine that
> > > the pointed-to object is of size four. However, the symbol is used as a handle
> > > for the optimised probe assembly template that is at least 96 bytes in size.
> > > The symbol's use despite its type blows up the memcpy() in ARM's
> > > arch_prepare_optimized_kprobe() with a false-positive fortify_panic() when it
> > > should instead copy the optimised probe template into place:
> > >
> > > ```
> > > $ sudo perf probe -a aspeed_g6_pinctrl_probe
> > > [  158.457252] detected buffer overflow in memcpy
> > >
> > > Fixes: e46daee53bb5 ("ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE")
> > > Fixes: 0ac569bf6a79 ("ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction")
> > > Cc: Luka Oreskovic <luka.oreskovic@...tura.hr>
> > > Cc: Juraj Vijtiuk <juraj.vijtiuk@...tura.hr>
> > > Suggested-by: Kees Cook <keescook@...omium.org>
> > > Signed-off-by: Andrew Jeffery <andrew@...id.au>
> >
> > Tested-by: Joel Stanley <joel@....id.au>
> > Reviewed-by: Joel Stanley <joel@....id.au>
> >
> > Thanks Andrew.
> >
> > > ---
> > > v1 was sent some time back, in May:
> > >
> > > https://lore.kernel.org/linux-arm-kernel/20200517153959.293224-1-andrew@aj.id.au/
> 
> Russell, are you picking this fix up?

Sorry, but I don't "pick" patches off the mailing list. See my
signature.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 40Mbps down 10Mbps up. Decent connectivity at last!
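
The false positive described in the quoted commit message, as an added example that is not part of this thread or of the patch: the declared type of a symbol alone decides what `__builtin_object_size()` reports, and so whether a fortified copy of a 96-byte template is refused. All names are hypothetical, the template contents are constructed, and the incomplete-array declaration is an assumption used for contrast (the patch's diff is not on this page).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_BYTES 96u /* minimum template size stated in the commit message */

/* Stand-ins for the one assembly label. C cannot give a single symbol two
 * types in one file, so two objects are used (hypothetical names). */
extern uint32_t tmpl_as_scalar;  /* declared as a single u32, as in the report */
extern uint32_t tmpl_as_array[]; /* assumption: incomplete array, no declared size */

static uint8_t insn_slot[128];   /* hypothetical destination buffer */

/* The comparison a fortified memcpy() makes. Returns -1, without copying,
 * where the kernel would call fortify_panic(). */
static int checked_copy(void *dst, size_t dst_sz,
                        const void *src, size_t src_sz, size_t n)
{
    if (dst_sz < n || src_sz < n)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* A macro, so the builtin sees the caller's expression and its declared type. */
#define FORTIFIED_COPY(dst, src, n)                          \
    checked_copy((dst), __builtin_object_size((dst), 0),     \
                 (src), __builtin_object_size((src), 0), (n))

size_t scalar_decl_size(void) { return __builtin_object_size(&tmpl_as_scalar, 0); }
size_t array_decl_size(void)  { return __builtin_object_size(tmpl_as_array, 0); }
int copy_via_scalar_decl(void) { return FORTIFIED_COPY(insn_slot, &tmpl_as_scalar, TEMPLATE_BYTES); }
int copy_via_array_decl(void)  { return FORTIFIED_COPY(insn_slot, tmpl_as_array, TEMPLATE_BYTES); }

/* Constructed definitions so the file links; the array is 24 words = 96 bytes. */
uint32_t tmpl_as_scalar = 0xe1a00000u;
uint32_t tmpl_as_array[TEMPLATE_BYTES / 4] = { 0xe1a00000u };

int main(void)
{
    printf("scalar decl: size=%zu copy=%d\n", scalar_decl_size(), copy_via_scalar_decl());
    printf("array decl:  size=%zu copy=%d\n", array_decl_size(), copy_via_array_decl());
    return 0;
}
```

For the array declaration the builtin reports either "unknown" (`(size_t)-1`) or the defined size, depending on the compiler and optimisation level; both are large enough for the 96-byte copy to pass the check.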
