lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210223164259.GA166727@agluck-desk2.amr.corp.intel.com>
Date:   Tue, 23 Feb 2021 08:42:59 -0800
From:   "Luck, Tony" <tony.luck@...el.com>
To:     Andy Lutomirski <luto@...capital.net>
Cc:     Aili Yao <yaoaili@...gsoft.com>,
        HORIGUCHI NAOYA(堀口 直也) 
        <naoya.horiguchi@....com>, dave.hansen@...ux.intel.com,
        luto@...nel.org, peterz@...radead.org, tglx@...utronix.de,
        mingo@...hat.com, bp@...en8.de, hpa@...or.com, x86@...nel.org,
        yangfeng1@...gsoft.com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] x86/fault: Send a SIGBUS to user process always for
 hwpoison page access.

On Tue, Feb 23, 2021 at 07:33:46AM -0800, Andy Lutomirski wrote:
> 
> > On Feb 23, 2021, at 4:44 AM, Aili Yao <yaoaili@...gsoft.com> wrote:
> > 
> > On Fri, 5 Feb 2021 17:01:35 +0800
> > Aili Yao <yaoaili@...gsoft.com> wrote:
> > 
> >> When one page is already hwpoisoned by MCE AO action, processes may not
> >> be killed, processes mapping this page may make a syscall include this
> >> page and result to trigger a VM_FAULT_HWPOISON fault, as it's in kernel
> >> mode it may be fixed by fixup_exception, current code will just return
> >> error code to user code.
> >> 
> >> This is not sufficient, we should send a SIGBUS to the process and log
> >> the info to console, as we can't trust the process will handle the error
> >> correctly.
> >> 
> >> Suggested-by: Feng Yang <yangfeng1@...gsoft.com>
> >> Signed-off-by: Aili Yao <yaoaili@...gsoft.com>
> >> ---
> >> arch/x86/mm/fault.c | 62 +++++++++++++++++++++++++++++----------------
> >> 1 file changed, 40 insertions(+), 22 deletions(-)
> >> 
> > Hi luto;
> >  Is there any feedback?
> 
> At the very least, this needs a clear explanation of why your proposed behavior is better than the existing behavior.

The explanation is buried in that "can't trust the process" line.

E.g. user space isn't good about checking for failed write(2) syscalls.
So if the poison was in a user buffer passed to write(fd, buffer, count)
sending a SIGBUS would be the action if they read the poison directly,
so it seems reasonable to send the same signal if the kernel read their
poison for them.

It would avoid users that didn't check the return value merrily proceeding
as if everything was ok.

-Tony

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ