Date:   Mon, 15 Mar 2021 01:24:34 +0300
From:   Cyrill Gorcunov <gorcunov@...il.com>
To:     Linus Torvalds <torvalds@...uxfoundation.org>
Cc:     Alexey Dobriyan <adobriyan@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Security Officers <security@...nel.org>
Subject: Re: [PATCH] prctl: fix PR_SET_MM_AUXV kernel stack leak

On Sun, Mar 14, 2021 at 02:40:05PM -0700, Linus Torvalds wrote:
> Applied directly, since I'm just about to tag rc3 and was just looking
> that there were no last-minute pull requests.
> 
> Andrew, no need to pick it up into your queue.
> 
> Side note: I think we should return -EINVAL more aggressively: right
> now we fill up potentially all of user_auxv[] and return success, but
> we will have always cleared that last auxv pointer pair.
> 
> So we actually return "success" even when the user supplies us with
> more data than we then really accept.

Yes, this is somehow weird and probably we should start complaining
if the last two elements in the user array are not AT_NULL, but I fear
this might break backward compatibility? Dunno if someone relies
on the kernel to set up the last two entries unconditionally.

> 
> IOW, tightening that up might be worth it (maybe actually check that
> they are valid user pointers at the same time).
> 
> That's a separate issue, and I can't find it in myself to care (and
> nobody has ever complained), but I thought I'd mention it.
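
A user-space model of the two behaviours discussed in this message, added here as an example; it is not the kernel's code and not part of the original thread. `MODEL_WORDS`, the function names and the sample vector are assumptions, and `memcpy` stands in for `copy_from_user()`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_WORDS 8      /* assumed size; the kernel array is AT_VECTOR_SIZE words */
#define MODEL_AT_NULL 0UL  /* AT_NULL is 0 in <elf.h> */
#define MODEL_BYTES (MODEL_WORDS * sizeof(unsigned long))

/* Shared front half: bound the length, zero the buffer so a short copy
 * leaves no stale words, then copy (memcpy stands in for copy_from_user). */
static int model_copy_in(unsigned long *dst, const unsigned long *src, size_t len)
{
    if (len > MODEL_BYTES)
        return -EINVAL;
    memset(dst, 0, MODEL_BYTES);
    memcpy(dst, src, len);
    return 0;
}

/* Behaviour described in the thread: the last pair is overwritten with
 * AT_NULL and the call succeeds, even if the caller put data there. */
int auxv_set_lenient(unsigned long *dst, const unsigned long *src, size_t len)
{
    if (model_copy_in(dst, src, len))
        return -EINVAL;
    dst[MODEL_WORDS - 2] = MODEL_AT_NULL;
    dst[MODEL_WORDS - 1] = 0;
    return 0;
}

/* Tightened variant under discussion: reject input whose last pair is
 * not already AT_NULL instead of silently discarding it. */
int auxv_set_strict(unsigned long *dst, const unsigned long *src, size_t len)
{
    if (model_copy_in(dst, src, len))
        return -EINVAL;
    if (dst[MODEL_WORDS - 2] != MODEL_AT_NULL || dst[MODEL_WORDS - 1] != 0) {
        memset(dst, 0, MODEL_BYTES);
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    unsigned long full[MODEL_WORDS] = {6, 4096, 25, 0x1000, 23, 0, 11, 1000}, out[MODEL_WORDS]; /* constructed */
    printf("lenient=%d strict=%d\n", auxv_set_lenient(out, full, sizeof(full)), auxv_set_strict(out, full, sizeof(full)));
    return 0;
}
```

The strict variant is where the backward-compatibility concern applies: a caller that fills the whole array and relies on the forced terminator would start getting -EINVAL.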
