lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1618282651-14507-1-git-send-email-yangtiezhu@loongson.cn>
Date:   Tue, 13 Apr 2021 10:57:31 +0800
From:   Tiezhu Yang <yangtiezhu@...ngson.cn>
To:     Jessica Yu <jeyu@...nel.org>,
        Thomas Bogendoerfer <tsbogend@...ha.franken.de>
Cc:     linux-mips@...r.kernel.org, linux-kernel@...r.kernel.org,
        Xuefeng Li <lixuefeng@...ngson.cn>
Subject: [PATCH RFC] module: Use ARG_MAX as second argument of strndup_user() in load_module()

When update kernel with the latest mips-next, we can not login through a
graphical interface, this is because drm radeon GPU driver does not work,
we can not see the boot message "[drm] radeon kernel modesetting enabled."
through the serial console.

drivers/gpu/drm/radeon/radeon_drv.c
static int __init radeon_module_init(void)
{
	[...]
	DRM_INFO("radeon kernel modesetting enabled.\n");
	[...]
}

I use git bisect to find out the commit 04324f44cb69 ("MIPS: Remove
get_fs/set_fs") is the first bad commit.

I analysis and test the changes in the above first bad commit and then
find out the following obvious difference which leads to the login issue.

arch/mips/include/asm/uaccess.h
static inline long strnlen_user(const char __user *s, long n)
{
	[...]
	if (!access_ok(s, n))
		return -0;
	[...]
}

I use dump_stack() to find out the following call trace:
load_module()
	strndup_user()
		strnlen_user()

load_module() failed in the following error path, we can see that the
second argument of strndup_user() is very big.

static int load_module(struct load_info *info, const char __user *uargs,
		       int flags)
{
	[...]
	mod->args = strndup_user(uargs, ~0UL >> 1);
	if (IS_ERR(mod->args)) {
		err = PTR_ERR(mod->args);
		goto free_arch_cleanup;
	}
	[...]
}

As discussed earlier [1], it seems that just modify the exception check
condition in strnlen_user() to fix load_module() failure, like this:

diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
index 9e9e3aa..f4fb8ca 100644
--- a/arch/mips/include/asm/uaccess.h
+++ b/arch/mips/include/asm/uaccess.h
@@ -612,8 +612,8 @@ static inline long strnlen_user(const char __user *s, long n)
 {
 	long res;

-	if (!access_ok(s, n))
-		return -0;
+	if (!access_ok(s, 1))
+		return 0;

 	might_fault();
 	__asm__ __volatile__(

At the other hand, I search strndup_user() in the kernel tree, the second
argument of them are almost a macro or a fixed value which is relatively
small, such as PAGE_SIZE, PATH_MAX. So I think maybe we can use ARG_MAX as
second argument of strndup_user() in load_module().

With this patch, the load_module() failure disappered and we can login
normally through a graphical interface.

[1] https://lore.kernel.org/patchwork/patch/1411214/

Signed-off-by: Tiezhu Yang <yangtiezhu@...ngson.cn>
---
 kernel/module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/module.c b/kernel/module.c
index 3047935..30d320b 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3998,7 +3998,7 @@ static int load_module(struct load_info *info, const char __user *uargs,
 	flush_module_icache(mod);
 
 	/* Now copy in args */
-	mod->args = strndup_user(uargs, ~0UL >> 1);
+	mod->args = strndup_user(uargs, ARG_MAX);
 	if (IS_ERR(mod->args)) {
 		err = PTR_ERR(mod->args);
 		goto free_arch_cleanup;
-- 
2.1.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ