lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <202106101656.C79AEC493@keescook>
Date:   Thu, 10 Jun 2021 16:56:39 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Vineet Gupta <Vineet.Gupta1@...opsys.com>
Cc:     "linux-snps-arc@...ts.infradead.org" 
        <linux-snps-arc@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Evgeniy Didin <Evgeniy.Didin@...opsys.com>
Subject: Re: [PATCH] ARC: fix CONFIG_HARDENED_USERCOPY

On Thu, Jun 10, 2021 at 06:56:48PM +0000, Vineet Gupta wrote:
> On 6/10/21 10:02 AM, Kees Cook wrote:
> > On Wed, Jun 09, 2021 at 03:12:11PM -0700, Vineet Gupta wrote:
> >> Currently enabling this triggers a warning
> >>
> >> | usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
> >> | usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
> >> |
> >> |gcc generated __builtin_trap
> >> |Path: /bin/busybox
> >> |CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
> >> |
> >> |[ECR ]: 0x00090005 => gcc generated __builtin_trap
> >> |[EFA ]: 0x9024fcaa
> >> |[BLINK ]: usercopy_abort+0x8a/0x8c
> >> |[ERET ]: memfd_fcntl+0x0/0x470
> >> |[STAT32]: 0x80080802 : IE K
> >> |BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
> >> |LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
> >> |r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
> >> |r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
> >> |r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
> >> |r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
> >> |r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
> >> |r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
> >> |r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
> >> |r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
> >> |r24: 0xbe196c00 r25: 0xbf0ed280
> >> |
> >> |Stack Trace:
> >> | memfd_fcntl+0x0/0x470
> >> | usercopy_abort+0x8a/0x8c
> >> | __check_object_size+0x10e/0x138
> >> | copy_strings+0x1f4/0x38c
> >> | __do_execve_file+0x352/0x848
> >> | EV_Trap+0xcc/0xd0
> > What was the root cause here? Was it that the init section gets freed
> > and reused for kmalloc?
> 
> Right. ARC _stext was encompassing the init section (to cover the init 
> code) so when init gets freed and used by kmalloc, 
> check_kernel_text_object() trips as it thinks the allocated pointer is 
> in kernel .text. Actually I should have added this to changelog.

Great! Yeah, if you respin it with that added, please consider it:

Reviewed-by: Kees Cook <keescook@...omium.org>

Thanks!

-- 
Kees Cook

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ