lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 31 Oct 2021 12:14:33 +0100
From:   Björn Töpel <bjorn.topel@...il.com>
To:     "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     Liao Chang <liaochang1@...wei.com>,
        Paul Walmsley <paul.walmsley@...ive.com>,
        Palmer Dabbelt <palmer@...belt.com>,
        Albert Ou <aou@...s.berkeley.edu>,
        Nick Kossifidis <mick@....forth.gr>, jszhang@...nel.org,
        guoren@...ux.alibaba.com, Pekka Enberg <penberg@...nel.org>,
        sunnanyong@...wei.com, wangkefeng.wang@...wei.com,
        changbin.du@...el.com, Alex Ghiti <alex@...ti.fr>,
        linux-riscv <linux-riscv@...ts.infradead.org>,
        LKML <linux-kernel@...r.kernel.org>, kexec@...ts.infradead.org
Subject: Re: [PATCH 2/3] RISC-V: use memcpy for kexec_file mode

On Sat, 30 Oct 2021 at 05:51, Eric W. Biederman <ebiederm@...ssion.com> wrote:
>
> Liao Chang <liaochang1@...wei.com> writes:
>
> > The pointer to buffer loading kernel binaries is in kernel space for
> > kexec_fil mode, When copy_from_user copies data from pointer to a block
> > of memory, it checkes that the pointer is in the user space range, on
> > RISCV-V that is:
> >
> > static inline bool __access_ok(unsigned long addr, unsigned long size)
> > {
> >       return size <= TASK_SIZE && addr <= TASK_SIZE - size;
> > }
> >
> > and TASK_SIZE is 0x4000000000 for 64-bits, which now causes
> > copy_from_user to reject the access of the field 'buf' of struct
> > kexec_segment that is in range [CONFIG_PAGE_OFFSET - VMALLOC_SIZE,
> > CONFIG_PAGE_OFFSET), is invalid user space pointer.
> >
> > This patch fixes this issue by skipping access_ok(), use mempcy() instead.
>
> I am a bit confused.
>
> Why is machine_kexec ever calling copy_from_user?  That seems wrong in
> all cases.
>

It's not machine_kexec -- it's machine_kexec_prepare, which pulls out
the FDT from the image. It looks like MIPS does it similarly.

(Caveat: I might be confused as well! ;-))


Björn

Powered by blists - more mailing lists