| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 Nov 2021 15:03:47 -0600
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Brian Gerst <brgerst@...il.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Oleg Nesterov <oleg@...hat.com>,
Al Viro <viro@...iv.linux.org.uk>,
Kees Cook <keescook@...omium.org>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
"the arch\/x86 maintainers" <x86@...nel.org>,
H Peter Anvin <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>
Subject: Re: [PATCH 09/20] signal/vm86_32: Replace open coded BUG_ON with an actual BUG_ON
Linus Torvalds <torvalds@...ux-foundation.org> writes:
> On Fri, Nov 12, 2021 at 11:57 AM Eric W. Biederman
> <ebiederm@...ssion.com> wrote:
>>
>> Still user space would have had to have mapped address 0 to get that
>> value set in do_sys_vm86.
>
> You have to map address 0 anyway just to get vm86 mode to work.
>
> vm86 mode fundamentally requires the low 1MB of virtual memory to be
> mapped, since there is no virtual memory offset in the vm86 model.
True.
However that also means if struct vm86plus_struct is at address 0
instead of the 16bit interrupt table something is badly wrong.
Still if we are going to check for userspace being silly that it should
be in do_sys_vm86.
I have managed to get the fuzzer that hit the problem to run and with
the test for !vm86->user_vm86 removed the BUG_ON is not being hit.
I am going to keep running it for a bit just to make certain, and
then I will put together a proper patch.
Eric
Powered by blists - more mailing lists