lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20220113125754.0cb5273f@gandalf.local.home>
Date:   Thu, 13 Jan 2022 12:57:54 -0500
From:   Steven Rostedt <rostedt@...dmis.org>
To:     Sven Schnelle <svens@...ux.ibm.com>
Cc:     David Laight <David.Laight@...LAB.COM>,
        LKML <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Pingfan Liu <kernelfans@...il.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Tom Zanussi <zanussi@...nel.org>, hca@...ux.ibm.com,
        deller@....de
Subject: Re: [PATCH v2] tracing: Add test for user space strings when
 filtering on  string pointers

On Tue, 11 Jan 2022 21:55:53 +0100
Sven Schnelle <svens@...ux.ibm.com> wrote:

> > Isn't there also at least one architecture where you can't differentiate
> > between user and kernel pointers by looking at the address?
> > (Something like sparc ASI is used for user accesses so both user
> > and kernel get the full 4G address range. But it isn't sparc (or pdp/11))
> > ISTR it causing issues with the code for kernel_setsockopt() and
> > required a separate flag.  
> 
> On s390 TASK_SIZE is defined as -PAGE_SIZE, so with the patch above the
> kernel would always try to fetch it from user space. I think it would be
> the same for parisc.

As a work around for these cases, would something like this work?

-- Steve

diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
index 91352a64be09..06013822764c 100644
--- a/kernel/trace/trace_events_filter.c
+++ b/kernel/trace/trace_events_filter.c
@@ -676,7 +676,15 @@ static __always_inline char *test_string(char *str)
 	ubuf = this_cpu_ptr(ustring_per_cpu);
 	kstr = ubuf->buffer;
 
-	if (likely((unsigned long)str >= TASK_SIZE)) {
+	/*
+	 * Test the address of ustring_per_cpu against TASK_SIZE, as
+	 * comparing TASK_SIZE to determine kernel/user space address
+	 * is not enough on some architectures. If the address is less
+	 * than TASK_SIZE we know this is the case, in which we should
+	 * always use the from_kernel variant.
+	 */
+	if ((unsigned long)&ustring_per_cpu < (unsigned long)TASK_SIZE ||
+	    likely((unsigned long)str >= TASK_SIZE)) {
 		/* For safety, do not trust the string pointer */
 		if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE))
 			return NULL;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ