| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Oct 2022 19:31:53 +0000
From: Jane Chu <jane.chu@...cle.com>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
CC: "pmladek@...e.com" <pmladek@...e.com>,
"rostedt@...dmis.org" <rostedt@...dmis.org>,
"senozhatsky@...omium.org" <senozhatsky@...omium.org>,
"linux@...musvillemoes.dk" <linux@...musvillemoes.dk>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] vsprintf: protect kernel from panic due to non-canonical
pointer dereference
On 10/17/2022 12:25 PM, Andy Shevchenko wrote:
> On Mon, Oct 17, 2022 at 01:16:11PM -0600, Jane Chu wrote:
>> While debugging a separate issue, it was found that an invalid string
>> pointer could very well contain a non-canical address, such as
>> 0x7665645f63616465. In that case, this line of defense isn't enough
>> to protect the kernel from crashing due to general protection fault
>>
>> if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
>> return "(efault)";
>>
>> So instead, use kern_addr_valid() to validate the string pointer.
>
> How did you check that value of the (invalid string) pointer?
>
In the bug scenario, the invalid string pointer was an out-of-bound
string pointer. While the OOB referencing is fixed, the lingering issue
is that the kernel ought to be able to protect itself, as the pointer
contains a non-canonical address. That said, I realized that not all
architecture implement meaningful kern_addr_valid(), so this line
if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
is still need. I'll send v2.
thanks,
-jane
>
Powered by blists - more mailing lists