Message-Id: <20221108195211.214025-1-flaniel@linux.microsoft.com>
Date: Tue, 8 Nov 2022 20:52:05 +0100
From: Francis Laniel <flaniel@...ux.microsoft.com>
To: linux-kernel@...r.kernel.org
Cc: Alban Crequy <alban.crequy@...il.com>,
Francis Laniel <flaniel@...ux.microsoft.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Andrii Nakryiko <andrii@...nel.org>,
Mykola Lysenko <mykolal@...com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Song Liu <song@...nel.org>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
Stanislav Fomichev <sdf@...gle.com>,
Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>,
Shuah Khan <shuah@...nel.org>,
Alban Crequy <albancrequy@...rosoft.com>, linux-mm@...ck.org,
bpf@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: [RFC PATCH v1 0/2] Fix offset when fault occurs in strncpy_from_kernel_nofault()

Hi.

First of all, I hope you are fine and the same for your relatives.

This contribution fixes a bug where the byte before the destination address can
be reset when a page fault occurs in strncpy_from_kernel_nofault() while copying
the first byte from the source address.
This bug led to a kernel panic if a pointer containing the modified address is
dereferenced, as the pointer does not contain a correct address.
To fix this bug, we simply reset the current destination byte in case of a
page fault.

The proposed fix was tested and validated inside a VM:

root@...amd64:~# ./share/linux/tools/testing/selftests/bpf/test_progs --name varlen
...
#222 varlen:OK
Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

Without the patch, the test will fail:

root@...amd64:~# ./share/linux/tools/testing/selftests/bpf/test_progs --name varlen
...
#222 varlen:FAIL
Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED

If you see any way to improve this contribution, feel free to share.

Alban Crequy (2):
  maccess: fix writing offset in case of fault in
    strncpy_from_kernel_nofault()
  selftests: bpf: add a test when bpf_probe_read_kernel_str() returns
    EFAULT

 mm/maccess.c                                    | 2 +-
 tools/testing/selftests/bpf/prog_tests/varlen.c | 7 +++++++
 tools/testing/selftests/bpf/progs/test_varlen.c | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)

Best regards and thank you in advance.
--
2.25.1
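
The failure mode described in this message, as a user-space model in C. This is an added example, not the patch and not code from mm/maccess.c: `model_strncpy_nofault()`, its `readable` fault threshold, `MODEL_EFAULT` and the guard-byte layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_EFAULT 14	/* stand-in for the kernel's EFAULT */

/*
 * User-space model of a byte-wise, fault-tolerant string copy.
 * Assumption: reading src[i] "faults" once i >= readable.
 * fixed == 0: on fault, terminate at dst[-1] (the behaviour reported as buggy).
 * fixed != 0: on fault, terminate at the current destination byte.
 */
static long model_strncpy_nofault(char *dst, const char *src, long count,
				  long readable, int fixed)
{
	long i = 0;

	if (count <= 0)
		return 0;
	do {
		if (i >= readable)
			goto efault;
		*dst++ = src[i++];
	} while (dst[-1] && i < count);

	dst[-1] = '\0';
	return i;
efault:
	if (fixed)
		dst[0] = '\0';
	else
		dst[-1] = '\0';	/* fault at i == 0: this is the byte before dst */
	return -MODEL_EFAULT;
}

/* Value of the byte just before the destination after a first-byte fault. */
static unsigned char guard_after_fault(int fixed)
{
	char buf[9];	/* constructed layout: buf[0] is the guard, dst is buf + 1 */
	memset(buf, 0x41, sizeof(buf));
	model_strncpy_nofault(buf + 1, "unused", 8, 0, fixed);
	return (unsigned char)buf[0];
}

int main(void)
{
	printf("buggy: guard=0x%02x\n", guard_after_fault(0));
	printf("fixed: guard=0x%02x\n", guard_after_fault(1));
	return 0;
}
```

In the model the guard byte belongs to the same array, so the stray write is well defined; in the situation the message describes, that byte belongs to whatever precedes the destination buffer.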