lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20221110085614.111213-2-albancrequy@linux.microsoft.com>
Date:   Thu, 10 Nov 2022 09:56:13 +0100
From:   Alban Crequy <albancrequy@...ux.microsoft.com>
To:     bpf@...r.kernel.org
Cc:     stable@...r.kernel.org, albancrequy@...ux.microsoft.com,
        flaniel@...ux.microsoft.com, akpm@...ux-foundation.org,
        andrii@...nel.org, ast@...nel.org, daniel@...earbox.net,
        haoluo@...gle.com, john.fastabend@...il.com, jolsa@...nel.org,
        kpsingh@...nel.org, linux-kernel@...r.kernel.org,
        linux-kselftest@...r.kernel.org, linux-mm@...ck.org,
        martin.lau@...ux.dev, mykolal@...com, sdf@...gle.com,
        shuah@...nel.org, song@...nel.org, yhs@...com
Subject: [PATCH bpf v2 1/2] maccess: fix writing offset in case of fault in strncpy_from_kernel_nofault()

If a page fault occurs while copying the first byte, this function resets one
byte before dst.
As a consequence, an address could be modified and leaded to kernel crashes if
case the modified address was accessed later.

Fixes: b58294ead14c ("maccess: allow architectures to provide kernel probing directly")
Cc: <stable@...r.kernel.org> [5.8]
Signed-off-by: Alban Crequy <albancrequy@...ux.microsoft.com>
Tested-by: Francis Laniel <flaniel@...ux.microsoft.com>
Reviewed-by: Andrew Morton <akpm@...ux-foundation.org>

---

Changes v1 to v2:
- add 'cc:stable', 'Fixes:' and review tag
- fix my email
- rebase on bpf tree and tag for bpf tree
---
 mm/maccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/maccess.c b/mm/maccess.c
index 5f4d240f67ec..074f6b086671 100644
--- a/mm/maccess.c
+++ b/mm/maccess.c
@@ -97,7 +97,7 @@ long strncpy_from_kernel_nofault(char *dst, const void *unsafe_addr, long count)
 	return src - unsafe_addr;
 Efault:
 	pagefault_enable();
-	dst[-1] = '\0';
+	dst[0] = '\0';
 	return -EFAULT;
 }
 
-- 
2.36.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ