| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Mar 2023 01:37:40 -0400
From: Gregory Price <gregory.price@...verge.com>
To: Oleg Nesterov <oleg@...hat.com>
Cc: Arnd Bergmann <arnd@...db.de>,
Gregory Price <gourry.memverge@...il.com>,
linux-kernel@...r.kernel.org, linux-doc@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
Linux-Arch <linux-arch@...r.kernel.org>, avagin@...il.com,
Peter Zijlstra <peterz@...radead.org>,
Andy Lutomirski <luto@...nel.org>, krisman@...labora.com,
Thomas Gleixner <tglx@...utronix.de>,
Jonathan Corbet <corbet@....net>, shuah <shuah@...nel.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Mark Rutland <mark.rutland@....com>, tongtiangen@...wei.com,
Robin Murphy <robin.murphy@....com>
Subject: Re: [PATCH v14 1/4] asm-generic,arm64: create task variant of
access_ok
On Wed, Mar 29, 2023 at 07:13:22PM +0200, Oleg Nesterov wrote:
> On 03/28, Gregory Price wrote:
> >
> > Not sure how I should proceed here,
>
> Can't we just kill this access_ok() in set_syscall_user_dispatch() ?
> I don't think it buys too much.
>
> Oleg.
>
> diff --git a/kernel/entry/syscall_user_dispatch.c b/kernel/entry/syscall_user_dispatch.c
> index 0b6379adff6b..d2e516ece52b 100644
> --- a/kernel/entry/syscall_user_dispatch.c
> +++ b/kernel/entry/syscall_user_dispatch.c
> @@ -43,11 +43,7 @@ bool syscall_user_dispatch(struct pt_regs *regs)
> return false;
>
> if (likely(sd->selector)) {
> - /*
> - * access_ok() is performed once, at prctl time, when
> - * the selector is loaded by userspace.
> - */
> - if (unlikely(__get_user(state, sd->selector))) {
> + if (unlikely(get_user(state, sd->selector))) {
> force_exit_sig(SIGSEGV);
> return true;
> }
> @@ -86,9 +82,6 @@ int set_syscall_user_dispatch(unsigned long mode, unsigned long offset,
> if (offset && offset + len <= offset)
> return -EINVAL;
>
> - if (selector && !access_ok(selector, sizeof(*selector)))
> - return -EFAULT;
> -
> break;
> default:
> return -EINVAL;
>
The result of this would be either a task calling via prctl or a tracer
calling via ptrace would be capable of setting selector to a bad pointer
and producing a SIGSEGV on the next system call.
It's a pretty small footgun, but maybe that's reasonable?
>From a user perspective, debugging this behavior would be nightmarish.
Your call to prctl/ptrace would succeed and the process would continue
to execute until the next syscall - at which point you incur a SIGSEGV,
and depending on the syscall that could mean anything?
Everything feels bad here lol.
~Gregory
Powered by blists - more mailing lists