Message-ID: <20250106172722.5b6032e5@gandalf.local.home>
Date: Mon, 6 Jan 2025 17:27:22 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: LKML <linux-kernel@...r.kernel.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Andrew Morton
 <akpm@...ux-foundation.org>, Petr Mladek <pmladek@...e.com>, Andy
 Shevchenko <andriy.shevchenko@...ux.intel.com>, Rasmus Villemoes
 <linux@...musvillemoes.dk>, Sergey Senozhatsky <senozhatsky@...omium.org>,
 Kees Cook <keescook@...omium.org>
Subject: [RFC][PATCH] printf: Harden accessing pointer dereference in
 vsprintf()

From: Steven Rostedt <rostedt@...dmis.org>

For extra safety from crashing the kernel, add a
copy_from_kernel_nofault() in check_pointer_msg(). If it fails to read the
memory, then return "(efault)".

This isn't foolproof, as the length of the pointer being read could
possibly go into bad memory, but this should catch the majority of errors.

Linus had suggested adding this kind of check[1]. This is a bit different
than Linus's solution as it utilizes copy_from_kernel_nofault() and doesn't
require calls to pagefault_disable() and extra labels.

[1] https://lore.kernel.org/all/CAHk-=wh3cUC2a=yJv42HTjDLCp6VM+GTky+q65vV_Q33BeoxAg@mail.gmail.com/

Signed-off-by: Steven Rostedt (Google) <rostedt@...dmis.org>
---
 lib/vsprintf.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 9d3dac38a3f4..1a533f1174f0 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -695,12 +695,18 @@ static char *error_string(char *buf, char *end, const char *s,
  */
 static const char *check_pointer_msg(const void *ptr)
 {
+	char ch;
+
 	if (!ptr)
 		return "(null)";
 
 	if ((unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr))
 		return "(efault)";
 
+	/* Just test a single byte */
+	if (copy_from_kernel_nofault(&ch, ptr, 1) < 0)
+		return "(efault)";
+
 	return NULL;
 }
 
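Review bot: the new probe, `copy_from_kernel_nofault(&ch, ptr, 1)`, validates only the first byte at ptr, and the comment "Just test a single byte" does not say why that is acceptable. The commit message already concedes that the rest of the object being read can still extend into bad memory, so the comment should record that this is a best-effort check and that a NULL return does not guarantee the later dereference is safe. Two smaller points: the probe and the existing `(unsigned long)ptr < PAGE_SIZE || IS_ERR_VALUE(ptr)` test both return "(efault)", so the output cannot tell a low or error-valued pointer from an unmapped one, and the `< 0` comparison could be dropped, since copy_from_kernel_nofault() returns 0 on success and a negative errno otherwise.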
-- 
2.45.2

