Message-ID: <20250503120712.GJaBYG8A-D77MllFZ3@fat_crate.local>
Date: Sat, 3 May 2025 14:07:12 +0200
From: Borislav Petkov <bp@...en8.de>
To: Ingo Molnar <mingo@...nel.org>, Kees Cook <kees@...nel.org>,
	"Gustavo A. R. Silva" <gustavoars@...nel.org>,
	linux-hardening@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-tip-commits@...r.kernel.org,
	Andy Lutomirski <luto@...nel.org>, Brian Gerst <brgerst@...il.com>,
	"Chang S. Bae" <chang.seok.bae@...el.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>, x86@...nel.org
Subject: hardened_usercopy 32-bit (was: Re: [tip: x86/merge] x86/fpu: Make
 task_struct::thread constant size)

On Mon, Apr 14, 2025 at 07:34:48AM -0000, tip-bot2 for Ingo Molnar wrote:
> The fpu_thread_struct_whitelist() quirk to hardened usercopy can be removed,
> now that the FPU structure is not embedded in the task struct anymore, which
> reduces text footprint a bit.

Well, hardened usercopy still doesn't like it on 32-bit, see splat below:

I did some debugging printks and here's what I see:

That's the loop in copy_uabi_to_xstate(), copying the first FPU state
- XFEATURE_FP - to the kernel buffer:

[    1.752756] copy_uabi_to_xstate: i: 0 dst: 0xcab11f40, offset: 0, size: 160, kbuf: 0x00000000, ubuf: 0xbfcbca80
[    1.754600] copy_from_buffer: dst: 0xcab11f40, src: 0xbfcbca80, size: 160

hardened wants to check it:

[    1.755823] __check_heap_object: ptr: 0xcab11f40, slap_address: 0xcab10000, size: 2944
[    1.757102] __check_heap_object: offset: 2112

and figures out it is at some weird offset 2112 from *task_struct* even
though:

[    1.750149] copy_uabi_to_xstate: sizeof(task_struct): 1984

btw, the buffer is big enough too:

[    1.749077] copy_uabi_to_xstate: sizeof(&fpstate->regs.xsave): 576

but then it decides to BUG because an overwrite attempt is being done on
task_struct, which is bollocks now as struct fpu is not part of it anymore.

And this is where I'm all out of ideas so lemme CC folks.

[    1.757898] __check_heap_object: will abort: offset: 2112, size: 160

[    1.758951] usercopy: Kernel memory overwrite attempt detected to SLUB object 'task_struct' (offset 2112, size 160)!
[    1.760651] ------------[ cut here ]------------
[    1.761474] kernel BUG at mm/usercopy.c:102!
[    1.762240] Oops: invalid opcode: 0000 [#1] SMP
[    1.763063] CPU: 6 UID: 0 PID: 1182 Comm: rc Not tainted 6.15.0-rc2+ #35 PREEMPT(full) 
[    1.764374] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    1.765952] EIP: usercopy_abort+0x79/0x88
[    1.768411] Code: c1 89 44 24 0c 0f 45 cb 8b 5d 0c 89 74 24 10 89 4c 24 04 c7 04 24 98 f0 c5 c1 89 5c 24 20 8b 5d 08 89 5c 24 1c e8 d3 8b e7 ff <0f> 0b ba 89 8f ce c1 89 55 f0 89 d6 eb 97 90 3e 8d 74 26 00 85 d2
[    1.771573] EAX: 00000068 EBX: 00000840 ECX: 00000000 EDX: 00000006
[    1.772638] ESI: c1cdb354 EDI: c1ce0c9a EBP: cc751d40 ESP: cc751d0c
[    1.773707] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010292
[    1.774831] CR0: 80050033 CR2: 00511860 CR3: 0cde1000 CR4: 003506d0
[    1.775921] Call Trace:
[    1.776498]  __check_heap_object+0x117/0x14c
[    1.777314]  __check_object_size+0x1af/0x250
[    1.778129]  ? vprintk+0x13/0x1c
[    1.778778]  copy_from_buffer+0xbc/0x114
[    1.779498]  copy_uabi_to_xstate+0x1b7/0x31c
[    1.780251]  copy_sigframe_from_user_to_xstate+0x27/0x34
[    1.781171]  __fpu_restore_sig+0x4ae/0x4c4
[    1.781954]  fpu__restore_sig+0x60/0xb0
[    1.784487]  ia32_restore_sigcontext+0xe4/0x108
[    1.785464]  __do_sys_sigreturn+0x66/0xac
[    1.786191]  ia32_sys_call+0x226a/0x30e0
[    1.786942]  do_int80_syscall_32+0x83/0x158
[    1.787735]  entry_INT80_32+0x108/0x108
[    1.788424] EIP: 0xb7f8b232
[    1.788989] Code: ab 01 00 05 f5 6d 02 00 83 ec 14 8d 80 44 7f ff ff 50 6a 02 e8 df f6 00 00 c7 04 24 7f 00 00 00 e8 7e 9b 01 00 66 90 90 cd 80 <c3> 8d b4 26 00 00 00 00 8d b6 00 00 00 00 8b 1c 24 c3 8d b4 26 00
[    1.792057] EAX: 000004a0 EBX: ffffffff ECX: bfcbce44 EDX: 00000000
[    1.793184] ESI: 00000000 EDI: 00000001 EBP: 005118c0 ESP: bfcbcde0
[    1.794284] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000286
[    1.795440] Modules linked in:
[    1.796088] ---[ end trace 0000000000000000 ]---
[    1.796932] EIP: usercopy_abort+0x79/0x88
[    1.797671] Code: c1 89 44 24 0c 0f 45 cb 8b 5d 0c 89 74 24 10 89 4c 24 04 c7 04 24 98 f0 c5 c1 89 5c 24 20 8b 5d 08 89 5c 24 1c e8 d3 8b e7 ff <0f> 0b ba 89 8f ce c1 89 55 f0 89 d6 eb 97 90 3e 8d 74 26 00 85 d2
[    1.803256] EAX: 00000068 EBX: 00000840 ECX: 00000000 EDX: 00000006
[    1.804604] ESI: c1cdb354 EDI: c1ce0c9a EBP: cc751d40 ESP: cc751d0c
[    1.805686] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010292
[    1.806814] CR0: 80050033 CR2: 00511860 CR3: 0cde1000 CR4: 003506d0

Thx.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
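As an added illustration (not part of the message above or of the kernel source), the following C model reproduces the arithmetic hardened usercopy's __check_heap_object() applies to the numbers in the printks: the destination lands at offset 2112 within the 2944-byte slab object, and with the usercopy whitelist removed no region of 'task_struct' is permitted, so the 160-byte copy is rejected. The second cache, whitelisting the object's tail starting at sizeof(task_struct), is a hypothetical value for comparison.

```c
/* Model of the SLUB hardened-usercopy whitelist check done by
 * __check_heap_object() (mm/slub.c). Illustration written for this page,
 * not kernel code; the cache and whitelist values are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
struct cache_model {
    unsigned long size;       /* slab object stride; 2944 in the splat above */
    unsigned long useroffset; /* start of the usercopy whitelist, 0 if none */
    unsigned long usersize;   /* length of the usercopy whitelist, 0 if none */
};
/* True if copying n bytes at ptr is allowed, false if the kernel would call
 * usercopy_abort(); *off receives the offset the abort message reports. */
static bool check_heap_object(const struct cache_model *s, uintptr_t slab_address,
                              uintptr_t ptr, unsigned long n, unsigned long *off)
{
    *off = 0;
    if (ptr < slab_address)
        return false;             /* "SLUB object not in SLUB page?!" */
    /* Offset within the object: (0xcab11f40 - 0xcab10000) % 2944 == 2112. */
    *off = (ptr - slab_address) % s->size;
    /* Allow only a range lying entirely inside the whitelisted region. */
    return *off >= s->useroffset && *off - s->useroffset <= s->usersize &&
           n <= s->useroffset - *off + s->usersize;
}
/* Values from the printks in the message above. */
#define SLAB_ADDR      0xcab10000UL
#define DST_PTR        0xcab11f40UL
#define COPY_LEN       160UL
#define TASK_STRUCT_SZ 1984UL     /* sizeof(task_struct) */
#define OBJ_SIZE       2944UL     /* slab object size */
/* task_struct cache with no usercopy whitelist (the quirk removed). */
static const struct cache_model task_no_whitelist = { OBJ_SIZE, 0, 0 };
/* Hypothetical cache whitelisting the tail where the FPU state now lives;
 * that the tail starts exactly at sizeof(task_struct) is an assumption. */
static const struct cache_model task_fpu_whitelist = {
    OBJ_SIZE, TASK_STRUCT_SZ, OBJ_SIZE - TASK_STRUCT_SZ };
int main(void)
{
    const struct cache_model *c[] = { &task_no_whitelist, &task_fpu_whitelist };
    for (int i = 0; i < 2; i++) {
        unsigned long off;
        bool ok = check_heap_object(c[i], SLAB_ADDR, DST_PTR, COPY_LEN, &off);
        printf("%s: offset %lu size %lu -> %s\n", i ? "fpu whitelist" : "no whitelist",
               off, COPY_LEN, ok ? "allowed" : "usercopy_abort()");
    }
    return 0;
}
```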
