* [PATCH 1/2] fs/proc/kcore.c: Make bounce buffer global for read
@ 2016-09-08 7:57 Jiri Olsa
From: Jiri Olsa @ 2016-09-08 7:57 UTC (permalink / raw)
To: lkml; +Cc: Ingo Molnar, Andi Kleen, Linus Torvalds, Kees Cook
Next patch adds bounce buffer for ktext area, so it's
convenient to have single bounce buffer for both
vmalloc/module and ktext cases.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
fs/proc/kcore.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index a939f5ed7f89..bd3ac9dca252 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -430,6 +430,7 @@ static void elf_kcore_store_hdr(char *bufp, int nphdr, int dataoff)
static ssize_t
read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
{
+ char *buf = file->private_data;
ssize_t acc = 0;
size_t size, tsz;
size_t elf_buflen;
@@ -500,18 +501,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
if (clear_user(buffer, tsz))
return -EFAULT;
} else if (is_vmalloc_or_module_addr((void *)start)) {
- char * elf_buf;
-
- elf_buf = kzalloc(tsz, GFP_KERNEL);
- if (!elf_buf)
- return -ENOMEM;
- vread(elf_buf, (char *)start, tsz);
+ vread(buf, (char *)start, tsz);
/* we have to zero-fill user buffer even if no read */
- if (copy_to_user(buffer, elf_buf, tsz)) {
- kfree(elf_buf);
+ if (copy_to_user(buffer, buf, tsz))
return -EFAULT;
- }
- kfree(elf_buf);
} else {
if (kern_addr_valid(start)) {
unsigned long n;
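Review bot: replacing kzalloc() with the reused kmalloc() buffer drops the zero-fill that the retained comment `/* we have to zero-fill user buffer even if no read */` depends on; unless vread() is guaranteed to write all tsz bytes of buf, stale data from the previous chunk would now be copied to the user buffer, so add `memset(buf, 0, tsz);` before `vread(buf, (char *)start, tsz);` or check vread()'s return value. The removal of the kfree() on the copy_to_user() failure path is otherwise correct, since the buffer now lives for the lifetime of the open file.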
@@ -549,6 +542,11 @@ static int open_kcore(struct inode *inode, struct file *filp)
{
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
+
+ filp->private_data = kmalloc(PAGE_SIZE, GFP_KERNEL);
+ if (!filp->private_data)
+ return -ENOMEM;
+
if (kcore_need_update)
kcore_update_ram();
if (i_size_read(inode) != proc_root_kcore->size) {
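Review bot: `kmalloc(PAGE_SIZE, GFP_KERNEL)` is an implicit contract with read_kcore(), whose per-iteration tsz must never exceed PAGE_SIZE, and that bound is not visible in this hunk; a comment at the allocation, or a WARN_ON()-style check where tsz is computed, would make the size assumption explicit. Placing the allocation after the `capable(CAP_SYS_RAWIO)` check is the right order, since unprivileged opens then fail before any allocation.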
@@ -559,10 +557,16 @@ static int open_kcore(struct inode *inode, struct file *filp)
return 0;
}
+static int release_kcore(struct inode *inode, struct file *file)
+{
+ kfree(file->private_data);
+ return 0;
+}
static const struct file_operations proc_kcore_operations = {
.read = read_kcore,
.open = open_kcore,
+ .release = release_kcore,
.llseek = default_llseek,
};
--
2.7.4
* [PATCH 2/2] fs/proc/kcore.c: Add bounce buffer for ktext data
From: Jiri Olsa @ 2016-09-08 7:57 UTC (permalink / raw)
To: lkml; +Cc: Ingo Molnar, Andi Kleen, Linus Torvalds, Kees Cook
We hit hardened usercopy feature check for kernel text
access by reading kcore file:
usercopy: kernel memory exposure attempt detected from ffffffff8179a01f (<kernel text>) (4065 bytes)
kernel BUG at mm/usercopy.c:75!
Bypassing this check for kcore by adding bounce buffer
for ktext data.
Reported-by: Steve Best <sbest@redhat.com>
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
---
fs/proc/kcore.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index bd3ac9dca252..5c89a07e3d7f 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -509,7 +509,12 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
if (kern_addr_valid(start)) {
unsigned long n;
- n = copy_to_user(buffer, (char *)start, tsz);
+ /*
+ * Using bounce buffer to bypass the
+ * hardened user copy kernel text checks.
+ */
+ memcpy(buf, (char *) start, tsz);
+ n = copy_to_user(buffer, buf, tsz);
/*
* We cannot distinguish between fault on source
* and fault on destination. When this happens
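Review bot: the new comment should state why bypassing the hardened usercopy check is acceptable here, not only that it does so: the read path is reachable only after the `capable(CAP_SYS_RAWIO)` check in open_kcore(), so the memcpy() from kernel text is not the kind of exposure the check exists to catch, and the comment should say so. The retained comment that follows, `We cannot distinguish between fault on source and fault on destination`, is now stale: the source is read by memcpy() under kern_addr_valid() before copy_to_user() runs, so n reflects destination faults only; update the comment accordingly.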
--
2.7.4
* Re: [PATCH 1/2] fs/proc/kcore.c: Make bounce buffer global for read
From: Kees Cook @ 2016-09-09 20:43 UTC (permalink / raw)
To: Jiri Olsa; +Cc: lkml, Ingo Molnar, Andi Kleen, Linus Torvalds
On Thu, Sep 8, 2016 at 12:57 AM, Jiri Olsa <jolsa@kernel.org> wrote:
> Next patch adds bounce buffer for ktext area, so it's
> convenient to have single bounce buffer for both
> vmalloc/module and ktext cases.
>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>
For this and the 2/2:
Acked-by: Kees Cook <keescook@chromium.org>
Thanks!
-Kees
--
Kees Cook
Nexus Security
* Re: [PATCH 1/2] fs/proc/kcore.c: Make bounce buffer global for read
From: Jiri Olsa @ 2016-09-20 13:56 UTC (permalink / raw)
To: Kees Cook; +Cc: Jiri Olsa, lkml, Ingo Molnar, Andi Kleen, Linus Torvalds
On Fri, Sep 09, 2016 at 01:43:40PM -0700, Kees Cook wrote:
> On Thu, Sep 8, 2016 at 12:57 AM, Jiri Olsa <jolsa@kernel.org> wrote:
> > Next patch adds bounce buffer for ktext area, so it's
> > convenient to have single bounce buffer for both
> > vmalloc/module and ktext cases.
> >
> > Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> > Signed-off-by: Jiri Olsa <jolsa@kernel.org>
>
> For this and the 2/2:
>
> Acked-by: Kees Cook <keescook@chromium.org>
>
> Thanks!
hi,
I still don't see those pulled in.. which tree is it going to take?
thanks,
jirka
* Re: [PATCH 1/2] fs/proc/kcore.c: Make bounce buffer global for read
From: Linus Torvalds @ 2016-09-20 20:33 UTC (permalink / raw)
To: Jiri Olsa; +Cc: Kees Cook, Jiri Olsa, lkml, Ingo Molnar, Andi Kleen
On Tue, Sep 20, 2016 at 6:56 AM, Jiri Olsa <jolsa@redhat.com> wrote:
>
> I still don't see those pulled in.. which tree is it going to take?
I guess I'll take them directly,
Linus