From: David Miller <davem@davemloft.net>
To: james.hogan@imgtec.com
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
	keescook@chromium.org, akpm@linux-foundation.org,
	monstr@monstr.eu, lftan@altera.com, jonas@southpole.se,
	chris@zankel.net, jcmvbkbc@gmail.com,
	nios2-dev@lists.rocketboards.org, linux@lists.openrisc.net,
	linux-xtensa@linux-xtensa.org
Subject: Re: [PATCH v2 00/11] test_user_copy improvements
Date: Tue, 11 Aug 2015 10:32:28 -0700 (PDT)
Message-ID: <20150811.103228.1155026747582145108.davem@davemloft.net>
In-Reply-To: <55C9D768.7060409@imgtec.com>

From: James Hogan <james.hogan@imgtec.com>
Date: Tue, 11 Aug 2015 12:07:20 +0100

> Out of interest, is the zeroing a strict requirement for correct use, or
> a safety precaution to prevent data leakage in case of bad error checking?
> 
> (A quick look reveals that for copy_from_user() when access_ok() fails,
> only arm, arm64, frv, m32r, m68k, sparc, tile, x86, and xtensa do this).

It is required, otherwise the kernel buffer is left partially initialized
which can lead to security bugs.

> That's a good point. The reversed tests aren't really safe in that case.
> With MIPS EVA the user address is very likely to be a valid
> non-TLB-mapped address to kernel mode, and will zero arbitrary memory.
> They could also potentially crash the kernel if user memory isn't
> normally kernel accessible and the arch doesn't fix up faults for the
> kernel accesses (not EVA, but maybe sparc64?).

Sparc64 would fault on an invalid kernel address, but the problem here
is that the addresses are actually valid kernel ones.

> It is also possible (though less likely) that the kernel address will
> have a valid user mapping at the same address, so the reversed
> copy_to_user test may well leak arbitrary kernel memory to user memory
> without faulting.

Yes, this is also a problem.

>> Also, I think the tests you added and protected with MIPS ifdefs could
>> equally be enabled on sparc64.
> 
> Yes, it sounds like it. I'll try the ARCH_SPLIT_VA_SPACE idea.

Great!
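
The contract discussed above, as an added example that is not part of this thread and not kernel code: a small user-space model in which `sim_access_ok()`, `sim_raw_copy()`, the 64-byte `fake_user_mem` window (only the first 48 bytes "mapped", so a range can pass the check and still fault part-way) and `fake_kernel_mem` are all constructed stand-ins. It puts a `copy_from_user()` that merely reports failure beside one that zeroes every byte it did not fill, and measures, for a caller that ignores the return value, how many bytes of stale kernel data survive in the destination buffer in each case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "user address space": a 64-byte window.  Only the first
 * USER_MAPPED bytes are backed, so an address can pass the range check
 * yet fault part-way through a copy (an unmapped page in real life). */
static unsigned char fake_user_mem[64];
#define USER_BASE   ((uintptr_t)fake_user_mem)
#define USER_LIMIT  (USER_BASE + sizeof(fake_user_mem))
#define USER_MAPPED 48

/* Constructed kernel-side buffer: a valid kernel address that the range
 * check must reject, which is the case the thread is about. */
static unsigned char fake_kernel_mem[32];

/* Range check (stand-in for access_ok()).  The a <= USER_LIMIT test
 * matters: without it an address above the window makes USER_LIMIT - a
 * wrap around and the check passes. */
static int sim_access_ok(const void *uaddr, size_t n)
{
    uintptr_t a = (uintptr_t)uaddr;
    return a >= USER_BASE && a <= USER_LIMIT && n <= USER_LIMIT - a;
}

/* Fault model: copies the accessible prefix and, like the arch raw copy
 * routines, returns the number of bytes it could NOT copy. */
static size_t sim_raw_copy(void *to, const void *from, size_t n)
{
    size_t off = (uintptr_t)from - USER_BASE;   /* caller passed access_ok */
    size_t avail = off < USER_MAPPED ? USER_MAPPED - off : 0;
    size_t ok = n < avail ? n : avail;
    memcpy(to, from, ok);
    return n - ok;
}

/* Leaky variant: reports the failure but leaves the destination holding
 * whatever stale kernel data was there before. */
static size_t copy_from_user_leaky(void *to, const void *from, size_t n)
{
    if (!sim_access_ok(from, n))
        return n;
    return sim_raw_copy(to, from, n);
}

/* Required behaviour: every byte of `to` not filled from user space is
 * zeroed, both when the range check rejects the address outright and
 * when the copy stops early on a fault. */
static size_t copy_from_user_zeroing(void *to, const void *from, size_t n)
{
    size_t left;

    if (!sim_access_ok(from, n)) {
        memset(to, 0, n);
        return n;
    }
    left = sim_raw_copy(to, from, n);
    if (left)
        memset((unsigned char *)to + (n - left), 0, left);
    return left;
}

typedef size_t (*cfu_fn)(void *, const void *, size_t);

/* Model a caller with sloppy error checking: it ignores the return value
 * and goes on to use (or copy back out) the whole buffer.  Returns how
 * many bytes of the stale pattern survive, i.e. how much would leak. */
static size_t bytes_leaked(cfu_fn cfu, const void *uaddr, size_t n)
{
    unsigned char buf[32];
    size_t i, leaked = 0;

    memset(fake_user_mem, 0x11, sizeof(fake_user_mem)); /* user data */
    memset(buf, 0xAA, sizeof(buf));                     /* stale kernel data */
    (void)cfu(buf, uaddr, n);                           /* result ignored */
    for (i = 0; i < n; i++)
        if (buf[i] == 0xAA)
            leaked++;
    return leaked;
}

/* Number of bytes a variant reports as not copied. */
static size_t bytes_uncopied(cfu_fn cfu, const void *uaddr, size_t n)
{
    unsigned char buf[32];
    memset(fake_user_mem, 0x11, sizeof(fake_user_mem));
    return cfu(buf, uaddr, n);
}

int main(void)
{
    const struct { const char *name; const void *from; } cases[] = {
        { "valid user range          ", fake_user_mem },
        { "faults after 8 bytes      ", fake_user_mem + 40 },
        { "kernel address, !access_ok", fake_kernel_mem },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%s leaky=%zu zeroing=%zu uncopied=%zu\n", cases[i].name,
               bytes_leaked(copy_from_user_leaky, cases[i].from, 16),
               bytes_leaked(copy_from_user_zeroing, cases[i].from, 16),
               bytes_uncopied(copy_from_user_zeroing, cases[i].from, 16));
    return 0;
}
```

Both variants return the same "bytes not copied" count, so the difference is invisible to a caller that checks the return value correctly; it only shows up in the buffer contents once a caller forgets to, which is why the reply treats the zeroing as part of the interface rather than an optional precaution.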


Thread overview: 20+ messages
2015-08-07 15:21 [PATCH v2 00/11] test_user_copy improvements James Hogan
2015-08-07 15:21 ` [PATCH v2 01/11] microblaze: Export __strnlen_user to modules James Hogan
2015-08-07 15:21 ` [PATCH v2 02/11] nios2: Export strncpy_from_user / strnlen_user " James Hogan
2015-08-10  8:10   ` Ley Foon Tan
2015-08-07 15:21 ` [PATCH v2 03/11] openrisc: Export __clear_user " James Hogan
2015-08-07 15:21 ` [PATCH v2 04/11] xtensa: Export __strnlen_user " James Hogan
2015-08-07 15:21 ` [PATCH v2 05/11] test_user_copy: Check legit kernel accesses James Hogan
2015-08-07 15:21 ` [PATCH v2 06/11] test_user_copy: Check unchecked accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 07/11] test_user_copy: Check __copy_{to,from}_user_inatomic() James Hogan
2015-08-07 15:22 ` [PATCH v2 08/11] test_user_copy: Check __clear_user()/clear_user() James Hogan
2015-08-07 15:22 ` [PATCH v2 09/11] test_user_copy: Check user string accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 10/11] test_user_copy: Check user compatibility accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 11/11] test_user_copy: Check user checksum functions James Hogan
2015-08-07 23:51 ` [PATCH v2 00/11] test_user_copy improvements Kees Cook
2015-08-10 22:29 ` David Miller
2015-08-11  4:08   ` David Miller
2015-08-11 11:20     ` Geert Uytterhoeven
2015-08-12 21:34       ` David Miller
2015-08-11 11:07   ` James Hogan
2015-08-11 17:32     ` David Miller [this message]
