From: David Miller <davem@davemloft.net>
To: james.hogan@imgtec.com
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
keescook@chromium.org, akpm@linux-foundation.org,
monstr@monstr.eu, lftan@altera.com, jonas@southpole.se,
chris@zankel.net, jcmvbkbc@gmail.com,
nios2-dev@lists.rocketboards.org, linux@lists.openrisc.net,
linux-xtensa@linux-xtensa.org
Subject: Re: [PATCH v2 00/11] test_user_copy improvements
Date: Tue, 11 Aug 2015 10:32:28 -0700 (PDT)
Message-ID: <20150811.103228.1155026747582145108.davem@davemloft.net>
In-Reply-To: <55C9D768.7060409@imgtec.com>
From: James Hogan <james.hogan@imgtec.com>
Date: Tue, 11 Aug 2015 12:07:20 +0100
> Out of interest, is the zeroing a strict requirement for correct use, or
> a safety precaution to prevent data leakage in case of bad error checking?
>
> (A quick look reveals that for copy_from_user() when access_ok() fails,
> only arm, arm64, frv, m32r, m68k, sparc, tile, x86, and xtensa do this).
It is required, otherwise the kernel buffer is left partially initialized
which can lead to security bugs.
> That's a good point. The reversed tests aren't really safe in that case.
> With MIPS EVA the user address is very likely to be a valid
> non-TLB-mapped address to kernel mode, and will zero arbitrary memory.
> They could also potentially crash the kernel if user memory isn't
> normally kernel accessible and the arch doesn't fix up faults for the
> kernel accesses (not EVA, but maybe sparc64?).
Sparc64 would fault on an invalid kernel address, but the problem here
is that the addresses are actually valid kernel ones.
> It is also possible (though less likely) that the kernel address will
> have a valid user mapping at the same address, so the reversed
> copy_to_user test may well leak arbitrary kernel memory to user memory
> without faulting.
Yes, this is also a problem.
>> Also, I think the tests you added and protected with MIPS ifdefs could
>> equally be enabled on sparc64.
>
> Yes, it sounds like it. I'll try the ARCH_SPLIT_VA_SPACE idea.
Great!
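As an added illustration (not code from this thread or from the kernel), here is a user-space model of the two behaviours discussed above: a copy_from_user() that zeroes the destination when access_ok() fails, beside one that only reports the failure, each called by a caller that ignores the return value. FAKE_TASK_SIZE, fake_access_ok() and the backing array are constructed stand-ins for the real uaccess machinery, and the mid-copy fault case is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: "user" addresses are offsets below FAKE_TASK_SIZE into a
 * backing array; anything at or above it stands in for a kernel address. */
#define FAKE_TASK_SIZE 0x1000u

static int fake_access_ok(uintptr_t addr, size_t n) {
    return addr + n >= addr && addr + n <= FAKE_TASK_SIZE;
}

/* Like the arches the thread lists: on access_ok() failure the whole destination
 * is zeroed and n (bytes not copied) is returned. */
static size_t copy_from_user_zeroing(void *to, uintptr_t from, const uint8_t *user, size_t n) {
    if (!fake_access_ok(from, n)) {
        memset(to, 0, n);
        return n;
    }
    memcpy(to, user + from, n);
    return 0;
}

/* The same check without the zeroing: reports failure but leaves `to` untouched. */
static size_t copy_from_user_nonzeroing(void *to, uintptr_t from, const uint8_t *user, size_t n) {
    if (!fake_access_ok(from, n))
        return n;
    memcpy(to, user + from, n);
    return 0;
}

/* A caller that never checks the return value; 0xAA stands in for stale stack contents. */
static size_t stale_bytes_after_bad_copy(int zeroing) {
    uint8_t user[FAKE_TASK_SIZE] = {0};
    uint8_t buf[16];
    uintptr_t bad = FAKE_TASK_SIZE + 0x40;  /* rejected by fake_access_ok() */
    size_t i, stale = 0;
    memset(buf, 0xAA, sizeof buf);
    (zeroing ? copy_from_user_zeroing : copy_from_user_nonzeroing)(buf, bad, user, sizeof buf);
    for (i = 0; i < sizeof buf; i++)
        stale += (buf[i] == 0xAA);
    return stale;  /* zeroing: 0 stale bytes; non-zeroing: all 16 remain */
}

int main(void) {
    printf("stale bytes left: zeroing=%zu non-zeroing=%zu\n",
           stale_bytes_after_bad_copy(1), stale_bytes_after_bad_copy(0));
    return 0;
}
```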