From: Andy Lutomirski <luto@amacapital.net>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Jann Horn <jannh@google.com>, Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
the arch/x86 maintainers <x86@kernel.org>,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
Andy Lutomirski <luto@kernel.org>
Subject: Re: [RFC PATCH 1/2] x86: WARN() when uaccess helpers fault on kernel addresses
Date: Tue, 7 Aug 2018 07:02:10 -0700 [thread overview]
Message-ID: <80A71AAC-89B0-448A-8FF6-FFF1B68270A2@amacapital.net> (raw)
In-Reply-To: <CACT4Y+YJzeTEOASJ8xu5uW_VFYqtoeBpywEC+x0nmFiac_=hJw@mail.gmail.com>
> On Aug 7, 2018, at 4:04 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>
>> On Tue, Aug 7, 2018 at 3:22 AM, Jann Horn <jannh@google.com> wrote:
>> There have been multiple kernel vulnerabilities that permitted userspace to
>> pass completely unchecked pointers through to userspace accessors:
>>
>> - the waitid() bug - commit 96ca579a1ecc ("waitid(): Add missing
>> access_ok() checks")
>> - the sg/bsg read/write APIs
>> - the infiniband read/write APIs
>>
>> These don't happen all that often, but when they do happen, it is hard to
>> test for them properly; and it is probably also hard to discover them with
>> fuzzing. Even when an unmapped kernel address is supplied to such buggy
>> code, it just returns -EFAULT instead of doing a proper BUG() or at least
>> WARN().
>>
>> This patch attempts to make such misbehaving code a bit more visible by
>> WARN()ing in the pagefault handler code when a userspace accessor causes
>> #PF on a kernel address and the current context isn't whitelisted.
>
> This is not triggerable unless there is a kernel bug, right? I mean
> this won't be a DoS vector? And any case is something to report to
> kernel developers?
Yes. I expect it to help fuzzers, since it will make a uaccess at a bad address much more likely to oops.
My old series found one bug when the automated fuzzers fuzzed it. That bug is fixed now.
prev parent reply other threads:[~2018-08-07 14:02 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-07 1:22 [RFC PATCH 1/2] x86: WARN() when uaccess helpers fault on kernel addresses Jann Horn
2018-08-07 1:22 ` [RFC PATCH 2/2] lkdtm: test copy_to_user() on bad kernel pointer under KERNEL_DS Jann Horn
2018-08-07 2:36 ` [RFC PATCH 1/2] x86: WARN() when uaccess helpers fault on kernel addresses Kees Cook
2018-08-07 2:55 ` Andy Lutomirski
2018-08-07 10:03 ` Ingo Molnar
2018-08-07 21:17 ` Jann Horn
2018-08-07 22:28 ` Andy Lutomirski
2018-08-22 23:53 ` Jann Horn
2018-08-23 0:28 ` Andy Lutomirski
2018-08-23 0:55 ` Jann Horn
2018-08-23 1:36 ` Andy Lutomirski
2018-08-07 11:04 ` Dmitry Vyukov
2018-08-07 14:02 ` Andy Lutomirski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=80A71AAC-89B0-448A-8FF6-FFF1B68270A2@amacapital.net \
--to=luto@amacapital.net \
--cc=dvyukov@google.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).