From: Ingo Molnar <mingo@kernel.org>
To: Kees Cook <keescook@chromium.org>
Cc: Yinghai Lu <yinghai@kernel.org>, Baoquan He <bhe@redhat.com>,
Ingo Molnar <mingo@redhat.com>,
x86@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Dmitry Vyukov <dvyukov@google.com>,
"H.J. Lu" <hjl.tools@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Borislav Petkov <bp@suse.de>, Andy Lutomirski <luto@kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/5] x86, boot: Make memcpy handle overlaps
Date: Fri, 22 Apr 2016 09:49:53 +0200 [thread overview]
Message-ID: <20160422074953.GC7352@gmail.com> (raw)
In-Reply-To: <1461185746-8017-5-git-send-email-keescook@chromium.org>
* Kees Cook <keescook@chromium.org> wrote:
> Two uses of memcpy (screen scrolling and ELF parsing) were handling
> overlapping memory areas. While there were no explicitly noticed bugs
> here (yet), it is best to fix this so that the copying will always be
> safe.
>
> Instead of making a new memmove function that might collide with other
> memmove definitions in the decompressors, this just makes the compressed
> boot's copy of memcpy overlap safe.
>
> Reported-by: Yinghai Lu <yinghai@kernel.org>
> Suggested-by: Lasse Collin <lasse.collin@tukaani.org>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/x86/boot/compressed/misc.c | 4 +---
> arch/x86/boot/compressed/string.c | 22 ++++++++++++++++++++--
> 2 files changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/string.c b/arch/x86/boot/compressed/string.c
> index 00e788be1db9..1e10e40f49dd 100644
> --- a/arch/x86/boot/compressed/string.c
> +++ b/arch/x86/boot/compressed/string.c
> @@ -1,7 +1,7 @@
> #include "../string.c"
>
> #ifdef CONFIG_X86_32
I've applied this patch, but could you please also do another patch that adds a
comment block to the top of this special version of compressed/string.c, which
explains why this file exists and what its purpose is?
Also:
+/*
+ * This memcpy is overlap safe (i.e. it is memmove without conflicting
+ * with other definitions of memmove from the various decompressors.
+ */
+void *memcpy(void *dest, const void *src, size_t n)
I'd not name it memcpy() if its semantics are not the same as the regular kernel
memcpy() - that will only cause confusion later on.
I'd try to name it memmove() and would fix the memmove() hacks in decompressors:
lib/decompress_unxz.c:#ifndef memmove
lib/decompress_unxz.c:void *memmove(void *dest, const void *src, size_t size)
lib/decompress_unxz.c: * Since we need memmove anyway, would use it as memcpy too.
lib/decompress_unxz.c:# define memcpy memmove
any strong reason this cannot be done?
Some other decompressors seem to avoid memmove() intentionally:
lib/decompress_bunzip2.c: *by 256 in any case, using memmove here would
lib/decompress_unlzo.c: * of the buffer. This way memmove() isn't needed which
lib/decompress_unlzo.c: * Use a loop to avoid memmove() dependency.
Thanks,
Ingo
next prev parent reply other threads:[~2016-04-22 7:49 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-20 20:55 [PATCH 0/5] x86, boot: clean up KASLR code (step 2) Kees Cook
2016-04-20 20:55 ` [PATCH 1/5] x86, KASLR: Update description for decompressor worst case size Kees Cook
2016-04-21 14:47 ` Borislav Petkov
2016-04-21 20:04 ` Kees Cook
2016-04-22 3:13 ` Baoquan He
2016-04-22 7:41 ` Ingo Molnar
2016-04-22 9:45 ` [tip:x86/boot] x86/KASLR: " tip-bot for Baoquan He
2016-04-20 20:55 ` [PATCH 2/5] x86, KASLR: Drop CONFIG_RANDOMIZE_BASE_MAX_OFFSET Kees Cook
2016-04-21 17:44 ` Borislav Petkov
2016-04-21 18:13 ` Kees Cook
2016-04-22 7:16 ` Ingo Molnar
2016-04-22 9:43 ` Borislav Petkov
2016-04-22 9:45 ` [tip:x86/boot] x86/KASLR: " tip-bot for Baoquan He
2016-04-20 20:55 ` [PATCH 3/5] x86, boot: Clean up things used by decompressors Kees Cook
2016-04-22 9:46 ` [tip:x86/boot] x86/boot: " tip-bot for Kees Cook
2016-04-20 20:55 ` [PATCH 4/5] x86, boot: Make memcpy handle overlaps Kees Cook
2016-04-22 7:49 ` Ingo Molnar [this message]
2016-04-22 22:18 ` Kees Cook
2016-04-22 7:56 ` Ingo Molnar
2016-04-22 9:46 ` [tip:x86/boot] x86/boot: Make memcpy() " tip-bot for Kees Cook
2016-04-22 21:05 ` Lasse Collin
2016-04-22 22:01 ` Kees Cook
2016-04-20 20:55 ` [PATCH 5/5] x86, KASLR: Warn when KASLR is disabled Kees Cook
2016-04-22 9:47 ` [tip:x86/boot] x86/KASLR: " tip-bot for Kees Cook
2016-04-22 7:43 ` [PATCH 0/5] x86, boot: clean up KASLR code (step 2) Ingo Molnar
2016-04-22 15:39 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160422074953.GC7352@gmail.com \
--to=mingo@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=aryabinin@virtuozzo.com \
--cc=bhe@redhat.com \
--cc=bp@suse.de \
--cc=dvyukov@google.com \
--cc=hjl.tools@gmail.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=x86@kernel.org \
--cc=yinghai@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.