diff for duplicates of <20160709075539.GA27852@gmail.com> diff --git a/a/content_digest b/N1/content_digest index e760da7..4d63d89 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -2,7 +2,7 @@ "ref\0b113b487-acc6-24b8-d58c-425d3c884f4c@redhat.com\0" "ref\01468032243.13253.59.camel@redhat.com\0" "From\0Ingo Molnar <mingo@kernel.org>\0" - "Subject\0[kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy\0" + "Subject\0Re: [PATCH 0/9] mm: Hardened usercopy\0" "Date\0Sat, 9 Jul 2016 09:55:40 +0200\0" "To\0Rik van Riel <riel@redhat.com>\0" "Cc\0Laura Abbott <labbott@redhat.com>" @@ -28,19 +28,7 @@ Andrew Morton <akpm@linux-foundation.org> Andy Lutomirski <luto@kernel.org> Borislav Petkov <bp@suse.de> - Mathias Krause <minipli@googlemail.com> - Jan Kara <jack@suse.cz> - Vitaly Wool <vitalywool@gmail.com> - Andrea Arcangeli <aarcange@redhat.com> - Dmitry Vyukov <dvyukov@google.com> - Laura Abbott <labbott@fedoraproject.org> - linux-arm-kernel@lists.infradead.org - linux-ia64@vger.kernel.org - linuxppc-dev@lists.ozlabs.org - sparclinux@vger.kernel.org - linux-arch@vger.kernel.org - linux-mm@kvack.org - " kernel-hardening@lists.openwall.com\0" + " Mathias Krause <minipli@googlemail.>\0" "\00:1\0" "b\0" "\n" @@ -121,4 +109,4 @@ "\n" "\tIngo" -17e8b4459d291e2b10a935531c733538b6e6db3d6d6cff5b77baa5eea442abc7 +99420a2c695f8c7e1cf1c209b9eb9852cd7e59f51e7bb51352067faa2587c751
diff --git a/a/content_digest b/N2/content_digest index e760da7..20d6eb0 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -2,7 +2,7 @@ "ref\0b113b487-acc6-24b8-d58c-425d3c884f4c@redhat.com\0" "ref\01468032243.13253.59.camel@redhat.com\0" "From\0Ingo Molnar <mingo@kernel.org>\0" - "Subject\0[kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy\0" + "Subject\0Re: [PATCH 0/9] mm: Hardened usercopy\0" "Date\0Sat, 9 Jul 2016 09:55:40 +0200\0" "To\0Rik van Riel <riel@redhat.com>\0" "Cc\0Laura Abbott <labbott@redhat.com>" @@ -121,4 +121,4 @@ "\n" "\tIngo" -17e8b4459d291e2b10a935531c733538b6e6db3d6d6cff5b77baa5eea442abc7 +b1d1d791ac9f67532fefe16a762ae38b2db338ba7029487122b5b8add2bd68e3
diff --git a/a/content_digest b/N3/content_digest index e760da7..8f52526 100644 --- a/a/content_digest +++ b/N3/content_digest @@ -2,8 +2,8 @@ "ref\0b113b487-acc6-24b8-d58c-425d3c884f4c@redhat.com\0" "ref\01468032243.13253.59.camel@redhat.com\0" "From\0Ingo Molnar <mingo@kernel.org>\0" - "Subject\0[kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy\0" - "Date\0Sat, 9 Jul 2016 09:55:40 +0200\0" + "Subject\0Re: [PATCH 0/9] mm: Hardened usercopy\0" + "Date\0Sat, 09 Jul 2016 07:55:40 +0000\0" "To\0Rik van Riel <riel@redhat.com>\0" "Cc\0Laura Abbott <labbott@redhat.com>" Kees Cook <keescook@chromium.org> @@ -121,4 +121,4 @@ "\n" "\tIngo" -17e8b4459d291e2b10a935531c733538b6e6db3d6d6cff5b77baa5eea442abc7 +f51d98f0bfcf27a6aadafc46c8945b33950cb075f689907d32041712a75a319a
diff --git a/a/1.txt b/N4/1.txt index afba158..903c568 100644 --- a/a/1.txt +++ b/N4/1.txt 
@@ -2,30 +2,30 @@ * Rik van Riel <riel@redhat.com> wrote: > On Fri, 2016-07-08 at 19:22 -0700, Laura Abbott wrote: -> > +> >? > > Even with the SLUB fixup I'm still seeing this blow up on my arm64 > > system. This is a > > Fedora rawhide kernel + the patches > > -> > [ 0.666700] usercopy: kernel memory exposure attempt detected from +> > [????0.666700] usercopy: kernel memory exposure attempt detected from > > fffffc0008b4dd58 (<kernel text>) (8 bytes) -> > [ 0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted: -> > G W 4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1 -> > [ 0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS +> > [????0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted: +> > G????????W???????4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1 +> > [????0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS > > 1.1.0 Nov 24 2015 -> > [ 0.666744] Call trace: -> > [ 0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8 -> > [ 0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30 -> > [ 0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0 -> > [ 0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230 -> > [ 0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420 -> > [ 0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70 -> > [ 0.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240 -> > [ 0.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950 -> > [ 0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50 -> > [ 0.666841] [<fffffc00080e3720>] +> > [????0.666744] Call trace: +> > [????0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8 +> > [????0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30 +> > [????0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0 +> > [????0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230 +> > [????0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420 +> > [????0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70 +> > [????0.666814] [<fffffc0008298b4c>] 
search_binary_handler+0xb4/0x240 +> > [????0.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950 +> > [????0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50 +> > [????0.666841] [<fffffc00080e3720>] > > call_usermodehelper_exec_async+0xe8/0x148 -> > [ 0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50 +> > [????0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50 > > > > This happens on every call to execve. This seems to be the first > > copy_to_user in @@ -39,19 +39,19 @@ > > from fs/binfmt_elf.c > -> const char *k_platform = ELF_PLATFORM; +> ? ? ? ? const char *k_platform = ELF_PLATFORM; > > ... -> size_t len = strlen(k_platform) + 1; +> ? ? ? ? ? ? ? ? size_t len = strlen(k_platform) + 1; > -> u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); -> if (__copy_to_user(u_platform, k_platform, len)) -> return -EFAULT; +> ? ? ? ? ? ? ? ? u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); +> ????????????????if (__copy_to_user(u_platform, k_platform, len)) +> ????????????????????????return -EFAULT; > > from arch/arm/include/asm/elf.h: > > #define ELF_PLATFORM_SIZE 8 -> #define ELF_PLATFORM (elf_platform) +> #define ELF_PLATFORM????(elf_platform) > > extern char elf_platform[]; > @@ -62,8 +62,8 @@ > > ... > -> snprintf(elf_platform, ELF_PLATFORM_SIZE, "%s%c", -> list->elf_name, ENDIANNESS); +> ????????snprintf(elf_platform, ELF_PLATFORM_SIZE, "%s%c", +> ?????????????????list->elf_name, ENDIANNESS); > > How does that end up in the .text section of the > image, instead of in one of the various data sections? diff --git a/a/content_digest b/N4/content_digest index e760da7..a88255a 100644 --- a/a/content_digest +++ b/N4/content_digest 
@@ -1,76 +1,40 @@ "ref\01467843928-29351-1-git-send-email-keescook@chromium.org\0" "ref\0b113b487-acc6-24b8-d58c-425d3c884f4c@redhat.com\0" "ref\01468032243.13253.59.camel@redhat.com\0" - "From\0Ingo Molnar <mingo@kernel.org>\0" - "Subject\0[kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy\0" + "From\0mingo@kernel.org (Ingo Molnar)\0" + "Subject\0[PATCH 0/9] mm: Hardened usercopy\0" "Date\0Sat, 9 Jul 2016 09:55:40 +0200\0" - "To\0Rik van Riel <riel@redhat.com>\0" - "Cc\0Laura Abbott <labbott@redhat.com>" - Kees Cook <keescook@chromium.org> - linux-kernel@vger.kernel.org - Casey Schaufler <casey@schaufler-ca.com> - PaX Team <pageexec@freemail.hu> - Brad Spengler <spender@grsecurity.net> - Russell King <linux@armlinux.org.uk> - Catalin Marinas <catalin.marinas@arm.com> - Will Deacon <will.deacon@arm.com> - Ard Biesheuvel <ard.biesheuvel@linaro.org> - Benjamin Herrenschmidt <benh@kernel.crashing.org> - Michael Ellerman <mpe@ellerman.id.au> - Tony Luck <tony.luck@intel.com> - Fenghua Yu <fenghua.yu@intel.com> - David S. 
Miller <davem@davemloft.net> - x86@kernel.org - Christoph Lameter <cl@linux.com> - Pekka Enberg <penberg@kernel.org> - David Rientjes <rientjes@google.com> - Joonsoo Kim <iamjoonsoo.kim@lge.com> - Andrew Morton <akpm@linux-foundation.org> - Andy Lutomirski <luto@kernel.org> - Borislav Petkov <bp@suse.de> - Mathias Krause <minipli@googlemail.com> - Jan Kara <jack@suse.cz> - Vitaly Wool <vitalywool@gmail.com> - Andrea Arcangeli <aarcange@redhat.com> - Dmitry Vyukov <dvyukov@google.com> - Laura Abbott <labbott@fedoraproject.org> - linux-arm-kernel@lists.infradead.org - linux-ia64@vger.kernel.org - linuxppc-dev@lists.ozlabs.org - sparclinux@vger.kernel.org - linux-arch@vger.kernel.org - linux-mm@kvack.org - " kernel-hardening@lists.openwall.com\0" + "To\0linux-arm-kernel@lists.infradead.org\0" "\00:1\0" "b\0" "\n" "* Rik van Riel <riel@redhat.com> wrote:\n" "\n" "> On Fri, 2016-07-08 at 19:22 -0700, Laura Abbott wrote:\n" - "> >\302\240\n" + "> >?\n" "> > Even with the SLUB fixup I'm still seeing this blow up on my arm64\n" "> > system. 
This is a\n" "> > Fedora rawhide kernel + the patches\n" "> > \n" - "> > [\302\240\302\240\302\240\302\2400.666700] usercopy: kernel memory exposure attempt detected from\n" + "> > [????0.666700] usercopy: kernel memory exposure attempt detected from\n" "> > fffffc0008b4dd58 (<kernel text>) (8 bytes)\n" - "> > [\302\240\302\240\302\240\302\2400.666720] CPU: 2 PID: 79 Comm: modprobe Tainted:\n" - "> > G\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240W\302\240\302\240\302\240\302\240\302\240\302\240\302\2404.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1\n" - "> > [\302\240\302\240\302\240\302\2400.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS\n" + "> > [????0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted:\n" + "> > G????????W???????4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1\n" + "> > [????0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS\n" "> > 1.1.0 Nov 24 2015\n" - "> > [\302\240\302\240\302\240\302\2400.666744] Call trace:\n" - "> > [\302\240\302\240\302\240\302\2400.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8\n" - "> > [\302\240\302\240\302\240\302\2400.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30\n" - "> > [\302\240\302\240\302\240\302\2400.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0\n" - "> > [\302\240\302\240\302\240\302\2400.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230\n" - "> > [\302\240\302\240\302\240\302\2400.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420\n" - "> > [\302\240\302\240\302\240\302\2400.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70\n" - "> > [\302\240\302\240\302\240\302\2400.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240\n" - "> > [\302\240\302\240\302\240\302\2400.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950\n" - "> > [\302\240\302\240\302\240\302\2400.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50\n" - "> > [\302\240\302\240\302\240\302\2400.666841] [<fffffc00080e3720>]\n" + "> > [????0.666744] Call 
trace:\n" + "> > [????0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8\n" + "> > [????0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30\n" + "> > [????0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0\n" + "> > [????0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230\n" + "> > [????0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420\n" + "> > [????0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70\n" + "> > [????0.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240\n" + "> > [????0.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950\n" + "> > [????0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50\n" + "> > [????0.666841] [<fffffc00080e3720>]\n" "> > call_usermodehelper_exec_async+0xe8/0x148\n" - "> > [\302\240\302\240\302\240\302\2400.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50\n" + "> > [????0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50\n" "> > \n" "> > This happens on every call to execve. This seems to be the first\n" "> > copy_to_user in\n" 
@@ -84,19 +48,19 @@ "> \n" "> from fs/binfmt_elf.c\n" "> \n" - "> \302\240 \302\240 \302\240 \302\240 const char *k_platform = ELF_PLATFORM;\n" + "> ? ? ? ? const char *k_platform = ELF_PLATFORM;\n" "> \n" "> ...\n" - "> \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 size_t len = strlen(k_platform) + 1;\n" + "> ? ? ? ? ? ? ? ? size_t len = strlen(k_platform) + 1;\n" "> \t\t\n" - "> \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240if (__copy_to_user(u_platform, k_platform, len))\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240return -EFAULT;\n" + "> ? ? ? ? ? ? ? ? u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);\n" + "> ????????????????if (__copy_to_user(u_platform, k_platform, len))\n" + "> ????????????????????????return -EFAULT;\n" "> \n" "> from arch/arm/include/asm/elf.h:\n" "> \n" "> #define ELF_PLATFORM_SIZE 8\n" - "> #define ELF_PLATFORM\302\240\302\240\302\240\302\240(elf_platform)\n" + "> #define ELF_PLATFORM????(elf_platform)\n" "> \n" "> extern char elf_platform[];\n" "> \n" @@ -107,8 +71,8 @@ "> \n" "> ...\n" "> \n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240snprintf(elf_platform, ELF_PLATFORM_SIZE, \"%s%c\",\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240list->elf_name, ENDIANNESS);\n" + "> ????????snprintf(elf_platform, ELF_PLATFORM_SIZE, \"%s%c\",\n" + "> ?????????????????list->elf_name, ENDIANNESS);\n" "> \n" "> How does that end up in the .text section of the\n" "> image, instead of in one of the various data sections?\n" 
@@ -121,4 +85,4 @@ "\n" "\tIngo" -17e8b4459d291e2b10a935531c733538b6e6db3d6d6cff5b77baa5eea442abc7 +bf9fa736e08de0fc2badd237903d55a1e1b94fa9c814f860f6da90e36bff9c33
diff --git a/a/1.txt b/N5/1.txt index afba158..830dbc8 100644 --- a/a/1.txt +++ b/N5/1.txt 
@@ -2,30 +2,30 @@ * Rik van Riel <riel@redhat.com> wrote: > On Fri, 2016-07-08 at 19:22 -0700, Laura Abbott wrote: -> > +> > > > Even with the SLUB fixup I'm still seeing this blow up on my arm64 > > system. This is a > > Fedora rawhide kernel + the patches > > -> > [ 0.666700] usercopy: kernel memory exposure attempt detected from +> > [ 0.666700] usercopy: kernel memory exposure attempt detected from > > fffffc0008b4dd58 (<kernel text>) (8 bytes) -> > [ 0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted: -> > G W 4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1 -> > [ 0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS +> > [ 0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted: +> > G W 4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1 +> > [ 0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS > > 1.1.0 Nov 24 2015 -> > [ 0.666744] Call trace: -> > [ 0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8 -> > [ 0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30 -> > [ 0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0 -> > [ 0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230 -> > [ 0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420 -> > [ 0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70 -> > [ 0.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240 -> > [ 0.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950 -> > [ 0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50 -> > [ 0.666841] [<fffffc00080e3720>] +> > [ 0.666744] Call trace: +> > [ 0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8 +> > [ 0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30 +> > [ 0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0 +> > [ 0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230 +> > [ 0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420 +> > [ 0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70 +> > [ 0.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240 +> > [ 0.666823] 
[<fffffc0008299864>] do_execveat_common+0x63c/0x950 +> > [ 0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50 +> > [ 0.666841] [<fffffc00080e3720>] > > call_usermodehelper_exec_async+0xe8/0x148 -> > [ 0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50 +> > [ 0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50 > > > > This happens on every call to execve. This seems to be the first > > copy_to_user in @@ -39,19 +39,19 @@ > > from fs/binfmt_elf.c > -> const char *k_platform = ELF_PLATFORM; +> const char *k_platform = ELF_PLATFORM; > > ... -> size_t len = strlen(k_platform) + 1; +> size_t len = strlen(k_platform) + 1; > -> u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); -> if (__copy_to_user(u_platform, k_platform, len)) -> return -EFAULT; +> u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len); +> if (__copy_to_user(u_platform, k_platform, len)) +> return -EFAULT; > > from arch/arm/include/asm/elf.h: > > #define ELF_PLATFORM_SIZE 8 -> #define ELF_PLATFORM (elf_platform) +> #define ELF_PLATFORM (elf_platform) > > extern char elf_platform[]; > @@ -62,8 +62,8 @@ > > ... > -> snprintf(elf_platform, ELF_PLATFORM_SIZE, "%s%c", -> list->elf_name, ENDIANNESS); +> snprintf(elf_platform, ELF_PLATFORM_SIZE, "%s%c", +> list->elf_name, ENDIANNESS); > > How does that end up in the .text section of the > image, instead of in one of the various data sections? @@ -75,3 +75,9 @@ I think the crash happened on ARM64, not ARM. Thanks, Ingo + +-- +To unsubscribe, send a message with 'unsubscribe linux-mm' in +the body to majordomo@kvack.org. For more info on Linux MM, +see: http://www.linux-mm.org/ . +Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a> diff --git a/a/content_digest b/N5/content_digest index e760da7..b793a0f 100644 --- a/a/content_digest +++ b/N5/content_digest 
@@ -2,7 +2,7 @@ "ref\0b113b487-acc6-24b8-d58c-425d3c884f4c@redhat.com\0" "ref\01468032243.13253.59.camel@redhat.com\0" "From\0Ingo Molnar <mingo@kernel.org>\0" - "Subject\0[kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy\0" + "Subject\0Re: [PATCH 0/9] mm: Hardened usercopy\0" "Date\0Sat, 9 Jul 2016 09:55:40 +0200\0" "To\0Rik van Riel <riel@redhat.com>\0" "Cc\0Laura Abbott <labbott@redhat.com>" 
@@ -47,30 +47,30 @@ "* Rik van Riel <riel@redhat.com> wrote:\n" "\n" "> On Fri, 2016-07-08 at 19:22 -0700, Laura Abbott wrote:\n" - "> >\302\240\n" + "> > \n" "> > Even with the SLUB fixup I'm still seeing this blow up on my arm64\n" "> > system. This is a\n" "> > Fedora rawhide kernel + the patches\n" "> > \n" - "> > [\302\240\302\240\302\240\302\2400.666700] usercopy: kernel memory exposure attempt detected from\n" + "> > [ 0.666700] usercopy: kernel memory exposure attempt detected from\n" "> > fffffc0008b4dd58 (<kernel text>) (8 bytes)\n" - "> > [\302\240\302\240\302\240\302\2400.666720] CPU: 2 PID: 79 Comm: modprobe Tainted:\n" - "> > G\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240W\302\240\302\240\302\240\302\240\302\240\302\240\302\2404.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1\n" - "> > [\302\240\302\240\302\240\302\2400.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS\n" + "> > [ 0.666720] CPU: 2 PID: 79 Comm: modprobe Tainted:\n" + "> > G W 4.7.0-0.rc6.git1.1.hardenedusercopy.fc25.aarch64 #1\n" + "> > [ 0.666733] Hardware name: AppliedMicro Mustang/Mustang, BIOS\n" "> > 1.1.0 Nov 24 2015\n" - "> > [\302\240\302\240\302\240\302\2400.666744] Call trace:\n" - "> > [\302\240\302\240\302\240\302\2400.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8\n" - "> > [\302\240\302\240\302\240\302\2400.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30\n" - "> > [\302\240\302\240\302\240\302\2400.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0\n" - "> > [\302\240\302\240\302\240\302\2400.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230\n" - "> > [\302\240\302\240\302\240\302\2400.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420\n" - "> > [\302\240\302\240\302\240\302\2400.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70\n" - "> > [\302\240\302\240\302\240\302\2400.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240\n" - "> > [\302\240\302\240\302\240\302\2400.666823] [<fffffc0008299864>] 
do_execveat_common+0x63c/0x950\n" - "> > [\302\240\302\240\302\240\302\2400.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50\n" - "> > [\302\240\302\240\302\240\302\2400.666841] [<fffffc00080e3720>]\n" + "> > [ 0.666744] Call trace:\n" + "> > [ 0.666756] [<fffffc0008088a20>] dump_backtrace+0x0/0x1e8\n" + "> > [ 0.666765] [<fffffc0008088c2c>] show_stack+0x24/0x30\n" + "> > [ 0.666775] [<fffffc0008455344>] dump_stack+0xa4/0xe0\n" + "> > [ 0.666785] [<fffffc000828d874>] __check_object_size+0x6c/0x230\n" + "> > [ 0.666795] [<fffffc00083a5748>] create_elf_tables+0x74/0x420\n" + "> > [ 0.666805] [<fffffc00082fb1f0>] load_elf_binary+0x828/0xb70\n" + "> > [ 0.666814] [<fffffc0008298b4c>] search_binary_handler+0xb4/0x240\n" + "> > [ 0.666823] [<fffffc0008299864>] do_execveat_common+0x63c/0x950\n" + "> > [ 0.666832] [<fffffc0008299bb4>] do_execve+0x3c/0x50\n" + "> > [ 0.666841] [<fffffc00080e3720>]\n" "> > call_usermodehelper_exec_async+0xe8/0x148\n" - "> > [\302\240\302\240\302\240\302\2400.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50\n" + "> > [ 0.666850] [<fffffc0008084a80>] ret_from_fork+0x10/0x50\n" "> > \n" "> > This happens on every call to execve. This seems to be the first\n" "> > copy_to_user in\n" 
@@ -84,19 +84,19 @@ "> \n" "> from fs/binfmt_elf.c\n" "> \n" - "> \302\240 \302\240 \302\240 \302\240 const char *k_platform = ELF_PLATFORM;\n" + "> const char *k_platform = ELF_PLATFORM;\n" "> \n" "> ...\n" - "> \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 size_t len = strlen(k_platform) + 1;\n" + "> size_t len = strlen(k_platform) + 1;\n" "> \t\t\n" - "> \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 \302\240 u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240if (__copy_to_user(u_platform, k_platform, len))\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240return -EFAULT;\n" + "> u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);\n" + "> if (__copy_to_user(u_platform, k_platform, len))\n" + "> return -EFAULT;\n" "> \n" "> from arch/arm/include/asm/elf.h:\n" "> \n" "> #define ELF_PLATFORM_SIZE 8\n" - "> #define ELF_PLATFORM\302\240\302\240\302\240\302\240(elf_platform)\n" + "> #define ELF_PLATFORM (elf_platform)\n" "> \n" "> extern char elf_platform[];\n" "> \n" @@ -107,8 +107,8 @@ "> \n" "> ...\n" "> \n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240snprintf(elf_platform, ELF_PLATFORM_SIZE, \"%s%c\",\n" - "> \302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240list->elf_name, ENDIANNESS);\n" + "> snprintf(elf_platform, ELF_PLATFORM_SIZE, \"%s%c\",\n" + "> list->elf_name, ENDIANNESS);\n" "> \n" "> How does that end up in the .text section of the\n" "> image, instead of in one of the various data sections?\n" 
@@ -119,6 +119,12 @@ "\n" "Thanks,\n" "\n" - "\tIngo" + "\tIngo\n" + "\n" + "--\n" + "To unsubscribe, send a message with 'unsubscribe linux-mm' in\n" + "the body to majordomo@kvack.org. For more info on Linux MM,\n" + "see: http://www.linux-mm.org/ .\n" + "Don't email: <a href=mailto:\"dont@kvack.org\"> email@kvack.org </a>" -17e8b4459d291e2b10a935531c733538b6e6db3d6d6cff5b77baa5eea442abc7 +ed0c2a4ca250ee994c17c2bab7a65bc9642b94d83043e7055e349e65305e01c4