From: Mark Rutland <mark.rutland@arm.com>
To: kernel-hardening@lists.openwall.com
Cc: Vaishali Thakkar <vaishali.thakkar@oracle.com>
Subject: Re: [kernel-hardening] [RFC PATCH] lib: Harden csum_partial_copy_from_user
Date: Wed, 2 Nov 2016 20:44:54 +0000
Message-ID: <20161102204453.GA18842@remoulade>
In-Reply-To: <1478106169-25770-1-git-send-email-vaishali.thakkar@oracle.com>

Hi,

On Wed, Nov 02, 2016 at 10:32:49PM +0530, Vaishali Thakkar wrote:
> The routine csum_partial_copy_from_user is the same as csum_partial_copy
> but it copies from user space for the checksumming. In other respects
> it is identical, and can be used to copy an arbitrarily large buffer
> from userspace into the kernel. Conceptually this exposes a similar
> attack surface to copy_from_user. So, to validate the given address
> we should call check_object_size here.

Thanks for looking at this! I agree that we should be trying to lock down these
homebrew/specialised copy_{to,from}_user routines.

However...

> @@ -158,6 +159,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len,
>  {
>  	int missing;
>  
> +	check_object_size(dst, len, false);
>  	missing = __copy_from_user(dst, src, len);
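Review bot: the check_object_size(dst, len, false) inserted directly before the __copy_from_user() call in this hunk duplicates a check that the arm64 and x86 __copy_from_user() implementations already perform on the same dst/len pair, so on those architectures the destination object is validated twice per call and the new line adds no protection. If the intent is to cover architectures whose __copy_from_user() lacks the check, the commit message should say which ones; the more robust fix is to put the check in that primitive (or a generic uaccess wrapper) so every caller is covered, rather than in one lib routine.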

... here we're just calling into the architecture-specific __copy_from_user(),
and I know that both arm64 and x86 have a check_object_size() call in their
__copy_from_user() implementations.

Is that missing on some architectures?

I think we need to figure out where check_object_size() and other checks (e.g.
kasan_check_size) are expected to live in the hierarchy of uaccess copy
primitives (and/or if they should also live in {get,put}_user()).

I had a plan to try to refactor the generic uaccess code so that we could put
those checks in one place, but I put that on hold as Al Viro was doing some
overlapping refactoring of all the uaccess primitives (and I got busy with some
other work).

Thanks,
Mark.

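The exchange above turns on what check_object_size() guards and where in the uaccess hierarchy it should run. The following is an added user-space model, not kernel code and not part of the patch or this thread: a constructed slab of fixed-size objects, a check that refuses a copy whose [dst, dst+len) would run past the end of its object, an arch-style primitive that already contains the check, and the patched wrapper that checks again in front of it. The slab layout, the model_* names and the call counter are assumptions made for the illustration; the real check_object_size() does not return an error but reports the overflow and kills the offending task.

```c
/* Added example (not kernel code): a user-space model of what
 * check_object_size() does for a copy_from_user()-style primitive.
 * The slab, object table and model_* names are assumptions for this
 * illustration, not the kernel's API. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "slab" of fixed-size objects standing in for a kmalloc cache. */
#define NOBJ  4
#define OBJSZ 32
static unsigned char slab[NOBJ * OBJSZ];

/* Constructed stand-in for the user-space source buffer. */
static const unsigned char user_buf[64] = "constructed user data for the copy";

/* Counter so a caller can see how many times the check ran per copy. */
static int check_calls;

/* Model of check_object_size(): [ptr, ptr+len) must lie entirely inside one
 * slab object. Returns true when the copy is allowed. Addresses outside the
 * slab are not this check's business (the kernel has separate stack/text
 * checks), so they pass through unchanged. */
static bool model_check_object_size(const void *ptr, size_t len)
{
    uintptr_t p = (uintptr_t)ptr, base = (uintptr_t)slab;

    check_calls++;
    if (len == 0)
        return true;                      /* nothing to copy, nothing to check */
    if (p < base || p >= base + sizeof(slab))
        return true;                      /* not a slab object: not checked here */
    size_t off = (p - base) % OBJSZ;      /* offset within the containing object */
    return len <= OBJSZ - off;            /* must not run past the object's end */
}

/* Model of an arch __copy_from_user() that already contains the check, as
 * Mark says arm64 and x86 do. Like the kernel, returns bytes NOT copied. */
static size_t model___copy_from_user(void *dst, const void *src, size_t len)
{
    if (!model_check_object_size(dst, len))
        return len;                       /* refuse the whole copy */
    memcpy(dst, src, len);
    return 0;
}

/* Model of csum_partial_copy_from_user() as patched: an extra check in front
 * of the primitive, which then checks the same dst/len again. */
static size_t model_csum_partial_copy_from_user(void *dst, const void *src, size_t len)
{
    if (!model_check_object_size(dst, len))
        return len;
    return model___copy_from_user(dst, src, len);
}

/* Number of times the check runs when the patched wrapper copies 16 bytes
 * into a valid object: once in the wrapper, once in the primitive. */
static int count_checks_for_wrapper_copy(void)
{
    check_calls = 0;
    model_csum_partial_copy_from_user(slab + 8, user_buf, 16);
    return check_calls;
}

int main(void)
{
    /* 16 bytes at offset 8 of object 0: fits, copy succeeds. */
    printf("in-bounds copy, not copied: %zu\n",
           model___copy_from_user(slab + 8, user_buf, 16));
    /* 40 bytes at the start of object 0: overflows the 32-byte object. */
    printf("overflowing copy, not copied: %zu\n",
           model___copy_from_user(slab, user_buf, 40));
    /* 30 bytes at offset 8 of object 1: would spill into object 2. */
    printf("cross-object copy, not copied: %zu\n",
           model___copy_from_user(slab + OBJSZ + 8, user_buf, 30));
    printf("checks per patched-wrapper copy: %d\n", count_checks_for_wrapper_copy());
    return 0;
}
```

The third case is the one hardened usercopy exists for: a length that is valid for the caller's arithmetic but ends in the neighbouring slab object. The last line shows the cost of the patch as posted on an architecture whose primitive already checks: the same object is validated twice per call, which is why the thread asks where in the hierarchy the check should live once.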
Thread overview: 9+ messages
2016-11-02 17:02 [kernel-hardening] [RFC PATCH] lib: Harden csum_partial_copy_from_user Vaishali Thakkar
2016-11-02 20:44 ` Mark Rutland [this message]
2016-11-02 21:59   ` Kees Cook
2016-11-03  2:14     ` Vaishali Thakkar
2016-11-03  4:23       ` Mark Rutland
2016-11-03  4:56         ` Vaishali Thakkar
2016-11-03 18:05           ` Mark Rutland
2016-11-04 10:03             ` Vaishali Thakkar
2016-11-03  5:03     ` Al Viro
