From: Mark Rutland <mark.rutland@arm.com>
To: Kees Cook <keescook@chromium.org>
Cc: Tommi Rantala <tommi.t.rantala@nokia.com>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Laura Abbott <labbott@redhat.com>, Ingo Molnar <mingo@kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Eric Biggers <ebiggers@google.com>,
Dave Jones <davej@codemonkey.org.uk>
Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!
Date: Thu, 30 Mar 2017 18:20:12 +0100 [thread overview]
Message-ID: <20170330171701.GA8062@leverpostej> (raw)
In-Reply-To: <CAGXu5jKo4gw=RHCmcY3v+GTiUUgteLbmvHDghd-Lrm7RprL8=Q@mail.gmail.com>
On Thu, Mar 30, 2017 at 09:45:26AM -0700, Kees Cook wrote:
> On Wed, Mar 29, 2017 at 11:44 PM, Tommi Rantala
> <tommi.t.rantala@nokia.com> wrote:
> > Hi,
> >
> > Running:
> >
> > $ sudo x86info -a
> >
> > On this HP ZBook 15 G3 laptop kills the x86info process with segfault and
> > produces the following kernel BUG.
> >
> > $ git describe
> > v4.11-rc4-40-gfe82203
> >
> > It is also reproducible with the fedora kernel: 4.9.14-200.fc25.x86_64
> >
> > Full dmesg output here: https://pastebin.com/raw/Kur2mpZq
> >
> > [ 51.418954] usercopy: kernel memory exposure attempt detected from
> > ffff880000090000 (dma-kmalloc-256) (4096 bytes)
>
> This seems like a real exposure: the copy is attempting to read 4096
> bytes from a 256 byte object.
>
> > [...]
> > [ 51.419063] Call Trace:
> > [ 51.419066] read_mem+0x70/0x120
> > [ 51.419069] __vfs_read+0x28/0x130
> > [ 51.419072] ? security_file_permission+0x9b/0xb0
> > [ 51.419075] ? rw_verify_area+0x4e/0xb0
> > [ 51.419077] vfs_read+0x96/0x130
> > [ 51.419079] SyS_read+0x46/0xb0
> > [ 51.419082] ? SyS_lseek+0x87/0xb0
> > [ 51.419085] entry_SYSCALL_64_fastpath+0x1a/0xa9
>
> I can't reproduce this myself, so I assume it's some specific /proc or
> /sys file that I don't have. Are you able to get a strace of x86info
> as it runs to see which file it is attempting to read here?
Presumably this is /dev/mem, with read_mem in drivers/char/mem.c.
I guess you may have locked that down on your system anyhow. ;)
Thanks,
Mark.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Kees Cook <keescook@chromium.org>
Cc: Tommi Rantala <tommi.t.rantala@nokia.com>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>,
Laura Abbott <labbott@redhat.com>, Ingo Molnar <mingo@kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Eric Biggers <ebiggers@google.com>,
Dave Jones <davej@codemonkey.org.uk>
Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!
Date: Thu, 30 Mar 2017 18:20:12 +0100 [thread overview]
Message-ID: <20170330171701.GA8062@leverpostej> (raw)
In-Reply-To: <CAGXu5jKo4gw=RHCmcY3v+GTiUUgteLbmvHDghd-Lrm7RprL8=Q@mail.gmail.com>
On Thu, Mar 30, 2017 at 09:45:26AM -0700, Kees Cook wrote:
> On Wed, Mar 29, 2017 at 11:44 PM, Tommi Rantala
> <tommi.t.rantala@nokia.com> wrote:
> > Hi,
> >
> > Running:
> >
> > $ sudo x86info -a
> >
> > On this HP ZBook 15 G3 laptop kills the x86info process with segfault and
> > produces the following kernel BUG.
> >
> > $ git describe
> > v4.11-rc4-40-gfe82203
> >
> > It is also reproducible with the fedora kernel: 4.9.14-200.fc25.x86_64
> >
> > Full dmesg output here: https://pastebin.com/raw/Kur2mpZq
> >
> > [ 51.418954] usercopy: kernel memory exposure attempt detected from
> > ffff880000090000 (dma-kmalloc-256) (4096 bytes)
>
> This seems like a real exposure: the copy is attempting to read 4096
> bytes from a 256 byte object.
>
> > [...]
> > [ 51.419063] Call Trace:
> > [ 51.419066] read_mem+0x70/0x120
> > [ 51.419069] __vfs_read+0x28/0x130
> > [ 51.419072] ? security_file_permission+0x9b/0xb0
> > [ 51.419075] ? rw_verify_area+0x4e/0xb0
> > [ 51.419077] vfs_read+0x96/0x130
> > [ 51.419079] SyS_read+0x46/0xb0
> > [ 51.419082] ? SyS_lseek+0x87/0xb0
> > [ 51.419085] entry_SYSCALL_64_fastpath+0x1a/0xa9
>
> I can't reproduce this myself, so I assume it's some specific /proc or
> /sys file that I don't have. Are you able to get a strace of x86info
> as it runs to see which file it is attempting to read here?
Presumably this is /dev/mem, with read_mem in drivers/char/mem.c.
I guess you may have locked that down on your system anyhow. ;)
Thanks,
Mark.
next prev parent reply other threads:[~2017-03-30 17:20 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-30 6:44 sudo x86info -a => kernel BUG at mm/usercopy.c:78! Tommi Rantala
2017-03-30 6:44 ` Tommi Rantala
2017-03-30 16:45 ` Kees Cook
2017-03-30 16:45 ` Kees Cook
2017-03-30 17:20 ` Mark Rutland [this message]
2017-03-30 17:20 ` Mark Rutland
2017-03-30 17:27 ` Laura Abbott
2017-03-30 17:27 ` Laura Abbott
2017-03-30 17:37 ` Kees Cook
2017-03-30 17:37 ` Kees Cook
2017-03-30 17:44 ` Laura Abbott
2017-03-30 17:44 ` Laura Abbott
2017-03-31 5:44 ` Tommi Rantala
2017-03-31 5:44 ` Tommi Rantala
2017-03-30 19:41 ` Dave Jones
2017-03-30 19:41 ` Dave Jones
2017-03-30 19:52 ` Kees Cook
2017-03-30 19:52 ` Kees Cook
2017-03-30 20:01 ` Dave Jones
2017-03-30 20:01 ` Dave Jones
2017-03-31 5:40 ` Tommi Rantala
2017-03-31 5:40 ` Tommi Rantala
2017-03-31 6:59 ` Tommi Rantala
2017-03-31 6:59 ` Tommi Rantala
2017-03-31 17:17 ` Dave Jones
2017-03-31 17:17 ` Dave Jones
2017-03-31 17:32 ` Kees Cook
2017-03-31 17:32 ` Kees Cook
2017-03-31 18:03 ` Dave Jones
2017-03-31 18:03 ` Dave Jones
2017-03-31 18:57 ` Andy Lutomirski
2017-03-31 18:57 ` Andy Lutomirski
2017-03-31 18:26 ` Linus Torvalds
2017-03-31 18:26 ` Linus Torvalds
2017-03-31 19:32 ` Tommi Rantala
2017-03-31 19:32 ` Tommi Rantala
2017-04-04 22:37 ` Kees Cook
2017-04-04 22:37 ` Kees Cook
2017-04-04 22:55 ` Linus Torvalds
2017-04-04 22:55 ` Linus Torvalds
2017-04-04 22:59 ` Kees Cook
2017-04-04 22:59 ` Kees Cook
2017-04-05 0:22 ` Linus Torvalds
2017-04-05 0:22 ` Linus Torvalds
2017-04-05 19:39 ` Kees Cook
2017-04-05 19:39 ` Kees Cook
2017-03-31 23:58 ` Kees Cook
2017-03-31 23:58 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170330171701.GA8062@leverpostej \
--to=mark.rutland@arm.com \
--cc=davej@codemonkey.org.uk \
--cc=ebiggers@google.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@kernel.org \
--cc=tommi.t.rantala@nokia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.