From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Arnd Bergmann <arnd@arndb.de>,
linux-kernel@vger.kernel.org,
syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>,
Eric Biggers <ebiggers@kernel.org>,
Dmitry Vyukov <dvyukov@google.com>
Subject: Re: [PATCH] /dev/mem: Bail out upon SIGKILL when reading memory.
Date: Thu, 22 Aug 2019 09:42:49 -0700 [thread overview]
Message-ID: <20190822164249.GA12551@kroah.com> (raw)
In-Reply-To: <e8d3ce30-8c61-048e-2606-f8a4e8f08d87@i-love.sakura.ne.jp>
On Thu, Aug 22, 2019 at 11:00:59PM +0900, Tetsuo Handa wrote:
> On 2019/08/22 22:35, Greg Kroah-Hartman wrote:
> > On Thu, Aug 22, 2019 at 06:59:25PM +0900, Tetsuo Handa wrote:
> >> Tetsuo Handa wrote:
> >>> Greg Kroah-Hartman wrote:
> >>>> Oh, nice! This shouldn't break anything that is assuming that the read
> >>>> will complete before a signal is delivered, right?
> >>>>
> >>>> I know userspace handling of "short" reads is almost always not there...
> >>>
> >>> Since this check will give up upon SIGKILL, userspace won't be able to see
> >>> the return value from read(). Thus, returning 0 upon SIGKILL will be safe. ;-)
> >>> Maybe we also want to add cond_resched()...
> >>>
> >>> By the way, do we want similar check on write_mem() side?
> >>> If aborting "write to /dev/mem" upon SIGKILL (results in partial write) is
> >>> unexpected, we might want to ignore SIGKILL for write_mem() case.
> >>> But copying data from killed threads (especially when killed by OOM killer
> >>> and userspace memory is reclaimed by OOM reaper before write_mem() returns)
> >>> would be after all unexpected. Then, it might be preferable to check SIGKILL
> >>> on write_mem() side...
> >>>
> >>
> >> Ha, ha. syzbot reported the same problem using write_mem().
> >> https://syzkaller.appspot.com/text?tag=CrashLog&x=1018055a600000
> >> We want fatal_signal_pending() check on both sides.
> >
> > Ok, want to send a patch for that?
>
> Yes. But before sending a patch, I'm trying to dump values using debug printk().
>
> >
> > And does anything use /dev/mem anymore? I think X stopped using it a
> > long time ago.
> >
> >> By the way, write_mem() worries me whether there is possibility of replacing
> >> kernel code/data with user-defined memory data supplied from userspace.
> >> If write_mem() were by chance replaced with code that does
> >>
> >> while (1);
> >>
> >> we won't be able to return from write_mem() even if we added fatal_signal_pending() check.
> >> Ditto for replacing local variables with unexpected values...
> >
> > I'm sorry, I don't really understand what you mean here, but I haven't
> > had my morning coffee... Any hints as to an example?
>
> Probably similar idea: "lockdown: Restrict /dev/{mem,kmem,port} when the kernel is locked down"
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/drivers/char/mem.c?h=next-20190822&id=9b9d8dda1ed72e9bd560ab0ca93d322a9440510e
>
> Then, syzbot might want to blacklist writing to /dev/mem .
syzbot should probably blacklist that now, you can do a lot of bad
things writing to that device node :(
next prev parent reply other threads:[~2019-08-22 16:42 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-20 22:06 [PATCH] /dev/mem: Bail out upon SIGKILL when reading memory Tetsuo Handa
2019-08-20 22:24 ` Greg Kroah-Hartman
2019-08-21 0:07 ` Tetsuo Handa
2019-08-22 9:59 ` Tetsuo Handa
2019-08-22 13:35 ` Greg Kroah-Hartman
2019-08-22 14:00 ` Tetsuo Handa
2019-08-22 16:42 ` Greg Kroah-Hartman [this message]
2019-08-22 17:11 ` Dmitry Vyukov
2019-08-22 21:17 ` Tetsuo Handa
2019-08-22 23:59 ` Dmitry Vyukov
2019-08-23 8:17 ` Tetsuo Handa
2019-08-23 16:47 ` Dmitry Vyukov
2019-10-08 9:57 ` Kernel config for fuzz testing Tetsuo Handa
2019-08-22 21:29 ` [PATCH] /dev/mem: Bail out upon SIGKILL when reading memory Linus Torvalds
2019-08-22 22:08 ` Linus Torvalds
2019-08-23 9:16 ` Ingo Molnar
2019-08-23 16:39 ` Linus Torvalds
2019-08-24 16:14 ` Ingo Molnar
2019-08-24 17:40 ` Linus Torvalds
2019-08-24 20:22 ` Ingo Molnar
2019-08-24 20:56 ` Linus Torvalds
2019-08-30 9:56 ` David Laight
2019-08-25 5:49 ` Tetsuo Handa
2019-08-25 9:59 ` Ingo Molnar
2019-08-25 10:35 ` Tetsuo Handa
2019-08-25 10:48 ` Ingo Molnar
2019-08-25 16:54 ` Linus Torvalds
2019-08-26 10:40 ` Tetsuo Handa
2019-08-26 11:19 ` Ingo Molnar
2019-08-26 15:02 ` Rewriting read_kmem()/write_kmem() ? Tetsuo Handa
2019-08-23 11:46 ` [PATCH] /dev/mem: Bail out upon SIGKILL when reading memory Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190822164249.GA12551@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.