From mboxrd@z Thu Jan 1 00:00:00 1970 From: riel@redhat.com (Rik van Riel) Date: Fri, 12 May 2017 17:47:55 -0400 Subject: [kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode In-Reply-To: <20170512214144.GT390@ZenIV.linux.org.uk> References: <20170512072802.5a686f23@mschwideX1> <20170512075458.09a3a1ce@mschwideX1> <20170512202106.GO22219@n2100.armlinux.org.uk> <20170512210645.GS390@ZenIV.linux.org.uk> <20170512214144.GT390@ZenIV.linux.org.uk> Message-ID: <1494625675.29205.21.camel@redhat.com> To: linux-arm-kernel@lists.infradead.org List-Id: linux-arm-kernel.lists.infradead.org On Fri, 2017-05-12 at 22:41 +0100, Al Viro wrote: > On Fri, May 12, 2017 at 02:17:19PM -0700, Kees Cook wrote: > > > Two things are at risk from stack exhaustion: thread_info (mainly > > addr_limit) when on the stack (fixed by THREAD_INFO_IN_TASK), and > > Really???Let's take a look at arm, for example: > > struct thread_info { > ????????unsigned long???????????flags;??????????/* low level flags */ > ????????int?????????????????????preempt_count;??/* 0 => preemptable, > <0 => bug */ > ????????mm_segment_t????????????addr_limit;?????/* address limit */ > ????????struct task_struct??????*task;??????????/* main task > structure */ > > and current() is defined as current_thread_info()->task. > > Seriously, look at these beasts.??Overwriting ->addr_limit is nowhere > near > the top threat.??If attacker can overwrite thread_info, you have > lost. That is why THREAD_INFO_IN_TASK exists. It moves the struct thread_info to a location away from the stack, which means a stack overflow will not overwrite the thread_info.