From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Kees Cook <keescook@chromium.org>, Jiri Olsa <jolsa@kernel.org>,
Al Viro <viro@ZenIV.linux.org.uk>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs/proc/kcore.c: use probe_kernel_read() instead of memcpy()
Date: Thu, 7 Dec 2017 09:41:53 +0100 [thread overview]
Message-ID: <20171207084153.GA3106@osiris> (raw)
In-Reply-To: <20171206164350.2bec38f46c1fdf84285f862c@linux-foundation.org>
On Wed, Dec 06, 2017 at 04:43:50PM -0800, Andrew Morton wrote:
> On Sat, 2 Dec 2017 14:27:39 +0100 Heiko Carstens <heiko.carstens@de.ibm.com> wrote:
>
> > git commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext
> > data") added a bounce buffer to avoid hardened usercopy
> > checks. Copying to the bounce buffer was implemented with a simple
> > memcpy() assuming that it is always valid to read from kernel memory
> > iff the kern_addr_valid() check passed.
> >
> > A simple, but pointless, test case like "dd if=/proc/kcore
> > of=/dev/null" now can easily crash the kernel, since the former
> > execption handling on invalid kernel addresses now doesn't work
> > anymore.
> >
> > Also adding a kern_addr_valid() implementation wouldn't help
> > here. Most architectures simply return 1 here, while a couple
> > implemented a page table walk to figure out if something is mapped at
> > the address in question.
> > With DEBUG_PAGEALLOC active mappings are established and removed all
> > the time, so that relying on the result of kern_addr_valid() before
> > executing the memcpy() also doesn't work.
> >
> > Therefore simply use probe_kernel_read() to copy to the bounce
> > buffer. This also allows to simplify read_kcore().
> >
> > At least on s390 this fixes the observed crashes and doesn't introduce
> > warnings that were removed with df04abfd181a ("fs/proc/kcore.c: Add
> > bounce buffer for ktext data"), even though the generic
> > probe_kernel_read() implementation uses uaccess functions.
> >
> > While looking into this I'm also wondering if kern_addr_valid() could
> > be completely removed...(?)
> >
> > Fixes: df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")
> > Fixes: f5509cc18daa ("mm: Hardened usercopy")
>
> It's a privileged operation, but oopsing root's kernel is still a bit
> rude. So I'll add cc:stable. And let it bake until 4.16-rc1, since
> the bug has been there for a year or more. Sound OK?
Yes, that sounds ok to me. Thank you!
prev parent reply other threads:[~2017-12-07 8:42 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-02 13:27 [PATCH] fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() Heiko Carstens
2017-12-02 20:59 ` Kees Cook
2017-12-07 0:43 ` Andrew Morton
2017-12-07 8:41 ` Heiko Carstens [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171207084153.GA3106@osiris \
--to=heiko.carstens@de.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=jolsa@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox