From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751043AbdLGImD (ORCPT ); Thu, 7 Dec 2017 03:42:03 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:35192 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750869AbdLGImC (ORCPT ); Thu, 7 Dec 2017 03:42:02 -0500 Date: Thu, 7 Dec 2017 09:41:53 +0100 From: Heiko Carstens To: Andrew Morton Cc: Linus Torvalds , Kees Cook , Jiri Olsa , Al Viro , linux-kernel@vger.kernel.org Subject: Re: [PATCH] fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() References: <20171202132739.99971-1-heiko.carstens@de.ibm.com> <20171206164350.2bec38f46c1fdf84285f862c@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171206164350.2bec38f46c1fdf84285f862c@linux-foundation.org> X-TM-AS-GCONF: 00 x-cbid: 17120708-0040-0000-0000-000004174DEA X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17120708-0041-0000-0000-000020BA4BD1 Message-Id: <20171207084153.GA3106@osiris> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-12-07_02:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1712070133 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Dec 06, 2017 at 04:43:50PM -0800, Andrew Morton wrote: > On Sat, 2 Dec 2017 14:27:39 +0100 Heiko Carstens wrote: > > > git commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext > > data") added a bounce buffer to avoid hardened usercopy > > checks. Copying to the bounce buffer was implemented with a simple > > memcpy() assuming that it is always valid to read from kernel memory > > iff the kern_addr_valid() check passed. > > > > A simple, but pointless, test case like "dd if=/proc/kcore > > of=/dev/null" now can easily crash the kernel, since the former > > execption handling on invalid kernel addresses now doesn't work > > anymore. > > > > Also adding a kern_addr_valid() implementation wouldn't help > > here. Most architectures simply return 1 here, while a couple > > implemented a page table walk to figure out if something is mapped at > > the address in question. > > With DEBUG_PAGEALLOC active mappings are established and removed all > > the time, so that relying on the result of kern_addr_valid() before > > executing the memcpy() also doesn't work. > > > > Therefore simply use probe_kernel_read() to copy to the bounce > > buffer. This also allows to simplify read_kcore(). > > > > At least on s390 this fixes the observed crashes and doesn't introduce > > warnings that were removed with df04abfd181a ("fs/proc/kcore.c: Add > > bounce buffer for ktext data"), even though the generic > > probe_kernel_read() implementation uses uaccess functions. > > > > While looking into this I'm also wondering if kern_addr_valid() could > > be completely removed...(?) > > > > Fixes: df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data") > > Fixes: f5509cc18daa ("mm: Hardened usercopy") > > It's a privileged operation, but oopsing root's kernel is still a bit > rude. So I'll add cc:stable. And let it bake until 4.16-rc1, since > the bug has been there for a year or more. Sound OK? Yes, that sounds ok to me. Thank you!