Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 09 Jul 2016 02:17:17 -0400
From: Valdis.Kletnieks@...edu
To: kernel-hardening@...ts.openwall.com
Cc: Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>,
        Jan Kara <jack@...e.cz>, Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>, Linux-MM <linux-mm@...ck.org>,
        sparclinux <sparclinux@...r.kernel.org>, linux-ia64@...r.kernel.org,
        Andrea Arcangeli <aarcange@...hat.com>,
        linux-arch <linux-arch@...r.kernel.org>,
        "x86\@kernel.org" <x86@...nel.org>,
        Russell King <linux@...linux.org.uk>, PaX Team <pageexec@...email.hu>,
        Borislav Petkov <bp@...e.de>, Mathias Krause <minipli@...glemail.com>,
        Fenghua Yu <fenghua.yu@...el.com>, Rik van Riel <riel@...hat.com>,
        David Rientjes <rientjes@...gle.com>, Tony Luck <tony.luck@...el.com>,
        Andy Lutomirski <luto@...nel.org>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Laura Abbott <labbott@...oraproject.org>,
        Brad Spengler <spender@...ecurity.net>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        LKML <linux-kernel@...r.kernel.org>, Pekka Enberg <penberg@...nel.org>,
        Case y Sc hauf ler <casey@...aufler-ca.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "linuxppc-dev\@lists.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
        "David S. Miller" <davem@...emloft.net>,
        "linux-arm-kernel\@lists.infradead.org" <linux-arm-kernel@...ts.infradead.org>
Subject: Re: Re: [PATCH 9/9] mm: SLUB hardened usercopy support

On Sat, 09 Jul 2016 15:58:20 +1000, Michael Ellerman said:

> I then get two hits, which may or may not be valid:
>
> [    2.309556] usercopy: kernel memory overwrite attempt detected to d000000003510028 (kernfs_node_cache) (64 bytes)
> [    2.309995] CPU: 7 PID: 2241 Comm: wait-for-root Not tainted 4.7.0-rc3-00099-g97872fc89d41 #64
> [    2.310480] Call Trace:
> [    2.310556] [c0000001f4773bf0] [c0000000009bdbe8] dump_stack+0xb0/0xf0 (unreliable)
> [    2.311016] [c0000001f4773c30] [c00000000029cf44] __check_object_size+0x74/0x320
> [    2.311472] [c0000001f4773cb0] [c00000000005d4d0] copy_from_user+0x60/0xd4
> [    2.311873] [c0000001f4773cf0] [c0000000008b38f4] __get_filter+0x74/0x160
> [    2.312230] [c0000001f4773d30] [c0000000008b408c] sk_attach_filter+0x2c/0xc0
> [    2.312596] [c0000001f4773d60] [c000000000871c34] sock_setsockopt+0x954/0xc00
> [    2.313021] [c0000001f4773dd0] [c00000000086ac44] SyS_setsockopt+0x134/0x150
> [    2.313380] [c0000001f4773e30] [c000000000009260] system_call+0x38/0x108

Yeah, 'ping' dies with a similar traceback going to rawv6_setsockopt(),
and 'trinity' dies a horrid death during initialization because it creates
some sctp sockets to fool around with.  The problem in all these cases is that
setsockopt uses copy_from_user() to pull in the option value, and the allocation
isn't tagged with USERCOPY to whitelist it.

Unfortunately, I haven't been able to track down where in net/ the memory is
allocated, nor is there any good hint in the grsecurity patch that I can find
where they do the tagging.

And the fact that so far, I'm only had ping and trinity killed in setsockopt()
hints that *most* setsockopt() calls must be going through a code path that
does allocate suitable memory, and these two have different paths.  I can't
believe they're the only two binaries that call setsockopt().....

Just saw your second mail, now I'm wondering why *my* laptop doesn't die a
horrid death when systemd starts up.  Mine is
systemd-230-3.gitea68351.fc25.x86_64 - maybe there's something
release-dependent going on?


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.