Date: Tue, 7 Aug 2018 07:02:10 -0700 From: Andy Lutomirski <luto@...capital.net> To: Dmitry Vyukov <dvyukov@...gle.com> Cc: Jann Horn <jannh@...gle.com>, Kees Cook <keescook@...omium.org>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "H. Peter Anvin" <hpa@...or.com>, the arch/x86 maintainers <x86@...nel.org>, kernel-hardening@...ts.openwall.com, LKML <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...nel.org> Subject: Re: [RFC PATCH 1/2] x86: WARN() when uaccess helpers fault on kernel addresses > On Aug 7, 2018, at 4:04 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote: > >> On Tue, Aug 7, 2018 at 3:22 AM, Jann Horn <jannh@...gle.com> wrote: >> There have been multiple kernel vulnerabilities that permitted userspace to >> pass completely unchecked pointers through to userspace accessors: >> >> - the waitid() bug - commit 96ca579a1ecc ("waitid(): Add missing >> access_ok() checks") >> - the sg/bsg read/write APIs >> - the infiniband read/write APIs >> >> These don't happen all that often, but when they do happen, it is hard to >> test for them properly; and it is probably also hard to discover them with >> fuzzing. Even when an unmapped kernel address is supplied to such buggy >> code, it just returns -EFAULT instead of doing a proper BUG() or at least >> WARN(). >> >> This patch attempts to make such misbehaving code a bit more visible by >> WARN()ing in the pagefault handler code when a userspace accessor causes >> #PF on a kernel address and the current context isn't whitelisted. > > This is not triggerable unless there is a kernel bug, right? I mean > this won't be a DoS vector? And any case is something to report to > kernel developers? Yes. I expect it to help fuzzers, since it will make a uaccess at a bad address much more likely to oops. My old series found one bug when the automated fuzzers fuzzed it. That bug is fixed now.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ