|
Date: Tue, 18 Oct 2016 13:49:28 -0700 From: Kees Cook <keescook@...omium.org> To: Mark Rutland <mark.rutland@....com> Cc: "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, LKML <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: [PATCH] lib: harden strncpy_from_user On Mon, Oct 17, 2016 at 6:04 AM, Mark Rutland <mark.rutland@....com> wrote: > On Fri, Aug 26, 2016 at 02:57:58PM -0400, Kees Cook wrote: >> On Fri, Aug 26, 2016 at 10:31 AM, Mark Rutland <mark.rutland@....com> wrote: >> > The strncpy_from_user() accessor is effectively a copy_from_user() >> > specialised to copy strings, terminating early at a NUL byte if >> > possible. In other respects it is identical, and can be used to copy an >> > arbitrarily large buffer from userspace into the kernel. Conceptually, >> > it exposes a similar attack surface. >> > >> > As with copy_from_user(), we check the destination range when the kernel >> > is built with KASAN, but unlike copy_from_user() we do not check the >> > destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() >> > calls get_user() in a loop, we must call check_object_size() explicitly. >> > >> > This patch adds this instrumentation to strncpy_from_user(), per the >> > same rationale as with the regular copy_from_user(). In the absence of >> > hardened usercopy this will have no impact as the instrumentation >> > expands to an empty static inline function. > > [...] > >> Ah, yes, good catch! (And to repeat what you mentioned to me in >> passing in the hall: there appear to be other users of get_user() in a >> loop in other places in the kernel that will likely need some >> attention too.) > > I was reminded of this as it just hit mainline; is it worth dropping a > TODO on the KSPP wiki? I suspect I won't have the time to delve much > further into this in the near term, and it might be a good intro task > for someone. Ah, right. I've updated the kernserc TODO list with this (recently the csum_* routines were pointed out), and added a bunch more TODOs that were in my notes. -Kees -- Kees Cook Nexus Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.