|
Message-ID: <20161102204453.GA18842@remoulade> Date: Wed, 2 Nov 2016 20:44:54 +0000 From: Mark Rutland <mark.rutland@....com> To: kernel-hardening@...ts.openwall.com Cc: Vaishali Thakkar <vaishali.thakkar@...cle.com> Subject: Re: [RFC PATCH] lib: Harden csum_partial_copy_from_user Hi, On Wed, Nov 02, 2016 at 10:32:49PM +0530, Vaishali Thakkar wrote: > The routine csum_partial_copy_from_user is same as csum_partial_copy > but it copies from user space for the checksumming. In other respects > it is identical, and can be used to copy an arbitrarily large buffer > from userspace into the kernel. Conceptually this exposes a similar > attack surface like copy_from_user. So, to validate the given address > we should call check_object_size here. Thanks for looking at this! I agree that we should be trying lock down these homebrew/specialised copy_{to,from}_user routines. However... > @@ -158,6 +159,7 @@ csum_partial_copy_from_user(const void __user *src, void *dst, int len, > { > int missing; > > + check_object_size(dst, len, false); > missing = __copy_from_user(dst, src, len); ... here we're just calling into the architecture-specific __copy_from_user(), and I know that both arm64 and x86 have a check_object_size() call in their __copy_from_user() implementations. Is that missing on some architectures? I think we need to figure out where check_object_size() and other checks (e.g. kasan_check_size) are expected to live in the hierarchy of uaccess copy primitives (and/or if they should also live in {get,put)_user()). I had a plan to try to refactor the generic uaccess code so that we could put those checks in one place, but I put that on hold as Al Viro was doing some overlapping refactoring of all the uaccess primitives (and I got busy with some other work). Thanks, Mark.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.