Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 28 Aug 2018 02:51:10 +0200
From: Jann Horn <jannh@...gle.com>
To: Kees Cook <keescook@...omium.org>, Thomas Gleixner <tglx@...utronix.de>, 
	Ingo Molnar <mingo@...hat.com>, "the arch/x86 maintainers" <x86@...nel.org>, Andy Lutomirski <luto@...nel.org>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, tony.luck@...el.com, 
	Borislav Petkov <bp@...en8.de>
Cc: kernel list <linux-kernel@...r.kernel.org>, Dmitry Vyukov <dvyukov@...gle.com>, 
	linux-edac@...r.kernel.org
Subject: Re: [PATCH v2 6/7] x86: BUG() when uaccess helpers fault on kernel addresses

On Mon, Aug 27, 2018 at 8:58 PM Jann Horn <jannh@...gle.com> wrote:
>
> There have been multiple kernel vulnerabilities that permitted userspace to
> pass completely unchecked pointers through to userspace accessors:
>
>  - the waitid() bug - commit 96ca579a1ecc ("waitid(): Add missing
>    access_ok() checks")
>  - the sg/bsg read/write APIs
>  - the infiniband read/write APIs
>
> These don't happen all that often, but when they do happen, it is hard to
> test for them properly; and it is probably also hard to discover them with
> fuzzing. Even when an unmapped kernel address is supplied to such buggy
> code, it just returns -EFAULT instead of doing a proper BUG() or at least
> WARN().
>
> This patch attempts to make such misbehaving code a bit more visible by
> refusing to do a fixup in the pagefault handler code when a userspace
> accessor causes #PF on a kernel address and the current context isn't
> whitelisted.

Kees noticed that when you have vmapped stacks on (I was testing with
KASAN, so I couldn't enable vmapped stacks), exact_copy_from_user() in
copy_mount_options() is incompatible with this patch when used on
kernel pointers. do_mount_root() and devtmpfsd() call kys_mount() with
kernel pointers. So I'll have to either add that to the whitelist
and/or refactor the mount options copy logic first (so that it uses
strncpy_from_user() as long as the data argument isn't binary data).

I've wanted to fiddle with that code anyway - silent truncation at
0xfff bytes isn't very robust, especially when suid binaries call
sys_mount() with a partly user-controlled options string...

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.