Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 5 Jul 2014 23:35:37 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-4699: Linux ptrace bug

Andy, all -

On Sat, Jul 05, 2014 at 10:25:47PM +0400, Solar Designer wrote:
> "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
[...]
> "CVE-2014-4699 Kernel: x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX"

BTW, I'm not convinced it's such a good idea to allow setting RIP to
exactly TASK_SIZE_MAX just because user code could run to that address
(this was Andy's rationale).  Imagine that TASK_SIZE_MAX is ever set
such that it's the very first non-canonical address.  If user code
simply runs to that address, it gets a user mode fault.  However, if the
kernel tries to set user RIP to that address via SYSRET, it'll get #GP
while still in kernel mode - exactly the problem we're trying to fix.

So when fixing the problem in this way, or when including this as a
hardening measure along with forcing the IRET path as well, I'd prefer
to allow only "< TASK_SIZE_MAX", not "<= TASK_SIZE_MAX".

I think currently TASK_SIZE_MAX is below the first non-canonical
address, so we're fine, but there's little reason to take the risk of
possible (valid) future changes to TASK_SIZE_MAX.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.