Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <24451.1468045037@turing-police.cc.vt.edu>
Date: Sat, 09 Jul 2016 02:17:17 -0400
From: Valdis.Kletnieks@...edu
To: kernel-hardening@...ts.openwall.com
Cc: Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>,
        Jan Kara <jack@...e.cz>, Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>, Linux-MM <linux-mm@...ck.org>,
        sparclinux <sparclinux@...r.kernel.org>, linux-ia64@...r.kernel.org,
        Andrea Arcangeli <aarcange@...hat.com>,
        linux-arch <linux-arch@...r.kernel.org>,
        "x86\@kernel.org" <x86@...nel.org>,
        Russell King <linux@...linux.org.uk>, PaX Team <pageexec@...email.hu>,
        Borislav Petkov <bp@...e.de>, Mathias Krause <minipli@...glemail.com>,
        Fenghua Yu <fenghua.yu@...el.com>, Rik van Riel <riel@...hat.com>,
        David Rientjes <rientjes@...gle.com>, Tony Luck <tony.luck@...el.com>,
        Andy Lutomirski <luto@...nel.org>,
        Joonsoo Kim <iamjoonsoo.kim@....com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Laura Abbott <labbott@...oraproject.org>,
        Brad Spengler <spender@...ecurity.net>,
        Ard Biesheuvel <ard.biesheuvel@...aro.org>,
        LKML <linux-kernel@...r.kernel.org>, Pekka Enberg <penberg@...nel.org>,
        Case y Sc hauf ler <casey@...aufler-ca.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "linuxppc-dev\@lists.ozlabs.org" <linuxppc-dev@...ts.ozlabs.org>,
        "David S. Miller" <davem@...emloft.net>,
        "linux-arm-kernel\@lists.infradead.org" <linux-arm-kernel@...ts.infradead.org>
Subject: Re: Re: [PATCH 9/9] mm: SLUB hardened usercopy support

On Sat, 09 Jul 2016 15:58:20 +1000, Michael Ellerman said:

> I then get two hits, which may or may not be valid:
>
> [    2.309556] usercopy: kernel memory overwrite attempt detected to d000000003510028 (kernfs_node_cache) (64 bytes)
> [    2.309995] CPU: 7 PID: 2241 Comm: wait-for-root Not tainted 4.7.0-rc3-00099-g97872fc89d41 #64
> [    2.310480] Call Trace:
> [    2.310556] [c0000001f4773bf0] [c0000000009bdbe8] dump_stack+0xb0/0xf0 (unreliable)
> [    2.311016] [c0000001f4773c30] [c00000000029cf44] __check_object_size+0x74/0x320
> [    2.311472] [c0000001f4773cb0] [c00000000005d4d0] copy_from_user+0x60/0xd4
> [    2.311873] [c0000001f4773cf0] [c0000000008b38f4] __get_filter+0x74/0x160
> [    2.312230] [c0000001f4773d30] [c0000000008b408c] sk_attach_filter+0x2c/0xc0
> [    2.312596] [c0000001f4773d60] [c000000000871c34] sock_setsockopt+0x954/0xc00
> [    2.313021] [c0000001f4773dd0] [c00000000086ac44] SyS_setsockopt+0x134/0x150
> [    2.313380] [c0000001f4773e30] [c000000000009260] system_call+0x38/0x108

Yeah, 'ping' dies with a similar traceback going to rawv6_setsockopt(),
and 'trinity' dies a horrid death during initialization because it creates
some sctp sockets to fool around with.  The problem in all these cases is that
setsockopt uses copy_from_user() to pull in the option value, and the allocation
isn't tagged with USERCOPY to whitelist it.

Unfortunately, I haven't been able to track down where in net/ the memory is
allocated, nor is there any good hint in the grsecurity patch that I can find
where they do the tagging.

And the fact that so far, I'm only had ping and trinity killed in setsockopt()
hints that *most* setsockopt() calls must be going through a code path that
does allocate suitable memory, and these two have different paths.  I can't
believe they're the only two binaries that call setsockopt().....

Just saw your second mail, now I'm wondering why *my* laptop doesn't die a
horrid death when systemd starts up.  Mine is
systemd-230-3.gitea68351.fc25.x86_64 - maybe there's something
release-dependent going on?


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.