Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jJBhNRF50q562THamJY-PKm9RpFW+id9GCaRzwezQ_xZA@mail.gmail.com>
Date: Tue, 20 Sep 2016 16:01:43 -0700
From: Kees Cook <keescook@...omium.org>
To: Laura Abbott <labbott@...hat.com>
Cc: Linux-MM <linux-mm@...ck.org>, LKML <linux-kernel@...r.kernel.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH] mm: usercopy: Check for module addresses

On Tue, Sep 20, 2016 at 8:56 AM, Laura Abbott <labbott@...hat.com> wrote:
> While running a compile on arm64, I hit a memory exposure
>
> usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:75!
> Internal error: Oops - BUG: 0 [#1] SMP
> Modules linked in: ip6t_rpfilter ip6t_REJECT
> nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
> llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
> nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
> iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
> nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
> ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
> xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
> mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
> auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
> sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
> CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
> Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
> task: fffffe03df944c00 task.stack: fffffe00d128c000
> PC is at __check_object_size+0x70/0x3f0
> LR is at __check_object_size+0x70/0x3f0
> ...
> [<fffffc00082b4280>] __check_object_size+0x70/0x3f0
> [<fffffc00082cdc30>] filldir64+0x158/0x1a0
> [<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
> [<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
> [<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
> [<fffffc00082cde58>] SyS_getdents64+0x88/0x120
> [<fffffc0008082c70>] el0_svc_naked+0x24/0x28
>
> fffffc0000f3b1a8 is a module address. Modules may have compiled in
> strings which could get copied to userspace. In this instance, it
> looks like "." which matches with a size of 1 byte. Extend the
> is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
> all possible cases.
>
> Signed-off-by: Laura Abbott <labbott@...hat.com>
> ---
> Longer term, it would be good to expand the check for to regions like
> regular kernel memory.
> ---
>  mm/usercopy.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 8ebae91..d8b5bd3 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -145,8 +145,11 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
>          * Some architectures (arm64) return true for virt_addr_valid() on
>          * vmalloced addresses. Work around this by checking for vmalloc
>          * first.
> +        *
> +        * We also need to check for module addresses explicitly since we
> +        * may copy static data from modules to userspace
>          */
> -       if (is_vmalloc_addr(ptr))
> +       if (is_vmalloc_or_module_addr(ptr))
>                 return NULL;

I still don't understand why this happens on arm64 and not x86.
(Really what I don't understand is what virt_addr_valid() is actually
checking -- they seem to be checking very different things between x86
and arm64.)

Regardless, I'll get this pushed to Linus and try to make the -rc8 cut.

Thanks!

-Kees

>
>         if (!virt_addr_valid(ptr))
> --
> 2.7.4
>



-- 
Kees Cook
Nexus Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.