Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAGXu5jL6PeQmmdxh5h--fgrMK8DW_XZYpNfDOvvv_o9E3-Kxdw@mail.gmail.com>
Date: Tue, 9 May 2017 16:31:00 -0700
From: Kees Cook <keescook@...omium.org>
To: Andy Lutomirski <luto@...capital.net>
Cc: Christoph Hellwig <hch@...radead.org>, Andy Lutomirski <luto@...nel.org>, 
	Mark Rutland <mark.rutland@....com>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, Greg KH <greg@...ah.com>, 
	Heiko Carstens <heiko.carstens@...ibm.com>, LKML <linux-kernel@...r.kernel.org>, 
	David Howells <dhowells@...hat.com>, Dave Hansen <dave.hansen@...el.com>, 
	"H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...nel.org>, 
	Pavel Tikhomirov <ptikhomirov@...tuozzo.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, 
	linux-s390 <linux-s390@...r.kernel.org>, "the arch/x86 maintainers" <x86@...nel.org>, 
	Russell King <linux@...linux.org.uk>, Will Deacon <will.deacon@....com>, 
	Christian Borntraeger <borntraeger@...ibm.com>, René Nyffenegger <mail@...enyffenegger.ch>, 
	Catalin Marinas <catalin.marinas@....com>, "Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>, 
	Rik van Riel <riel@...hat.com>, Arnd Bergmann <arnd@...db.de>, Brian Gerst <brgerst@...il.com>, 
	Borislav Petkov <bp@...en8.de>, Josh Poimboeuf <jpoimboe@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, 
	Ingo Molnar <mingo@...hat.com>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	Linux API <linux-api@...r.kernel.org>, Oleg Nesterov <oleg@...hat.com>, 
	James Morse <james.morse@....com>, "Eric W . Biederman" <ebiederm@...ssion.com>, 
	Martin Schwidefsky <schwidefsky@...ibm.com>, Paolo Bonzini <pbonzini@...hat.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Linus Torvalds <torvalds@...ux-foundation.org>, 
	Thomas Garnier <thgarnie@...gle.com>, 
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>
Subject: Re: Re: [PATCH v9 1/4] syscalls: Verify address
 limit before returning to user-mode

On Tue, May 9, 2017 at 3:52 PM, Andy Lutomirski <luto@...capital.net> wrote:
> On Tue, May 9, 2017 at 9:50 AM, Kees Cook <keescook@...omium.org> wrote:
>> On Tue, May 9, 2017 at 9:03 AM, Christoph Hellwig <hch@...radead.org> wrote:
>>> On Tue, May 09, 2017 at 06:02:50AM -0700, Christoph Hellwig wrote:
>>>> On Tue, May 09, 2017 at 06:00:01AM -0700, Andy Lutomirski wrote:
>>>> > fs/splice.c has some, ahem, interesting uses that have been the source
>>>> > of nasty exploits in the past.  Converting them to use iov_iter
>>>> > properly would be really, really nice.  Christoph, I don't suppose
>>>> > you'd like to do that?
>>>>
>>>> I can take care of all the fs code including this one.
>>>
>>> I spent the afternoon hacking up where I'd like this to head.  It's
>>> completely untested as of now:
>>>
>>>         http://git.infradead.org/users/hch/vfs.git/shortlog/refs/heads/setfs-elimination
>>
>> Ooooh yes! Nice work.
>>
>> I love this:
>> http://git.infradead.org/users/hch/vfs.git/commitdiff/51e83f50f824ca23f5584c172138e6b7c2ff786d
>> but I wonder what it'll cause out-of-tree code to do. I mean, I'd
>> rather nothing out-of-tree be calling these, but I'd hate 3rd party
>> hacks even more.
>>
>> http://git.infradead.org/users/hch/vfs.git/commitdiff/018e0e9030777121fe87e89d43066691e7366587
>> This accidentally(?) removes the kernel-doc comments.
>>
>> http://git.infradead.org/users/hch/vfs.git/commitdiff/78b62c730254fc39fa888cdbdca08fde6e09a798
>> Could this be made defensive? (Return 0 if ret wraps, for example?) I
>> see what the comment says, but not everyone will read that. :(
>>
>> http://git.infradead.org/users/hch/vfs.git/commitdiff/a106276ca0294be054bc89ce97219933fe543df1
>> Perhaps unconditionally set USER_DS on exit instead of retaining
>> whatever was there?
>
> I don't like silent fixups.  If we want to do this, we should BUG or
> at least WARN, not just change the addr limit.  But I'm also not
> convinced it's indicative of an actual bug here.

Nothing should enter that function with KERNEL_DS set, right?

BUG_ON(get_fs() != USER_DS);
set_fs(KERNEL_DS);
...
set_fs(USER_DS);

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.