|
Message-ID: <CAGXu5jJ=mbbKJWR7Vrce9cNm2sjRUUzB0SvhZRC8NE+7rfCg3Q@mail.gmail.com> Date: Fri, 12 May 2017 14:50:19 -0700 From: Kees Cook <keescook@...omium.org> To: Al Viro <viro@...iv.linux.org.uk> Cc: Russell King - ARM Linux <linux@...linux.org.uk>, Linus Torvalds <torvalds@...ux-foundation.org>, Mark Rutland <mark.rutland@....com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Greg KH <greg@...ah.com>, Heiko Carstens <heiko.carstens@...ibm.com>, LKML <linux-kernel@...r.kernel.org>, David Howells <dhowells@...hat.com>, Dave Hansen <dave.hansen@...el.com>, "H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...nel.org>, Pavel Tikhomirov <ptikhomirov@...tuozzo.com>, linux-s390 <linux-s390@...r.kernel.org>, "the arch/x86 maintainers" <x86@...nel.org>, Will Deacon <will.deacon@....com>, Christian Borntraeger <borntraeger@...ibm.com>, René Nyffenegger <mail@...enyffenegger.ch>, Catalin Marinas <catalin.marinas@....com>, "Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>, Rik van Riel <riel@...hat.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Arnd Bergmann <arnd@...db.de>, Brian Gerst <brgerst@...il.com>, Borislav Petkov <bp@...en8.de>, Andy Lutomirski <luto@...nel.org>, Josh Poimboeuf <jpoimboe@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, Linux API <linux-api@...r.kernel.org>, Oleg Nesterov <oleg@...hat.com>, Daniel Micay <danielmicay@...il.com>, James Morse <james.morse@....com>, "Eric W . Biederman" <ebiederm@...ssion.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Paolo Bonzini <pbonzini@...hat.com>, Andrew Morton <akpm@...ux-foundation.org>, Thomas Garnier <thgarnie@...gle.com>, "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com> Subject: Re: Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode On Fri, May 12, 2017 at 2:41 PM, Al Viro <viro@...iv.linux.org.uk> wrote: > On Fri, May 12, 2017 at 02:17:19PM -0700, Kees Cook wrote: > >> Two things are at risk from stack exhaustion: thread_info (mainly >> addr_limit) when on the stack (fixed by THREAD_INFO_IN_TASK), and > > Really? Let's take a look at arm, for example: > > struct thread_info { > unsigned long flags; /* low level flags */ > int preempt_count; /* 0 => preemptable, <0 => bug */ > mm_segment_t addr_limit; /* address limit */ > struct task_struct *task; /* main task structure */ > > and current() is defined as current_thread_info()->task. > > Seriously, look at these beasts. Overwriting ->addr_limit is nowhere near > the top threat. If attacker can overwrite thread_info, you have lost. I don't disagree, but the type of attack is different. If the attacker overwrites task_struct pointer, then they need to have built an false one, and that may be made difficult by PAN, or need to know more about kernel memory layout (rather than only stack depth), etc. Attacking addr_limit makes it very very easy to upgrade attack capabilities. I'm not say thread_info shouldn't be moved off the stack. -Kees -- Kees Cook Pixel Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.