Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20170512225755.GU390@ZenIV.linux.org.uk>
Date: Fri, 12 May 2017 23:57:55 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Rik van Riel <riel@...hat.com>
Cc: Kees Cook <keescook@...omium.org>,
	Russell King - ARM Linux <linux@...linux.org.uk>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Mark Rutland <mark.rutland@....com>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Greg KH <greg@...ah.com>,
	Heiko Carstens <heiko.carstens@...ibm.com>,
	LKML <linux-kernel@...r.kernel.org>,
	David Howells <dhowells@...hat.com>,
	Dave Hansen <dave.hansen@...el.com>,
	"H . Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...nel.org>,
	Pavel Tikhomirov <ptikhomirov@...tuozzo.com>,
	linux-s390 <linux-s390@...r.kernel.org>,
	the arch/x86 maintainers <x86@...nel.org>,
	Will Deacon <will.deacon@....com>,
	Christian Borntraeger <borntraeger@...ibm.com>,
	René Nyffenegger <mail@...enyffenegger.ch>,
	Catalin Marinas <catalin.marinas@....com>,
	"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Arnd Bergmann <arnd@...db.de>, Brian Gerst <brgerst@...il.com>,
	Borislav Petkov <bp@...en8.de>, Andy Lutomirski <luto@...nel.org>,
	Josh Poimboeuf <jpoimboe@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>,
	Linux API <linux-api@...r.kernel.org>,
	Oleg Nesterov <oleg@...hat.com>,
	Daniel Micay <danielmicay@...il.com>,
	James Morse <james.morse@....com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Martin Schwidefsky <schwidefsky@...ibm.com>,
	Paolo Bonzini <pbonzini@...hat.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Thomas Garnier <thgarnie@...gle.com>,
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>
Subject: Re: Re: [PATCH v9 1/4] syscalls: Verify address
 limit before returning to user-mode

On Fri, May 12, 2017 at 05:47:55PM -0400, Rik van Riel wrote:

> > Seriously, look at these beasts.  Overwriting ->addr_limit is nowhere
> > near
> > the top threat.  If attacker can overwrite thread_info, you have
> > lost.
> 
> That is why THREAD_INFO_IN_TASK exists. It moves
> the struct thread_info to a location away from the
> stack, which means a stack overflow will not overwrite
> the thread_info.

... in which case such attacks on ->addr_limit also become a non-issue.

AFAICS, we are mixing several unrelated issues here:
	* amount of places where set_fs() is called.  Sure, reducing it
is a good idea and we want to move to primitives like kernel_write() et.al.
Fewer users => lower odds of screwing it up.
	* making sure that remaining callers are properly paired.  Ditto.
	* switching to ->read_iter()/->write_iter() where it makes sense.
Again, no problem with that.
	* providing sane environment for places like perf/oprofile.  Again,
a good idea, and set_fs(USER_DS) is only a part of what's needed there.
	* switching _everything_ to ->read_iter()/->write_iter().  Flat-out
insane and AFAICS nobody is signing up for that.
	* getting rid of set_fs() entirely.  I'm afraid that it's not feasible
without the previous one and frankly, I don't see much point.
	* sanity-checking on return to userland.  Maybe useful, maybe not.
	* taking thread_info out of the way of stack overflows.  Reasonable,
but has very little to do with the rest of that.
	* protecting against Lovecraftian horrors slithering in from the outer
space only to commit unspeakable acts against ->addr_limit and ignoring much
tastier targets next to it, but then what do you expect from degenerate
spawn of Great Old Ones - sanity?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.