Thread (89 messages) 89 messages, 18 authors, 2017-05-13

Re: [kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode

From: Ingo Molnar <hidden>
Date: 2017-05-09 06:56:27
Also in: linux-arm-kernel, linux-s390, lkml 

* Kees Cook [off-list ref] wrote:
quoted
There's the option of using GCC plugins now that the infrastructure was 
upstreamed from grsecurity. It can be used as part of the regular build 
process and as long as the analysis is pretty simple it shouldn't hurt compile 
time much.
Well, and that the situation may arise due to memory corruption, not from 
poorly-matched set_fs() calls, which static analysis won't help solve. We need 
to catch this bad kernel state because it is a very bad state to run in.
If memory corruption corrupted the task state into having addr_limit set to 
KERNEL_DS then there's already a fair chance that it's game over: it could also 
have set *uid to 0, or changed a sensitive PF_ flag, or a number of other 
things...

Furthermore, think about it: there's literally an infinite amount of corrupted 
task states that could be a security problem and that could be checked after every 
system call. Do we want to check every one of them?

Thanks,

	Ingo
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help