[kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode
From: luto@amacapital.net (Andy Lutomirski)
Date: 2017-05-09 22:53:00
Also in: linux-api, linux-s390, lkml
On Tue, May 9, 2017 at 9:50 AM, Kees Cook [off-list ref] wrote:
> On Tue, May 9, 2017 at 9:03 AM, Christoph Hellwig [off-list ref] wrote:
>> On Tue, May 09, 2017 at 06:02:50AM -0700, Christoph Hellwig wrote:
>>> On Tue, May 09, 2017 at 06:00:01AM -0700, Andy Lutomirski wrote:
>>>> fs/splice.c has some, ahem, interesting uses that have been the source of nasty exploits in the past. Converting them to use iov_iter properly would be really, really nice. Christoph, I don't suppose you'd like to do that?
>>>
>>> I can take care of all the fs code including this one.
>>
>> I spent the afternoon hacking up where I'd like this to head. It's completely untested as of now:
>>
>> http://git.infradead.org/users/hch/vfs.git/shortlog/refs/heads/setfs-elimination
>
> Ooooh yes! Nice work. I love this:
>
> http://git.infradead.org/users/hch/vfs.git/commitdiff/51e83f50f824ca23f5584c172138e6b7c2ff786d
>
> but I wonder what it'll cause out-of-tree code to do. I mean, I'd rather nothing out-of-tree be calling these, but I'd hate 3rd party hacks even more.
>
> http://git.infradead.org/users/hch/vfs.git/commitdiff/018e0e9030777121fe87e89d43066691e7366587
>
> This accidentally(?) removes the kernel-doc comments.
>
> http://git.infradead.org/users/hch/vfs.git/commitdiff/78b62c730254fc39fa888cdbdca08fde6e09a798
>
> Could this be made defensive? (Return 0 if ret wraps, for example?) I see what the comment says, but not everyone will read that. :(
>
> http://git.infradead.org/users/hch/vfs.git/commitdiff/a106276ca0294be054bc89ce97219933fe543df1
>
> Perhaps unconditionally set USER_DS on exit instead of retaining whatever was there?

I don't like silent fixups. If we want to do this, we should BUG or at least WARN, not just change the addr limit. But I'm also not convinced it's indicative of an actual bug here.

--Andy
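Added example, not code from the thread or from the patch under discussion: a userspace C model of the exit-path address-limit check. It shows a helper that leaks KERNEL_DS through an early return, the check that catches it before "returning to user mode", and the difference between warning (the behaviour Andy argues for) and silently resetting to USER_DS (the fixup Kees floated). The set_fs/get_fs/USER_DS/KERNEL_DS names mirror the kernel's, but the values, the global state and the addr_limit_user_check() function are simplified stand-ins assumed for this model.

```c
/* Userspace model (added example) of the addr_limit check discussed above.
 * The segment values and the check function are constructed stand-ins,
 * not the kernel's real implementation. */
#include <stdbool.h>
#include <stdio.h>

typedef unsigned long mm_segment_t;
#define USER_DS   ((mm_segment_t)0x00007ffffffff000UL)  /* constructed value */
#define KERNEL_DS ((mm_segment_t)~0UL)                   /* constructed value */

static mm_segment_t addr_limit = USER_DS;  /* stand-in for current->addr_limit */
static unsigned warnings;                  /* how often the exit check fired */

static void set_fs(mm_segment_t fs) { addr_limit = fs; }
static mm_segment_t get_fs(void) { return addr_limit; }

/* A helper that widens the limit for a kernel-pointer access and restores it. */
static void correct_helper(bool unused) {
    (void)unused;
    mm_segment_t old = get_fs();
    set_fs(KERNEL_DS);
    /* ... access to a kernel buffer would happen here ... */
    set_fs(old);
}

/* The buggy variant: an error path returns without restoring the limit. */
static void buggy_helper(bool early_error) {
    mm_segment_t old = get_fs();
    set_fs(KERNEL_DS);
    if (early_error)
        return;            /* BUG: KERNEL_DS stays in force after return */
    set_fs(old);
}

/* Exit-path check. Returns true if the limit was wrong. 'fixup' selects the
 * silent reset to USER_DS; with fixup=false the bad state is only reported,
 * which is the loud-failure policy Andy prefers (WARN, or BUG in the kernel). */
static bool addr_limit_user_check(bool fixup) {
    if (get_fs() == USER_DS)
        return false;
    warnings++;
    fprintf(stderr, "WARN: returning to user mode with addr_limit=%#lx\n", get_fs());
    if (fixup)
        set_fs(USER_DS);
    return true;
}

/* Simulate one syscall: run the handler, then check before "returning". */
static bool run_syscall(void (*handler)(bool), bool arg, bool fixup) {
    set_fs(USER_DS);
    handler(arg);
    return addr_limit_user_check(fixup);
}
```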