Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support

From: Kees Cook
Date: Sat Jul 09 2016 - 13:07:45 EST

Next message: Mario Kleiner: "Re: [PATCH 2/2] drm/vc4: Squash commit for Mario's precise vblank timestamping."
Previous message: arvind Yadav: "Re: [v1] ErrHandling:Make IS_ERR_VALUE_U32 as generic API to avoid IS_ERR_VALUE abuses."
In reply to: Valdis . Kletnieks: "Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support"
Next in thread: Joonsoo Kim: "Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 8, 2016 at 11:17 PM, <Valdis.Kletnieks@xxxxxx> wrote:
> Yeah, 'ping' dies with a similar traceback going to rawv6_setsockopt(),
> and 'trinity' dies a horrid death during initialization because it creates
> some sctp sockets to fool around with. The problem in all these cases is that
> setsockopt uses copy_from_user() to pull in the option value, and the allocation
> isn't tagged with USERCOPY to whitelist it.

Just a note to clear up confusion: this series doesn't include the
whitelist protection, so this appears to be either bugs in the slub
checker or bugs in the code using the cfq_io_cq cache. I suspect the
former. :)

-Kees

--
Kees Cook
Chrome OS & Brillo Security

Next message: Mario Kleiner: "Re: [PATCH 2/2] drm/vc4: Squash commit for Mario's precise vblank timestamping."
Previous message: arvind Yadav: "Re: [v1] ErrHandling:Make IS_ERR_VALUE_U32 as generic API to avoid IS_ERR_VALUE abuses."
In reply to: Valdis . Kletnieks: "Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support"
Next in thread: Joonsoo Kim: "Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]