Re: [PATCH v4 1/4] syscalls: Restore address limit after a syscall

From: Andy Lutomirski
Date: Wed Mar 22 2017 - 16:45:42 EST

Next message: Ming Lin: "Re: [Nbd] [RFC PATCH 1/1] nbd: replace kill_bdev() with __invalidate_device()"
Previous message: Greg KH: "Re: [RESEND PATCH 00/11] staging:speakup: Multiple Checkpatch issues."
In reply to: Thomas Garnier: "[PATCH v4 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state"
Next in thread: Thomas Garnier: "Re: [PATCH v4 1/4] syscalls: Restore address limit after a syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Mar 22, 2017 at 1:38 PM, Thomas Garnier <thgarnie@xxxxxxxxxx> wrote:
> This patch ensures a syscall does not return to user-mode with a kernel
> address limit. If that happened, a process can corrupt kernel-mode
> memory and elevate privileges.
>
> For example, it would mitigation this bug:
>
> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>
> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
> state will result in a BUG_ON.

I'm a bit confused about this choice of configurability. I can see
two sensible choices:

1. Enable this hardening feature: BUG if there's an exploitable bug.

2. Don't enable it at all.

While it's possible that silently papering over the bug is slightly
faster than BUGging, it will allow bugs to continue to exist
undetected.

--Andy

Next message: Ming Lin: "Re: [Nbd] [RFC PATCH 1/1] nbd: replace kill_bdev() with __invalidate_device()"
Previous message: Greg KH: "Re: [RESEND PATCH 00/11] staging:speakup: Multiple Checkpatch issues."
In reply to: Thomas Garnier: "[PATCH v4 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state"
Next in thread: Thomas Garnier: "Re: [PATCH v4 1/4] syscalls: Restore address limit after a syscall"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]