Re: [Linux-stable-mirror] [PATCH 4.4 07/40] arm64: ensure __dump_instr() checks addr_limit
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
Ben.
On Mon, Nov 13, 2017 at 07:05:12PM +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
I agree. In 4.4 dump_instr() doesn't do any checks, just set_fs(KERNEL_DS) and __get_user(). While commit c5cea06b was added to fix 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override"; merged in 4.6), it also makes sense on its own as a security improvement for 4.4.
Mark is currently on holiday but he'll follow up next week if any patches need back-porting.
On Tue, Nov 14, 2017 at 01:52:14PM +0000, Catalin Marinas wrote:
On Mon, Nov 13, 2017 at 07:05:12PM +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
I agree. In 4.4 dump_instr() doesn't do any checks, just set_fs(KERNEL_DS) and __get_user(). While commit c5cea06b was added to fix 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override"; merged in 4.6), it also makes sense on its own as a security improvement for 4.4.
Mark is currently on holiday but he'll follow up next week if any patches need back-porting.
I accidentally glanced at my gmail filter this morning; so I can reply today. ;)
I agree that we need both patches. On its own (in the absence of PAN/UAO), 57f4959bad0a154a wouldn't have any effect, but it is critical to ensure that we can dump kernel instructions when we intend to, with 7a7003b1da010d2b backported.
Backporting 57f4959bad0a154a as a prerequisite makes sense to me.
I hadn't realised you could list prerequisites in a stable Cc -- I'll try to do that in future.
Thanks, Mark.
On Tue, Nov 14, 2017 at 04:18:23PM +0000, Mark Rutland wrote:
On Tue, Nov 14, 2017 at 01:52:14PM +0000, Catalin Marinas wrote:
On Mon, Nov 13, 2017 at 07:05:12PM +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
I agree. In 4.4 dump_instr() doesn't do any checks, just set_fs(KERNEL_DS) and __get_user(). While commit c5cea06b was added to fix 57f4959bad0a154a ("arm64: kernel: Add support for User Access Override"; merged in 4.6), it also makes sense on its own as a security improvement for 4.4.
Mark is currently on holiday but he'll follow up next week if any patches need back-porting.
I accidentally glanced at my gmail filter this morning; so I can reply today. ;)
I agree that we need both patches. On its own (in the absence of PAN/UAO), 57f4959bad0a154a wouldn't have any effect, but it is critical to ensure that we can dump kernel instructions when we intend to, with 7a7003b1da010d2b backported.
Backporting 57f4959bad0a154a as a prerequisite makes sense to me.
But that is a "new feature", are you sure about this?
So, just apply that one patch and we are all ok? Nothing else?
confused,
greg k-h
On Sun, Nov 19, 2017 at 11:29:35AM +0100, Greg Kroah-Hartman wrote:
On Tue, Nov 14, 2017 at 04:18:23PM +0000, Mark Rutland wrote:
I agree that we need both patches. On its own (in the absence of PAN/UAO), 57f4959bad0a154a wouldn't have any effect, but it is critical to ensure that we can dump kernel instructions when we intend to, with 7a7003b1da010d2b backported.
Backporting 57f4959bad0a154a as a prerequisite makes sense to me.
But that is a "new feature", are you sure about this?
Sorry, I copied the wrong commit ID when replying. I meant to say that we should backport commit:
c5cea06be060f38e ("arm64: fix dump_instr when PAN and UAO are in use")
... which on its own does nothing, but will prevent 7a7003b1da010d2b from breaking kernel dumps.
We should *not* backport commit:
57f4959bad0a154a ("arm64: kernel: Add support for User Access Override")
So, just apply that one patch and we are all ok? Nothing else?
Just apply c5cea06be060f38e as a prerequisite for 7a7003b1da010d2b, and I think we're good. I'm not aware of anything else we need.
confused,
Sorry about that. Hopefully the above clarified things?
Thanks, Mark.
On Mon, Nov 20, 2017 at 11:26:20AM +0000, Mark Rutland wrote:
On Sun, Nov 19, 2017 at 11:29:35AM +0100, Greg Kroah-Hartman wrote:
On Tue, Nov 14, 2017 at 04:18:23PM +0000, Mark Rutland wrote:
I agree that we need both patches. On its own (in the absence of PAN/UAO), 57f4959bad0a154a wouldn't have any effect, but it is critical to ensure that we can dump kernel instructions when we intend to, with 7a7003b1da010d2b backported.
Backporting 57f4959bad0a154a as a prerequisite makes sense to me.
But that is a "new feature", are you sure about this?
Sorry, I copied the wrong commit ID when replying. I meant to say that we should backport commit:
c5cea06be060f38e ("arm64: fix dump_instr when PAN and UAO are in use")
... which on its own does nothing, but will prevent 7a7003b1da010d2b from breaking kernel dumps.
We should *not* backport commit:
57f4959bad0a154a ("arm64: kernel: Add support for User Access Override")
So, just apply that one patch and we are all ok? Nothing else?
Just apply c5cea06be060f38e as a prerequisite for 7a7003b1da010d2b, and I think we're good. I'm not aware of anything else we need.
confused,
Sorry about that. Hopefully the above clarified things?
Yes, it did, thanks, I think I've queued up the right patches now, if not, please let me know :)
greg k-h
On Mon, 2017-11-13 at 19:05 +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
Oops, now I see you already have that as patch #36.
Ben.
On Wed, 2017-11-15 at 13:28 +0000, Ben Hutchings wrote:
On Mon, 2017-11-13 at 19:05 +0000, Ben Hutchings wrote:
On Mon, 2017-11-06 at 10:44 +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Mark Rutland mark.rutland@arm.com
commit 7a7003b1da010d2b0d1dc8bf21c10f5c73b389f1 upstream.
It's possible for a user to deliberately trigger __dump_instr with a chosen kernel address.
Let's avoid problems resulting from this by using get_user() rather than __get_user(), ensuring that we don't erroneously access kernel memory.
Where we use __dump_instr() on kernel text, we already switch to KERNEL_DS, so this shouldn't adversely affect those cases.
Fixes: 60ffc30d5652810d ("arm64: Exception handling")
[...]
This seems harmless, but I don't think it will fix the bug in 4.4 unless you also cherry-pick:
commit c5cea06be060f38e5400d796e61cfc8c36e52924 Author: Mark Rutland mark.rutland@arm.com Date: Mon Jun 13 11:15:14 2016 +0100
arm64: fix dump_instr when PAN and UAO are in use
Oops, now I see you already have that as patch #36.
Only not, because I'm confusing arm and arm64.
Ben.
linux-stable-mirror@lists.linaro.org
-
Ben Hutchings -
Catalin Marinas -
Greg Kroah-Hartman -
Mark Rutland