    mm: Tighten x86 /dev/mem with zeroing reads · 3cbd86d2
    Kees Cook authored
    commit a4866aa8 upstream.
    
    Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
    disallowed. However, on x86, the first 1MB was always allowed for BIOS
    and similar things, regardless of it actually being System RAM. It was
    possible for heap to end up getting allocated in low 1MB RAM, and then
    read by things like x86info or dd, which would trip hardened usercopy:
    
    usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
    
    This changes the x86 exception for the low 1MB by reading back zeros for
    System RAM areas instead of blindly allowing them. More work is needed to
    extend this to mmap, but currently mmap doesn't go through usercopy, so
    hardened usercopy won't Oops the kernel.
    Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
    Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
init.c 19.1 KB
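The access rule the commit message describes, as a user-space model added here for illustration; it is not the kernel patch or code from init.c. The names (`policy_before`, `policy_after`, `read_page`), the three-way verdict and the memory map are assumptions, and other checks the kernel applies to /dev/mem are left out.

```c
#include <stddef.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096UL
#define LOW_1MB_PAGES   256UL            /* 1 MiB / 4 KiB pages */

enum verdict { DENY, ALLOW, ZERO };

/* Constructed memory map: page-frame ranges [start, end) that are System RAM. */
struct range { unsigned long start, end; };
static const struct range system_ram[] = {
    { 0x000, 0x09f },    /* conventional memory below the BIOS/ROM hole */
    { 0x100, 0x8000 },   /* RAM above 1 MiB */
};

static int is_system_ram(unsigned long pfn)
{
    for (size_t i = 0; i < sizeof system_ram / sizeof system_ram[0]; i++)
        if (pfn >= system_ram[i].start && pfn < system_ram[i].end)
            return 1;
    return 0;
}

/* Old x86 exception: every page in the low 1MB is readable, RAM or not. */
enum verdict policy_before(unsigned long pfn)
{
    if (pfn < LOW_1MB_PAGES)
        return ALLOW;
    return is_system_ram(pfn) ? DENY : ALLOW;
}

/* Tightened rule: System RAM in the low 1MB reads back as zeros;
 * System RAM elsewhere stays refused; non-RAM (BIOS, ROM) stays readable. */
enum verdict policy_after(unsigned long pfn)
{
    if (is_system_ram(pfn))
        return pfn < LOW_1MB_PAGES ? ZERO : DENY;
    return ALLOW;
}

/* Model of a one-page read: returns bytes delivered, 0 when refused. */
size_t read_page(enum verdict v, const unsigned char *src, unsigned char *dst)
{
    if (v == DENY)
        return 0;
    if (v == ZERO)
        memset(dst, 0, MODEL_PAGE_SIZE);   /* caller never sees RAM contents */
    else
        memcpy(dst, src, MODEL_PAGE_SIZE);
    return MODEL_PAGE_SIZE;
}
```

Page frame 0x90 in this model is physical address 0x90000, which matches the address in the usercopy report if the usual x86-64 direct-map base is assumed: before the change it is copied out verbatim, after it the reader gets a full page of zeros.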