• Kees Cook's avatar
    mm: Tighten x86 /dev/mem with zeroing reads · be63d158
    Kees Cook authored
    commit a4866aa8 upstream.
    
    Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
    disallowed. However, on x86, the first 1MB was always allowed for BIOS
    and similar things, regardless of it actually being System RAM. It was
    possible for heap to end up getting allocated in low 1MB RAM, and then
    read by things like x86info or dd, which would trip hardened usercopy:
    
    usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)
    
    This changes the x86 exception for the low 1MB by reading back zeros for
    System RAM areas instead of blindly allowing them. More work is needed to
    extend this to mmap, but currently mmap doesn't go through usercopy, so
    hardened usercopy won't Oops the kernel.
    Reported-by: default avatarTommi Rantala <tommi.t.rantala@nokia.com>
    Tested-by: default avatarTommi Rantala <tommi.t.rantala@nokia.com>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Brad Spengler <spender@grsecurity.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    be63d158
init.c 19.6 KB