• Jann Horn's avatar
    x86/fault: BUG() when uaccess helpers fault on kernel addresses · 9da3f2b7
    Jann Horn authored
    There have been multiple kernel vulnerabilities that permitted userspace to
    pass completely unchecked pointers through to userspace accessors:
    
     - the waitid() bug - commit 96ca579a ("waitid(): Add missing
       access_ok() checks")
     - the sg/bsg read/write APIs
     - the infiniband read/write APIs
    
    These don't happen all that often, but when they do happen, it is hard to
    test for them properly; and it is probably also hard to discover them with
    fuzzing. Even when an unmapped kernel address is supplied to such buggy
    code, it just returns -EFAULT instead of doing a proper BUG() or at least
    WARN().
    
    Try to make such misbehaving code a bit more visible by refusing to do a
    fixup in the pagefault handler code when a userspace accessor causes a #PF
    on a kernel address and the current context isn't whitelisted.
    Signed-off-by: default avatarJann Horn <jannh@google.com>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Tested-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: kernel-hardening@lists.openwall.com
    Cc: dvyukov@google.com
    Cc: Masami Hiramatsu <mhiramat@kernel.org>
    Cc: "Naveen N. Rao" <naveen.n.rao@linux.vnet.ibm.com>
    Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: linux-fsdevel@vger.kernel.org
    Cc: Borislav Petkov <bp@alien8.de>
    Link: https://lkml.kernel.org/r/20180828201421.157735-7-jannh@google.com
    9da3f2b7
maccess.c 3.27 KB