3ddc5b46a8
I found the following pattern that leads in to interesting findings: grep -r "ret.*|=.*__put_user" * grep -r "ret.*|=.*__get_user" * grep -r "ret.*|=.*__copy" * The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat, since those appear in compat code, we could probably expect the kernel addresses not to be reachable in the lower 32-bit range, so I think they might not be exploitable. For the "__get_user" cases, I don't think those are exploitable: the worse that can happen is that the kernel will copy kernel memory into in-kernel buffers, and will fail immediately afterward. The alpha csum_partial_copy_from_user() seems to be missing the access_ok() check entirely. The fix is inspired from x86. This could lead to information leak on alpha. I also noticed that many architectures map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I wonder if the latter is performing the access checks on every architectures. Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Cc: Matt Turner <mattst88@gmail.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
---|---|---|
.. | ||
partitions | ||
blk-cgroup.c | ||
blk-cgroup.h | ||
blk-core.c | ||
blk-exec.c | ||
blk-flush.c | ||
blk-integrity.c | ||
blk-ioc.c | ||
blk-iopoll.c | ||
blk-lib.c | ||
blk-map.c | ||
blk-merge.c | ||
blk-settings.c | ||
blk-softirq.c | ||
blk-sysfs.c | ||
blk-tag.c | ||
blk-throttle.c | ||
blk-timeout.c | ||
blk.h | ||
bsg-lib.c | ||
bsg.c | ||
cfq-iosched.c | ||
cmdline-parser.c | ||
compat_ioctl.c | ||
deadline-iosched.c | ||
elevator.c | ||
genhd.c | ||
ioctl.c | ||
Kconfig | ||
Kconfig.iosched | ||
Makefile | ||
noop-iosched.c | ||
partition-generic.c | ||
scsi_ioctl.c |