korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-17 09:14:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
144308139c
linux/arch
History
Mathieu Desnoyers 3ddc5b46a8 kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 
I found the following pattern that leads in to interesting findings:

  grep -r "ret.*|=.*__put_user" *
  grep -r "ret.*|=.*__get_user" *
  grep -r "ret.*|=.*__copy" *

The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat,
since those appear in compat code, we could probably expect the kernel
addresses not to be reachable in the lower 32-bit range, so I think they
might not be exploitable.

For the "__get_user" cases, I don't think those are exploitable: the worse
that can happen is that the kernel will copy kernel memory into in-kernel
buffers, and will fail immediately afterward.

The alpha csum_partial_copy_from_user() seems to be missing the
access_ok() check entirely.  The fix is inspired from x86.  This could
lead to information leak on alpha.  I also noticed that many architectures
map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I
wonder if the latter is performing the access checks on every
architectures.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Matt Turner <mattst88@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-09-11 15:58:18 -07:00
..
alpha kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2013-09-11 15:58:18 -07:00
arc Device tree core updates for v3.12 2013-09-10 13:53:52 -07:00
arm mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
arm64 mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
avr32 - factor out common code from MTD tests 2013-09-09 10:33:19 -07:00
blackfin Merge branch 'cpuinit_phase2' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2013-07-18 10:50:26 -07:00
c6x of: consolidate definition of early_init_dt_alloc_memory_arch() 2013-08-28 21:18:32 +01:00
cris CRIS: drop unused Kconfig symbols 2013-09-10 17:38:07 +02:00
frv frv/PCI: Mark pcibios_fixup_bus() as non-init 2013-07-25 12:18:42 -06:00
h8300 net: rename busy poll socket op and globals 2013-07-10 17:08:27 -07:00
hexagon arch: *: Kconfig: add "kernel/Kconfig.freezer" to "arch/*/Kconfig" 2013-08-13 17:57:49 -07:00
ia64 mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
m32r m32r: delete __cpuinit usage from all m32r files 2013-07-14 19:36:55 -04:00
m68k Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu 2013-09-09 09:04:46 -07:00
metag mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
microblaze Device tree core updates for v3.12 2013-09-10 13:53:52 -07:00
mips mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
mn10300 mn10300: Fix crash just after starting userspace on !CONFIG_PREEMPT 2013-09-10 14:54:59 -07:00
openrisc Device tree core updates for v3.12 2013-09-10 13:53:52 -07:00
parisc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-09-06 09:36:28 -07:00
powerpc mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
s390 mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
score arch: *: Kconfig: add "kernel/Kconfig.freezer" to "arch/*/Kconfig" 2013-08-13 17:57:49 -07:00
sh mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
sparc kernel-wide: fix missing validations on __get/__put/__copy_to/__copy_from_user() 2013-09-11 15:58:18 -07:00
tile mm: migrate: check movability of hugepage in unmap_and_move_huge_page() 2013-09-11 15:57:49 -07:00
um um: Add irq chip um/mask handlers 2013-09-07 10:57:19 +02:00
unicore32 reboot: move arch/x86 reboot= handling to generic kernel 2013-07-09 10:33:29 -07:00
x86 mm: make sure _PAGE_SWP_SOFT_DIRTY bit is not set on present pte 2013-09-11 15:58:06 -07:00
xtensa of: Specify initrd location using 64-bit 2013-07-24 11:10:01 +01:00
.gitignore
Kconfig microblaze: fix clone syscall 2013-08-13 17:57:48 -07:00