From: "Larry H." <research@subreption.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-mm@kvack.org, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Rik van Riel <riel@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Change ZERO_SIZE_PTR to point at unmapped space
Date: Sat, 30 May 2009 19:21:58 -0700 [thread overview]
Message-ID: <20090531022158.GA9033@oblivion.subreption.com> (raw)
In-Reply-To: <alpine.LFD.2.01.0905301902010.3435@localhost.localdomain>
On 19:02 Sat 30 May , Linus Torvalds wrote:
>
>
> On Sat, 30 May 2009, Larry H. wrote:
> >
> > Like I said in the reply to Peter, this is 3 extra bytes for amd64 with
> > gcc 4.3.3. I can't be bothered to check other architectures at the
> > moment.
>
> .. and I can't be bothered with applying this. I'm just not convinced.
The changes don't conflict with anything else (including ERR_PTR and
company). When I said bothered, I implied the change was obviously not
going to differ in any significant way for other architectures.
Like I said, small changes like this are done so we don't need to rely
on mmap_min_addr, which is disabled by default (albeit some
distributions enable it, normally set to 65536).
Let me provide you with a realistic scenario:
1. foo.c network protocol implementation takes a sockopt which
sets some ACME_OPTLEN value taken from userland.
2. the length is not validated properly: it can be zero or an
integer overflow / signedness issue allows it to wrap to zero.
3. kmalloc(0) ensues, and data is copied to the pointer
returned. if this is the default ZERO_SIZE_PTR*, a malicious user
can mmap a page at NULL, and read data leaked from kernel memory
everytime that setsockopt is issued.
(*: kmalloc of zero returns ZERO_SIZE_PTR)
If ZERO_SIZE_PTR points to an unmapped top memory address, this will
trigger a distinctive page fault and the user won't be able to abuse
this for elevating privileges or read kernel memory. Variations of the
scenario above have been present in the kernel, some with exploits being
made available publicly. Most recently, a SCTP sockopt issue.
> It's 3 extra bytes just for the constant. It's also another test, and
> another branch.
What's the total difference, less than 40 bytes? Do the users of this
macro get impacted? No. Who uses the macro? kzfree/kfree/do_kmalloc/etc.
A dozen users, all in SLAB.
The performance impact, if any, is completely negligible. The security
benefits of this utterly simple change well surpass the downsides.
Larry
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2009-05-31 2:24 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-30 19:28 Larry H.
2009-05-30 22:29 ` Linus Torvalds
2009-05-30 23:00 ` Larry H.
2009-05-31 2:02 ` Linus Torvalds
2009-05-31 2:21 ` Larry H. [this message]
2009-06-02 15:37 ` Christoph Lameter
2009-06-02 20:34 ` Larry H.
2009-06-03 14:50 ` Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space) Christoph Lameter
2009-06-03 15:07 ` Linus Torvalds
2009-06-03 15:23 ` Christoph Lameter
2009-06-03 15:38 ` Linus Torvalds
2009-06-03 16:14 ` Alan Cox
2009-06-03 16:19 ` Linus Torvalds
2009-06-03 16:24 ` Eric Paris
2009-06-03 16:22 ` Eric Paris
2009-06-03 16:28 ` Linus Torvalds
2009-06-03 16:32 ` Eric Paris
2009-06-03 16:44 ` Linus Torvalds
2009-06-03 15:11 ` Stephen Smalley
2009-06-03 15:41 ` Christoph Lameter
2009-06-03 16:18 ` Linus Torvalds
2009-06-03 16:28 ` Larry H.
2009-06-03 16:36 ` Rik van Riel
2009-06-03 16:47 ` Linus Torvalds
2009-06-03 17:16 ` Eric Paris
2009-06-03 17:28 ` Linus Torvalds
2009-06-03 17:31 ` Eric Paris
2009-06-03 17:24 ` Larry H.
2009-06-03 17:21 ` Larry H.
2009-06-03 22:52 ` James Morris
2009-06-03 17:29 ` Alan Cox
2009-06-03 17:35 ` Linus Torvalds
2009-06-03 18:00 ` Larry H.
2009-06-03 18:12 ` Linus Torvalds
2009-06-03 18:39 ` Larry H.
2009-06-03 18:45 ` Linus Torvalds
2009-06-03 18:50 ` Linus Torvalds
2009-06-03 18:59 ` Christoph Lameter
2009-06-03 19:11 ` Rik van Riel
2009-06-03 19:14 ` Eric Paris
2009-06-03 19:42 ` Christoph Lameter
2009-06-03 19:51 ` Eric Paris
2009-06-03 20:04 ` Christoph Lameter
2009-06-03 20:16 ` Eric Paris
2009-06-03 20:36 ` Christoph Lameter
2009-06-03 21:20 ` Linus Torvalds
2009-06-04 2:41 ` James Morris
2009-06-03 19:21 ` Alan Cox
2009-06-03 19:45 ` Christoph Lameter
2009-06-03 21:07 ` Alan Cox
2009-06-03 19:27 ` Linus Torvalds
2009-06-03 19:50 ` Christoph Lameter
2009-06-03 20:00 ` pageexec
2009-06-03 19:41 ` pageexec
2009-06-07 10:29 ` Pavel Machek
2009-05-30 22:32 ` [PATCH] Change ZERO_SIZE_PTR to point at unmapped space Peter Zijlstra
2009-05-30 22:51 ` Larry H.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090531022158.GA9033@oblivion.subreption.com \
--to=research@subreption.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=riel@redhat.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox