From: Andrey Konovalov <andreyknvl@gmail.com>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: arnd@arndb.de, david@redhat.com, dvyukov@google.com,
elver@google.com, glider@google.com, hch@infradead.org,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, ryabinin.a.a@gmail.com,
vincenzo.frascino@arm.com
Subject: Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault
Date: Mon, 23 Jun 2025 01:45:27 +0200 [thread overview]
Message-ID: <CA+fCnZce9dB9WLXuw+gteoR2+Brq8H6zLo8JaLGuVg=Rfmj78w@mail.gmail.com> (raw)
In-Reply-To: <CACzwLxgSBszyEr4zRqMbnoA0PEnZQNy8_ZKTMtwm-Nkho5MePg@mail.gmail.com>
On Sun, Jun 22, 2025 at 9:09 PM Sabyrzhan Tasbolatov
<snovitoll@gmail.com> wrote:
>
> I haven't verified this, but theoretically, it's a handy
> “write-anywhere-safely” ROP gadget.
> Assume the attacker has already gained an arbitrary RW primitive
> via a UAF/OOB bug. Instead of stitching together
> prepare_kernel_cred() + commit_creds(), which is a common path
> of using exported symbols to achieve privilege escalation.
> This path needs two symbols and register juggling.
> With exported copy_to_kernel_nofault() they can do this:
>
> /* Pseudocode of exploit for a ROP stage running in kernel context */
> struct cred *cred = leaked_pointer;
> rop_call(copy_to_kernel_nofault, &cred->uid, &zero, 4)
>
> copy_to_kernel_nofault() disables page-faults around the write,
> so even if cred corupts a guard-page, the write will not crash.
Attacker can use copy_to_kernel_nofault without it being exported as well.
So I'd say this patch is more of a clean-up of exports.
next prev parent reply other threads:[~2025-06-22 23:45 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-22 5:19 [PATCH] " Sabyrzhan Tasbolatov
2025-06-22 13:00 ` Andrey Konovalov
2025-06-22 14:11 ` [PATCH v2] " Sabyrzhan Tasbolatov
2025-06-22 17:44 ` Arnd Bergmann
2025-06-22 18:20 ` Andrew Morton
2025-06-22 19:09 ` Sabyrzhan Tasbolatov
2025-06-22 23:45 ` Andrey Konovalov [this message]
2025-06-23 8:09 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+fCnZce9dB9WLXuw+gteoR2+Brq8H6zLo8JaLGuVg=Rfmj78w@mail.gmail.com' \
--to=andreyknvl@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=david@redhat.com \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=hch@infradead.org \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=ryabinin.a.a@gmail.com \
--cc=snovitoll@gmail.com \
--cc=vincenzo.frascino@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox