Re: [PATCH] arch/x86: fix out-of-bounds in get_wchan()

From: Thomas Gleixner
Date: Wed Sep 30 2015 - 04:09:04 EST


On Tue, 29 Sep 2015, Andy Lutomirski wrote:
> I'd be vaguely amazed if this isn't an exploitable info leak even
> without the out of bounds thing.

The info leak happens in fs/proc, where we happily print arbitrary
"IP" values, if we can't resolve a symbol.

> Can we really not find a way to do this without walking the stack?

We would have to add a 'store wait channel' mechanism to all functions
which are the primary entry points to scheduling. Not impossible, but
not pretty either.

If we want to prevent the stack changing under us, we'd need to take
p->pi_lock and do the task != RUNNING check and the walk under it. I
don't think we want to do that, unless there is a compelling reason to
do so.

Thanks,

tglx
