Re: [PATCH 0/7] x86: uaccess hardening, easy part

From: Kees Cook
Date: Wed May 25 2016 - 13:32:06 EST


On Tue, May 24, 2016 at 3:48 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
> This series hardens x86's uaccess code a bit. It adds warnings for
> some screwups, adds an OOPS for a major exploitable screwup, and it
> improves debuggability a bit by indicating non-default fs in oopses.
>
> It shouldn't cause any new OOPSes except in the particularly
> dangerous case where the kernel faults on a kernel address under
> USER_DS, which indicates that an access_ok is missing and is likely
> to be easily exploitable -- OOPSing will make it harder to exploit.
>
> I have some draft patches to force OOPSes on user address accesses
> under KERNEL_DS (which is a big no-no), but I'd rather make those
> warn instead of OOPSing, and I don't have a good implementation of
> that yet. Those patches aren't part of this series.
>
> Andy Lutomirski (7):
> x86/xen: Simplify set_aliased_prot
> x86/extable: Pass error_code and an extra unsigned long to exhandlers
> x86/uaccess: Give uaccess faults their own handler
> x86/dumpstack: If addr_limit is non-default, display it
> x86/uaccess: Warn on uaccess faults other than #PF
> x86/uaccess: Don't fix up USER_DS uaccess faults to kernel addresses
> x86/uaccess: OOPS or warn on a fault with KERNEL_DS and
> !pagefault_disabled()

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

I'm going to see what this does to lib/test_user_copy.c ... I might
have to move it into lkdtm.c if there is an added Oops condition.

-Kees

--
Kees Cook
Chrome OS & Brillo Security