RE: [PATCH v3 02/11] mm: Hardened usercopy
From: Michael Ellerman
Date: Mon Jul 25 2016 - 22:09:24 EST
David Laight <David.Laight@xxxxxxxxxx> writes:
> From: Josh Poimboeuf
>> Sent: 22 July 2016 18:46
>> >
>> > e.g. then if the pointer was in the thread_info, the second test would
>> > fail, triggering the protection.
>>
>> FWIW, this won't work right on x86 after Andy's
>> CONFIG_THREAD_INFO_IN_TASK patches get merged.
>
> What ends up in the 'thread_info' area?
It depends on the arch.
> If it contains the fp save area then programs like gdb may end up requesting
> copy_in/out directly from that area.
On the arches I've seen, thread_info doesn't usually contain register save areas,
but if it did then it would be up to the arch helper to allow that copy to go
through.
However, given that thread_info generally contains lots of low-level flags that would
be a good target for an attacker, the best way to cope with ptrace wanting to
copy to/from it would be to use a temporary, and prohibit copying directly
to/from thread_info - IMHO.
cheers
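The following is an added userspace model of the approach discussed in this message (refuse usercopy to/from thread_info, and bounce ptrace accesses through a temporary). It is not code from the hardened-usercopy patch series or from any kernel tree: the `struct ti_model` layout, the stack buffer with thread_info at its base (the pre-THREAD_INFO_IN_TASK layout), and the function names `usercopy_check_thread_info`, `model_copy_to_user`, `model_copy_from_user` and the `ptrace_*` helpers are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for an arch thread_info (constructed for this example). */
struct ti_model {
    unsigned long flags;   /* low-level flags: the attacker-interesting part */
    int preempt_count;
    void *task;
};

/* One task's kernel stack, with thread_info at the bottom (old x86-style layout). */
#define STACK_SIZE 8192
static unsigned char task_stack[STACK_SIZE];
#define THREAD_INFO ((struct ti_model *)task_stack)

/* Flag bits ptrace is allowed to set, for the write path (arbitrary for the model). */
#define PTRACE_SETTABLE_FLAGS 0xffUL

/* Returns 0 if [ptr, ptr+n) may be copied to/from userspace, -1 if it
 * overlaps thread_info (or wraps). This is the check the arch helper would
 * perform before any copy_{to,from}_user touches the range. */
int usercopy_check_thread_info(const void *ptr, size_t n)
{
    uintptr_t start = (uintptr_t)ptr, end = start + n;
    uintptr_t ti_start = (uintptr_t)THREAD_INFO;
    uintptr_t ti_end = ti_start + sizeof(struct ti_model);

    if (end < start)
        return -1;                     /* arithmetic wrap */
    if (start < ti_end && end > ti_start)
        return -1;                     /* any overlap with thread_info */
    return 0;
}

/* Model of copy_to_user: refuse (and copy nothing) if the kernel-side range is bad. */
int model_copy_to_user(void *user_to, const void *kernel_from, size_t n)
{
    if (usercopy_check_thread_info(kernel_from, n))
        return -1;
    memcpy(user_to, kernel_from, n);
    return 0;
}

/* Model of copy_from_user: same check, on the kernel-side destination. */
int model_copy_from_user(void *kernel_to, const void *user_from, size_t n)
{
    if (usercopy_check_thread_info(kernel_to, n))
        return -1;
    memcpy(kernel_to, user_from, n);
    return 0;
}

/* Direct ptrace-style read pointing straight at thread_info: refused. */
int ptrace_read_flags_direct(unsigned long *user_dst)
{
    return model_copy_to_user(user_dst, &THREAD_INFO->flags, sizeof(*user_dst));
}

/* Bounced read: the kernel reads the field itself; usercopy only ever sees
 * the temporary, so the thread_info check never fires. */
int ptrace_read_flags_bounce(unsigned long *user_dst)
{
    unsigned long tmp = THREAD_INFO->flags;
    return model_copy_to_user(user_dst, &tmp, sizeof(tmp));
}

/* Bounced write: copy into a temporary, validate, then let the kernel update
 * the field. The temporary is also where a mask or sanity check belongs. */
int ptrace_write_flags_bounce(const unsigned long *user_src)
{
    unsigned long tmp;
    if (model_copy_from_user(&tmp, user_src, sizeof(tmp)))
        return -1;
    THREAD_INFO->flags = (THREAD_INFO->flags & ~PTRACE_SETTABLE_FLAGS)
                       | (tmp & PTRACE_SETTABLE_FLAGS);
    return 0;
}

int main(void)
{
    unsigned long out = 0, in = 0x1ffUL;
    THREAD_INFO->flags = 0xabcdUL;
    printf("direct read: %d\n", ptrace_read_flags_direct(&out));   /* -1 */
    printf("bounced read: %d flags=%#lx\n", ptrace_read_flags_bounce(&out), out);
    printf("bounced write: %d flags=%#lx\n", ptrace_write_flags_bounce(&in),
           THREAD_INFO->flags);
    return 0;
}
```

The direct path is refused because the source range lies inside thread_info; the bounced path passes because the temporary lives outside the task's stack region in this model (on the real kernel stack it would sit above thread_info, outside the checked range), and the write path gains a natural place to mask what userspace may set.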