Re: [kernel-hardening] Re: [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode

From: Andy Lutomirski
Date: Fri May 12 2017 - 19:21:44 EST


On Fri, May 12, 2017 at 12:15 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:

> Folks, seriously, have you even looked through that zoo? I have, and it's
> really, really not fun. Sure, we can say "fuck 'em, no need to allow
> splice() on random crap". Would be perfectly reasonable, expect that
> it's not the only place doing kernel_write() and its ilk...

Can you clarify this? I think we really may be able to do exactly
this. From Christoph's list, there are only two things that need
kernel_read/kernel_write to user-supplied fds that may come from a
variety of sources: splice and exec. If you're execing a chardev from
a crappy driver, something is seriously wrong. And returning -EINVAL
from splice() to or from files that use ->read and ->write seems fine
(and splice(2) even documents -EINVAL as meaning that the target
doesn't support splicing).

--Andy