Re: [PATCH v3] vsprintf: Prevent crash when dereferencing invalid pointers

From: Steven Rostedt
Date: Thu Mar 15 2018 - 13:06:45 EST


On Wed, 14 Mar 2018 23:12:36 +0100
Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx> wrote:

> Question: probe_kernel_read seems to allow (mapped) userspace addresses.
> Is that really what we want? Sure, some %p* just format the pointed-to
> bytes directly (as an IP address or raw hex dump or whatnot), but some
> (e.g. %pD, and %pV could be particularly fun) do another dereference.
> I'm not saying it would be easy for an attacker to get a userpointer
> passed to %pV, but there's a lot of places that end up calling vsnprintf
> (not just printk and friends). Isn't there some cheap address comparison
> one can do to rule that out completely?

We allow it today, right? Why should we stop it now? For debugging I
will sometimes add printk()s to write out content in userspace. Since
the kernel maps all memory in its own space, there's nothing we are
protecting by not letting the kernel read userspace but being OK letting
it read anything in kernel space.

-- Steve
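The "cheap address comparison" Rasmus asks about, modelled in user-space C as an added example (this is not code from the patch, the thread, or the kernel). The guard checks that the whole range a %p-style formatter wants to read lies inside a registered region before it dereferences anything, and refuses the read otherwise. The region table, the `kernel_buf`/`user_buf` sample buffers, and every function name here are constructed for the illustration; `guarded_read` only imitates the copy-or-fail contract the thread attributes to probe_kernel_read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a user-space model of guarding a
 * pointer dereference with an address-range comparison. Region names,
 * buffers and bounds below are constructed for this illustration. */

struct region {
    const char *name;
    uintptr_t start;
    uintptr_t end;   /* exclusive */
};

/* Constructed sample data standing in for a kernel-side string. */
static char kernel_buf[64] = "kernel-side string";
/* Constructed sample data standing in for a mapped user-space buffer. */
static char user_buf[64] = "user-side string";

static struct region allowed[4];
static size_t n_allowed;

/* Register a region the formatter is allowed to read from. */
void register_region(const char *name, const void *base, size_t len) {
    if (n_allowed >= sizeof allowed / sizeof allowed[0]) return;
    allowed[n_allowed].name = name;
    allowed[n_allowed].start = (uintptr_t)base;
    allowed[n_allowed].end = (uintptr_t)base + len;
    n_allowed++;
}

/* Model setup: only the "kernel" buffer is readable; user_buf is not. */
void setup_model(void) {
    n_allowed = 0;
    register_region("kernel", kernel_buf, sizeof kernel_buf);
}

/* Returns 1 if [p, p+len) lies wholly inside one allowed region, else 0.
 * Empty and wrapping ranges are rejected so a huge len cannot slip past. */
int addr_ok(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p;
    if (len == 0 || a + len < a) return 0;
    for (size_t i = 0; i < n_allowed; i++)
        if (a >= allowed[i].start && a + len <= allowed[i].end) return 1;
    return 0;
}

/* Copy len bytes from src into dst, or return -1 without touching dst.
 * The address check runs before any dereference of src. */
int guarded_read(void *dst, const void *src, size_t len) {
    if (!addr_ok(src, len)) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Format the string a pointer refers to, the way a %p-style specifier that
 * follows the pointer would, but only after the guard passes. */
int format_ptr_string(char *out, size_t outsz, const char *p) {
    char tmp[sizeof kernel_buf];
    if (guarded_read(tmp, p, sizeof tmp) != 0) {
        snprintf(out, outsz, "(invalid)");
        return -1;
    }
    tmp[sizeof tmp - 1] = '\0';   /* never trust the copy to be terminated */
    snprintf(out, outsz, "%s", tmp);
    return 0;
}

/* Convenience wrapper returning a static buffer, used by main() below. */
const char *describe_ptr(const char *p) {
    static char out[80];
    format_ptr_string(out, sizeof out, p);
    return out;
}

int main(void) {
    setup_model();
    printf("kernel_buf -> %s\n", describe_ptr(kernel_buf));     /* formatted */
    printf("user_buf   -> %s\n", describe_ptr(user_buf));       /* refused  */
    printf("tail read  -> %d\n", addr_ok(kernel_buf + 60, 8));  /* 0: crosses end */
    return 0;
}
```

The point of the model is the order of operations: the comparison happens before the first byte is touched, and it is applied to the whole range the formatter will read, not just the first address, so a pointer that starts inside an allowed region but runs past its end is refused too.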