There is some -to me at least- weird code in per_copy_attr. Which supposedly
checks that all bytes trailing a struct are zero.
It doesn't seem to get pointer arithmetic right. Since it increments
an iterating pointer by sizeof(unsigned long) rather than 1.
I believe this has an impact on the exploitability of the recent buffer overflow
in the perf_copy_attr function. I'm pretty sure I'm not the only one who noticed
this, but i couldn't find it being mentioned. For some reason people prefer
mmaping something at zero these days?
I have appended a patch locating the issue. The PTR_ALIGN stuff right above it
doesn't seem to take any boundary conditions into account which is probably not
a good thing either.
(I'm not subscribed, please add me in CC.)
signed-of-by Ian Schram <[email protected]>
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index 8cb94a5..9c7590e 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4208,7 +4208,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
end = PTR_ALIGN((void __user *)uattr + size,
sizeof(unsigned long));
- for (; addr < end; addr += sizeof(unsigned long)) {
+ for (; addr < end; ++addr) {
ret = get_user(val, addr);
if (ret)
return ret;
On Fri, 2009-09-18 at 21:26 +0200, Ian Schram wrote:
> There is some -to me at least- weird code in per_copy_attr. Which supposedly
> checks that all bytes trailing a struct are zero.
>
> It doesn't seem to get pointer arithmetic right. Since it increments
> an iterating pointer by sizeof(unsigned long) rather than 1.
>
> I believe this has an impact on the exploitability of the recent buffer overflow
> in the perf_copy_attr function. I'm pretty sure I'm not the only one who noticed
> this, but i couldn't find it being mentioned. For some reason people prefer
> mmaping something at zero these days?
>
> I have appended a patch locating the issue. The PTR_ALIGN stuff right above it
> doesn't seem to take any boundary conditions into account which is probably not
> a good thing either.
sizeof(struct perf_counter_attr) should always be a multiple of u64, and
we can indeed read beyond the tail boundary, but that should be ok,
worst that can happen is that we fail the read..
Ugh on the ptr arith, one wonders how many stupid bugs one can make in
such a piece of code... :/
> signed-of-by Ian Schram <[email protected]>
Acked-by: Peter Zijlstra <[email protected]>
> diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
> index 8cb94a5..9c7590e 100644
> --- a/kernel/perf_counter.c
> +++ b/kernel/perf_counter.c
> @@ -4208,7 +4208,7 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
> end = PTR_ALIGN((void __user *)uattr + size,
> sizeof(unsigned long));
>
> - for (; addr < end; addr += sizeof(unsigned long)) {
> + for (; addr < end; ++addr) {
> ret = get_user(val, addr);
> if (ret)
> return ret;
* Peter Zijlstra <[email protected]> wrote:
> On Fri, 2009-09-18 at 21:26 +0200, Ian Schram wrote:
> > There is some -to me at least- weird code in per_copy_attr. Which supposedly
> > checks that all bytes trailing a struct are zero.
> >
> > It doesn't seem to get pointer arithmetic right. Since it increments
> > an iterating pointer by sizeof(unsigned long) rather than 1.
> >
> > I believe this has an impact on the exploitability of the recent buffer overflow
> > in the perf_copy_attr function. I'm pretty sure I'm not the only one who noticed
> > this, but i couldn't find it being mentioned. For some reason people prefer
> > mmaping something at zero these days?
> >
> > I have appended a patch locating the issue. The PTR_ALIGN stuff right above it
> > doesn't seem to take any boundary conditions into account which is probably not
> > a good thing either.
>
> sizeof(struct perf_counter_attr) should always be a multiple of u64, and
> we can indeed read beyond the tail boundary, but that should be ok,
> worst that can happen is that we fail the read..
>
> Ugh on the ptr arith, one wonders how many stupid bugs one can make in
> such a piece of code... :/
>
> > signed-of-by Ian Schram <[email protected]>
>
> Acked-by: Peter Zijlstra <[email protected]>
Ian, you meant Signed-off-by, not signed-of-by, right?
Ingo
Ingo Molnar wrote:
> * Peter Zijlstra <[email protected]> wrote:
>
>> On Fri, 2009-09-18 at 21:26 +0200, Ian Schram wrote:
>>> There is some -to me at least- weird code in per_copy_attr. Which supposedly
>>> checks that all bytes trailing a struct are zero.
>>>
>>> It doesn't seem to get pointer arithmetic right. Since it increments
>>> an iterating pointer by sizeof(unsigned long) rather than 1.
>>>
>>> I believe this has an impact on the exploitability of the recent buffer overflow
>>> in the perf_copy_attr function. I'm pretty sure I'm not the only one who noticed
>>> this, but i couldn't find it being mentioned. For some reason people prefer
>>> mmaping something at zero these days?
>>>
>>> I have appended a patch locating the issue. The PTR_ALIGN stuff right above it
>>> doesn't seem to take any boundary conditions into account which is probably not
>>> a good thing either.
>> sizeof(struct perf_counter_attr) should always be a multiple of u64, and
I don't think this matters since the starting address is not 'forced' to be
aligned. In which case some bytes in the middle would be unchecked. All in
all seems like an undesirable situation. I'll verify this and try my hand
at fixing it properly. Unless somebody who actually understands the purpose
of these checks wants to have a go..
>> we can indeed read beyond the tail boundary, but that should be ok,
>> worst that can happen is that we fail the read..
>>
>> Ugh on the ptr arith, one wonders how many stupid bugs one can make in
>> such a piece of code... :/
>>
>>> signed-of-by Ian Schram <[email protected]>
>> Acked-by: Peter Zijlstra <[email protected]>
>
> Ian, you meant Signed-off-by, not signed-of-by, right?
>
exactly right, *shame*, apologies for the extra work for this one line
drive-by patch.
> Ingo
>
>
Commit-ID: cdf8073d6b2c6c5a3cd6ce0e6c1297157f7f99ba
Gitweb: http://git.kernel.org/tip/cdf8073d6b2c6c5a3cd6ce0e6c1297157f7f99ba
Author: Ian Schram <[email protected]>
AuthorDate: Fri, 18 Sep 2009 21:26:26 +0200
Committer: Ingo Molnar <[email protected]>
CommitDate: Sat, 19 Sep 2009 19:32:55 +0200
perf_counter: Fix perf_copy_attr() pointer arithmetic
There is still some weird code in per_copy_attr(). Which supposedly
checks that all bytes trailing a struct are zero.
It doesn't seem to get pointer arithmetic right. Since it
increments an iterating pointer by sizeof(unsigned long) rather
than 1.
Signed-off-by: Ian Schram <[email protected]>
[ v2: clean up the messy PTR_ALIGN logic as well. ]
Signed-off-by: Peter Zijlstra <[email protected]>
Cc: Mike Galbraith <[email protected]>
Cc: Paul Mackerras <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Cc: <[email protected]> # for v2.6.31.x
LKML-Reference: <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
---
kernel/perf_counter.c | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/kernel/perf_counter.c b/kernel/perf_counter.c
index d5899b6..cc768ab 100644
--- a/kernel/perf_counter.c
+++ b/kernel/perf_counter.c
@@ -4208,8 +4208,8 @@ done:
static int perf_copy_attr(struct perf_counter_attr __user *uattr,
struct perf_counter_attr *attr)
{
- int ret;
u32 size;
+ int ret;
if (!access_ok(VERIFY_WRITE, uattr, PERF_ATTR_SIZE_VER0))
return -EFAULT;
@@ -4234,19 +4234,19 @@ static int perf_copy_attr(struct perf_counter_attr __user *uattr,
/*
* If we're handed a bigger struct than we know of,
- * ensure all the unknown bits are 0.
+ * ensure all the unknown bits are 0 - i.e. new
+ * user-space does not rely on any kernel feature
+ * extensions we dont know about yet.
*/
if (size > sizeof(*attr)) {
- unsigned long val;
- unsigned long __user *addr;
- unsigned long __user *end;
+ unsigned char __user *addr;
+ unsigned char __user *end;
+ unsigned char val;
- addr = PTR_ALIGN((void __user *)uattr + sizeof(*attr),
- sizeof(unsigned long));
- end = PTR_ALIGN((void __user *)uattr + size,
- sizeof(unsigned long));
+ addr = (void __user *)uattr + sizeof(*attr);
+ end = (void __user *)uattr + size;
- for (; addr < end; addr += sizeof(unsigned long)) {
+ for (; addr < end; addr++) {
ret = get_user(val, addr);
if (ret)
return ret;