Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!
From: Tommi Rantala
To: Linus Torvalds, Kees Cook
CC: Dave Jones, Linux-MM, LKML, Laura Abbott, Ingo Molnar, Josh Poimboeuf, Mark Rutland, Eric Biggers
Date: Fri, 31 Mar 2017 22:32:53 +0300

On 31.03.2017 21:26, Linus Torvalds wrote:
> Hmm. Thinking more about this, we do allow access to the first 1MB of
> physical memory unconditionally (see devmem_is_allowed() in
> arch/x86/mm/init.c). And I think we only _reserve_ the first 64kB or
> something. So I guess even STRICT_DEVMEM isn't actually all that
> strict.
>
> So this should be visible even *with* STRICT_DEVMEM.
>
> Does a simple
>
>      sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
>
> also show the same issue? Maybe regardless of STRICT_DEVMEM?

Yep, it is enough to trigger the bug.

Also crashes with the fedora kernel that has STRICT_DEVMEM:

$ sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
Segmentation fault

[   73.224025] usercopy: kernel memory exposure attempt detected from ffff893a80059000 (dma-kmalloc-16) (4096 bytes)
[   73.224049] ------------[ cut here ]------------
[   73.224056] kernel BUG at mm/usercopy.c:75!
[   73.224060] invalid opcode: 0000 [#1] SMP
[   73.224237] CPU: 5 PID: 2860 Comm: dd Not tainted 4.9.14-200.fc25.x86_64 #1

> Maybe we should change devmem_is_allowed() to return a ternary value,
> and then have it be "allow access" (for reserved pages), "disallow
> access" (for various random stuff), and "just read zero" (for pages in
> the low 1M that aren't marked reserved).
>
> That way things like that read the low 1M (like x86info) will
> hopefully not be unhappy, but also won't be reading random kernel
> data.
>
>              Linus
>
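
The ternary devmem_is_allowed() idea from the quoted text, sketched as a userspace C model. This is an added example, not kernel code and not written by anyone in the thread; the enum names, struct model_page and the page map in main() are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
#define LOW_1M_PAGES    256u  /* 1MB / 4096: the range dd bs=4096 count=256 covers */

/* Hypothetical names for the three outcomes proposed in the mail. */
enum devmem_verdict { DEVMEM_DENY, DEVMEM_ALLOW, DEVMEM_ZERO };

/* Constructed stand-in for a physical page: reserved flag plus one fill byte. */
struct model_page { int reserved; uint8_t fill; };

static enum devmem_verdict model_devmem_is_allowed(const struct model_page *map,
                                                   size_t npages, size_t pfn)
{
    if (pfn >= npages)
        return DEVMEM_DENY;
    if (map[pfn].reserved)
        return DEVMEM_ALLOW;  /* reserved page: reader gets the real contents */
    if (pfn < LOW_1M_PAGES)
        return DEVMEM_ZERO;   /* low 1M, not reserved: zeros instead of kernel data */
    return DEVMEM_DENY;       /* everything else */
}

/* Page-at-a-time read loop; returns bytes copied, or -1 on a denied page. */
static long model_read_mem(const struct model_page *map, size_t npages,
                           size_t pfn, size_t count, uint8_t *out)
{
    long done = 0;
    for (size_t i = 0; i < count; i++, out += MODEL_PAGE_SIZE) {
        switch (model_devmem_is_allowed(map, npages, pfn + i)) {
        case DEVMEM_ALLOW: memset(out, map[pfn + i].fill, MODEL_PAGE_SIZE); break;
        case DEVMEM_ZERO:  memset(out, 0, MODEL_PAGE_SIZE); break;
        default:           return -1;
        }
        done += MODEL_PAGE_SIZE;
    }
    return done;
}

int main(void)
{
    static struct model_page map[300];                  /* constructed memory map */
    static uint8_t buf[LOW_1M_PAGES * MODEL_PAGE_SIZE];
    map[0].reserved = 1; map[0].fill = 0x11;            /* a reserved low page */
    map[89].fill = 0xAA;                                /* non-reserved page holding data */
    long n = model_read_mem(map, 300, 0, LOW_1M_PAGES, buf);
    printf("read %ld bytes, page 0: %#x, page 89: %#x\n", n, buf[0], buf[89 * MODEL_PAGE_SIZE]);
    return 0;
}
```

In this model the whole low 1M reads back without error, while the non-reserved page comes back as zeros rather than its contents.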