Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S933380AbdCaTdH (ORCPT <rfc822;w@1wt.eu>);
        Fri, 31 Mar 2017 15:33:07 -0400
Received: from mail-eopbgr00096.outbound.protection.outlook.com ([40.107.0.96]:63072
        "EHLO EUR02-AM5-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S933202AbdCaTc7 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 31 Mar 2017 15:32:59 -0400
Authentication-Results: google.com; dkim=none (message not signed)
 header.d=none;google.com; dmarc=none action=none header.from=nokia.com;
Subject: Re: sudo x86info -a => kernel BUG at mm/usercopy.c:78!
To: Linus Torvalds <torvalds@linux-foundation.org>,
        Kees Cook <keescook@chromium.org>
References: <d928849c-e7c3-6b81-e551-a39fa976f341@nokia.com>
 <CAGXu5jKo4gw=RHCmcY3v+GTiUUgteLbmvHDghd-Lrm7RprL8=Q@mail.gmail.com>
 <20170330194143.cbracica3w3ijrcx@codemonkey.org.uk>
 <CAGXu5jK8=g8rBx1J4+gC8-3nwRLe2Va89hHX=S-P6SvvgiVb9A@mail.gmail.com>
 <20170331171724.nm22iqiellfsvj5z@codemonkey.org.uk>
 <CAGXu5jL7MGNut_izksDKJHNJjPZqvu_84GBwHjqVeRbjDJyMWw@mail.gmail.com>
 <CA+55aFwOCnhSF4Tyk8x0+EpcWmaDd9X5bi1w=O1aReEK53OY8A@mail.gmail.com>
CC: Dave Jones <davej@codemonkey.org.uk>, Linux-MM <linux-mm@kvack.org>,
        LKML <linux-kernel@vger.kernel.org>, Laura Abbott <labbott@redhat.com>,
        Ingo Molnar <mingo@kernel.org>, Josh Poimboeuf <jpoimboe@redhat.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Eric Biggers <ebiggers@google.com>
From: Tommi Rantala <tommi.t.rantala@nokia.com>
Message-ID: <a6543d13-6247-08de-903e-f4d1bbb52881@nokia.com>
Date: Fri, 31 Mar 2017 22:32:53 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CA+55aFwOCnhSF4Tyk8x0+EpcWmaDd9X5bi1w=O1aReEK53OY8A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [2001:14ba:1efe:ec00::3]
X-ClientProxiedBy: DB6PR1001CA0040.EURPRD10.PROD.OUTLOOK.COM (10.168.69.154)
 To DB6PR0701MB2359.eurprd07.prod.outlook.com (10.168.75.13)
X-MS-Office365-Filtering-Correlation-Id: 0e1c1ebb-eef5-4793-da4f-08d4786cbb5a
X-MS-Office365-Filtering-HT: Tenant
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001)(48565401081)(201703131423075)(201703031133081);SRVR:DB6PR0701MB2359;
X-Microsoft-Exchange-Diagnostics: 1;DB6PR0701MB2359;3:Sv88CJrFUqUMppMagEjmrW0fu4lmUMZyi82V9ZrOYAl6xtww9THLjNQKopkp79Rt3tfkHMHdtSdZW0kCIgvvM91M5waZ8gsIIjdPM0FT1AMziJ8ZY2OScRhGF8vVh4+FoLajWPoE9gcNcgstgQkJJGKMpufUR/8M9k+9dsyClPmbn43L+bp31uQahkn1nrH/2gDMkEtPoCdYsVnKy+L7UX7w/+og6LMlx5urGBjZphTIBoJ401CoKlrQO18+Nu35mvyAD4T/m1cZ5PgtgNcgUFE3hPV4Jchgwfr71HexGGXw2ksdgR2VYwOWx1tHN67J94BOrfIlGs3Jxa0TeGqFKNJGBsv8IZ4De4W/WomNh2M=;25:1qDpi4bA20PndJG6H9aoftLRENbBHe9rJKwwPWeCUojq7iCs61Qx1BrQ1+CFizIbNo+TeCDTDfE4HKOtS898hfkxeCjLmbjojX+OhY2ZriGrEzeXjmLQ4kafghT7D4LSBNZhYix0jUCqp89Tfn85H0vC3uc5DCQyQKavQhBVn61qFebbThq1y2kHviPrVXYrYhBwXj4fgdQ4Ge0u9iJfauUT9i8xZcAvZKbOgMNQCnsXQrRzGCldyTQByH8GkU+IFZ8hpQecHP6Ds8crfIluKAoytPOEaB473nSCxS232nJjI++M37WHhOTdN4qdASEWSGlMMhBkxWdMia3RQ3o196L0FErMPi5SorkeX2re5Dyqf6yZtljp25lkbN0bcRdEe4Qyb0zdzqIjNhLR41MdvvIp9m2kW3QsaI/j/nQWpzDqGgZm5ozhIRYJa2zAz6roaRy5qX/PRrWFIebdzWESEA==
X-Microsoft-Exchange-Diagnostics: 1;DB6PR0701MB2359;31:nVlf99j4jzzyyHuUNccYAgBG59wRFwB8yDX9vjiX2hqnH3q4b/w8LKc47DVZeTI41hiGWW14jzaFQnot/dUYERIyz9yz0hUnKAYY3mw9mgJANhbKeYuCRdu+nX62zCPf6olQQ1f3L6G+R1zJfT6j05Ourm6IohA8uYqL3BSdBY2pjFt4NxThGDAfvj0sQZh6/KhPMwfmt9ocjAqJQ64eUEj/XRIFCY303NjHXpH+TfqJyWRl/saYjsHQ3hPEUtNDvR/YwdTjVCEm8O10TPYN12Xg2siR3+KcCuGjNausz/E=;20:tZ1pfMwRFELlEOeUheX78kbx3XrX6NaOKYJntuceM1D8EoCPySS7kDX153oM+8u4wHsA0PHVxJKg2BJ3M/kp1CsqYuPTNdqGpXyeduIswKnQ1FYw/DvOEd2p+v5g2b/1/L2fOGNyo8YuzIfJIR9NkUOfGqBxuIXyE7cOC85D9K5+VXUDULszhTrOJw9s3sXwqhBqKJ+kOHTfhECXTfFLsdx4+skS+/u790He0ipKTEuT6S//EbWkD2GhOoqJmgjj6jpnyLKDnnOUO+/RO6YPgBR3Y1JfonF1ITPDzfT1Ry30B6N4KWvF2vh+g+MCkC3UFU5uEhXdyMr04W7TZbkNGbQ+ojI5UEXFmkruJtF4/5yn+J7FCKzCIJn8L7ZDkGeTURXd3LHrK4Y0ZauV6dGiE8OKO/NXVcsihxrJJl9dlLu59koVoyJjeejKGB1I/Ta8yJQCB2TWW5y3y8ON0nRNUhqxSuqIQ8q/TUAYLoK5tTHtGK94FoIHT0JF8cD+bnv5
X-Microsoft-Antispam-PRVS: <DB6PR0701MB2359C066C826E576F35E7989B4370@DB6PR0701MB2359.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(6055026)(6041248)(201703131423075)(201702281528075)(201703061421075)(20161123564025)(20161123562025)(20161123555025)(20161123560025)(6072148);SRVR:DB6PR0701MB2359;BCL:0;PCL:0;RULEID:;SRVR:DB6PR0701MB2359;
X-Microsoft-Exchange-Diagnostics: 1;DB6PR0701MB2359;4:vZ3juKZ0T7GOmX3EICBfn02pyRY8M9+6dPMIqb2kcdzvQaeDNygwOi0hl3vnyplf0b76UGL+ZXP0H3UCkb7gKXbR6RytDF99ETk8vhioosa7iP4N7iNP3ZOLHsJdLJFvA2MlXQB3e592lH7f2Z+k1j+2V5QMmBlY0/FZJ9OFjDluTcPnjMeqdT1WLzfiJZ04z+vCkGbcb2SWk9i6fapZiXCqqCtn2ptHhHUVFRDFywAcr/L1j1wCT2cLNAEQLvRYd5V7q2q1wrbTs+J8AyfbMnGaJDABDHAt2D1EG75Ptm6arI8uz20iwKG829kUNOB8OLOBpkVIzJ7pyeTTVMxWj3vRQf8W8Ci2uNFFx0zCM73xiSPEfO0GBZk//DXuWHKFQ9+lKlYA+Pjt8SRX8peKBv71rpN33TRMkFO+Svh/iCh4kjExTZXXwREgI4AGWCWUYXbRt+CiJToWSLr+Rnx4DFNxQFhSzxOzHEQHR0C2MyDfjckz7kEFbRYOKwIZcM0C8B9FYYcz2DA/+LVUIjlIPRrD8WLo/88J4eT1+xzCAqKmpVCcqbJDOjM62kI8oiwWq8QJx6C7SEzEeLpe0fnVN4u3TYSqrVTMJp1iir9iL9InBMHvTruE7h1HgHLX2KwEtbKQP8Hj09SPIx1JLCQbs4pexLU0pcGusXWeJenJTHSQQSjdtNzenKHLCcU9oclKWnqYqz59nGslo/pkyhvV6edzk4aUU4P8TcmLhWIYi5I=
X-Forefront-PRVS: 02638D901B
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10019020)(4630300001)(6009001)(39850400002)(39400400002)(39410400002)(39450400003)(39840400002)(39860400002)(24454002)(93886004)(229853002)(65826007)(33646002)(5660300001)(2906002)(83506001)(2950100002)(53936002)(38730400002)(42186005)(31686004)(54906002)(6246003)(50466002)(86362001)(7736002)(305945005)(31696002)(6486002)(36756003)(23676002)(65806001)(230700001)(65956001)(81166006)(76176999)(8676002)(50986999)(54356999)(226693001)(25786009)(53546009)(4001350100001)(6116002)(189998001)(4326008)(47776003);DIR:OUT;SFP:1102;SCL:1;SRVR:DB6PR0701MB2359;H:[IPv6:2001:14ba:1efe:ec00::3];FPR:;SPF:None;MLV:sfv;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtEQjZQUjA3MDFNQjIzNTk7MjM6LzJmWUFFbW9rd3AvY3pBWS9ILzQxaVN6?=
 =?utf-8?B?YU9GdCt5eENHM3htamt1Y0RYeVY5cXljcTFTazNuKzdtRmdLUzVCbjJRb1NV?=
 =?utf-8?B?cmUrRkJ5cGJrMC8zK0hmM0JmYXBNKzJtQXJOOTVUam4wUXU0bWdWWUdaSEcv?=
 =?utf-8?B?M2QzQXlnUDJrcXMxSU1EVkhicjl3MmhrekY4c2pZQjhiWWpUbGJndEo5NTRU?=
 =?utf-8?B?RmhvQ0dQUkgrRDVhUEJ6cFovRGJ5ZDF2dksyaS9TenhyVnlHVDNEMUVjZGFE?=
 =?utf-8?B?QXpSUHZUTG1EUDd0cm5iUnhka250QzBuUklhQVgvbHErdTREY3lCTlkyUUYz?=
 =?utf-8?B?MCsxN1V4dmZKREFJRWdlOTF4UXAxVXNHdFk4SlQxaW8vWnlvclRJMnlMampZ?=
 =?utf-8?B?VWdkSDVmQnRjVVVFTnZIc3JxV2FUdjg5eXZpRHY4cE5HSUV6V2JaRWladld1?=
 =?utf-8?B?a3pXM2hKMjJ5Y2x5V2ZXSCtWMTB5Yy9BN0JWcXIrSVVQcDBGbkY1bjlsL0tI?=
 =?utf-8?B?UUt4d2FXeFlNVExsYXRDUGFWRHN0bHFHU2RVZ3lOSG4wbVhIVkl4bHlTRzdF?=
 =?utf-8?B?bzB4Qzc0MGVFMzh3bHgxZUZtVjljdW9LU1Q4Q1YrWCtQdVFLeHR3TVJTVm5M?=
 =?utf-8?B?dXh4MGVoLzZLaE5ZWHZRVTQwN2tqMjVFV29UcFBrbEViODFhamplTHArLzVM?=
 =?utf-8?B?K3AvWTBIZkdQR0NPT3lvOWdOajUyOWZLNHZYT0hVZU9mQjc2N2l4K05Jckw1?=
 =?utf-8?B?M2tSMkt0d2IydFM4Ny9xUTdndVl4c2wvYVRuSGRLMmt1WUo1ZFBmVXJWMWxs?=
 =?utf-8?B?K3k1OVI3djY2NWpSU2Q4QUYvaGNFR21yNnJXcHhvQkhBL3lyQVo3aTdkdGV1?=
 =?utf-8?B?RFRwRkxseEtib0ZDczkzczZweCtodjBsdzY4QTlXRTJiSUhLMm9lbDJzaDJr?=
 =?utf-8?B?RjFqd1h6QytGekYzSUlkQXE1djNIN21QOFN1cU5pWERHRUNNSHRCNGpoVUpa?=
 =?utf-8?B?MGUxWnJvUFo3RGpPYWZaZVdIWG9TMmU2aWVESHNaYzcxRXZOeUZVd0U3c0JM?=
 =?utf-8?B?enJMNEhmbGw2RW0rS2hMNUdMeFFJVGVmWDBWN0xieFZIcFBEU29HSGszQWhB?=
 =?utf-8?B?cXAwS0M1WHVMZmV4enFpODJ5cVRzNmFuNnk2UXJEOVBJanRFM0JaZ1ZDRmt6?=
 =?utf-8?B?bmJlV2dFNWthOURobWdzbGRscGwweEVmeEJXT0ZtempJRFdOVXMwMW1OVDE5?=
 =?utf-8?B?S2c5bUN4dnN2N2ZZaVZwQlJGeHlKVloyN1FlMXdBZ1RKdDVKZlRIV0NRZUFP?=
 =?utf-8?B?RERYSFpHMElORzM3cXZEeS9HcnZnQ0p3QlZXd09YdTZjbnR3WFkrNkVQU1B1?=
 =?utf-8?B?TzQycEsrL0I1NDlSMXpVcjFOdXQzbk5pRFc2WVpld3NQYWltYWExR1RSSk0r?=
 =?utf-8?B?bGZlWlVDZ3hlT29Yak14QjhrOUJlNTNPcE9IS1BLc0dVb09xenJLL3lkVjZD?=
 =?utf-8?B?YkRWa0szVzlGd1k5R2Y2NEdLdm1GZUwxNGM5N1p0TFREbmdWSTNnRTdVd1Y2?=
 =?utf-8?B?aStIZXZ0eklNZjhjT21MYzNtL2loZmVSdFV6dCtOL3VhU0tKemIyczJwZ0d6?=
 =?utf-8?Q?o=3D?=
X-Microsoft-Exchange-Diagnostics: 1;DB6PR0701MB2359;6:UlOz5WgnVCz7+UUmbXFW+tfefYnRaj+BmVyMMdIOoroQ4PdPx7JXAQbuMapldVeJcbhsgNHJLuRU5bY9DB23qmDKtWnvNWG0pWZOkeMkpqb6O38mBC82f7pzDn2WBBhsCtJbPyGjndZXZgh2Su0uI2rDd6yILcuURN2FGxMzkDJ9WxTxktD1u1+d7CsTWzjfx/p6Jkw9pRpQ4bibzilu3yaCHHZI2YJwGSfWTBJdJVB7P/eQkj1OZkyEn8yoDwc1Ycw+Ce8+1IZXqftTp4byfXLIz6FW3S7UByGio3JJJDNSyK4/LnmIRvJUD70rIZN2+ZsiCSYHQ5UtKki7+uIs+cKUenyzgY0pjEKjgTh3iev3dgA/RA1KLxcZ+pg5DWM0UFAFEQ3cmi2Phxcho8afgYxj0m/OnZUQv1+lvLwYY7g=;5:YgP1pFH5T8rzDD2Fuc8vluWZdkna+HMYVTH2oOeyMoOh3uzcmkkdX5/zjU0uCXlMN1rZl+wVwq1N+P0mo7dkY1LJXrnnRmi7wy7xnWPgAlOuVNXwAaCDTKtGiiA8tsrq0xL5FZM0YqfNdN2ULt0rtkLaK94lxFE8udVyNY/foY4=;24:hlkphf+t9CfaJ0YZyZCGgcSEe/HmIv+XoA9Dbh49NaTnz0CKzkHR/W69B0QL3vjrZ2BuiXhH9jvH3M+6w1rlF1QAnaSt4zV6gX58Kg1gse0=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1;DB6PR0701MB2359;7:x5lcoyOMPniMX4/0Z10GQs+KXAhuI4PvF0aVETwNRaI2jtHHGFRhnbiibiKEIaOC+ohVR6TaZvz//O0pOsrgUtk8965COltnKhdCMv9wgLLWA1emWrhxEEj9B0Xp34yVYY1Ddpq4WzMtuAeaUkc3aHe3A7cWsgllDhuyLMbsGep3eZbCZckXp3FFo2W2j+fspEuwA8I5FD0ZWeV+CBLcl+z20VAcD4Nf744zEEfM7gpOnPg+qoJKWaBpWHXenoEmRdB29sTQWoKdGpNeJvsaH/h8V/Fr1JBk4zFif5trbcoNXw81DC5pVHfD8bN9x2fJmY+Hk1I92uK4tLSI3CKcsg==
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Mar 2017 19:32:55.3430 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0701MB2359
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1468
Lines: 42

On 31.03.2017 21:26, Linus Torvalds wrote:
> Hmm. Thinking more about this, we do allow access to the first 1MB of
> physical memory unconditionally (see devmem_is_allowed() in
> arch/x86/mm/init.c). And I think we only _reserve_ the first 64kB or
> something. So I guess even STRICT_DEVMEM isn't actually all that
> strict.
>
> So this should be visible even *with* STRICT_DEVMEM.
>
> Does a simple
>
>      sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
>
> also show the same issue? Maybe regardless of STRICT_DEVMEM?

Yep, it is enough to trigger the bug.

Also crashes with the fedora kernel that has STRICT_DEVMEM:

$ sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
Segmentation fault

[   73.224025] usercopy: kernel memory exposure attempt detected from 
ffff893a80059000 (dma-kmalloc-16) (4096 bytes)
[   73.224049] ------------[ cut here ]------------
[   73.224056] kernel BUG at mm/usercopy.c:75!
[   73.224060] invalid opcode: 0000 [#1] SMP
[   73.224237] CPU: 5 PID: 2860 Comm: dd Not tainted 
4.9.14-200.fc25.x86_64 #1


> Maybe we should change devmem_is_allowed() to return a ternary value,
> and then have it be "allow access" (for reserved pages), "disallow
> access" (for various random stuff), and "just read zero" (for pages in
> the low 1M that aren't marked reserved).
>
> That way things like that read the low 1M (like x86info) will
> hopefully not be unhappy, but also won't be reading random kernel
> data.
>
>               Linus
>