Date: Fri, 31 Aug 2018 10:04:41 +0200
From: Borislav Petkov
To: Jann Horn
Cc: Thomas Gleixner, linux-kernel@vger.kernel.org, Kees Cook
Subject: Re: [PATCH] x86/dumpstack: fix address space casting in show_opcodes()
Message-ID: <20180831080441.GB3354@nazgul.tnic>
References: <20180830194736.210039-1-jannh@google.com>
In-Reply-To: <20180830194736.210039-1-jannh@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 30, 2018 at 09:47:36PM +0200, Jann Horn wrote:
> I sloppily passed a kernel-typed pointer to __range_not_ok(), and sparse
> doesn't like that.
> Make `prologue` a __user pointer (to protect against accidental
> dereferences) and force-cast it to a kernel pointer when calling
> probe_kernel_read(), which will then immediately force-cast it back to a
> user pointer.

Yeah, that's some crazy casting. Can we define a local __user pointer only for the check instead? It is less casting and looks simpler and actually even easier to understand what we're doing...

---
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 605c60b1624f..9c5a15491108 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -97,14 +97,17 @@ void show_opcodes(struct pt_regs *regs, const char *loglvl) #define OPCODE_BUFSIZE (PROLOGUE_SIZE + 1 + EPILOGUE_SIZE) u8 opcodes[OPCODE_BUFSIZE]; u8 *prologue = (u8 *)(regs->ip - PROLOGUE_SIZE); - bool bad_ip; + bool bad_ip = false; /* * Make sure userspace isn't trying to trick us into dumping kernel * memory by pointing the userspace instruction pointer at it. */ - bad_ip = user_mode(regs) && - __range_not_ok(prologue, OPCODE_BUFSIZE, TASK_SIZE_MAX); + if (user_mode(regs)) { + u8 __user *up = (u8 __user *)prologue; + + bad_ip = __range_not_ok(up, OPCODE_BUFSIZE, TASK_SIZE_MAX); + } if (bad_ip || probe_kernel_read(opcodes, prologue, OPCODE_BUFSIZE)) { printk("%sCode: Bad RIP value.\n", loglvl); -- Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --
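Review bot: the plain cast `u8 __user *up = (u8 __user *)prologue;` changes the pointer's address space without `__force`, so sparse will most likely still emit a "cast adds address space" warning at this line, which is the class of warning the original patch set out to silence; writing it as `(u8 __force __user *)prologue` keeps the local-variable approach and makes the deliberate address-space change explicit. The rest of the hunk preserves the intended check: `bad_ip` is now initialised to `false` because it is only assigned inside the `user_mode(regs)` branch, and a user-mode RIP still has to pass `__range_not_ok(up, OPCODE_BUFSIZE, TASK_SIZE_MAX)` before `probe_kernel_read()` is allowed to touch the bytes, so user space cannot point RIP at kernel memory to have it dumped.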