Date: Fri, 10 Nov 2017 16:45:29 +0100
From: Michael Holzheu
To: Kees Cook
Cc: Arnd Bergmann, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, Heiko Carstens, Martin Schwidefsky, Vasily Gorbik
Subject: Does CONFIG_HARDENED_USERCOPY break /dev/mem?
Organization: IBM
Message-Id: <20171110164529.14db25d6@TP-holzheu>

Hello Kees,

When I try to run the crash tool on my s390 live system I get a kernel
panic when reading memory within the kernel image:

# uname -a
Linux r3545011 4.14.0-rc8-00066-g1c9dbd4615fd #45 SMP PREEMPT Fri Nov 10 16:16:22 CET 2017 s390x s390x s390x GNU/Linux
# crash /boot/vmlinux-devel /dev/mem
crash> rd 0x100000

usercopy: kernel memory exposure attempt detected from 0000000000100000 (<kernel text>) (8 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:72!
illegal operation: 0001 ilc:1 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1461 Comm: crash Not tainted 4.14.0-rc8-00066-g1c9dbd4615fd-dirty #46
Hardware name: IBM 2827 H66 706 (z/VM 6.3.0)
task: 000000001ad10100 task.stack: 000000001df78000
Krnl PSW : 0704d00180000000 000000000038165c (__check_object_size+0x164/0x1d0)
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
Krnl GPRS: 0000000012440e1d 0000000080000000 0000000000000061 00000000001cabc0
           00000000001cc6d6 0000000000000000 0000000000cc4ed2 0000000000001000
           000003ffc22fdd20 0000000000000008 0000000000100008 0000000000000001
           0000000000000008 0000000000100000 0000000000381658 000000001df7bc90
Krnl Code: 000000000038164c: c020004a1c4a	larl	%r2,cc4ee0
           0000000000381652: c0e5fff2581b	brasl	%r14,1cc688
          #0000000000381658: a7f40001		brc	15,38165a
          >000000000038165c: eb42000c000c	srlg	%r4,%r2,12
           0000000000381662: eb32001c000c	srlg	%r3,%r2,28
           0000000000381668: c0110003ffff	lgfi	%r1,262143
           000000000038166e: ec31ff752065	clgrj	%r3,%r1,2,381558
           0000000000381674: a7f4ff67		brc	15,381542
Call Trace:
([<0000000000381658>] __check_object_size+0x160/0x1d0)
 [<000000000082263a>] read_mem+0xaa/0x130
 [<0000000000386182>] __vfs_read+0x42/0x168
 [<000000000038632e>] vfs_read+0x86/0x140
 [<0000000000386a26>] SyS_read+0x66/0xc0
 [<0000000000ace6a4>] system_call+0xc4/0x2b0
INFO: lockdep is turned off.
Last Breaking-Event-Address:
 [<0000000000381658>] __check_object_size+0x160/0x1d0
Kernel panic - not syncing: Fatal exception: panic_on_oops

With CONFIG_HARDENED_USERCOPY copy_to_user() checks in __check_object_size()
if the source address is within the kernel image:

- __check_object_size() -> check_kernel_text_object():

/* Is this address range in the kernel text area? */
static inline const char *check_kernel_text_object(const void *ptr,
						   unsigned long n)
{
	unsigned long textlow = (unsigned long)_stext;
	unsigned long texthigh = (unsigned long)_etext;
	unsigned long textlow_linear, texthigh_linear;

	if (overlaps(ptr, n, textlow, texthigh))
		return "<kernel text>";

When the crash tool reads from 0x100000, this check leads to the kernel
BUG() in drivers/char/mem.c:

	} else {
		/*
		 * On ia64 if a page has been mapped somewhere as
		 * uncached, then it must also be accessed uncached
		 * by the kernel or data corruption may occur.
		 */
		ptr = xlate_dev_mem_ptr(p);
		if (!ptr)
			return -EFAULT;

		remaining = copy_to_user(buf, ptr, sz);   <<<---- BUG

		unxlate_dev_mem_ptr(p, ptr);
	}

Here is the reporting function in mm/usercopy.c:

 61 static void report_usercopy(const void *ptr, unsigned long len,
 62 			    bool to_user, const char *type)
 63 {
 64 	pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
 65 		to_user ? "exposure" : "overwrite",
 66 		to_user ? "from" : "to", ptr, type ? : "unknown", len);
 67 	/*
 68 	 * For greater effect, it would be nice to do do_group_exit(),
 69 	 * but BUG() actually hooks all the lock-breaking and per-arch
 70 	 * Oops code, so that is used here instead.
 71 	 */
 72 	BUG();
 73 }

Shouldn't we skip the kernel address check for /dev/mem - at least when
CONFIG_STRICT_DEVMEM is not enabled?

Michael
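As an added illustration (not code from this mail or from the kernel tree), here is a user-space C model of the check that panics in the report above: overlaps() and check_kernel_text_object() are written with the same semantics as mm/usercopy.c, _stext/_etext are constructed stand-ins, and devmem_read_first_bug() walks a /dev/mem read in page-bounded chunks the way read_mem() does, returning the first chunk whose copy_to_user() would trip the kernel-text check. It also shows the less obvious case of a read that starts below the image and only dies once it reaches the page containing _stext.

```c
/* Added example, not code from the mail or the kernel: user-space model of the
 * CONFIG_HARDENED_USERCOPY kernel-text check as read_mem() hits it. */
#include <stdbool.h>
#include <stdio.h>
#define PAGE_SIZE 4096UL
/* Constructed stand-ins for _stext/_etext (the s390 image in the mail starts at 0x100000). */
static const unsigned long k_stext = 0x100000UL;
static const unsigned long k_etext = 0x900000UL;

/* Same semantics as overlaps() in mm/usercopy.c: does [ptr, ptr+n) meet [low, high)? */
static bool overlaps(unsigned long ptr, unsigned long n,
                     unsigned long low, unsigned long high)
{
	unsigned long check_high = ptr + n;
	/* No overlap only if the range lies entirely above or entirely below. */
	if (ptr >= high || check_high <= low)
		return false;
	return true;
}

/* Mirror of check_kernel_text_object(): a non-NULL name means
 * __check_object_size() would call report_usercopy() and BUG(). */
static const char *check_kernel_text_object(unsigned long ptr, unsigned long n)
{
	return overlaps(ptr, n, k_stext, k_etext) ? "<kernel text>" : NULL;
}

/* Walk a /dev/mem read the way read_mem() does, one page-bounded chunk
 * (size_inside_page) at a time; return the physical address of the first
 * chunk whose copy_to_user() would trip the check, or -1 if the read passes. */
static long devmem_read_first_bug(unsigned long p, unsigned long count)
{
	while (count > 0) {
		unsigned long sz = PAGE_SIZE - (p & (PAGE_SIZE - 1));
		if (sz > count)
			sz = count;
		if (check_kernel_text_object(p, sz))
			return (long)p;
		p += sz;
		count -= sz;
	}
	return -1;
}

int main(void)
{
	printf("rd 0x100000 (8 bytes): BUG chunk at %#lx\n",
	       (unsigned long)devmem_read_first_bug(0x100000UL, 8));
	printf("read 0xff000+0x2000:   BUG chunk at %#lx\n",
	       (unsigned long)devmem_read_first_bug(0xff000UL, 0x2000));
	return 0;
}
```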