[kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support
Kees Cook
keescook at chromium.org
Sat Jul 9 10:07:34 PDT 2016
On Fri, Jul 8, 2016 at 11:17 PM, <Valdis.Kletnieks at vt.edu> wrote:
> Yeah, 'ping' dies with a similar traceback going to rawv6_setsockopt(),
> and 'trinity' dies a horrid death during initialization because it creates
> some sctp sockets to fool around with. The problem in all these cases is that
> setsockopt uses copy_from_user() to pull in the option value, and the allocation
> isn't tagged with USERCOPY to whitelist it.
Just a note to clear up confusion: this series doesn't include the
whitelist protection, so this appears to be either bugs in the slub
checker or bugs in the code using the cfq_io_cq cache. I suspect the
former. :)
-Kees
--
Kees Cook
Chrome OS & Brillo Security