[PATCH v4 1/4] syscalls: Restore address limit after a syscall
thgarnie at google.com
Wed Mar 22 13:49:51 PDT 2017
On Wed, Mar 22, 2017 at 1:44 PM, Andy Lutomirski <luto at amacapital.net> wrote:
> On Wed, Mar 22, 2017 at 1:38 PM, Thomas Garnier <thgarnie at google.com> wrote:
>> This patch ensures a syscall does not return to user-mode with a kernel
>> address limit. If that happened, a process can corrupt kernel-mode
>> memory and elevate privileges.
>> For example, it would mitigation this bug:
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
>> state will result in a BUG_ON.
> I'm a bit confused about this choice of configurability. I can see
> two sensible choices:
> 1. Enable this hardening feature: BUG if there's an exploitable bug.
> 2. Don't enable it at all.
> While it's possible that silently papering over the bug is slightly
> faster than BUGging, it will allow bugs to continue to exist
We can default to BUGging. I think my approach was avoiding doing a
BUG_ON just to avoid breaking people.
More information about the linux-arm-kernel