[PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode

Al Viro viro at ZenIV.linux.org.uk
Mon May 8 13:48:58 PDT 2017


On Mon, May 08, 2017 at 04:06:35PM +0200, Jann Horn wrote:

> I think Kees might be talking about
> https://bugs.chromium.org/p/project-zero/issues/detail?id=822, fixed in
> commit e6978e4bf181fb3b5f8cb6f71b4fe30fbf1b655c. The issue was that
> perf code that can run in pretty much any context called access_ok().

And that commit has *NOT* solved the problem.  perf_callchain_user()
can be called synchronously, without passing through that code.
Tracepoint shite...

That set_fs() should be done in get_perf_callchain(), just around the call of
perf_callchain_user().  Along with pagefault_disable(), actually.

BTW, that's a nice example demonstrating why doing that on the kernel
boundary is wrong.  Wider (in theory) area being "protected" => easier
to miss the ways not crossing its border.
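The scoping argument above can be shown with a small user-space model. This is an added example, not part of the original message and not kernel code: `addr_limit`, `access_ok()` and the path functions are simplified stand-ins, and the `USER_DS` value and sample addresses are constructed.

```c
/* User-space model (constructed, not kernel code) of address-limit scoping. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_DS   0x0000800000000000ULL /* model value: top of user space */
#define KERNEL_DS UINT64_MAX            /* model value: no limit at all */

static uint64_t addr_limit = USER_DS;   /* stand-in for the task's address limit */
static int pagefault_disabled;          /* stand-in for the pagefault_disable() count */

/* Model of access_ok(): the whole range must lie below the current limit. */
static bool access_ok(uint64_t addr, uint64_t size)
{
    return size <= addr_limit && addr <= addr_limit - size;
}

/* Model of perf_callchain_user(): would it read the frame at this pointer? */
static bool callchain_user_would_read(uint64_t frame_ptr)
{
    return access_ok(frame_ptr, 16);
}

/* Hypothetical synchronous caller that bypasses a fix made on another path. */
static bool sync_path_unscoped(uint64_t frame_ptr)
{
    return callchain_user_would_read(frame_ptr);
}

/* Limit forced directly around the user walk, so every caller is covered. */
static bool get_callchain_scoped(uint64_t frame_ptr)
{
    uint64_t old = addr_limit;
    bool ok;

    addr_limit = USER_DS;               /* models set_fs(USER_DS) */
    pagefault_disabled++;               /* models pagefault_disable() */
    ok = callchain_user_would_read(frame_ptr);
    pagefault_disabled--;               /* models pagefault_enable() */
    addr_limit = old;                   /* models set_fs(old) */
    return ok;
}

int main(void)
{
    uint64_t kaddr = 0xffff888000001000ULL; /* constructed kernel-range address */
    addr_limit = KERNEL_DS;                 /* caller is running with a widened limit */
    printf("unscoped=%d scoped=%d\n", sync_path_unscoped(kaddr), get_callchain_scoped(kaddr));
    return 0;
}
```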


