[PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode

Andy Lutomirski luto at kernel.org
Fri May 12 16:15:56 PDT 2017


On Mon, May 8, 2017 at 1:48 PM, Al Viro <viro at zeniv.linux.org.uk> wrote:
> On Mon, May 08, 2017 at 04:06:35PM +0200, Jann Horn wrote:
>
>> I think Kees might be talking about
>> https://bugs.chromium.org/p/project-zero/issues/detail?id=822, fixed in
>> commit e6978e4bf181fb3b5f8cb6f71b4fe30fbf1b655c. The issue was that
>> perf code that can run in pretty much any context called access_ok().
>
> And that commit has *NOT* solved the problem.  perf_callchain_user()
> can be called synchronously, without passing through that code.
> Tracepoint shite...
>
> That set_fs() should be done in get_perf_callchain(), just around the call of
> perf_callchain_user().  Along with pagefault_disable(), actually.
>

Even that's not quite enough because of a different issue: perf NMIs
can hit during scheduling or when we're in lazy mm, leading to the
entirely wrong set of page tables being used.  We need
nmi_uaccess_begin() and nmi_uaccess_end(), and the former needs to be
allowed to fail.

AFAIK this isn't presently a security problem because it mainly
affects kernel threads, and you need to be root to profile them, but
maybe there's some race where it does matter.


