On Tue, May 24, 2016 at 3:48 PM, Andy Lutomirski <l...@kernel.org> wrote:
> This series hardens x86's uaccess code a bit. It adds warnings for
> some screwups, adds an OOPS for a major exploitable screwup, and it
> improves debuggability a bit by indicating non-default fs in oopses.
>
> It shouldn't cause any new OOPSes except in the particularly
> dangerous case where the kernel faults on a kernel address under
> USER_DS, which indicates that an access_ok is missing and is likely
> to be easily exploitable -- OOPSing will make it harder to exploit.
>
> I have some draft patches to force OOPSes on user address accesses
> under KERNEL_DS (which is a big no-no), but I'd rather make those
> warn instead of OOPSing, and I don't have a good implementation of
> that yet. Those patches aren't part of this series.
>
> Andy Lutomirski (7):
>   x86/xen: Simplify set_aliased_prot
>   x86/extable: Pass error_code and an extra unsigned long to exhandlers
>   x86/uaccess: Give uaccess faults their own handler
>   x86/dumpstack: If addr_limit is non-default, display it
>   x86/uaccess: Warn on uaccess faults other than #PF
>   x86/uaccess: Don't fix up USER_DS uaccess faults to kernel addresses
>   x86/uaccess: OOPS or warn on a fault with KERNEL_DS and
>     !pagefault_disabled()
Reviewed-by: Kees Cook <keesc...@chromium.org>

I'm going to see what this does to lib/test_user_copy.c ... I might have
to move it into lkdtm.c if there is an added Oops condition.

-Kees

--
Kees Cook
Chrome OS & Brillo Security
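A user-space model of the three fault-handling rules the cover letter describes (warn on non-#PF uaccess traps, refuse to fix up USER_DS faults on kernel addresses, flag KERNEL_DS faults with page faults enabled), added here as an illustration; it is not code from this series or from the kernel. The TASK_SIZE value, the USER_DS/KERNEL_DS encoding, the choice to "warn" rather than "OOPS" in the KERNEL_DS case, and the names model_access_ok and classify_uaccess_fault are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not kernel code: user addresses live below TASK_SIZE,
 * kernel addresses above it. addr_limit is the task's USER_DS or KERNEL_DS. */
#define MODEL_TASK_SIZE   0x00007ffffffff000ULL   /* assumed x86_64 layout */
#define MODEL_USER_DS     MODEL_TASK_SIZE
#define MODEL_KERNEL_DS   (~0ULL)
#define X86_TRAP_PF       14                      /* #PF vector */

enum fixup_action { FIXUP_SILENT, FIXUP_WARN, FIXUP_OOPS };

/* access_ok(): the whole [addr, addr+size) range must sit under addr_limit.
 * A range that wraps around the address space is rejected outright. */
static bool model_access_ok(uint64_t addr, uint64_t size, uint64_t addr_limit)
{
    if (size == 0)
        return addr <= addr_limit;
    if (addr + size - 1 < addr)          /* wrap-around */
        return false;
    return addr + size - 1 <= addr_limit;
}

/* Decide what the uaccess fault handler should do for a fault taken inside
 * a uaccess helper, following the rules in the series description. */
static enum fixup_action classify_uaccess_fault(int trapnr, uint64_t fault_addr,
                                                uint64_t addr_limit,
                                                bool pagefault_disabled)
{
    /* Only #PF is an expected uaccess fault; anything else (e.g. #GP) is
     * fixed up but warned about. */
    if (trapnr != X86_TRAP_PF)
        return FIXUP_WARN;

    /* Under USER_DS a fault on a kernel address can only happen if the
     * caller skipped access_ok(): do not fix it up, OOPS instead. */
    if (addr_limit == MODEL_USER_DS && fault_addr >= MODEL_TASK_SIZE)
        return FIXUP_OOPS;

    /* Under KERNEL_DS with page faults enabled, a fault means a bad kernel
     * pointer reached a copy routine. The series says "OOPS or warn"; this
     * model warns (an assumption). */
    if (addr_limit == MODEL_KERNEL_DS && !pagefault_disabled)
        return FIXUP_WARN;

    return FIXUP_SILENT;                 /* ordinary -EFAULT fix-up */
}
```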