On Tue, Jun 27, 2017 at 12:26 PM, Jason A. Donenfeld <ja...@zx2c4.com> wrote:
> On Tue, Jun 27, 2017 at 9:22 PM, Andi Kleen <a...@linux.intel.com> wrote:
>> Who would actually set mmap_min_addr incorrectly?
>
> Historically there have been quite a few bypasses of mmap_min_addr,
> actually. This is well-trodden ground.
Targeting things in /proc/sys via confused privileged helpers is
extremely common. See Chrome OS pwn2own exploits (targeting modprobe
sysctl), and plenty of others. Modern attack methodology is rarely a
single-bug attack, but rather a chain of bugs, which may include
producing or exploiting weak userspace configurations to soften the
kernel.

Regardless, it's a fair point that checking this unconditionally is
wasteful. Strangely this doesn't help:

- BUG_ON(release == NULL);
+ if (!__builtin_constant_p(release))
+ BUG_ON(release == NULL);

When nearly all callers pass a function directly:

...
drivers/block/rbd.c: kref_put(&spec->kref, rbd_spec_free);
drivers/char/hw_random/core.c: kref_put(&rng->ref, cleanup_rng);
drivers/char/ipmi/ipmi_msghandler.c: kref_put(&e->intf->refcount, intf_free);
...

Hmmm

-Kees

--
Kees Cook
Pixel Security
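Review bot: the guard `if (!__builtin_constant_p(release))` in the quoted hunk skips the NULL check for every compile-time-constant `release`, a literal NULL included, so a caller that passes a constant NULL now gets past kref_put with no BUG_ON at all instead of the check being made cheaper. If the intent is to drop only the runtime cost for callers that pass a function directly, keep the constant case checked at build time, e.g. `else BUILD_BUG_ON(release == NULL);`, so only the non-constant case pays the runtime BUG_ON. It is also worth confirming with the object code that `__builtin_constant_p(release)` actually folds to 1 for a function address once kref_put is inlined into those callers; if it evaluates to 0 there, the runtime check is still emitted everywhere, which would match the "this doesn't help" observation above.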