On Wed, May 22, 2013 at 2:07 PM, Andy Lutomirski <l...@amacapital.net> wrote: > Currently, __get_user can't trigger an OOPS -- any exception will be > caught and return -EFAULT. This means that, if an access_ok check is > missing somewhere, then an attacker can freely use it to probe for valid > kernel mappings. > > This series annotates all of the exception fixups as "catch anything" or > "catch valid uaccess faults", and skips the fixup (and hence oopses) if > an instruction of the latter type faults for any reason other than a > page fault to a user address. > > I know of only one bug of this type; it's fixed in patch 5. > > Perhaps surprisingly, this seems to survive Trinity fairly well. > > Andy Lutomirski (5): > x86: Split "utter crap" pnpbios fixup out of fixup_exception > x86: Clean up extable entry format (and free up a bit) > x86: Annotate _ASM_EXTABLE users to distinguish uaccess from > everything else > x86: Don't fixup uaccess faults to kernel or non-canonical addresses > net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
Patch 5 is (for better or for worse) in -linus now. What's the status of the other four? (They're certainly not 3.10 material.) --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
