Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Al Viro
On Mon, Jul 16, 2018 at 12:03:39AM +0200, Ingo Molnar wrote: > > * Jann Horn wrote: > > > - A malicious user can pass an arbitrary file to a setuid binary as > > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > > be something normal, like a proper file or a pipe) then ca

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Linus Torvalds
On Sun, Jul 15, 2018 at 6:33 PM Jann Horn wrote: > > +Linus, Andy, Al from the other thread > > On Mon, Jul 16, 2018 at 12:03 AM Ingo Molnar wrote: > > > > BTW., a naive question: would it make sense to simply disallow 'special' > > fds to be passed to setuid binaries, and fix any user-space that

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Jann Horn
+Linus, Andy, Al from the other thread On Mon, Jul 16, 2018 at 12:03 AM Ingo Molnar wrote: > * Jann Horn wrote: > > > - A malicious user can pass an arbitrary file to a setuid binary as > > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > > be something normal, like a pr

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-15 Thread Ingo Molnar
* Jann Horn wrote: > - A malicious user can pass an arbitrary file to a setuid binary as > stdin/stdout/stderr. When the setuid binary (expecting stdin/stdout to > be something normal, like a proper file or a pipe) then calls read(0, > , ), if the kernel disregards the length argument and writ

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-09 Thread Andy Shevchenko
On Mon, 2018-07-09 at 09:41 +0200, Jann Horn wrote: > On Mon, Jul 9, 2018 at 8:53 AM Andy Shevchenko > wrote: > > > > On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > > > Don't access the provided buffer out of bounds - this can cause a > > > kernel > > > out-of-bounds read when invoked thro

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-09 Thread Jann Horn
On Mon, Jul 9, 2018 at 8:53 AM Andy Shevchenko wrote: > > On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > > Don't access the provided buffer out of bounds - this can cause a > > kernel > > out-of-bounds read when invoked through sys_splice() or other things > > that > > use kernel_write()/__

Re: [PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-08 Thread Andy Shevchenko
On Fri, 2018-07-06 at 23:50 +0200, Jann Horn wrote: > Don't access the provided buffer out of bounds - this can cause a > kernel > out-of-bounds read when invoked through sys_splice() or other things > that > use kernel_write()/__kernel_write(). > Can you elaborate a bit this change? Only few pl

[PATCH] x86/mtrr: don't copy out-of-bounds data in mtrr_write

2018-07-06 Thread Jann Horn
Don't access the provided buffer out of bounds - this can cause a kernel out-of-bounds read when invoked through sys_splice() or other things that use kernel_write()/__kernel_write(). Fixes: 7f8ec5a4f01a ("x86/mtrr: Convert to use strncpy_from_user() helper") Signed-off-by: Jann Horn --- arch/x8