1a4fb51a8b
I found the following pattern that leads in to interesting findings: grep -r "ret.*|=.*__put_user" * grep -r "ret.*|=.*__get_user" * grep -r "ret.*|=.*__copy" * The __put_user() calls in compat_ioctl.c, ptrace compat, signal compat, since those appear in compat code, we could probably expect the kernel addresses not to be reachable in the lower 32-bit range, so I think they might not be exploitable. For the "__get_user" cases, I don't think those are exploitable: the worse that can happen is that the kernel will copy kernel memory into in-kernel buffers, and will fail immediately afterward. The alpha csum_partial_copy_from_user() seems to be missing the access_ok() check entirely. The fix is inspired from x86. This could lead to information leak on alpha. I also noticed that many architectures map csum_partial_copy_from_user() to csum_partial_copy_generic(), but I wonder if the latter is performing the access checks on every architectures. Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Richard Henderson <rth@twiddle.net> Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> Cc: Matt Turner <mattst88@gmail.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Oleg Nesterov <oleg@redhat.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Makefile | ||
| apc.c | ||
| asm-offsets.c | ||
| audit.c | ||
| auxio_32.c | ||
| auxio_64.c | ||
| btext.c | ||
| central.c | ||
| cherrs.S | ||
| chmc.c | ||
| compat_audit.c | ||
| cpu.c | ||
| cpumap.c | ||
| cpumap.h | ||
| devices.c | ||
| dma.c | ||
| ds.c | ||
| dtlb_miss.S | ||
| dtlb_prot.S | ||
| ebus.c | ||
| entry.S | ||
| entry.h | ||
| etrap_32.S | ||
| etrap_64.S | ||
| fpu_traps.S | ||
| ftrace.c | ||
| getsetcc.S | ||
| head_32.S | ||
| head_64.S | ||
| helpers.S | ||
| hvapi.c | ||
| hvcalls.S | ||
| hvtramp.S | ||
| idprom.c | ||
| iommu.c | ||
| iommu_common.h | ||
| ioport.c | ||
| irq.h | ||
| irq_32.c | ||
| irq_64.c | ||
| itlb_miss.S | ||
| ivec.S | ||
| jump_label.c | ||
| kernel.h | ||
| kgdb_32.c | ||
| kgdb_64.c | ||
| kprobes.c | ||
| kstack.h | ||
| ktlb.S | ||
| ldc.c | ||
| led.c | ||
| leon_kernel.c | ||
| leon_pci.c | ||
| leon_pci_grpci1.c | ||
| leon_pci_grpci2.c | ||
| leon_pmc.c | ||
| leon_smp.c | ||
| mdesc.c | ||
| misctrap.S | ||
| module.c | ||
| nmi.c | ||
| of_device_32.c | ||
| of_device_64.c | ||
| of_device_common.c | ||
| of_device_common.h | ||
| pci.c | ||
| pci_common.c | ||
| pci_fire.c | ||
| pci_impl.h | ||
| pci_msi.c | ||
| pci_psycho.c | ||
| pci_sabre.c | ||
| pci_schizo.c | ||
| pci_sun4v.c | ||
| pci_sun4v.h | ||
| pci_sun4v_asm.S | ||
| pcic.c | ||
| pcr.c | ||
| perf_event.c | ||
| pmc.c | ||
| power.c | ||
| process_32.c | ||
| process_64.c | ||
| prom.h | ||
| prom_32.c | ||
| prom_64.c | ||
| prom_common.c | ||
| prom_irqtrans.c | ||
| psycho_common.c | ||
| psycho_common.h | ||
| ptrace_32.c | ||
| ptrace_64.c | ||
| reboot.c | ||
| rtrap_32.S | ||
| rtrap_64.S | ||
| sbus.c | ||
| setup_32.c | ||
| setup_64.c | ||
| signal32.c | ||
| signal_32.c | ||
| signal_64.c | ||
| sigutil.h | ||
| sigutil_32.c | ||
| sigutil_64.c | ||
| smp_32.c | ||
| smp_64.c | ||
| sparc_ksyms_32.c | ||
| sparc_ksyms_64.c | ||
| spiterrs.S | ||
| sstate.c | ||
| stacktrace.c | ||
| starfire.c | ||
| sun4d_irq.c | ||
| sun4d_smp.c | ||
| sun4m_irq.c | ||
| sun4m_smp.c | ||
| sun4v_ivec.S | ||
| sun4v_tlb_miss.S | ||
| sys32.S | ||
| sys_sparc32.c | ||
| sys_sparc_32.c | ||
| sys_sparc_64.c | ||
| syscalls.S | ||
| sysfs.c | ||
| systbls.h | ||
| systbls_32.S | ||
| systbls_64.S | ||
| tadpole.c | ||
| time_32.c | ||
| time_64.c | ||
| trampoline_32.S | ||
| trampoline_64.S | ||
| traps_32.c | ||
| traps_64.c | ||
| tsb.S | ||
| ttable_32.S | ||
| ttable_64.S | ||
| una_asm_32.S | ||
| una_asm_64.S | ||
| unaligned_32.c | ||
| unaligned_64.c | ||
| utrap.S | ||
| vio.c | ||
| viohs.c | ||
| visemul.c | ||
| vmlinux.lds.S | ||
| windows.c | ||
| winfixup.S | ||
| wof.S | ||
| wuf.S | ||