Re: [x86/uaccess] 5b710f34e1: kernel BUG at mm/usercopy.c:75!

From: Linus Torvalds
Date: Wed Aug 17 2016 - 17:31:08 EST

Next message: John Stultz: "Re: [PATCH] selftests/timers: Add missing error code assignment before test"
Previous message: Linus Torvalds: "Re: RFC: Petition Intel/AMD to add POPF_IF insn"
In reply to: Kees Cook: "Re: [x86/uaccess] 5b710f34e1: kernel BUG at mm/usercopy.c:75!"
Next in thread: Kees Cook: "Re: [x86/uaccess] 5b710f34e1: kernel BUG at mm/usercopy.c:75!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 17, 2016 at 2:25 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> I had forwarded this bug Rik's way since the page-cross checking was
> suggested by him. I'm happy to drop it; it was a suggested improvement
> that was suspected to be safe (none of the folks testing this ran into
> it and we saw no report during its time in -next). I can prepare a
> patch if there isn't a better way to detect this kind of allocation.
> (FWIW, slab is handled separately.)

I can't think of any sane way to notice it normally.

Yes, with __GFP_COMPOUND you get the compound flag bits set, but as
mentioned, that's a special case for the large page VM handling, and
not applicable in general.

Very few things do higher order allocations outside of slab and the
task struct. But it does happen. Even fewer of those then have
contents that might get copied to user space, but it clearly happens
at least for _one_ case, and I can't convince myself that there might
not be other cases too..

Linus

Next message: John Stultz: "Re: [PATCH] selftests/timers: Add missing error code assignment before test"
Previous message: Linus Torvalds: "Re: RFC: Petition Intel/AMD to add POPF_IF insn"
In reply to: Kees Cook: "Re: [x86/uaccess] 5b710f34e1: kernel BUG at mm/usercopy.c:75!"
Next in thread: Kees Cook: "Re: [x86/uaccess] 5b710f34e1: kernel BUG at mm/usercopy.c:75!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]