Re: [RFC][PATCH] mm: Tighten x86 /dev/mem with zeroing

From: Tommi Rantala
Date: Thu Apr 06 2017 - 10:25:52 EST

Next message: Andrew Lunn: "Re: [PATCH 4/4] net: dsa: LAN9303: add MDIO managed mode support"
Previous message: Joerg Roedel: "[PATCH] x86/mpx, selftests: Only check bounds-vs-shadow when we keep shadow"
In reply to: Kees Cook: "[RFC][PATCH] mm: Tighten x86 /dev/mem with zeroing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 06.04.2017 03:00, Kees Cook wrote:

This changes the x86 exception for the low 1MB by reading back zeros for
RAM areas instead of blindly allowing them. (It may be possible for heap
to end up getting allocated in low 1MB RAM, and then read out, possibly
tripping hardened usercopy.)

Unfinished: this still needs mmap support.

Reported-by: Tommi Rantala <tommi.t.rantala@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
Tommi, can you check and see if this fixes what you're seeing? I want to
make sure this actually works first. (x86info uses seek/read not mmap.)

Hi, I can confirm that it works (after adding CONFIG_STRICT_DEVMEM), no more kernel bugs when running x86info.

open("/dev/mem", O_RDONLY) = 3
lseek(3, 1038, SEEK_SET) = 1038
read(3, "\300\235", 2) = 2
lseek(3, 646144, SEEK_SET) = 646144
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 1043, SEEK_SET) = 1043
read(3, "w\2", 2) = 2
lseek(3, 645120, SEEK_SET) = 645120
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 654336, SEEK_SET) = 654336
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1024) = 1024
lseek(3, 983040, SEEK_SET) = 983040
read(3, "IFE$\245S\0\0\1\0\0\0\0\360y\0\0\360\220\260\30\237{=\23\10\17\0000\276\17\0"..., 65536) = 65536
lseek(3, 917504, SEEK_SET) = 917504
read(3, "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"..., 65536) = 65536
lseek(3, 524288, SEEK_SET) = 524288
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536) = 65536
lseek(3, 589824, SEEK_SET) = 589824
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 65536) = 65536

dd works too:

# LANG=C dd if=/dev/mem of=/dev/null bs=4096 count=256
256+0 records in
256+0 records out
1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0874073 s, 12.0 MB/s

---

arch/x86/mm/init.c | 41 +++++++++++++++++++--------
drivers/char/mem.c | 82 ++++++++++++++++++++++++++++++++++--------------------
2 files changed, 82 insertions(+), 41 deletions(-)

Next message: Andrew Lunn: "Re: [PATCH 4/4] net: dsa: LAN9303: add MDIO managed mode support"
Previous message: Joerg Roedel: "[PATCH] x86/mpx, selftests: Only check bounds-vs-shadow when we keep shadow"
In reply to: Kees Cook: "[RFC][PATCH] mm: Tighten x86 /dev/mem with zeroing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]