Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault

From: Andrey Konovalov
Date: Sun Jun 22 2025 - 19:45:51 EST

Next message: Yury Norov: "[PATCH v2 0/4] smp: Improve on cpumasks handling"
Previous message: Jassi Brar: "Re: [PATCH] mailbox: stop the release and reacquire of the chan lock"
In reply to: Sabyrzhan Tasbolatov: "Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault"
Next in thread: David Hildenbrand: "Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Jun 22, 2025 at 9:09 PM Sabyrzhan Tasbolatov
<snovitoll@xxxxxxxxx> wrote:
>
> I haven't verified this, but theoretically, it's a handy
> “write-anywhere-safely” ROP gadget.
> Assume the attacker has already gained an arbitrary RW primitive
> via a UAF/OOB bug. Instead of stitching together
> prepare_kernel_cred() + commit_creds(), which is a common path
> of using exported symbols to achieve privilege escalation.
> This path needs two symbols and register juggling.
> With exported copy_to_kernel_nofault() they can do this:
>
> /* Pseudocode of exploit for a ROP stage running in kernel context */
> struct cred *cred = leaked_pointer;
> rop_call(copy_to_kernel_nofault, &cred->uid, &zero, 4)
>
> copy_to_kernel_nofault() disables page-faults around the write,
> so even if cred corupts a guard-page, the write will not crash.

Attacker can use copy_to_kernel_nofault without it being exported as well.

So I'd say this patch is more of a clean-up of exports.

Next message: Yury Norov: "[PATCH v2 0/4] smp: Improve on cpumasks handling"
Previous message: Jassi Brar: "Re: [PATCH] mailbox: stop the release and reacquire of the chan lock"
In reply to: Sabyrzhan Tasbolatov: "Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault"
Next in thread: David Hildenbrand: "Re: [PATCH v2] mm: unexport globally copy_to_kernel_nofault"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]