www.infradead.org Git - users/jedix/linux-maple.git/commit
mm: Tighten x86 /dev/mem with zeroing reads
author Kees Cook <keescook@chromium.org>
Wed, 5 Apr 2017 16:39:08 +0000 (09:39 -0700)
committer Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Wed, 13 Sep 2017 15:57:53 +0000 (08:57 -0700)
commit fe452c4e2899cbb73cad17f46d1311a1d952db62
tree 5df42030d6fcf5b5e80e20f087e932ca2510eeb3
parent dcfd7c2e2b698bcbd4d1d88723c9a4e3cfdc1eab
mm: Tighten x86 /dev/mem with zeroing reads

Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
disallowed. However, on x86, the first 1MB was always allowed for BIOS
and similar things, regardless of it actually being System RAM. It was
possible for heap to end up getting allocated in low 1MB RAM, and then
read by things like x86info or dd, which would trip hardened usercopy:

usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)

This changes the x86 exception for the low 1MB by reading back zeros for
System RAM areas instead of blindly allowing them. More work is needed to
extend this to mmap, but currently mmap doesn't go through usercopy, so
hardened usercopy won't Oops the kernel.

Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
(cherry picked from commit a4866aa812518ed1a37d8ea0c881dc946409de94)

Orabug: 25917914
CVE: CVE-2017-7889

Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
arch/x86/mm/init.c
drivers/char/mem.c
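
The read policy described in the commit message, as a user-space model added here for illustration; it is not the kernel patch or any code from this commit. The memory map, `phys_byte`, `strict_policy` and `model_read` are hypothetical names with constructed data, and the model assumes page-granular decisions and `-EPERM` on a denied page.

```c
#include <errno.h>
#include <string.h>

#define PAGE_SZ 4096UL
#define LOW_1MB 0x100000UL

/* Constructed memory map: which physical ranges are System RAM. */
struct region { unsigned long start, end; int is_ram; };
static const struct region memmap[] = {
    { 0x00000000UL, 0x0009f000UL, 1 },  /* low RAM, heap may land here */
    { 0x0009f000UL, 0x00100000UL, 0 },  /* BIOS / ROM area, not RAM    */
    { 0x00100000UL, 0x00400000UL, 1 },  /* ordinary System RAM         */
};
enum verdict { DENY, COPY, ZERO };

/* Stand-in for physical memory contents: always a non-zero byte. */
static unsigned char phys_byte(unsigned long pa) { return (unsigned char)((pa * 31u + 7u) | 1u); }

static int page_is_ram(unsigned long pa) {
    for (size_t i = 0; i < sizeof memmap / sizeof memmap[0]; i++)
        if (pa >= memmap[i].start && pa < memmap[i].end)
            return memmap[i].is_ram;
    return 0;
}

/* Strict policy: non-RAM is readable; RAM below 1MB reads back as zeros
 * instead of being exposed; RAM above 1MB is refused. */
static enum verdict strict_policy(unsigned long pa) {
    if (!page_is_ram(pa)) return COPY;
    return pa < LOW_1MB ? ZERO : DENY;
}

/* Model of a /dev/mem read that applies the policy one page at a time. */
static long model_read(unsigned long pa, unsigned char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        size_t chunk = PAGE_SZ - (pa % PAGE_SZ);
        if (chunk > len - done) chunk = len - done;
        switch (strict_policy(pa)) {
        case DENY: return -EPERM;
        case ZERO: memset(buf + done, 0, chunk); break;
        case COPY:
            for (size_t i = 0; i < chunk; i++)
                buf[done + i] = phys_byte(pa + i);
            break;
        }
        pa += chunk; done += chunk;
    }
    return (long)done;
}
```

A read that straddles 0x9f000 in this model returns zeros for the RAM page and real bytes for the BIOS page, so tools that scan the low 1MB keep working without seeing heap contents.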