    fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() · da3b2246
    Heiko Carstens authored
    commit d0290bc2 upstream.
    
    Commit df04abfd ("fs/proc/kcore.c: Add bounce buffer for ktext
    data") added a bounce buffer to avoid hardened usercopy checks.  Copying
    to the bounce buffer was implemented with a simple memcpy() assuming
    that it is always valid to read from kernel memory iff the
    kern_addr_valid() check passed.
    
    A simple, but pointless, test case like "dd if=/proc/kcore of=/dev/null"
    now can easily crash the kernel, since the former exception handling on
    invalid kernel addresses now doesn't work anymore.
    
    Also adding a kern_addr_valid() implementation wouldn't help here.  Most
    architectures simply return 1 here, while a couple implemented a page
    table walk to figure out if something is mapped at the address in
    question.
    
    With DEBUG_PAGEALLOC active mappings are established and removed all the
    time, so that relying on the result of kern_addr_valid() before
    executing the memcpy() also doesn't work.
    
    Therefore simply use probe_kernel_read() to copy to the bounce buffer.
    This also allows to simplify read_kcore().
    
    At least on s390 this fixes the observed crashes and doesn't introduce
    warnings that were removed with df04abfd ("fs/proc/kcore.c: Add
    bounce buffer for ktext data"), even though the generic
    probe_kernel_read() implementation uses uaccess functions.
    
    While looking into this I'm also wondering if kern_addr_valid() could be
    completely removed...(?)
    
    Link: http://lkml.kernel.org/r/20171202132739.99971-1-heiko.carstens@de.ibm.com
    Fixes: df04abfd ("fs/proc/kcore.c: Add bounce buffer for ktext data")
    Fixes: f5509cc1 ("mm: Hardened usercopy")
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Al Viro <viro@ZenIV.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>