Pavel Machek | 20 Aug 2001 22:06

Re: [TRIVIAL] Warn users about machines with non-working WP bit

Hi!

> >I just get another idea, that might be easier to get right. If
> >the only problem is one process changing the mm while another
> >process is doing a copy_to_user, we should be able to fix it by
> >placing a readlock on the mm while the copy_to_user is in progress.
> >  
> >
> Yes, that would work. copy_to_user is never called with the mmap 
> semaphore locked, i.e.
> 
> #define copy_to_user(...)
>         down(&current->mm->mmap_sem);
>         check_wp_bit();
>         real_copy_to_user();
>         up(&current->mm->mmap_sem)
> 
> verify_area would just check that the pointer is below TASK_SIZE, and 
> the wp bit is checked within copy_to_user().
> 
> But how many 80386 Linux systems that run the 2.4 kernel exist?

Many embedded boxes, I believe, have modern 386 CPUs.
								Pavel
--

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.
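The thread above (and the message below it, which describes the mprotect() race) sketches the fix only as a macro. The following is an added example, not code from the thread or from the Linux kernel: a small user-space model in which an "mm" is a table of per-page permissions guarded by a reader/writer lock standing in for mmap_sem. The copy verifies the destination pages and performs the copy while holding the read side, so an mprotect() on the write side cannot flip a page to read-only in the middle of the copy, which is the corruption the thread describes for an 80386 that ignores the WP bit in ring 0. Names such as `check_wp_bit`, `verify_area` and `do_mprotect`, the page table layout, and the choice to report lock contention as -EBUSY instead of sleeping are all assumptions of the model; the real copy_to_user() returns the number of bytes not copied, not an errno.

```c
/* Added example, not from the thread: user-space model of "check the WP
 * bit and copy under the same lock" so mprotect() cannot race the copy. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define NR_PAGES   8                 /* constructed toy address space */
#define PROT_READ  1
#define PROT_WRITE 2

/* Model of mmap_sem. A real rwsem sleeps; here contention returns -EBUSY
 * so the model stays single threaded and the invariant is still testable. */
struct rwsem { int readers; int writer; };
static int  down_read(struct rwsem *s)  { if (s->writer) return -EBUSY; s->readers++; return 0; }
static void up_read(struct rwsem *s)    { s->readers--; }
static int  down_write(struct rwsem *s) { if (s->writer || s->readers) return -EBUSY; s->writer = 1; return 0; }
static void up_write(struct rwsem *s)   { s->writer = 0; }

struct mm {
    struct rwsem  mmap_sem;
    int           prot[NR_PAGES];               /* per-page PROT_* bits */
    unsigned char mem[NR_PAGES * PAGE_SIZE];    /* backing store for the "user" pages */
};

/* verify_area(): only the range check, exactly as the thread says. */
static int verify_area(unsigned long addr, unsigned long len)
{
    unsigned long end = addr + len;
    if (end < addr || end > NR_PAGES * PAGE_SIZE) return -EFAULT;
    return 0;
}

/* The software WP check the thread wants inside copy_to_user(): every page
 * the copy touches must be writable. Must be called with mmap_sem held. */
static int check_wp_bit(const struct mm *mm, unsigned long addr, unsigned long len)
{
    for (unsigned long p = addr >> PAGE_SHIFT; p <= (addr + len - 1) >> PAGE_SHIFT; p++)
        if (!(mm->prot[p] & PROT_WRITE)) return -EFAULT;
    return 0;
}

/* copy_to_user() as sketched in the thread: down(); check; copy; up().
 * Returns 0 or -errno (simplification of the kernel's bytes-not-copied). */
static long copy_to_user(struct mm *mm, unsigned long to, const void *from, unsigned long n)
{
    int err;
    if (n == 0) return 0;
    if ((err = verify_area(to, n)) != 0) return err;
    if ((err = down_read(&mm->mmap_sem)) != 0) return err;
    err = check_wp_bit(mm, to, n);
    if (err == 0)
        memcpy(mm->mem + to, from, n);          /* real_copy_to_user() */
    up_read(&mm->mmap_sem);                     /* protections frozen until here */
    return err;
}

/* mprotect() takes the write side, so it cannot run while a copy is in flight. */
static int do_mprotect(struct mm *mm, unsigned long addr, unsigned long len, int prot)
{
    int err;
    if (len == 0) return 0;
    if ((err = verify_area(addr, len)) != 0) return err;
    if ((err = down_write(&mm->mmap_sem)) != 0) return err;
    for (unsigned long p = addr >> PAGE_SHIFT; p <= (addr + len - 1) >> PAGE_SHIFT; p++)
        mm->prot[p] = prot;
    up_write(&mm->mmap_sem);
    return 0;
}

static void mm_init(struct mm *mm)
{
    memset(mm, 0, sizeof *mm);
    for (int p = 0; p < NR_PAGES; p++) mm->prot[p] = PROT_READ | PROT_WRITE;
}

/* Walks the scenario from the thread. Returns 0 if every step behaves,
 * otherwise the number of the step that failed. */
static int wp_race_model(void)
{
    static struct mm mm;
    const char msg[] = "hello";                 /* constructed payload */
    mm_init(&mm);
    if (copy_to_user(&mm, 2 * PAGE_SIZE, msg, sizeof msg) != 0) return 1;
    if (memcmp(mm.mem + 2 * PAGE_SIZE, msg, sizeof msg) != 0) return 2;
    if (do_mprotect(&mm, 2 * PAGE_SIZE, PAGE_SIZE, PROT_READ) != 0) return 3;
    if (copy_to_user(&mm, 2 * PAGE_SIZE, msg, sizeof msg) != -EFAULT) return 4;     /* now read-only */
    if (copy_to_user(&mm, 2 * PAGE_SIZE - 2, msg, sizeof msg) != -EFAULT) return 5; /* straddles into it */
    if (down_read(&mm.mmap_sem) != 0) return 6;                                     /* a copy "in progress" */
    if (do_mprotect(&mm, 0, PAGE_SIZE, PROT_READ) != -EBUSY) return 7;              /* cannot change prots */
    up_read(&mm.mmap_sem);
    if (do_mprotect(&mm, 0, PAGE_SIZE, PROT_READ) != 0) return 8;                   /* allowed once released */
    return 0;
}

int main(void)
{
    int step = wp_race_model();
    printf(step == 0 ? "model holds\n" : "model failed at step %d\n", step);
    return step != 0;
}
```

The point of the model is the ordering inside copy_to_user(): the permission check is worthless if the copy happens after the lock is dropped, because a second thread's mprotect() can then succeed between the check and the write. Holding the read side across both is what turns the check into an actual guarantee.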

Pavel Machek | 20 Aug 2001 22:03

Re: [TRIVIAL] Warn users about machines with non-working WP bit

Hi!

> >   From: Manfred Spraul <manfred@colorfullife.com>
> >   Date: Tue, 06 Aug 2002 11:17:33 +0200
> >
> >   > -		printk("No.\n");
> >   > +		printk("No (that's security hole).\n");
> >   >  #ifdef CONFIG_X86_WP_WORKS_OK
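Review bot: the new string "No (that's security hole).\n" is missing an article; suggest "No (that's a security hole).\n". Since the question immediately asked is what the hole actually is, a message that names the consequence, that copy_to_user() can write into write-protected user pages on an 80386, would tell the user more than the bare label does.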
> >   
> >   Could you explain the hole?
> >   WP works for user space apps, only ring0 (or ring 0-2?) code
> >   ignores the WP bit on i386.
> >
> >So copy_to_user() could write to user areas that are write-protected.
> >
> >verify_area() checks aren't enough, consider a threaded application
> >calling mprotect() while the copy is in progress.

> Then we should either fix copy_to_user(), or mark 80386 unsupported, or 
> disable multi-threading on 80386. It's a random memory corruption, far 
> worse than a security hole.

Fortunately the app has to be seriously misbehaving for this to happen. Fixing
copy_to_user would be nicest; I do not think dropping 386 because of *this*
is a good idea... [But it might force 386 users to fix copy_to_user ;-)]

									Pavel
--

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.

Pavel Machek | 20 Aug 2001 22:45

Re: [PATCH] APM fix for 2.4.20pre1

Hi!

>  <at>  <at>  -897,10 +889,11  <at>  <at> 
>  	 */
>  #ifdef CONFIG_SMP
>  	/* Some bioses don't like being called from CPU != 0 */
> -	while (cpu_number_map(smp_processor_id()) != 0) {
> -		kernel_thread(apm_magic, NULL,
> -			CLONE_FS | CLONE_FILES | CLONE_SIGHAND | SIGCHLD);
> +	if (cpu_number_map(smp_processor_id()) != 0) {
> +		current->cpus_allowed = 1;
>  		schedule();
> +		if (unlikely(cpu_number_map(smp_processor_id()) != 0))
> +			BUG();
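Review bot: replacing the while loop with a single if means the code now relies on one schedule() call migrating the task to CPU 0; if the scheduler does not move it on that pass, the new BUG() fires where the old loop would simply have retried. Consider keeping a loop around schedule(), and write the check as BUG_ON(cpu_number_map(smp_processor_id()) != 0) as the reply suggests. Also, current->cpus_allowed = 1 overwrites the task's previous affinity mask with no restore visible in this hunk; save the old value and put it back once the BIOS call is done.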

BUG_ON()?
								Pavel
--

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.