From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Brad Spengler <spender@grsecurity.net>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Kernel Panic
Date: Fri, 9 Dec 2016 13:56:14 +0100 [thread overview]
Message-ID: <CAHmME9oQ5HJb937HOwJJbAhaORuFpz5cRp=fhLV=u8rEUST5PA@mail.gmail.com> (raw)
In-Reply-To: <20161209121144.GA31448@grsecurity.net>
On Fri, Dec 9, 2016 at 1:11 PM, Brad Spengler <spender@grsecurity.net> wrote:
> It's not potentially, it is trouble. That code didn't use to be there
> btw, that optimization was introduced sometime between 3.14 and 4.4.
> So you could take your pick I guess, either that code is wrong or yours
> is wrong ;) As a third-party module generally that makes your code
> "wrong" (because it being fixed in 4.9 won't help all the other versions
> out there that exist) but I do indeed pass through the original buffer
> through the rest of the function, as it's only the virt_to_page that's
> the problem.
It was added with v4.0-6954-g74412fd5d71b, so I guess this means it
arrived at 4.1.
Quite clearly the kernel code is "wrong", since the vast majority of
other callers in the kernel also use it with the quite reasonable
assumption that simple memcpy is stack-safe. When all of the consumers
assume a function will work in a particular way, and then upstream
tries to "optimize" the function and breaks things, that usually means
it's a problem with the optimization, not with the consumers.
Anyway, what I suspect the upstream response will be is that since
this is just a check of equality of addresses, with no dereferencing,
it will always (?) just be false for stack addresses, and so there's
no functional detriment, despite it being not correct. Or some boring
reasoning along these lines.
But anyway, splitting hairs... I'll monitor the grsec changelog and
ping the guy on the wireguard mailing list who ran into the issue when
it's fixed.
next prev parent reply other threads:[~2016-12-09 12:50 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-06 6:23 Samuel Holland
2016-12-06 18:19 ` Jason A. Donenfeld
2016-12-06 18:26 ` Samuel Holland
2016-12-06 18:31 ` Jason A. Donenfeld
2016-12-06 22:39 ` Jason A. Donenfeld
2016-12-07 0:44 ` PaX Team
2016-12-07 10:38 ` Jason A. Donenfeld
[not found] ` <CAHmME9pVCDu88c6n+LV9Mtd5Ohu8o-7RSQB4kRjsHGRQ3jF8zw@mail.gmail.com>
[not found] ` <20161208231626.GA5230@grsecurity.net>
2016-12-09 11:17 ` Jason A. Donenfeld
[not found] ` <20161209121144.GA31448@grsecurity.net>
2016-12-09 12:56 ` Jason A. Donenfeld [this message]
2016-12-09 13:27 ` Jason A. Donenfeld
2016-12-09 15:54 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHmME9oQ5HJb937HOwJJbAhaORuFpz5cRp=fhLV=u8rEUST5PA@mail.gmail.com' \
--to=jason@zx2c4.com \
--cc=spender@grsecurity.net \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).