Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 5b679d4ad7a64a43e6e29a3fe634230bdeb1397b
commit5b679d4ad7a64a43e6e29a3fe634230bdeb1397b[log] [tgz]
authorKees Cook <keescook@chromium.org>Wed Apr 05 09:39:08 2017 -0700
committerChristian Hoffmann <chrmhoffmann@gmail.com>Sun Aug 13 11:59:36 2017 +0000
treeb99bd20aca295fec1de0ed1986719c6f42a3d3d5
parent5adef27fb000469465dc93ce414909a2c338a17f [diff]
mm: Tighten x86 /dev/mem with zeroing reads

Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is
disallowed. However, on x86, the first 1MB was always allowed for BIOS
and similar things, regardless of it actually being System RAM. It was
possible for heap to end up getting allocated in low 1MB RAM, and then
read by things like x86info or dd, which would trip hardened usercopy:

usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)

This changes the x86 exception for the low 1MB by reading back zeros for
System RAM areas instead of blindly allowing them. More work is needed to
extend this to mmap, but currently mmap doesn't go through usercopy, so
hardened usercopy won't Oops the kernel.

Change-Id: I1a24ac2c12c8e89d1a5a6360cc752db28c99cb2c
Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
2 files changed
tree: b99bd20aca295fec1de0ed1986719c6f42a3d3d5
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS