original_kernel/fs
Heiko Carstens d0290bc20d fs/proc/kcore.c: use probe_kernel_read() instead of memcpy()
Commit df04abfd18 ("fs/proc/kcore.c: Add bounce buffer for ktext
data") added a bounce buffer to avoid hardened usercopy checks.  Copying
to the bounce buffer was implemented with a simple memcpy() assuming
that it is always valid to read from kernel memory iff the
kern_addr_valid() check passed.

A simple, but pointless, test case like "dd if=/proc/kcore of=/dev/null"
now can easily crash the kernel, since the former execption handling on
invalid kernel addresses now doesn't work anymore.

Also adding a kern_addr_valid() implementation wouldn't help here.  Most
architectures simply return 1 here, while a couple implemented a page
table walk to figure out if something is mapped at the address in
question.

With DEBUG_PAGEALLOC active mappings are established and removed all the
time, so that relying on the result of kern_addr_valid() before
executing the memcpy() also doesn't work.

Therefore simply use probe_kernel_read() to copy to the bounce buffer.
This also allows to simplify read_kcore().

At least on s390 this fixes the observed crashes and doesn't introduce
warnings that were removed with df04abfd18 ("fs/proc/kcore.c: Add
bounce buffer for ktext data"), even though the generic
probe_kernel_read() implementation uses uaccess functions.

While looking into this I'm also wondering if kern_addr_valid() could be
completely removed...(?)

Link: http://lkml.kernel.org/r/20171202132739.99971-1-heiko.carstens@de.ibm.com
Fixes: df04abfd18 ("fs/proc/kcore.c: Add bounce buffer for ktext data")
Fixes: f5509cc18d ("mm: Hardened usercopy")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-02-06 18:32:43 -08:00
..
9p
adfs
affs
afs
autofs4 Merge branch 'userns-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2018-01-30 14:43:12 -08:00
befs
bfs
btrfs Documentation updates for 4.16. New stuff includes refcount_t 2018-01-31 19:25:25 -08:00
cachefiles
ceph Documentation updates for 4.16. New stuff includes refcount_t 2018-01-31 19:25:25 -08:00
cifs Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
coda Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
configfs
cramfs
crypto fscrypt: fix build with pre-4.6 gcc versions 2018-02-01 10:51:18 -05:00
debugfs
devpts devpts: fix error handling in devpts_mntget() 2018-01-31 08:48:37 -08:00
dlm Merge branch 'work.sock_recvmsg' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 18:59:03 -08:00
ecryptfs Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
efivarfs
efs
exofs Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
exportfs
ext2 Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
ext4 Refactor support for encrypted symlinks to move common code to fscrypt. 2018-02-04 10:43:12 -08:00
f2fs Refactor support for encrypted symlinks to move common code to fscrypt. 2018-02-04 10:43:12 -08:00
fat
freevxfs
fscache
fuse Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
gfs2 gfs2: Glock dump performance regression fix 2018-02-01 11:27:11 -07:00
hfs
hfsplus
hostfs
hpfs
hugetlbfs hugetlb: implement memfd sealing 2018-01-31 17:18:39 -08:00
isofs
jbd2
jffs2 Documentation updates for 4.16. New stuff includes refcount_t 2018-01-31 19:25:25 -08:00
jfs Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
kernfs Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
lockd
minix
nfs Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
nfs_common
nfsd
nilfs2
nls
notify Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
ntfs
ocfs2 ocfs2: return error when we attempt to access a dirty bh in jbd2 2018-01-31 17:18:35 -08:00
omfs
openpromfs
orangefs Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
overlayfs ovl: check ERR_PTR() return value from ovl_encode_fh() 2018-02-05 09:50:29 +01:00
proc fs/proc/kcore.c: use probe_kernel_read() instead of memcpy() 2018-02-06 18:32:43 -08:00
pstore
qnx4
qnx6
quota
ramfs
reiserfs
romfs
squashfs
sysfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk 2018-02-01 13:36:15 -08:00
sysv
tracefs
ubifs Refactor support for encrypted symlinks to move common code to fscrypt. 2018-02-04 10:43:12 -08:00
udf
ufs Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
xfs Changes since last update: 2018-02-05 13:35:56 -08:00
Kconfig Staging/IIO patches for 4.16-rc1 2018-02-01 09:51:57 -08:00
Kconfig.binfmt
Makefile
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c
buffer.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c
coredump.c
dax.c Only miscellaneous cleanups and bug fixes for ext4 this cycle. 2018-02-03 13:49:22 -08:00
dcache.c Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs 2018-02-05 13:05:20 -08:00
dcookies.c
direct-io.c
drop_caches.c
eventfd.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
eventpoll.c
exec.c
fcntl.c shmem: rename functions that are memfd-related 2018-01-31 17:18:39 -08:00
fhandle.c
file.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
file_table.c
filesystems.c
fs-writeback.c
fs_pin.c
fs_struct.c
inode.c
internal.h
ioctl.c
iomap.c
libfs.c
locks.c
mbcache.c
mount.h
mpage.c
namei.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
namespace.c
no-block.c
nsfs.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-30 17:58:07 -08:00
read_write.c
readdir.c
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c
super.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-01-31 09:25:20 -08:00
sync.c
timerfd.c
userfaultfd.c userfaultfd: convert to use anon_inode_getfd() 2018-01-31 17:18:39 -08:00
utimes.c
xattr.c