oss-sec mailing list archives

Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access


From: Yann Droneaud <ydroneaud () opteya com>
Date: Thu, 02 Apr 2015 15:30:31 +0200

Hi,

On Thursday, 02 April 2015 at 10:52 +0000, Shachar Raindel wrote:
-----Original Message-----
From: Yann Droneaud [mailto:ydroneaud () opteya com]
Sent: Thursday, April 02, 2015 1:05 PM
On Wednesday, 18 March 2015 at 17:39 +0000, Shachar Raindel wrote:

+ /*
+  * If the combination of the addr and size requested for this
memory
+  * region causes an integer overflow, return error.
+  */
+ if ((PAGE_ALIGN(addr + size) <= size) ||
+     (PAGE_ALIGN(addr + size) <= addr))
+         return ERR_PTR(-EINVAL);
+
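Review bot: the comment above the `if` describes only the integer-overflow case, but because the test uses `<=` it also rejects `size == 0` whenever `addr` is page-aligned (then `PAGE_ALIGN(addr + size) == addr`) and `addr == 0` whenever `size` is page-aligned; either extend the comment to say these degenerate ranges are refused on purpose or add an explicit `if (size == 0)` check so the intent is visible. `PAGE_ALIGN(addr + size)` is also evaluated twice; computing it once into a local (e.g. `unsigned long end = PAGE_ALIGN(addr + size);`) reads better and makes the second wrap-around path easier to see: `PAGE_ALIGN()` itself rounds to 0 when `addr + size` lands in the last page of the address space, which is why `end <= size` is needed in addition to `end <= addr`. Finally, this only catches arithmetic wrap-around; nothing in this hunk checks that the range lies in user address space, so that guarantee has to come from get_user_pages() or an access_ok()-style test elsewhere.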

Can access_ok() be used here?

         if (!access_ok(writable ? VERIFY_WRITE : VERIFY_READ,
                        addr, size))
                  return ERR_PTR(-EINVAL);


No, this will break the current ODP semantics.

ODP allows the user to register memory that is not accessible yet.
This is a critical design feature, as it allows avoiding holding
a registration cache. Adding this check will break the behavior,
forcing memory to be all accessible when registering an ODP MR.


Where's the check for the range being in the userspace memory space,
especially for the ODP case?

For the non-ODP case (e.g. plain old behavior), does get_user_pages()
ensure the requested pages fit in the userspace region on all
architectures? I think so.

In the ODP case, I'm not sure such a check is ever done?
(Aside, does it take special measures to protect shared mappings from
being read and/or *written*?)

Regards.

-- 
Yann Droneaud
OPTEYA
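As an added illustration (not code from the patch or from either message), the following stand-alone C program models the quoted overflow test on a 64-bit address space next to an access_ok()-style userspace-range test, to make concrete which inputs each one rejects. PAGE_SIZE and TASK_SIZE_MAX are assumed illustrative values for x86_64 with 4K pages, not taken from the thread.

```c
/*
 * Added example, not from the patch or the thread: models the quoted
 * overflow check and a separate userspace-range check side by side.
 * PAGE_SIZE and TASK_SIZE_MAX are illustrative x86_64 values (assumption).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
/* Same rounding as the kernel macro: wraps to 0 if x lies in the last page. */
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
/* Assumed top of user space (illustrative, x86_64 with 4-level paging). */
#define TASK_SIZE_MAX ((uint64_t)0x00007ffffffff000ULL)

/* Mirrors the condition in the quoted hunk: true when the MR must be rejected. */
bool umem_range_overflows(uint64_t addr, uint64_t size)
{
	uint64_t end = PAGE_ALIGN(addr + size);
	return end <= size || end <= addr;
}

/* What an access_ok()-style test adds and the hunk does not:
 * a non-empty range that lies entirely below the user/kernel split. */
bool umem_range_in_userspace(uint64_t addr, uint64_t size)
{
	return size != 0 && addr <= TASK_SIZE_MAX && size <= TASK_SIZE_MAX - addr;
}

int main(void)
{
	/* Constructed sample ranges. */
	struct { uint64_t addr, size; } cases[] = {
		{ 0x7f0000001000ULL, 0x4000 },      /* ordinary user range */
		{ 0x7f0000001000ULL, UINT64_MAX },  /* addr + size wraps */
		{ 0xfffffffffffff000ULL, 0x800 },   /* PAGE_ALIGN() itself wraps to 0 */
		{ 0xffff880000001000ULL, 0x1000 },  /* kernel address, no overflow */
		{ 0x7f0000001000ULL, 0 },           /* zero-length, page-aligned addr */
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("addr=%#018llx size=%#llx overflow=%d in_user=%d\n",
		       (unsigned long long)cases[i].addr,
		       (unsigned long long)cases[i].size,
		       umem_range_overflows(cases[i].addr, cases[i].size),
		       umem_range_in_userspace(cases[i].addr, cases[i].size));
	return 0;
}
```

The fourth case is the one the thread is about: a kernel address with no arithmetic wrap-around passes the overflow test and is only refused by the range test.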
