On Wed, Mar 22, 2017 at 1:44 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > On Wed, Mar 22, 2017 at 1:38 PM, Thomas Garnier <thgarnie@xxxxxxxxxx> wrote: >> This patch ensures a syscall does not return to user-mode with a kernel >> address limit. If that happened, a process can corrupt kernel-mode >> memory and elevate privileges. >> >> For example, it would mitigation this bug: >> >> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990 >> >> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect >> state will result in a BUG_ON. > > I'm a bit confused about this choice of configurability. I can see > two sensible choices: > > 1. Enable this hardening feature: BUG if there's an exploitable bug. > > 2. Don't enable it at all. > > While it's possible that silently papering over the bug is slightly > faster than BUGging, it will allow bugs to continue to exist > undetected. We can default to BUGging. I think my approach was avoiding doing a BUG_ON just to avoid breaking people. > > --Andy -- Thomas -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
