On Wed, Mar 29, 2023 at 07:13:22PM +0200, Oleg Nesterov wrote:
> On 03/28, Gregory Price wrote:
> >
> > Not sure how I should proceed here,
>
> Can't we just kill this access_ok() in set_syscall_user_dispatch() ?
> I don't think it buys too much.
>
> Oleg.
>
> diff --git a/kernel/entry/syscall_user_dispatch.c b/kernel/entry/syscall_user_dispatch.c
> index 0b6379adff6b..d2e516ece52b 100644
> --- a/kernel/entry/syscall_user_dispatch.c
> +++ b/kernel/entry/syscall_user_dispatch.c
> @@ -43,11 +43,7 @@ bool syscall_user_dispatch(struct pt_regs *regs)
> return false;
>
> if (likely(sd->selector)) {
> - /*
> - * access_ok() is performed once, at prctl time, when
> - * the selector is loaded by userspace.
> - */
> - if (unlikely(__get_user(state, sd->selector))) {
> + if (unlikely(get_user(state, sd->selector))) {
> force_exit_sig(SIGSEGV);
> return true;
> }
> @@ -86,9 +82,6 @@ int set_syscall_user_dispatch(unsigned long mode, unsigned long offset,
> if (offset && offset + len <= offset)
> return -EINVAL;
>
> - if (selector && !access_ok(selector, sizeof(*selector)))
> - return -EFAULT;
> -
> break;
> default:
> return -EINVAL;
>
The result of this would be either a task calling via prctl or a tracer
calling via ptrace would be capable of setting selector to a bad pointer
and producing a SIGSEGV on the next system call.
It's a pretty small footgun, but maybe that's reasonable?
>From a user perspective, debugging this behavior would be nightmarish.
Your call to prctl/ptrace would succeed and the process would continue
to execute until the next syscall - at which point you incur a SIGSEGV,
and depending on the syscall that could mean anything?
Everything feels bad here lol.
~Gregory
