> On 31.03.2017 21:26, Linus Torvalds wrote:
>> Hmm. Thinking more about this, we do allow access to the first 1MB of
>> physical memory unconditionally (see devmem_is_allowed() in
>> arch/x86/mm/init.c). And I think we only _reserve_ the first 64kB or
>> something. So I guess even STRICT_DEVMEM isn't actually all that
>> strict.
>>
>> So this should be visible even *with* STRICT_DEVMEM.
>>
>> Does a simple
>>
>>     sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
>>
>> also show the same issue? Maybe regardless of STRICT_DEVMEM?
>
> Yep, it is enough to trigger the bug.
> Also crashes with the fedora kernel that has STRICT_DEVMEM:
>
> $ sudo dd if=/dev/mem of=/dev/null bs=4096 count=256
> Segmentation fault
>
> [ 73.224025] usercopy: kernel memory exposure attempt detected from ffff893a80059000 (dma-kmalloc-16) (4096 bytes)
> [ 73.224049] ------------[ cut here ]------------
> [ 73.224056] kernel BUG at mm/usercopy.c:75!
> [ 73.224060] invalid opcode: 0000 [#1] SMP
> [ 73.224237] CPU: 5 PID: 2860 Comm: dd Not tainted 4.9.14-200.fc25.x86_64 #1
Maybe we should change devmem_is_allowed() to return a ternary value,
and then have it be "allow access" (for reserved pages), "disallow
access" (for various random stuff), and "just read zero" (for pages in
the low 1M that aren't marked reserved).
That way things that read the low 1M (like x86info) will
hopefully not be unhappy, but also won't be reading random kernel
data.
Linus
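The three-way policy sketched above, as an added userland model (not kernel code, and not from anyone in this thread): devmem_is_allowed() returns allow / deny / read-zero, and a simplified read_mem() copies, zero-fills, or refuses accordingly. The page size, the 64kB reserved range and the backing memory are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <errno.h>

/* Added example, not kernel code: a userland model of the three-way
 * devmem_is_allowed() policy proposed above. Page size, the reserved
 * range and the backing memory are all constructed for the demo. */
#define DEMO_PAGE_SHIFT 12
#define DEMO_PAGE_SIZE  (1UL << DEMO_PAGE_SHIFT)
#define LOW_1M_PFN      (0x100000UL >> DEMO_PAGE_SHIFT)  /* 256 pages */
#define DEMO_NPAGES     (LOW_1M_PFN + 8)                 /* a few pages above 1M */

enum devmem_policy { DEVMEM_DENY = 0, DEVMEM_ALLOW = 1, DEVMEM_READ_ZERO = 2 };

/* Stand-in for the kernel's reserved-page check: only the first 64kB
 * (16 pages) counts as reserved here, per "we only reserve the first 64kB". */
static int page_is_reserved(unsigned long pfn) { return pfn < 16; }

/* Ternary policy: reserved -> allow, unreserved low-1M -> read as zero,
 * everything else (where allocations such as dma-kmalloc live) -> deny. */
static enum devmem_policy devmem_is_allowed(unsigned long pfn)
{
    if (page_is_reserved(pfn))
        return DEVMEM_ALLOW;
    if (pfn < LOW_1M_PFN)
        return DEVMEM_READ_ZERO;
    return DEVMEM_DENY;
}

static uint8_t phys_mem[DEMO_NPAGES * DEMO_PAGE_SIZE]; /* constructed "RAM" */
static uint8_t demo_buf[DEMO_PAGE_SIZE];               /* user buffer stand-in */

/* Fill the fake RAM with a recognisable pattern so any leak is visible. */
static void demo_fill(uint8_t pattern) { memset(phys_mem, pattern, sizeof phys_mem); }

/* Simplified read_mem(): copy, zero-fill, or refuse one page at `pfn`.
 * Returns bytes produced, or -EPERM when the page is denied. */
static long read_mem_page(unsigned long pfn, uint8_t *buf)
{
    if (pfn >= DEMO_NPAGES)
        return -EPERM;
    switch (devmem_is_allowed(pfn)) {
    case DEVMEM_ALLOW:
        memcpy(buf, phys_mem + pfn * DEMO_PAGE_SIZE, DEMO_PAGE_SIZE);
        return DEMO_PAGE_SIZE;
    case DEVMEM_READ_ZERO:
        memset(buf, 0, DEMO_PAGE_SIZE);  /* low-1M readers get zeros, not kernel data */
        return DEMO_PAGE_SIZE;
    default:
        return -EPERM;
    }
}
```

Reading pfn 100 (inside the low 1M but not reserved) yields a full page of zeros, while pfn 256 and above is refused outright.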
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .