CONFIG_HARDENED_USERCOPY detects kernel memory overwrite attempt to kernel text #15

Closed
EvgeniiDidin opened this issue Mar 2, 2020 · 5 comments

Comments

@EvgeniiDidin
Member

EvgeniiDidin commented Mar 2, 2020

Starting Linux kernel v5.4.22 on both HSDK & nSIM with ARC HS, with the CONFIG_HARDENED_USERCOPY option enabled, ends up in a hang with the following message:

usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!

gcc generated __builtin_trap
Path: /bin/busybox
CPU: 0 PID: 84 Comm: init Not tainted 5.4.22 

[ECR ]: 0x00090005 => gcc generated __builtin_trap
[EFA ]: 0x9024fcaa
[BLINK ]: usercopy_abort+0x8a/0x8c
[ERET ]: memfd_fcntl+0x0/0x470
[STAT32]: 0x80080802 : IE K  
BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
r24: 0xbe196c00 r25: 0xbf0ed280

Stack Trace:
 memfd_fcntl+0x0/0x470
 usercopy_abort+0x8a/0x8c
 __check_object_size+0x10e/0x138
 copy_strings+0x1f4/0x38c
 __do_execve_file+0x352/0x848
 EV_Trap+0xcc/0xd0
@vineetgarc

vineetgarc commented Mar 11, 2020

@Palmyr3 care to take a look at this one?
Adding @abrodkin to the mix as well.

@abrodkin
Member

@EvgeniiDidin could you please elaborate a bit on how important this one is for us? I.e. is it required by some project like OpenWrt etc.? That will help us to prioritize it properly.

abrodkin changed the title from "Linux kernel option CONFIG_HARDENED_USERCOPY cause hang on HSDK/nsim_hs." to "CONFIG_HARDENED_USERCOPY detects kernel memory overwrite attempt to kernel text" on Mar 12, 2020
@EvgeniiDidin
Member Author

EvgeniiDidin commented Mar 13, 2020

In OpenWrt the CONFIG_HARDENED_USERCOPY=y option was added for all targets in the generic Linux configuration files, see: openwrt/openwrt@9b12394

By disabling this option in the target/linux/archs38/config-* file we can work around this issue (the target-specific config has higher priority).

@vineetgarc

roxell pushed a commit to roxell/linux that referenced this issue Jun 11, 2021
Currently enabling this triggers a warning

| usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
| usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
|
|gcc generated __builtin_trap
|Path: /bin/busybox
|CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
|
|[ECR ]: 0x00090005 => gcc generated __builtin_trap
|[EFA ]: 0x9024fcaa
|[BLINK ]: usercopy_abort+0x8a/0x8c
|[ERET ]: memfd_fcntl+0x0/0x470
|[STAT32]: 0x80080802 : IE K
|BTA: 0x901ba38c SP: 0xbe161ecc FP: 0xbf9fe950
|LPS: 0x90677408 LPE: 0x9067740c LPC: 0x00000000
|r00: 0x0000003c r01: 0xbf0ed280 r02: 0x00000000
|r03: 0xbe15fa30 r04: 0x00d2803e r05: 0x00000000
|r06: 0x675d7000 r07: 0x00000000 r08: 0x675d9c00
|r09: 0x00000000 r10: 0x0000035c r11: 0x61206572
|r12: 0x9024fcaa r13: 0x0000000b r14: 0x0000000b
|r15: 0x00000000 r16: 0x90169ffc r17: 0x90168000
|r18: 0x00000000 r19: 0xbf092010 r20: 0x00000001
|r21: 0x00000011 r22: 0x5ffffff1 r23: 0x90169ff1
|r24: 0xbe196c00 r25: 0xbf0ed280
|
|Stack Trace:
| memfd_fcntl+0x0/0x470
| usercopy_abort+0x8a/0x8c
| __check_object_size+0x10e/0x138
| copy_strings+0x1f4/0x38c
| __do_execve_file+0x352/0x848
| EV_Trap+0xcc/0xd0

Fixes: foss-for-synopsys-dwc-arc-processors#15
Reported-by: Evgeniy Didin <didin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
ColinIanKing pushed a commit to ColinIanKing/linux-next that referenced this issue Jun 15, 2021
Currently enabling this triggers a warning

| usercopy: Kernel memory overwrite attempt detected to kernel text (offset 155633, size 11)!
| usercopy: BUG: failure at mm/usercopy.c:99/usercopy_abort()!
|
|gcc generated __builtin_trap
|Path: /bin/busybox
|CPU: 0 PID: 84 Comm: init Not tainted 5.4.22
|
|[ECR ]: 0x00090005 => gcc generated __builtin_trap
|[EFA ]: 0x9024fcaa
|[BLINK ]: usercopy_abort+0x8a/0x8c
|[ERET ]: memfd_fcntl+0x0/0x470
|[STAT32]: 0x80080802 : IE K
|...
|...
|Stack Trace:
| memfd_fcntl+0x0/0x470
| usercopy_abort+0x8a/0x8c
| __check_object_size+0x10e/0x138
| copy_strings+0x1f4/0x38c
| __do_execve_file+0x352/0x848
| EV_Trap+0xcc/0xd0

The issue is triggered by an allocation in "init reclaimed" region.
ARC _stext encompasses the init region (for historical reasons we wanted
the init.text to be under .text as well). This however trips up
__check_object_size()->check_kernel_text_object() which treats this as
object bleeding into kernel text.

Fix that by rezoning _stext to start from regular kernel .text and leave
out .init altogether.

Fixes: foss-for-synopsys-dwc-arc-processors/linux#15
Reported-by: Evgeniy Didin <didin@synopsys.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
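To make the commit message's explanation concrete, here is an added C model (example code, not from the issue or the kernel tree) of the interval test that check_kernel_text_object() in mm/usercopy.c applies to every hardened copy; the .init, .text and _etext addresses are constructed for the demonstration, and the object is placed at the reported offset 155633 with size 11.

```c
/* Model of the mm/usercopy.c kernel-text check (added example, not kernel code).
 * Shows why an object in the reclaimed .init region aborts the copy when
 * _stext covers .init, and passes once _stext starts at regular .text. */
#include <stdbool.h>
#include <stdio.h>

/* Constructed, hypothetical link map: nothing here is taken from a real vmlinux. */
#define INIT_START 0x90000000UL  /* .init.text, reclaimed (freed) after boot */
#define TEXT_START 0x90040000UL  /* regular kernel .text                      */
#define TEXT_END   0x90400000UL  /* _etext                                    */

/* Same interval test as overlaps() in mm/usercopy.c: the object does not
 * overlap [low, high) only if it lies entirely above or entirely below it. */
static bool overlaps(unsigned long ptr, unsigned long n,
                     unsigned long low, unsigned long high)
{
    unsigned long check_high = ptr + n;

    if (ptr >= high || check_high <= low)
        return false;
    return true;
}

/* Mirrors check_kernel_text_object(): returns the offset that usercopy_abort()
 * prints as "(offset X, size N)" when the object overlaps [_stext, _etext),
 * or -1 when the copy is allowed. The linear-map alias check is left out. */
static long check_kernel_text_object(unsigned long ptr, unsigned long n,
                                     unsigned long stext, unsigned long etext)
{
    if (overlaps(ptr, n, stext, etext))
        return (long)(ptr - stext);   /* reported offset, e.g. 155633 */
    return -1;
}

#define OBJ_OFFSET 155633UL   /* offset from the report */
#define OBJ_SIZE   11UL       /* size from the report   */

int main(void)
{
    unsigned long obj = INIT_START + OBJ_OFFSET;  /* inside reclaimed .init */
    long before = check_kernel_text_object(obj, OBJ_SIZE, INIT_START, TEXT_END);
    long after  = check_kernel_text_object(obj, OBJ_SIZE, TEXT_START, TEXT_END);

    printf("_stext at .init: %s (offset %ld)\n",
           before < 0 ? "allowed" : "usercopy_abort", before);
    printf("_stext at .text: %s\n", after < 0 ? "allowed" : "usercopy_abort");
    return 0;
}
```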
fengguang pushed a commit to 0day-ci/linux that referenced this issue Jun 16, 2021
@vineetgarc

Merged upstream for 5.13-rc7 inclusion.
2021-02-26 110febc ARC: fix CONFIG_HARDENED_USERCOPY

mkopec pushed a commit to mkopec/linux that referenced this issue Jun 20, 2021
hauke added a commit to hauke/openwrt that referenced this issue Apr 22, 2023
This activates CONFIG_HARDENED_USERCOPY for the remaining targets. This
adds additional checks in the copy_from_user() and copy_to_user()
functions.

This was not activated for ARCHS38 before because of a bug in the Linux
kernel 5.4 till 5.14, which was fixed and is described here:
foss-for-synopsys-dwc-arc-processors/linux#15

I do not know why this was deactivated for mt7629 and rockchip.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Vladdrako pushed a commit to Vladdrako/openwrt that referenced this issue Apr 25, 2023
hauke added a commit to hauke/openwrt that referenced this issue Apr 29, 2023