diff options
authorJiri Olsa <jolsa@kernel.org>2016-09-08 09:57:08 +0200
committerAlex Shi <alex.shi@linaro.org>2017-03-23 15:39:23 +0800
commit351068f5efa8ae188bb1250eae0aa74060d493c8 (patch)
parentfd0b2a599a78a04f3764d74fe34b112db78531db (diff)
fs/proc/kcore.c: Add bounce buffer for ktext datav4.4/topic/mm-kaslr-pax_usercopy
We hit hardened usercopy feature check for kernel text access by reading kcore file: usercopy: kernel memory exposure attempt detected from ffffffff8179a01f (<kernel text>) (4065 bytes) kernel BUG at mm/usercopy.c:75! Bypassing this check for kcore by adding bounce buffer for ktext data. Reported-by: Steve Best <sbest@redhat.com> Fixes: f5509cc18daa ("mm: Hardened usercopy") Suggested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jiri Olsa <jolsa@kernel.org> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit df04abfd181acc276ba6762c8206891ae10ae00d) Signed-off-by: Alex Shi <alex.shi@linaro.org>
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
index 92e6726f6e37..d1e5a66a33ba 100644
--- a/fs/proc/kcore.c
+++ b/fs/proc/kcore.c
@@ -516,7 +516,12 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
if (kern_addr_valid(start)) {
unsigned long n;
- n = copy_to_user(buffer, (char *)start, tsz);
+ /*
+ * Using bounce buffer to bypass the
+ * hardened user copy kernel text checks.
+ */
+ memcpy(buf, (char *) start, tsz);
+ n = copy_to_user(buffer, buf, tsz);
* We cannot distinguish between fault on source
* and fault on destination. When this happens