On Wed, Mar 22, 2017 at 1:44 PM, Andy Lutomirski <[email protected]> wrote:
> On Wed, Mar 22, 2017 at 1:38 PM, Thomas Garnier <[email protected]> wrote:
>> This patch ensures a syscall does not return to user-mode with a kernel
>> address limit. If that happened, a process could corrupt kernel-mode
>> memory and elevate privileges.
>>
>> For example, it would mitigate this bug:
>>
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>>
>> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
>> state will result in a BUG_ON.
>
> I'm a bit confused about this choice of configurability. I can see
> two sensible choices:
>
> 1. Enable this hardening feature: BUG if there's an exploitable bug.
>
> 2. Don't enable it at all.
>
> While it's possible that silently papering over the bug is slightly
> faster than BUGging, it will allow bugs to continue to exist
> undetected.

We can default to BUGging. I think my approach was avoiding doing a
BUG_ON just to avoid breaking people.

>
> --Andy

--
Thomas
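The check under discussion, and the two policies Andy contrasts (BUG on a corrupted address limit versus silently restoring it), as an added user-space model written for this page. This is not the kernel's code or the patch itself: the task's address limit (what the kernel reads and writes with get_fs()/set_fs()) is a plain field, USER_DS and KERNEL_DS are constructed constants, `access_ok` is a simplified range check, and the BUG path records a counter instead of crashing so the model can be run.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed values standing in for the real segment limits. */
#define USER_DS   0x00007ffffffff000ULL  /* top of the user address range */
#define KERNEL_DS 0xffffffffffffffffULL  /* no limit at all */

/* The two policies from the thread: BUG on corruption, or paper over it. */
enum policy { POLICY_BUG, POLICY_RESET };

struct task {
    uint64_t addr_limit;  /* models the per-task address limit (get_fs()) */
    int bug_count;        /* how often the BUG path fired (model only) */
};

/* Simplified access_ok(): true when [ptr, ptr+len) lies below the limit.
 * With KERNEL_DS every address passes, which is the exploitable state. */
static bool access_ok(const struct task *t, uint64_t ptr, uint64_t len)
{
    if (len > t->addr_limit)
        return false;
    return ptr <= t->addr_limit - len;
}

/* Model of the check on the return-to-user path: the limit must be
 * USER_DS. Returns true if the state was already correct. Under
 * POLICY_BUG the real kernel would BUG() here; the model counts instead
 * and then repairs the limit so the caller can keep going. */
static bool addr_limit_user_check(struct task *t, enum policy p)
{
    if (t->addr_limit == USER_DS)
        return true;
    if (p == POLICY_BUG)
        t->bug_count++;
    t->addr_limit = USER_DS;   /* POLICY_RESET: silently restore */
    return false;
}

/* A syscall with the class of bug the check catches: it raises the limit
 * to operate on a kernel buffer and forgets to lower it on an error path. */
static int buggy_syscall(struct task *t, bool fail)
{
    uint64_t saved = t->addr_limit;
    t->addr_limit = KERNEL_DS;          /* set_fs(KERNEL_DS) */
    if (fail)
        return -1;                      /* bug: no set_fs(saved) */
    t->addr_limit = saved;              /* set_fs(saved) */
    return 0;
}

/* Without the exit check: does a constructed kernel address pass
 * access_ok() after the syscall? True means user mode could now hand
 * the kernel pointers into its own address space. */
static bool kernel_ptr_passes_without_check(bool fail)
{
    struct task t = { USER_DS, 0 };
    buggy_syscall(&t, fail);
    return access_ok(&t, 0xffff880000000000ULL, 8);  /* constructed kernel address */
}

/* With the exit check: run the syscall, then the check, and report
 * whether the state was clean when returning to user mode. */
static bool run_syscall_with_check(struct task *t, bool fail, enum policy p)
{
    buggy_syscall(t, fail);
    return addr_limit_user_check(t, p);
}

int main(void)
{
    struct task t = { USER_DS, 0 };
    printf("leaky syscall, no check: kernel ptr passes access_ok = %d\n",
           kernel_ptr_passes_without_check(true));
    printf("leaky syscall, BUG policy: state clean = %d, bug_count = %d\n",
           run_syscall_with_check(&t, true, POLICY_BUG), t.bug_count);
    printf("limit after check = %s\n",
           t.addr_limit == USER_DS ? "USER_DS" : "KERNEL_DS");
    return 0;
}
```

The model makes Andy's point concrete: under POLICY_RESET the leaky syscall is corrected on the way out and nothing records that it happened, so the underlying bug can persist undetected; under POLICY_BUG the same return path trips the check and the bug is loud.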

