fs/proc/kcore.c: Add bounce buffer for ktext data

olsajiri · Alex Shi · commit 351068f5efa8 · 2017-03-23T15:39:23.000+08:00
We hit hardened usercopy feature check for kernel text access by reading
kcore file:

  usercopy: kernel memory exposure attempt detected from ffffffff8179a01f (&lt;kernel text&gt;) (4065 bytes)
  kernel BUG at mm/usercopy.c:75!

Bypassing this check for kcore by adding bounce buffer for ktext data.

Reported-by: Steve Best &lt;sbest@redhat.com&gt;
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Suggested-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Jiri Olsa &lt;jolsa@kernel.org&gt;
Acked-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
(cherry picked from commit df04abfd181acc276ba6762c8206891ae10ae00d)
Signed-off-by: Alex Shi &lt;alex.shi@linaro.org&gt;
diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
@@ -516,7 +516,12 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
 			if (kern_addr_valid(start)) {
 				unsigned long n;
 
-				n = copy_to_user(buffer, (char *)start, tsz);
+				/*
+				 * Using bounce buffer to bypass the
+				 * hardened user copy kernel text checks.
+				 */
+				memcpy(buf, (char *) start, tsz);
+				n = copy_to_user(buffer, buf, tsz);
 				/*
 				 * We cannot distinguish between fault on source
 				 * and fault on destination. When this happens
