lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171113072941.GA110963@beast>
Date:   Sun, 12 Nov 2017 23:29:41 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, David Windsor <dave@...lcore.net>,
        Paolo Bonzini <pbonzini@...hat.com>
Subject: [GIT PULL] usercopy whitelisting for v4.15-rc1

Hi,

Please pull these hardened usercopy whitelisting changes for v4.15-rc1.
This significantly narrows the areas of memory that can be copied to/from
userspace in the face of usercopy bugs.

Thanks!

-Kees

The following changes since commit 9e66317d3c92ddaab330c125dfe9d06eee268aff:

  Linux 4.14-rc3 (2017-10-01 14:54:54 -0700)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.15-rc1

for you to fetch changes up to 3889a28c449c01cebe166e413a58742002c2352b:

  lkdtm: Update usercopy tests for whitelisting (2017-11-08 15:40:04 -0800)

----------------------------------------------------------------
Currently, hardened usercopy performs dynamic bounds checking on slab
cache objects. This is good, but still leaves a lot of kernel memory
available to be copied to/from userspace in the face of bugs. To further
restrict what memory is available for copying, this creates a way to
whitelist specific areas of a given slab cache object for copying to/from
userspace, allowing much finer granularity of access control. Slab caches
that are never exposed to userspace can declare no whitelist for their
objects, thereby keeping them unavailable to userspace via dynamic copy
operations. (Note, an implicit form of whitelisting is the use of constant
sizes in usercopy operations and get_user()/put_user(); these bypass
hardened usercopy checks since these sizes cannot change at runtime.)

----------------------------------------------------------------
David Windsor (23):
      usercopy: Prepare for usercopy whitelisting
      usercopy: Enforce slab cache usercopy region boundaries
      usercopy: Mark kmalloc caches as usercopy caches
      dcache: Define usercopy region in dentry_cache slab cache
      vfs: Define usercopy region in names_cache slab caches
      vfs: Copy struct mount.mnt_id to userspace using put_user()
      ext4: Define usercopy region in ext4_inode_cache slab cache
      ext2: Define usercopy region in ext2_inode_cache slab cache
      jfs: Define usercopy region in jfs_ip slab cache
      befs: Define usercopy region in befs_inode_cache slab cache
      exofs: Define usercopy region in exofs_inode_cache slab cache
      orangefs: Define usercopy region in orangefs_inode_cache slab cache
      ufs: Define usercopy region in ufs_inode_cache slab cache
      vxfs: Define usercopy region in vxfs_inode slab cache
      cifs: Define usercopy region in cifs_request slab cache
      scsi: Define usercopy region in scsi_sense_cache slab cache
      net: Define usercopy region in struct proto slab cache
      ip: Define usercopy region in IP proto slab cache
      caif: Define usercopy region in caif proto slab cache
      sctp: Define usercopy region in SCTP proto slab cache
      sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
      fork: Define usercopy region in mm_struct slab caches
      fork: Define usercopy region in thread_stack slab caches

Kees Cook (8):
      net: Restrict unwhitelisted proto caches to size 0
      fork: Provide usercopy whitelisting for task_struct
      x86: Implement thread_struct whitelist for hardened usercopy
      arm64: Implement thread_struct whitelist for hardened usercopy
      arm: Implement thread_struct whitelist for hardened usercopy
      usercopy: Allow for temporary fallback for non-whitelisted usercopy
      usercopy: Restrict non-usercopy caches to size 0
      lkdtm: Update usercopy tests for whitelisting

Paolo Bonzini (2):
      kvm: whitelist struct kvm_vcpu_arch
      kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl

 arch/Kconfig                       | 11 +++++
 arch/arm/Kconfig                   |  1 +
 arch/arm/include/asm/processor.h   |  7 +++
 arch/arm64/Kconfig                 |  1 +
 arch/arm64/include/asm/processor.h |  8 ++++
 arch/x86/Kconfig                   |  1 +
 arch/x86/include/asm/processor.h   |  8 ++++
 arch/x86/kvm/x86.c                 |  7 +--
 drivers/misc/lkdtm.h               |  4 +-
 drivers/misc/lkdtm_core.c          |  4 +-
 drivers/misc/lkdtm_usercopy.c      | 88 +++++++++++++++++++++-----------------
 drivers/scsi/scsi_lib.c            |  9 ++--
 fs/befs/linuxvfs.c                 | 14 +++---
 fs/cifs/cifsfs.c                   | 10 +++--
 fs/dcache.c                        |  9 ++--
 fs/exofs/super.c                   |  7 ++-
 fs/ext2/super.c                    | 12 +++---
 fs/ext4/super.c                    | 12 +++---
 fs/fhandle.c                       |  3 +-
 fs/freevxfs/vxfs_super.c           |  8 +++-
 fs/jfs/super.c                     |  8 ++--
 fs/orangefs/super.c                | 15 ++++---
 fs/ufs/super.c                     | 13 +++---
 include/linux/sched/task.h         | 14 ++++++
 include/linux/slab.h               | 27 +++++++++---
 include/linux/slab_def.h           |  3 ++
 include/linux/slub_def.h           |  3 ++
 include/linux/stddef.h             |  2 +
 include/net/sctp/structs.h         |  9 +++-
 include/net/sock.h                 |  2 +
 kernel/fork.c                      | 31 +++++++++++---
 mm/slab.c                          | 35 ++++++++++++---
 mm/slab.h                          |  8 +++-
 mm/slab_common.c                   | 54 ++++++++++++++++++-----
 mm/slub.c                          | 46 ++++++++++++++++----
 mm/usercopy.c                      | 12 ++++++
 net/caif/caif_socket.c             |  2 +
 net/core/sock.c                    |  4 +-
 net/ipv4/raw.c                     |  2 +
 net/ipv6/raw.c                     |  2 +
 net/sctp/socket.c                  | 10 ++++-
 security/Kconfig                   | 12 ++++++
 virt/kvm/kvm_main.c                |  7 ++-
 43 files changed, 407 insertions(+), 138 deletions(-)

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ