lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5jKvB=pff18gRRwieFBUKtc6cD6wYBiqO754010UnmXR7w@mail.gmail.com>
Date:   Wed, 15 Nov 2017 23:45:49 -0800
From:   Kees Cook <keescook@...omium.org>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     LKML <linux-kernel@...r.kernel.org>,
        David Windsor <dave@...lcore.net>,
        Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1

On Sun, Nov 12, 2017 at 11:29 PM, Kees Cook <keescook@...omium.org> wrote:
> Please pull these hardened usercopy whitelisting changes for v4.15-rc1.
> This significantly narrows the areas of memory that can be copied to/from
> userspace in the face of usercopy bugs.

Just wanted to make sure this pull request was still on your radar.
Let me know if you want me to do a full resend.

Thanks!

-Kees

> The following changes since commit 9e66317d3c92ddaab330c125dfe9d06eee268aff:
>
>   Linux 4.14-rc3 (2017-10-01 14:54:54 -0700)
>
> are available in the git repository at:
>
>   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.15-rc1
>
> for you to fetch changes up to 3889a28c449c01cebe166e413a58742002c2352b:
>
>   lkdtm: Update usercopy tests for whitelisting (2017-11-08 15:40:04 -0800)
>
> ----------------------------------------------------------------
> Currently, hardened usercopy performs dynamic bounds checking on slab
> cache objects. This is good, but still leaves a lot of kernel memory
> available to be copied to/from userspace in the face of bugs. To further
> restrict what memory is available for copying, this creates a way to
> whitelist specific areas of a given slab cache object for copying to/from
> userspace, allowing much finer granularity of access control. Slab caches
> that are never exposed to userspace can declare no whitelist for their
> objects, thereby keeping them unavailable to userspace via dynamic copy
> operations. (Note, an implicit form of whitelisting is the use of constant
> sizes in usercopy operations and get_user()/put_user(); these bypass
> hardened usercopy checks since these sizes cannot change at runtime.)
>
> ----------------------------------------------------------------
> David Windsor (23):
>       usercopy: Prepare for usercopy whitelisting
>       usercopy: Enforce slab cache usercopy region boundaries
>       usercopy: Mark kmalloc caches as usercopy caches
>       dcache: Define usercopy region in dentry_cache slab cache
>       vfs: Define usercopy region in names_cache slab caches
>       vfs: Copy struct mount.mnt_id to userspace using put_user()
>       ext4: Define usercopy region in ext4_inode_cache slab cache
>       ext2: Define usercopy region in ext2_inode_cache slab cache
>       jfs: Define usercopy region in jfs_ip slab cache
>       befs: Define usercopy region in befs_inode_cache slab cache
>       exofs: Define usercopy region in exofs_inode_cache slab cache
>       orangefs: Define usercopy region in orangefs_inode_cache slab cache
>       ufs: Define usercopy region in ufs_inode_cache slab cache
>       vxfs: Define usercopy region in vxfs_inode slab cache
>       cifs: Define usercopy region in cifs_request slab cache
>       scsi: Define usercopy region in scsi_sense_cache slab cache
>       net: Define usercopy region in struct proto slab cache
>       ip: Define usercopy region in IP proto slab cache
>       caif: Define usercopy region in caif proto slab cache
>       sctp: Define usercopy region in SCTP proto slab cache
>       sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
>       fork: Define usercopy region in mm_struct slab caches
>       fork: Define usercopy region in thread_stack slab caches
>
> Kees Cook (8):
>       net: Restrict unwhitelisted proto caches to size 0
>       fork: Provide usercopy whitelisting for task_struct
>       x86: Implement thread_struct whitelist for hardened usercopy
>       arm64: Implement thread_struct whitelist for hardened usercopy
>       arm: Implement thread_struct whitelist for hardened usercopy
>       usercopy: Allow for temporary fallback for non-whitelisted usercopy
>       usercopy: Restrict non-usercopy caches to size 0
>       lkdtm: Update usercopy tests for whitelisting
>
> Paolo Bonzini (2):
>       kvm: whitelist struct kvm_vcpu_arch
>       kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
>
>  arch/Kconfig                       | 11 +++++
>  arch/arm/Kconfig                   |  1 +
>  arch/arm/include/asm/processor.h   |  7 +++
>  arch/arm64/Kconfig                 |  1 +
>  arch/arm64/include/asm/processor.h |  8 ++++
>  arch/x86/Kconfig                   |  1 +
>  arch/x86/include/asm/processor.h   |  8 ++++
>  arch/x86/kvm/x86.c                 |  7 +--
>  drivers/misc/lkdtm.h               |  4 +-
>  drivers/misc/lkdtm_core.c          |  4 +-
>  drivers/misc/lkdtm_usercopy.c      | 88 +++++++++++++++++++++-----------------
>  drivers/scsi/scsi_lib.c            |  9 ++--
>  fs/befs/linuxvfs.c                 | 14 +++---
>  fs/cifs/cifsfs.c                   | 10 +++--
>  fs/dcache.c                        |  9 ++--
>  fs/exofs/super.c                   |  7 ++-
>  fs/ext2/super.c                    | 12 +++---
>  fs/ext4/super.c                    | 12 +++---
>  fs/fhandle.c                       |  3 +-
>  fs/freevxfs/vxfs_super.c           |  8 +++-
>  fs/jfs/super.c                     |  8 ++--
>  fs/orangefs/super.c                | 15 ++++---
>  fs/ufs/super.c                     | 13 +++---
>  include/linux/sched/task.h         | 14 ++++++
>  include/linux/slab.h               | 27 +++++++++---
>  include/linux/slab_def.h           |  3 ++
>  include/linux/slub_def.h           |  3 ++
>  include/linux/stddef.h             |  2 +
>  include/net/sctp/structs.h         |  9 +++-
>  include/net/sock.h                 |  2 +
>  kernel/fork.c                      | 31 +++++++++++---
>  mm/slab.c                          | 35 ++++++++++++---
>  mm/slab.h                          |  8 +++-
>  mm/slab_common.c                   | 54 ++++++++++++++++++-----
>  mm/slub.c                          | 46 ++++++++++++++++----
>  mm/usercopy.c                      | 12 ++++++
>  net/caif/caif_socket.c             |  2 +
>  net/core/sock.c                    |  4 +-
>  net/ipv4/raw.c                     |  2 +
>  net/ipv6/raw.c                     |  2 +
>  net/sctp/socket.c                  | 10 ++++-
>  security/Kconfig                   | 12 ++++++
>  virt/kvm/kvm_main.c                |  7 ++-
>  43 files changed, 407 insertions(+), 138 deletions(-)
>
> --
> Kees Cook
> Pixel Security



-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ