[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5jKvB=pff18gRRwieFBUKtc6cD6wYBiqO754010UnmXR7w@mail.gmail.com>
Date: Wed, 15 Nov 2017 23:45:49 -0800
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>,
David Windsor <dave@...lcore.net>,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1
On Sun, Nov 12, 2017 at 11:29 PM, Kees Cook <keescook@...omium.org> wrote:
> Please pull these hardened usercopy whitelisting changes for v4.15-rc1.
> This significantly narrows the areas of memory that can be copied to/from
> userspace in the face of usercopy bugs.
Just wanted to make sure this pull request was still on your radar.
Let me know if you want me to do a full resend.
Thanks!
-Kees
> The following changes since commit 9e66317d3c92ddaab330c125dfe9d06eee268aff:
>
> Linux 4.14-rc3 (2017-10-01 14:54:54 -0700)
>
> are available in the git repository at:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.15-rc1
>
> for you to fetch changes up to 3889a28c449c01cebe166e413a58742002c2352b:
>
> lkdtm: Update usercopy tests for whitelisting (2017-11-08 15:40:04 -0800)
>
> ----------------------------------------------------------------
> Currently, hardened usercopy performs dynamic bounds checking on slab
> cache objects. This is good, but still leaves a lot of kernel memory
> available to be copied to/from userspace in the face of bugs. To further
> restrict what memory is available for copying, this creates a way to
> whitelist specific areas of a given slab cache object for copying to/from
> userspace, allowing much finer granularity of access control. Slab caches
> that are never exposed to userspace can declare no whitelist for their
> objects, thereby keeping them unavailable to userspace via dynamic copy
> operations. (Note, an implicit form of whitelisting is the use of constant
> sizes in usercopy operations and get_user()/put_user(); these bypass
> hardened usercopy checks since these sizes cannot change at runtime.)
>
> ----------------------------------------------------------------
> David Windsor (23):
> usercopy: Prepare for usercopy whitelisting
> usercopy: Enforce slab cache usercopy region boundaries
> usercopy: Mark kmalloc caches as usercopy caches
> dcache: Define usercopy region in dentry_cache slab cache
> vfs: Define usercopy region in names_cache slab caches
> vfs: Copy struct mount.mnt_id to userspace using put_user()
> ext4: Define usercopy region in ext4_inode_cache slab cache
> ext2: Define usercopy region in ext2_inode_cache slab cache
> jfs: Define usercopy region in jfs_ip slab cache
> befs: Define usercopy region in befs_inode_cache slab cache
> exofs: Define usercopy region in exofs_inode_cache slab cache
> orangefs: Define usercopy region in orangefs_inode_cache slab cache
> ufs: Define usercopy region in ufs_inode_cache slab cache
> vxfs: Define usercopy region in vxfs_inode slab cache
> cifs: Define usercopy region in cifs_request slab cache
> scsi: Define usercopy region in scsi_sense_cache slab cache
> net: Define usercopy region in struct proto slab cache
> ip: Define usercopy region in IP proto slab cache
> caif: Define usercopy region in caif proto slab cache
> sctp: Define usercopy region in SCTP proto slab cache
> sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
> fork: Define usercopy region in mm_struct slab caches
> fork: Define usercopy region in thread_stack slab caches
>
> Kees Cook (8):
> net: Restrict unwhitelisted proto caches to size 0
> fork: Provide usercopy whitelisting for task_struct
> x86: Implement thread_struct whitelist for hardened usercopy
> arm64: Implement thread_struct whitelist for hardened usercopy
> arm: Implement thread_struct whitelist for hardened usercopy
> usercopy: Allow for temporary fallback for non-whitelisted usercopy
> usercopy: Restrict non-usercopy caches to size 0
> lkdtm: Update usercopy tests for whitelisting
>
> Paolo Bonzini (2):
> kvm: whitelist struct kvm_vcpu_arch
> kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
>
> arch/Kconfig | 11 +++++
> arch/arm/Kconfig | 1 +
> arch/arm/include/asm/processor.h | 7 +++
> arch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/processor.h | 8 ++++
> arch/x86/Kconfig | 1 +
> arch/x86/include/asm/processor.h | 8 ++++
> arch/x86/kvm/x86.c | 7 +--
> drivers/misc/lkdtm.h | 4 +-
> drivers/misc/lkdtm_core.c | 4 +-
> drivers/misc/lkdtm_usercopy.c | 88 +++++++++++++++++++++-----------------
> drivers/scsi/scsi_lib.c | 9 ++--
> fs/befs/linuxvfs.c | 14 +++---
> fs/cifs/cifsfs.c | 10 +++--
> fs/dcache.c | 9 ++--
> fs/exofs/super.c | 7 ++-
> fs/ext2/super.c | 12 +++---
> fs/ext4/super.c | 12 +++---
> fs/fhandle.c | 3 +-
> fs/freevxfs/vxfs_super.c | 8 +++-
> fs/jfs/super.c | 8 ++--
> fs/orangefs/super.c | 15 ++++---
> fs/ufs/super.c | 13 +++---
> include/linux/sched/task.h | 14 ++++++
> include/linux/slab.h | 27 +++++++++---
> include/linux/slab_def.h | 3 ++
> include/linux/slub_def.h | 3 ++
> include/linux/stddef.h | 2 +
> include/net/sctp/structs.h | 9 +++-
> include/net/sock.h | 2 +
> kernel/fork.c | 31 +++++++++++---
> mm/slab.c | 35 ++++++++++++---
> mm/slab.h | 8 +++-
> mm/slab_common.c | 54 ++++++++++++++++++-----
> mm/slub.c | 46 ++++++++++++++++----
> mm/usercopy.c | 12 ++++++
> net/caif/caif_socket.c | 2 +
> net/core/sock.c | 4 +-
> net/ipv4/raw.c | 2 +
> net/ipv6/raw.c | 2 +
> net/sctp/socket.c | 10 ++++-
> security/Kconfig | 12 ++++++
> virt/kvm/kvm_main.c | 7 ++-
> 43 files changed, 407 insertions(+), 138 deletions(-)
>
> --
> Kees Cook
> Pixel Security
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists