| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <201911121313.1097D6EE@keescook>
Date: Tue, 12 Nov 2019 13:21:54 -0800
From: Kees Cook <keescook@...omium.org>
To: Jiri Slaby <jslaby@...e.cz>,
Alexander Viro <viro@...iv.linux.org.uk>
Cc: linux-kernel@...r.kernel.org, David Windsor <dave@...lcore.net>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
linux-xfs@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Christoph Hellwig <hch@...radead.org>,
Christoph Lameter <cl@...ux.com>,
"David S. Miller" <davem@...emloft.net>,
Laura Abbott <labbott@...hat.com>,
Mark Rutland <mark.rutland@....com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Christian Borntraeger <borntraeger@...ibm.com>,
Christoffer Dall <christoffer.dall@...aro.org>,
Dave Kleikamp <dave.kleikamp@...cle.com>,
Jan Kara <jack@...e.cz>,
Luis de Bethencourt <luisbg@...nel.org>,
Marc Zyngier <marc.zyngier@....com>,
Rik van Riel <riel@...hat.com>,
Matthew Garrett <mjg59@...gle.com>,
linux-fsdevel@...r.kernel.org, linux-arch@...r.kernel.org,
netdev@...r.kernel.org, kernel-hardening@...ts.openwall.com,
Vlastimil Babka <vbabka@...e.cz>,
Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [kernel-hardening] [PATCH 09/38] usercopy: Mark kmalloc caches
as usercopy caches
On Tue, Nov 12, 2019 at 08:17:57AM +0100, Jiri Slaby wrote:
> On 11. 01. 18, 3:02, Kees Cook wrote:
> > From: David Windsor <dave@...lcore.net>
> >
> > Mark the kmalloc slab caches as entirely whitelisted. These caches
> > are frequently used to fulfill kernel allocations that contain data
> > to be copied to/from userspace. Internal-only uses are also common,
> > but are scattered in the kernel. For now, mark all the kmalloc caches
> > as whitelisted.
> >
> > This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
> > whitelisting code in the last public patch of grsecurity/PaX based on my
> > understanding of the code. Changes or omissions from the original code are
> > mine and don't reflect the original grsecurity/PaX code.
> >
> > Signed-off-by: David Windsor <dave@...lcore.net>
> > [kees: merged in moved kmalloc hunks, adjust commit log]
> > Cc: Pekka Enberg <penberg@...nel.org>
> > Cc: David Rientjes <rientjes@...gle.com>
> > Cc: Joonsoo Kim <iamjoonsoo.kim@....com>
> > Cc: Andrew Morton <akpm@...ux-foundation.org>
> > Cc: linux-mm@...ck.org
> > Cc: linux-xfs@...r.kernel.org
> > Signed-off-by: Kees Cook <keescook@...omium.org>
> > Acked-by: Christoph Lameter <cl@...ux.com>
> > ---
> > mm/slab.c | 3 ++-
> > mm/slab.h | 3 ++-
> > mm/slab_common.c | 10 ++++++----
> > 3 files changed, 10 insertions(+), 6 deletions(-)
> >
> > diff --git a/mm/slab.c b/mm/slab.c
> > index b9b0df620bb9..dd367fe17a4e 100644
> > --- a/mm/slab.c
> > +++ b/mm/slab.c
> ...
> > @@ -1098,7 +1099,8 @@ void __init setup_kmalloc_cache_index_table(void)
> > static void __init new_kmalloc_cache(int idx, slab_flags_t flags)
> > {
> > kmalloc_caches[idx] = create_kmalloc_cache(kmalloc_info[idx].name,
> > - kmalloc_info[idx].size, flags);
> > + kmalloc_info[idx].size, flags, 0,
> > + kmalloc_info[idx].size);
> > }
> >
> > /*
> > @@ -1139,7 +1141,7 @@ void __init create_kmalloc_caches(slab_flags_t flags)
> >
> > BUG_ON(!n);
> > kmalloc_dma_caches[i] = create_kmalloc_cache(n,
> > - size, SLAB_CACHE_DMA | flags);
> > + size, SLAB_CACHE_DMA | flags, 0, 0);
>
> Hi,
>
> was there any (undocumented) reason NOT to mark DMA caches as usercopy?
>
> We are seeing this on s390x:
>
> > usercopy: Kernel memory overwrite attempt detected to SLUB object
> 'dma-kmalloc-1k' (offset 0, size 11)!
> > ------------[ cut here ]------------
> > kernel BUG at mm/usercopy.c:99!
Interesting! I believe the rationale was that if the region is used for
DMA, allowing direct access to it from userspace could be prone to
races.
> See:
> https://bugzilla.suse.com/show_bug.cgi?id=1156053
For context from the bug, the trace is:
(<0000000000386c5a> usercopy_abort+0xa2/0xa8)
<000000000036097a> __check_heap_object+0x11a/0x120
<0000000000386b3a> __check_object_size+0x18a/0x208
<000000000079b4ba> skb_copy_datagram_from_iter+0x62/0x240
<000003ff804edd5c> iucv_sock_sendmsg+0x1fc/0x858 Ýaf_iucv¨
<0000000000785894> sock_sendmsg+0x54/0x90
<0000000000785944> sock_write_iter+0x74/0xa0
<000000000038a3f0> new_sync_write+0x110/0x180
<000000000038d42e> vfs_write+0xa6/0x1d0
<000000000038d748> ksys_write+0x60/0xe8
<000000000096a660> system_call+0xdc/0x2e0
I know Al worked on fixing up usercopy checking for iters. I wonder if
there is redundant checking happening here? i.e. haven't iters already
done object size verifications, so they're not needed during iter copy
helpers?
> This indeed fixes it:
> --- a/mm/slab_common.c
> +++ b/mm/slab_common.c
> @@ -1290,7 +1290,8 @@ void __init create_kmalloc_caches(slab_flags_t flags)
> kmalloc_caches[KMALLOC_DMA][i] =
> create_kmalloc_cache(
> kmalloc_info[i].name[KMALLOC_DMA],
> kmalloc_info[i].size,
> - SLAB_CACHE_DMA | flags, 0, 0);
> + SLAB_CACHE_DMA | flags, 0,
> + kmalloc_info[i].size);
> }
> }
> #endif
How is iucv the only network protocol that has run into this? Do others
use a bounce buffer?
--
Kees Cook
Powered by blists - more mailing lists