| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200203074644.GD8731@bombadil.infradead.org>
Date: Sun, 2 Feb 2020 23:46:44 -0800
From: Matthew Wilcox <willy@...radead.org>
To: Jann Horn <jannh@...gle.com>
Cc: Kees Cook <keescook@...omium.org>,
Christian Borntraeger <borntraeger@...ibm.com>,
Christoph Hellwig <hch@...radead.org>,
Christopher Lameter <cl@...ux.com>,
Jiri Slaby <jslaby@...e.cz>,
Julian Wiedmann <jwi@...ux.ibm.com>,
Ursula Braun <ubraun@...ux.ibm.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
kernel list <linux-kernel@...r.kernel.org>,
David Windsor <dave@...lcore.net>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Linux-MM <linux-mm@...ck.org>, linux-xfs@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Laura Abbott <labbott@...hat.com>,
Mark Rutland <mark.rutland@....com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Paolo Bonzini <pbonzini@...hat.com>,
Dave Kleikamp <dave.kleikamp@...cle.com>,
Jan Kara <jack@...e.cz>, Marc Zyngier <marc.zyngier@....com>,
Matthew Garrett <mjg59@...gle.com>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
linux-arch <linux-arch@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Vlastimil Babka <vbabka@...e.cz>,
Michal Kubecek <mkubecek@...e.cz>
Subject: Re: [kernel-hardening] [PATCH 09/38] usercopy: Mark kmalloc caches
as usercopy caches
On Sat, Feb 01, 2020 at 08:27:49PM +0100, Jann Horn wrote:
> FWIW, as far as I understand, usercopy doesn't actually have any
> effect on drivers that use the modern, proper APIs, since those don't
> use the slab allocator at all - as I pointed out in my last mail, the
> dma-kmalloc* slabs are used very rarely. (Which is good, because
> putting objects from less-than-page-size slabs into iommu entries is a
> terrible idea from a security and reliability perspective because it
> gives the hardware access to completely unrelated memory.) Instead,
> they get pages from the page allocator, and these pages may e.g. be
> allocated from the DMA, DMA32 or NORMAL zones depending on the
> restrictions imposed by hardware. So I think the usercopy restriction
> only affects a few oddball drivers (like this s390 stuff), which is
> why you're not seeing more bug reports caused by this.
Getting pages from the page allocator is true for dma_alloc_coherent()
and friends. But it's not true for streaming DMA mappings (dma_map_*)
for which the memory usually comes from kmalloc(). If this is something
we want to fix (and I have an awful feeling we're going to regret it
if we say "no, we trust the hardware"), we're going to have to come up
with a new memory allocation API for these cases. Or bounce bugger the
memory for devices we don't trust.
The problem with the dma_map_* API is that memory might end up being
allocated once and then used multiple times by different drivers. eg if
I allocate an NFS packet, it might get sent first to eth0, then (when the
route fails) sent to eth1. Similarly in storage, a RAID-5 driver might
map the same memory several times to send to different disk controllers.
Powered by blists - more mailing lists