From patchwork Tue Jan  9 20:56:01 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10153409
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	51AF860223 for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue,  9 Jan 2018 21:03:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4917B2018F
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue,  9 Jan 2018 21:03:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3D426204C4; Tue,  9 Jan 2018 21:03:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DD9172018F
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Tue,  9 Jan 2018 21:03:18 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751853AbeAIVDQ (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Tue, 9 Jan 2018 16:03:16 -0500
Received: from mail-pf0-f194.google.com ([209.85.192.194]:45096 "EHLO
	mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758196AbeAIU5N (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 9 Jan 2018 15:57:13 -0500
Received: by mail-pf0-f194.google.com with SMTP id u19so9417617pfa.12
	for <linux-fsdevel@vger.kernel.org>;
	Tue, 09 Jan 2018 12:57:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=egztmSnqWTsWRsR+CBZrBrCh5AF9XONRxMOOkE6+X/0=;
	b=J37AQjDxXbXt942x8cocKFfQ/lwXg6fhQbs71aAX+ev1eI3TDx/oUgxhby8ApiAQyE
	DW1N/Q8ohFn3OkS2+RuW7bsEMcG6Qu3UDDwgoNMkHTqEnmAzgydSyMqk1Q1eiOrXfGEb
	QcY2TjlaZY2J2vIjghTw3SSPP2q3N3rMTFewU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=egztmSnqWTsWRsR+CBZrBrCh5AF9XONRxMOOkE6+X/0=;
	b=FQzS93vcVOVPjrDigCEeMoFdtOX8GzBYO9eChV3k6lVK9VmG32X7SerYvJzEAwILUM
	npFBn2OpvmiyCsV91h7uipvEZD9U4BkUg6n9Vr2zlqTLASIl7XKO58bHVWFKtoDajaRs
	VvBTdoBqF531nCG62ur/z6rGffq0UJdLsmkdBh/M9Iw8vVTknz5/T3jjPAXxu7wG20D2
	YJOgFVxnkdDAXCux0FJJVjiJqNG02AAoW9mek5V04bHS7k68xJy5AuKQV612NjwtiNmP
	b3t7Dp8k0nvig5BKC6gBtqYmPFPDtN/aC3fqO6AuQr6BRzMVRfbnUmFFmxmen22Ou04+
	2tZg==
X-Gm-Message-State: AKGB3mIJ7pVKyi+nm0NfBN/xzUB4iuF7Z0f4HjrVsTyWmDzWVyH9cwOC
	/yiEpZfRXl95umlP5/uXsawYzQ==
X-Google-Smtp-Source: 
 ACJfBov4PZBAH8sWiWMVsea7YeCyBf1CJ7s+eeQdDkR36nW5Kr+PUooDBjwY08TGXpPSOrAoeO5PKQ==
X-Received: by 10.101.82.205 with SMTP id z13mr12995775pgp.29.1515531432595;
	Tue, 09 Jan 2018 12:57:12 -0800 (PST)
Received: from www.outflux.net
	(173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133])
	by smtp.gmail.com with ESMTPSA id
	i20sm32771398pfj.58.2018.01.09.12.57.06
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 09 Jan 2018 12:57:10 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>, Paolo Bonzini <pbonzini@redhat.com>,
	kernel-hardening@lists.openwall.com,
	Christian Borntraeger <borntraeger@redhat.com>,
	Christoffer Dall <cdall@linaro.org>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	David Windsor <dave@nullcore.net>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andy Lutomirski <luto@kernel.org>, Christoph Hellwig <hch@infradead.org>,
	Christoph Lameter <cl@linux.com>,
	"David S. Miller" <davem@davemloft.net>,
	Laura Abbott <labbott@redhat.com>, Mark Rutland <mark.rutland@arm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Christoffer Dall <christoffer.dall@linaro.org>,
	Dave Kleikamp <dave.kleikamp@oracle.com>, Jan Kara <jack@suse.cz>,
	Luis de Bethencourt <luisbg@kernel.org>,
	Marc Zyngier <marc.zyngier@arm.com>, Rik van Riel <riel@redhat.com>,
	Matthew Garrett <mjg59@google.com>,
	linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org,
	netdev@vger.kernel.org, linux-mm@kvack.org
Subject: [PATCH 32/36] kvm: whitelist struct kvm_vcpu_arch
Date: Tue,  9 Jan 2018 12:56:01 -0800
Message-Id: <1515531365-37423-33-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1515531365-37423-1-git-send-email-keescook@chromium.org>
References: <1515531365-37423-1-git-send-email-keescook@chromium.org>
MIME-Version: 1.0
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Paolo Bonzini <pbonzini@redhat.com>

On x86, ARM and s390, struct kvm_vcpu_arch has a usercopy region
that is read and written by the KVM_GET/SET_CPUID2 ioctls (x86)
or KVM_GET/SET_ONE_REG (ARM/s390).  Without whitelisting the area,
KVM is completely broken on those architectures with usercopy hardening
enabled.

For now, allow writing to the entire struct on all architectures.
The KVM tree will not refine this to an architecture-specific
subset of struct kvm_vcpu_arch.

Cc: kernel-hardening@lists.openwall.com
Cc: Kees Cook <keescook@chromium.org>
Cc: Christian Borntraeger <borntraeger@redhat.com>
Cc: Christoffer Dall <cdall@linaro.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 virt/kvm/kvm_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index c422c10cd1dd..96689967f5c3 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4029,8 +4029,12 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
 	/* A kmem cache lets us meet the alignment requirements of fx_save. */
 	if (!vcpu_align)
 		vcpu_align = __alignof__(struct kvm_vcpu);
-	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
-					   SLAB_ACCOUNT, NULL);
+	kvm_vcpu_cache =
+		kmem_cache_create_usercopy("kvm_vcpu", vcpu_size, vcpu_align,
+					   SLAB_ACCOUNT,
+					   offsetof(struct kvm_vcpu, arch),
+					   sizeof_field(struct kvm_vcpu, arch),
+					   NULL);
 	if (!kvm_vcpu_cache) {
 		r = -ENOMEM;
 		goto out_free_3;