From patchwork Thu Mar 1 10:19:50 2018
X-Patchwork-Submitter: kpark3469@gmail.com
X-Patchwork-Id: 10250841
From: kpark3469@gmail.com
To: kernel-hardening@lists.openwall.com
Cc: keescook@chromium.org, james.morse@arm.com, catalin.marinas@arm.com, will.deacon@arm.com, mark.rutland@arm.com, keun-o.park@darkmatter.ae
Subject: [PATCH 3/4] arm64: usercopy: consider dynamic array stack variable
Date: Thu, 1 Mar 2018 14:19:50 +0400
Message-Id: <1519899591-29761-4-git-send-email-kpark3469@gmail.com>
In-Reply-To: <1519899591-29761-3-git-send-email-kpark3469@gmail.com>
References: <1519899591-29761-1-git-send-email-kpark3469@gmail.com> <1519899591-29761-2-git-send-email-kpark3469@gmail.com> <1519899591-29761-3-git-send-email-kpark3469@gmail.com>
From: Sahara

When an array is dynamically declared, the array may be placed at the next
frame. If this variable is used for usercopy, then it will cause an Oops
because the current check code does not allow this exceptional case.

  low -----------------------------------------------------> high
  [__check_object_size fp][lr][args][local vars][caller_fp][lr]
                              ^----------------^
                dynamically allocated stack variable of caller frame
                copies are allowed within here

< example code snippet >

	array_size = get_random_int() & 0x0f;
	if (to_user) {
		unsigned char array[array_size];
		if (copy_to_user((void __user *)user_addr, array,
				 unconst + sizeof(array))) {

Signed-off-by: Sahara
Reviewed-by: Kees Cook
---
 arch/arm64/kernel/stacktrace.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/stacktrace.c b/arch/arm64/kernel/stacktrace.c
index 6d37fad..75a8f20 100644
--- a/arch/arm64/kernel/stacktrace.c
+++ b/arch/arm64/kernel/stacktrace.c
@@ -162,8 +162,13 @@ int arch_within_stack_frames(const void *stack,
 * Skip 4 non-inlined frames: ,
 * arch_within_stack_frames(), check_stack_object() and
 * __check_object_size().
+ *
+ * From Akashi's report, an object may be placed between next caller's
+ * frame, when the object is created as dynamic array.
+ * Setting the discard_frames to 3 is proper to catch this exceptional
+ * case.
 */
- arg.discard_frames = 4;
+ arg.discard_frames = 3;
 walk_stackframe(current, &frame, check_frame, &arg);
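Review bot: the comment's first line still says "Skip 4 non-inlined frames" and names four of them, while the line below it now sets arg.discard_frames = 3, so the added paragraph contradicts the sentence it follows instead of replacing it; rewrite the comment to state which of the four listed frames is no longer discarded and why (the commit message's diagram shows the caller's dynamically allocated array inside the region the walk attributes to the __check_object_size frame, which is the fact the new count depends on). Since the lower count applies to every caller of arch_within_stack_frames(), not only to those that declare a dynamic array, the commit message should also say what check_frame() still rejects in the newly inspected frame (an object overlapping a saved fp/lr pair, for instance) so the relaxation can be judged against what the check previously refused. Finally, "From Akashi's report" is better carried as a Reported-by: tag or a link in the commit message than in a code comment that later readers cannot follow.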
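As an added illustration of why one fewer frame has to be discarded, the following is a small C model of the frame walk the commit message describes. It was written for this page and is not the kernel's stacktrace.c nor the lkdtm code quoted above: the stack is a byte array, addresses are offsets into it, frame records are the {fp, lr} pairs drawn in the diagram with the frame's own data above them, and only the __check_object_size frame and its caller are modelled, so the skip count compared here is 1 versus 0 rather than the kernel's 4 versus 3 (the helper frames of the real walk are left out). The offsets, the 32-byte fixed local and the 16-byte dynamic array are constructed inputs.

```c
/* Added model of the usercopy frame walk, written for this page; it is not
 * the kernel's stacktrace.c. Offsets into stack_mem[] stand in for addresses. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD       8u    /* sizeof(unsigned long) on arm64 */
#define STACK_SIZE 512u  /* simulated stack; it grows towards offset 0 */

enum stack_res { NOT_STACK = 0, GOOD_FRAME = 1, BAD_STACK = -1 };
struct walk_arg {
	uintptr_t obj_lo, obj_hi; /* object range [lo, hi) as stack offsets */
	unsigned discard_frames;  /* frames skipped before checking starts */
	enum stack_res res;
};

/* A frame record is the {fp, lr} word pair at the low end of its frame, with
 * the caller's record above the frame's own data, as in the diagram above. */
static uint8_t stack_mem[STACK_SIZE];
static uintptr_t load_word(uintptr_t off) { uintptr_t v; memcpy(&v, &stack_mem[off], sizeof v); return v; }
static void store_word(uintptr_t off, uintptr_t v) { memcpy(&stack_mem[off], &v, sizeof v); }

/* Visit the frame whose record is at fp: its data runs from just above
 * {fp, lr} up to the caller's record. Returns true to stop the walk. */
static bool check_frame(uintptr_t fp, struct walk_arg *arg)
{
	uintptr_t caller_fp = load_word(fp);
	uintptr_t data_lo = fp + 2 * WORD;
	uintptr_t data_hi = caller_fp ? caller_fp : STACK_SIZE;
	if (arg->discard_frames) {
		arg->discard_frames--;
		return false;
	}
	if (arg->obj_lo >= data_hi) /* above this frame: keep walking */
		return false;
	if (arg->obj_lo >= data_lo && arg->obj_hi <= data_hi) {
		arg->res = GOOD_FRAME; /* wholly inside one frame's data */
		return true;
	}
	arg->res = BAD_STACK; /* overlaps a record or straddles a boundary */
	return true;
}

static enum stack_res within_stack_frames(uintptr_t start_fp, uintptr_t obj,
					  size_t len, unsigned discard)
{
	struct walk_arg arg = { obj, obj + len, discard, NOT_STACK };
	for (uintptr_t fp = start_fp; fp != 0; fp = load_word(fp))
		if (check_frame(fp, &arg))
			break;
	return arg.res;
}

/* Constructed layout: outermost record at 480 (its fp of 0 ends the walk);
 * caller's record at 400 with a fixed 32-byte local at 432, above it; the
 * caller's 16-byte VLA at 360, below its own record because the compiler
 * lowers sp for it after pushing {fp, lr}; __check_object_size's record at 320. */
enum { CHECK_FP = 320, CALLER_FP = 400, FIXED_BUF = 432, VLA = 360 };

static void build_stack(void)
{
	memset(stack_mem, 0, sizeof stack_mem);
	store_word(480, 0);
	store_word(480 + WORD, 0xbeef);
	store_word(CALLER_FP, 480);
	store_word(CALLER_FP + WORD, 0xcafe);
	store_word(CHECK_FP, CALLER_FP);
	store_word(CHECK_FP + WORD, 0xf00d);
}

/* The VLA is found only when __check_object_size's own frame is inspected. */
static enum stack_res vla_result(unsigned discard)
{
	build_stack();
	return within_stack_frames(CHECK_FP, VLA, 16, discard);
}

/* The caller's fixed local is found with either skip count. */
static enum stack_res fixed_result(unsigned discard)
{
	build_stack();
	return within_stack_frames(CHECK_FP, FIXED_BUF, 32, discard);
}

/* A range covering the caller's saved {fp, lr} is rejected with either. */
static enum stack_res straddle_result(unsigned discard)
{
	build_stack();
	return within_stack_frames(CHECK_FP, CALLER_FP - WORD, 32, discard);
}

int main(void)
{
	printf("vla      skip1=%d skip0=%d\n", vla_result(1), vla_result(0));
	printf("fixed    skip1=%d skip0=%d\n", fixed_result(1), fixed_result(0));
	printf("straddle skip1=%d skip0=%d\n", straddle_result(1), straddle_result(0));
	return 0;
}
```

Compile and run it as is and compare the two skip counts: the caller's fixed local is accepted either way, the VLA only when the callee's frame is inspected, and a range that covers the caller's saved fp/lr is rejected in both cases, which is the property a relaxed skip count must preserve.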