From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, David Windsor, Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Subject: [PATCH v3 21/31] sctp: Define usercopy region in SCTP proto slab cache
Date: Wed, 20 Sep 2017 13:45:27 -0700
Message-Id: <1505940337-79069-22-git-send-email-keescook@chromium.org>
In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org>
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9962547

From: David Windsor

The SCTP socket event notification subscription information needs to be
copied to/from userspace. In support of usercopy hardening, this patch
defines a region in the struct proto slab cache in which userspace copy
operations are allowed. Additionally moves the usercopy fields to be
adjacent for the region to cover both.

example usage trace:

    net/sctp/socket.c:
        sctp_getsockopt_events(...):
            ...
            copy_to_user(..., &sctp_sk(sk)->subscribe, len)

        sctp_setsockopt_events(...):
            ...
            copy_from_user(&sctp_sk(sk)->subscribe, ..., optlen)

        sctp_getsockopt_initmsg(...):
            ...
            copy_to_user(..., &sctp_sk(sk)->initmsg, len)

This region is known as the slab cache's usercopy region. Slab caches can
now check that each copy operation involving cache-managed memory falls
entirely within the slab's usercopy region.

This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.

Signed-off-by: David Windsor
[kees: split from network patch, move struct member adjacent, provide usage]
Cc: Vlad Yasevich
Cc: Neil Horman
Cc: "David S. Miller"
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook
---
 include/net/sctp/structs.h | 9 +++++++--
 net/sctp/socket.c          | 4 ++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 0477945de1a3..f2da107983d9 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h
@@ -202,12 +202,17 @@ struct sctp_sock { /* Flags controlling Heartbeat, SACK delay, and Path MTU Discovery. */ __u32 param_flags; - struct sctp_initmsg initmsg; struct sctp_rtoinfo rtoinfo; struct sctp_paddrparams paddrparam; - struct sctp_event_subscribe subscribe; struct sctp_assocparams assocparams; + /* + * These two structures must be grouped together for the usercopy + * whitelist region. + */ + struct sctp_event_subscribe subscribe; + struct sctp_initmsg initmsg; + int user_frag; __u32 autoclose; diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d4730ada7f32..aa4f86d64545 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -8246,6 +8246,10 @@ struct proto sctp_prot = { .unhash = sctp_unhash, .get_port = sctp_get_port, .obj_size = sizeof(struct sctp_sock), + .useroffset = offsetof(struct sctp_sock, subscribe), + .usersize = offsetof(struct sctp_sock, initmsg) - + offsetof(struct sctp_sock, subscribe) + + sizeof_field(struct sctp_sock, initmsg), .sysctl_mem = sysctl_sctp_mem, .sysctl_rmem = sysctl_sctp_rmem, .sysctl_wmem = sysctl_sctp_wmem,
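
Review bot: The new comment above `subscribe` and `initmsg` in struct sctp_sock (include/net/sctp/structs.h hunk) says the two members must be grouped, but not that their order matters or where the dependency lives. The `.usersize` expression in sctp_prot assumes `subscribe` comes first and `initmsg` last, and any member later placed between them would fall inside the whitelisted span with no change to net/sctp/socket.c. Suggest extending the comment to say that `subscribe` must precede `initmsg`, that nothing else may sit between them, and that `.useroffset`/`.usersize` in sctp_prot depend on this layout.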
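
Review bot: The `.usersize` initializer in sctp_prot (net/sctp/socket.c hunk) hard-codes the member order from structs.h: it subtracts offsetof(subscribe) from offsetof(initmsg), so if the two members are ever swapped the difference goes negative and the value no longer describes the region. Consider `offsetofend(struct sctp_sock, initmsg) - offsetof(struct sctp_sock, subscribe)`, which reads as end minus start, plus a BUILD_BUG_ON() that `initmsg` sits at a higher offset than `subscribe`, so that a reordering fails the build instead of silently changing the whitelist.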
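
A userspace model of the region check the commit message describes, added here as an illustration and not code from the patch or the kernel. The struct layout, the member sizes, `sk` and `usercopy_allowed()` are assumptions; only the member names and the `useroffset`/`usersize` arithmetic follow the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct sctp_sock: member names follow the patch,
 * but the types and sizes are placeholders, not the kernel's definitions. */
struct model_sock {
    uint32_t param_flags;
    uint8_t  rtoinfo[16];
    uint8_t  assocparams[20];
    uint8_t  subscribe[13];  /* first member of the whitelisted region */
    uint16_t initmsg[4];     /* last member of the whitelisted region */
    int      user_frag;
};

/* Whitelist bounds, computed with the same arithmetic as the patch. */
static const size_t useroffset = offsetof(struct model_sock, subscribe);
static const size_t usersize = offsetof(struct model_sock, initmsg) -
                               offsetof(struct model_sock, subscribe) +
                               sizeof(((struct model_sock *)0)->initmsg);

static struct model_sock sk; /* one object from the modelled cache */

/* True only if [ptr, ptr + n) lies entirely inside obj's usercopy region. */
static bool usercopy_allowed(const struct model_sock *obj, const void *ptr, size_t n)
{
    uintptr_t base = (uintptr_t)obj, p = (uintptr_t)ptr;

    if (p < base || p - base < useroffset)
        return false;                   /* starts before the region */
    size_t rel = p - base - useroffset; /* offset into the region */
    /* Compare against the remaining room so rel + n cannot wrap. */
    return rel <= usersize && n <= usersize - rel;
}

int main(void)
{
    printf("subscribe:        %d\n", usercopy_allowed(&sk, sk.subscribe, sizeof sk.subscribe));
    printf("initmsg:          %d\n", usercopy_allowed(&sk, sk.initmsg, sizeof sk.initmsg));
    printf("rtoinfo:          %d\n", usercopy_allowed(&sk, sk.rtoinfo, sizeof sk.rtoinfo));
    printf("initmsg + 1 byte: %d\n", usercopy_allowed(&sk, sk.initmsg, sizeof sk.initmsg + 1));
    return 0;
}
```

Because the region is one contiguous span, any padding between the two members is inside it, so a copy that starts at `subscribe` and runs one byte past it is still accepted in this model.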