From patchwork Tue Nov 23 05:16:54 2021
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 12693404
Date: Mon, 22 Nov 2021 21:16:54 -0800
In-Reply-To: <20211123051658.3195589-1-pcc@google.com>
Message-Id: <20211123051658.3195589-2-pcc@google.com>
References: <20211123051658.3195589-1-pcc@google.com>
X-Mailer: git-send-email 2.34.0.rc2.393.gf8c9666880-goog
Subject: [PATCH v2 1/5] fs: use raw_copy_from_user() to copy mount() data
From: Peter Collingbourne
To: Catalin Marinas, Will Deacon, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Thomas Gleixner, Andy Lutomirski, Kees Cook, Andrew Morton, Masahiro Yamada, Sami Tolvanen, YiFei Zhu, Colin Ian King, Mark Rutland, Frederic Weisbecker, Viresh Kumar, Andrey Konovalov, Peter Collingbourne, Gabriel Krisman Bertazi, Chris Hyser, Daniel Vetter, Chris Wilson, Arnd Bergmann, Dmitry Vyukov, Christian Brauner, "Eric W. Biederman", Alexey Gladkov, Ran Xiaokai, David Hildenbrand, Xiaofeng Cao, Cyrill Gorcunov, Thomas Cedeno, Marco Elver, Alexander Potapenko
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Evgenii Stepanov

With uaccess logging the contract is that the kernel must not report accessing more data than necessary, as this can lead to false positive reports in downstream consumers. This generally works out of the box when instrumenting copy_{from,to}_user(), but with the data argument to mount() we use copy_from_user() to copy PAGE_SIZE bytes (or as much as we can, if the PAGE_SIZE sized access failed) and figure out later how much we actually need. To prevent this from leading to a false positive report, use raw_copy_from_user(), which will prevent the access from being logged.

Recall that it is valid for the kernel to report accessing less data than it actually accessed, as uaccess logging is a best-effort mechanism for reporting uaccesses. Link: https://linux-review.googlesource.com/id/I5629b92a725c817acd9a861288338dd605cafee6 Signed-off-by: Peter Collingbourne --- fs/namespace.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/namespace.c b/fs/namespace.c index 659a8f39c61a..695b30e391f0 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3197,7 +3197,12 @@ static void *copy_mount_options(const void __user * data) if (!copy) return ERR_PTR(-ENOMEM); - left = copy_from_user(copy, data, PAGE_SIZE); + /* + * Use raw_copy_from_user to avoid reporting overly large accesses in + * the uaccess buffer, as this can lead to false positive reports in + * downstream consumers. + */ + left = raw_copy_from_user(copy, data, PAGE_SIZE); /* * Not all architectures have an exact copy_from_user(). Resort to
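
Review bot: The replacement call `left = raw_copy_from_user(copy, data, PAGE_SIZE);` in copy_mount_options() drops more than the log entry. copy_from_user() checks the user range with access_ok() before copying and zeroes the uncopied tail of the destination on a short copy; raw_copy_from_user() does neither, and nothing in this hunk adds an access_ok(data, PAGE_SIZE) check ahead of the call, so the `__user` pointer passed to mount() reaches the raw primitive unvalidated. Either add an explicit access_ok() check before the call and fail with -EFAULT when it does not pass, or introduce a copy helper that keeps the checks of copy_from_user() and only skips the uaccess log entry. The new comment should also say which of those checks this call site is now responsible for, since it currently explains only the logging motivation.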