| Message ID | 1472221903-31181-1-git-send-email-mark.rutland@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Fri, Aug 26, 2016 at 10:31 AM, Mark Rutland <mark.rutland@arm.com> wrote: > The strncpy_from_user() accessor is effectively a copy_from_user() > specialised to copy strings, terminating early at a NUL byte if > possible. In other respects it is identical, and can be used to copy an > arbitrarily large buffer from userspace into the kernel. Conceptually, > it exposes a similar attack surface. > > As with copy_from_user(), we check the destination range when the kernel > is built with KASAN, but unlike copy_from_user() we do not check the > destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() > calls get_user() in a loop, we must call check_object_size() explicitly. > > This patch adds this instrumentation to strncpy_from_user(), per the > same rationale as with the regular copy_from_user(). In the absence of > hardened usercopy this will have no impact as the instrumentation > expands to an empty static inline function. > > Signed-off-by: Mark Rutland <mark.rutland@arm.com> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Kees Cook <keescook@chromium.org> > --- > lib/strncpy_from_user.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c > index 9c5fe81..7e35fc4 100644 > --- a/lib/strncpy_from_user.c > +++ b/lib/strncpy_from_user.c > @@ -1,6 +1,7 @@ > #include <linux/compiler.h> > #include <linux/export.h> > #include <linux/kasan-checks.h> > +#include <linux/thread_info.h> > #include <linux/uaccess.h> > #include <linux/kernel.h> > #include <linux/errno.h> > @@ -111,6 +112,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) > long retval; > > kasan_check_write(dst, count); > + check_object_size(dst, count, false); > user_access_begin(); > retval = do_strncpy_from_user(dst, src, count, max); > user_access_end(); > -- > 2.7.4 > Ah, yes, good catch! (And to repeat what you mentioned to me in passing in the hall: there appear to be other users of get_user() in a loop in other places in the kernel that will likely need some attention too.) I'll get this into the hardened usercopy tree when I get back from the Security Summit. This will likely need to grow knowledge about builtin-const "count" arguments like we need to the architectures that are missing them in the copy_*_user calls. Thanks! -Kees
On Fri, Aug 26, 2016 at 02:57:58PM -0400, Kees Cook wrote: > On Fri, Aug 26, 2016 at 10:31 AM, Mark Rutland <mark.rutland@arm.com> wrote: > > The strncpy_from_user() accessor is effectively a copy_from_user() > > specialised to copy strings, terminating early at a NUL byte if > > possible. In other respects it is identical, and can be used to copy an > > arbitrarily large buffer from userspace into the kernel. Conceptually, > > it exposes a similar attack surface. > > > > As with copy_from_user(), we check the destination range when the kernel > > is built with KASAN, but unlike copy_from_user() we do not check the > > destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() > > calls get_user() in a loop, we must call check_object_size() explicitly. > > > > This patch adds this instrumentation to strncpy_from_user(), per the > > same rationale as with the regular copy_from_user(). In the absence of > > hardened usercopy this will have no impact as the instrumentation > > expands to an empty static inline function. [...] > Ah, yes, good catch! (And to repeat what you mentioned to me in > passing in the hall: there appear to be other users of get_user() in a > loop in other places in the kernel that will likely need some > attention too.) I was reminded of this as it just hit mainline; is it worth dropping a TODO on the KSPP wiki? I suspect I won't have the time to delve much further into this in the near term, and it might be a good intro task for someone. Thanks, Mark.
On Mon, Oct 17, 2016 at 5:04 PM, Mark Rutland <mark.rutland@arm.com> wrote: > On Fri, Aug 26, 2016 at 02:57:58PM -0400, Kees Cook wrote: >> On Fri, Aug 26, 2016 at 10:31 AM, Mark Rutland <mark.rutland@arm.com> wrote: >> > The strncpy_from_user() accessor is effectively a copy_from_user() >> > specialised to copy strings, terminating early at a NUL byte if >> > possible. In other respects it is identical, and can be used to copy an >> > arbitrarily large buffer from userspace into the kernel. Conceptually, >> > it exposes a similar attack surface. >> > >> > As with copy_from_user(), we check the destination range when the kernel >> > is built with KASAN, but unlike copy_from_user() we do not check the >> > destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() >> > calls get_user() in a loop, we must call check_object_size() explicitly. >> > >> > This patch adds this instrumentation to strncpy_from_user(), per the >> > same rationale as with the regular copy_from_user(). In the absence of >> > hardened usercopy this will have no impact as the instrumentation >> > expands to an empty static inline function. > > [...] > >> Ah, yes, good catch! (And to repeat what you mentioned to me in >> passing in the hall: there appear to be other users of get_user() in a >> loop in other places in the kernel that will likely need some >> attention too.) > > I was reminded of this as it just hit mainline; is it worth dropping a > TODO on the KSPP wiki? I suspect I won't have the time to delve much > further into this in the near term, and it might be a good intro task > for someone. > > Thanks, > Mark. Yes. I believe that it is.
On Mon, Oct 17, 2016 at 6:04 AM, Mark Rutland <mark.rutland@arm.com> wrote: > On Fri, Aug 26, 2016 at 02:57:58PM -0400, Kees Cook wrote: >> On Fri, Aug 26, 2016 at 10:31 AM, Mark Rutland <mark.rutland@arm.com> wrote: >> > The strncpy_from_user() accessor is effectively a copy_from_user() >> > specialised to copy strings, terminating early at a NUL byte if >> > possible. In other respects it is identical, and can be used to copy an >> > arbitrarily large buffer from userspace into the kernel. Conceptually, >> > it exposes a similar attack surface. >> > >> > As with copy_from_user(), we check the destination range when the kernel >> > is built with KASAN, but unlike copy_from_user() we do not check the >> > destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() >> > calls get_user() in a loop, we must call check_object_size() explicitly. >> > >> > This patch adds this instrumentation to strncpy_from_user(), per the >> > same rationale as with the regular copy_from_user(). In the absence of >> > hardened usercopy this will have no impact as the instrumentation >> > expands to an empty static inline function. > > [...] > >> Ah, yes, good catch! (And to repeat what you mentioned to me in >> passing in the hall: there appear to be other users of get_user() in a >> loop in other places in the kernel that will likely need some >> attention too.) > > I was reminded of this as it just hit mainline; is it worth dropping a > TODO on the KSPP wiki? I suspect I won't have the time to delve much > further into this in the near term, and it might be a good intro task > for someone. Ah, right. I've updated the kernserc TODO list with this (recently the csum_* routines were pointed out), and added a bunch more TODOs that were in my notes. -Kees
diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c index 9c5fe81..7e35fc4 100644 --- a/lib/strncpy_from_user.c +++ b/lib/strncpy_from_user.c @@ -1,6 +1,7 @@ #include <linux/compiler.h> #include <linux/export.h> #include <linux/kasan-checks.h> +#include <linux/thread_info.h> #include <linux/uaccess.h> #include <linux/kernel.h> #include <linux/errno.h> @@ -111,6 +112,7 @@ long strncpy_from_user(char *dst, const char __user *src, long count) long retval; kasan_check_write(dst, count); + check_object_size(dst, count, false); user_access_begin(); retval = do_strncpy_from_user(dst, src, count, max); user_access_end();
The strncpy_from_user() accessor is effectively a copy_from_user() specialised to copy strings, terminating early at a NUL byte if possible. In other respects it is identical, and can be used to copy an arbitrarily large buffer from userspace into the kernel. Conceptually, it exposes a similar attack surface. As with copy_from_user(), we check the destination range when the kernel is built with KASAN, but unlike copy_from_user() we do not check the destination buffer when using HARDENED_USERCOPY. As strncpy_from_user() calls get_user() in a loop, we must call check_object_size() explicitly. This patch adds this instrumentation to strncpy_from_user(), per the same rationale as with the regular copy_from_user(). In the absence of hardened usercopy this will have no impact as the instrumentation expands to an empty static inline function. Signed-off-by: Mark Rutland <mark.rutland@arm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Kees Cook <keescook@chromium.org> --- lib/strncpy_from_user.c | 2 ++ 1 file changed, 2 insertions(+)