From patchwork Mon Jun 19 23:36:32 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 9798113
Return-Path: 
 <kernel-hardening-return-8667-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	7636260381 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 19 Jun 2017 23:44:22 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 735A726C9B
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 19 Jun 2017 23:44:22 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 67E7827F93; Mon, 19 Jun 2017 23:44:22 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.4 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED, T_DKIM_INVALID,
	URIBL_BLACK autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 0C42926C9B
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Mon, 19 Jun 2017 23:44:20 +0000 (UTC)
Received: (qmail 6028 invoked by uid 550); 19 Jun 2017 23:43:38 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 5447 invoked from network); 19 Jun 2017 23:43:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=t+nhEuKkWkJ9K89WqqUDQpBFABC8Jr5V36ohBz3+xfE=;
	b=DEBDMqA6yk2dpMmcWN/OvgUPRgAfhsyDfhKdiNqCNFyqF1y4ZS1b17lteHvllc50Yb
	r2PJQo6ClUhOfI5IkrdctNQxh0FIkTg7kZrDBXoMI2s1DMSLDv3nzAPLLehA9W78Mk9d
	5RT18FFo1iNaDf856AZiKXaMSbJXQaW7FB0LQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=t+nhEuKkWkJ9K89WqqUDQpBFABC8Jr5V36ohBz3+xfE=;
	b=DhP8ZE2FAiVmfDw864ZPHnyxRYXkVIYcmkNYwdNIOHrSAwSMoRLvTtj1klYi8DD+O1
	qnWL2+W0BsMzAv0v64e0U0UEYEJGsF+zgJrnHopO7k9I9CTXjam7fhNdz1ZVYNUK3ppL
	AzX7meqNRXagXFL2/3FB8KF3+raPQJhraW80rlMIN6sM7/MMoWvemhE6nizsBYBxBk8L
	cbgJZ8X4hrKGg4GwQN41KtWUZ/qCuPfAv9mOIp5AVy56dBmzal8IQprRn5QjTBqyvi0d
	t4SOC3nO7WtMU634IW9ZMbTmOq4ikel3ZWEpp9DG4J0Tq3MraTzHoHZ8sYCFEhq01Mk3
	I7bA==
X-Gm-Message-State: AKS2vOypHXdL/FurFSIMuIvPwyjw9bzt6N9IYtud92uO53NwJltCnyLv
	NWrF8FaT2rg2zBwO
X-Received: by 10.84.216.71 with SMTP id f7mr26207634plj.266.1497915799458;
	Mon, 19 Jun 2017 16:43:19 -0700 (PDT)
From: Kees Cook <keescook@chromium.org>
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook <keescook@chromium.org>, David Windsor <dave@nullcore.net>,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org
Date: Mon, 19 Jun 2017 16:36:32 -0700
Message-Id: <1497915397-93805-19-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1497915397-93805-1-git-send-email-keescook@chromium.org>
References: <1497915397-93805-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 18/23] scsi: define usercopy region in
	scsi_sense_cache slab cache
X-Virus-Scanned: ClamAV using ClamSMTP

From: David Windsor <dave@nullcore.net>

SCSI sense buffers, stored in struct scsi_cmnd.sense and therefore
contained in the scsi_sense_cache slab cache, need to be copied to/from
userspace.

In support of usercopy hardening, this patch defines a region in
the scsi_sense_cache slab cache in which userspace copy operations
are allowed.

This region is known as the slab cache's usercopy region.  Slab
caches can now check that each copy operation involving cache-managed
memory falls entirely within the slab's usercopy region.

Signed-off-by: David Windsor <dave@nullcore.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/scsi/scsi_lib.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index 99e16ac479e3..fc5052aded84 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -77,14 +77,15 @@ int scsi_init_sense_cache(struct Scsi_Host *shost)
 	if (shost->unchecked_isa_dma) {
 		scsi_sense_isadma_cache =
 			kmem_cache_create("scsi_sense_cache(DMA)",
-			SCSI_SENSE_BUFFERSIZE, 0,
-			SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL);
+				SCSI_SENSE_BUFFERSIZE, 0,
+				SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL);
 		if (!scsi_sense_isadma_cache)
 			ret = -ENOMEM;
 	} else {
 		scsi_sense_cache =
-			kmem_cache_create("scsi_sense_cache",
-			SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, NULL);
+			kmem_cache_create_usercopy("scsi_sense_cache",
+				SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN,
+				0, SCSI_SENSE_BUFFERSIZE, NULL);
 		if (!scsi_sense_cache)
 			ret = -ENOMEM;
 	}