From patchwork Mon Aug 28 21:34:58 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9926289
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Mon, 28 Aug 2017 14:34:58 -0700
Message-Id: <1503956111-36652-18-git-send-email-keescook@chromium.org>
In-Reply-To: <1503956111-36652-1-git-send-email-keescook@chromium.org>
References: <1503956111-36652-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH v2 17/30] scsi: Define usercopy region in scsi_sense_cache slab cache
From: David Windsor

SCSI sense buffers, stored in struct scsi_cmnd.sense and therefore
contained in the scsi_sense_cache slab cache, need to be copied
to/from userspace.

cache object allocation:
    drivers/scsi/scsi_lib.c:
        scsi_select_sense_cache(...):
            return ... ? scsi_sense_isadma_cache : scsi_sense_cache

        scsi_alloc_sense_buffer(...):
            return kmem_cache_alloc_node(scsi_select_sense_cache(), ...);

        scsi_init_request(...):
            ...
            cmd->sense_buffer = scsi_alloc_sense_buffer(...);
            ...
            cmd->req.sense = cmd->sense_buffer

example usage trace:

    block/scsi_ioctl.c:
        (inline from sg_io)
        blk_complete_sghdr_rq(...):
            struct scsi_request *req = scsi_req(rq);
            ...
            copy_to_user(..., req->sense, len)

        scsi_cmd_ioctl(...):
            sg_io(...);

In support of usercopy hardening, this patch defines a region in the
scsi_sense_cache slab cache in which userspace copy operations are
allowed.

This region is known as the slab cache's usercopy region. Slab caches
can now check that each copy operation involving cache-managed memory
falls entirely within the slab's usercopy region.

Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/scsi/scsi_lib.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index f6097b89d5d3..f1c6bd56dd5b 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -77,14 +77,15 @@ int scsi_init_sense_cache(struct Scsi_Host *shost) if (shost->unchecked_isa_dma) { scsi_sense_isadma_cache = kmem_cache_create("scsi_sense_cache(DMA)", - SCSI_SENSE_BUFFERSIZE, 0, - SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL); + SCSI_SENSE_BUFFERSIZE, 0, + SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL); if (!scsi_sense_isadma_cache) ret = -ENOMEM; } else { scsi_sense_cache = - kmem_cache_create("scsi_sense_cache", - SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, NULL); + kmem_cache_create_usercopy("scsi_sense_cache", + SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, + 0, SCSI_SENSE_BUFFERSIZE, NULL); if (!scsi_sense_cache) ret = -ENOMEM; }
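Review bot: only scsi_sense_cache gets a usercopy region (0..SCSI_SENSE_BUFFERSIZE) in this hunk, while scsi_sense_isadma_cache in the unchecked_isa_dma branch stays on kmem_cache_create() and is merely re-indented. Per the commit log, scsi_select_sense_cache() returns the DMA cache when unchecked_isa_dma is set and the resulting buffer reaches the same copy_to_user() in blk_complete_sghdr_rq(), so sense copies from that cache would fall outside any usercopy region. Either create it with kmem_cache_create_usercopy("scsi_sense_cache(DMA)", SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, 0, SCSI_SENSE_BUFFERSIZE, NULL) as well, or state in the commit log why the DMA cache is intentionally excluded; the whitespace-only re-indentation of the unchanged call can be dropped either way.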
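A user-space model of the check the commit log describes (each copy must fall entirely inside the cache's usercopy region [useroffset, useroffset + usersize)), written here as an added example rather than taken from the kernel or from this patch. It assumes SCSI_SENSE_BUFFERSIZE is 96, as in the kernel tree this series targets, models the two caches as the hunk creates them, and also shows why the bounds test is written with subtractions instead of offset + n.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: SCSI_SENSE_BUFFERSIZE is 96 in the kernel tree this series targets. */
#define SCSI_SENSE_BUFFERSIZE 96

/* Model of a slab cache's usercopy whitelist, mirroring the useroffset/usersize
 * arguments of kmem_cache_create_usercopy(). Added example, not kernel code. */
struct cache_model {
	const char *name;
	size_t useroffset;   /* start of the usercopy region inside each object */
	size_t usersize;     /* length of the region; 0 means nothing is whitelisted */
};

/* The region the hunk whitelists for scsi_sense_cache: the whole sense buffer. */
static const struct cache_model scsi_sense_cache = {
	"scsi_sense_cache", 0, SCSI_SENSE_BUFFERSIZE
};
/* scsi_sense_cache(DMA) stays on kmem_cache_create() in the hunk: no region. */
static const struct cache_model scsi_sense_isadma_cache = {
	"scsi_sense_cache(DMA)", 0, 0
};

/* 1 if copying n bytes starting at byte `offset` of an object stays entirely
 * within the cache's usercopy region, else 0. Uses subtractions only, so a
 * huge n cannot wrap the comparison around. */
int usercopy_region_allows(const struct cache_model *c, size_t offset, size_t n)
{
	if (offset < c->useroffset)
		return 0;
	if (offset - c->useroffset > c->usersize)
		return 0;
	return n <= c->usersize - (offset - c->useroffset);
}

/* Naive form of the same test: offset + n wraps to a small value for a huge n. */
int usercopy_region_allows_naive(const struct cache_model *c, size_t offset, size_t n)
{
	return offset >= c->useroffset && offset + n <= c->useroffset + c->usersize;
}

int main(void)
{
	printf("whole sense buffer:   %d\n", usercopy_region_allows(&scsi_sense_cache, 0, 96));
	printf("one byte past end:    %d\n", usercopy_region_allows(&scsi_sense_cache, 0, 97));
	printf("same copy, DMA cache: %d\n", usercopy_region_allows(&scsi_sense_isadma_cache, 0, 96));
	printf("wrapped n, naive:     %d\n", usercopy_region_allows_naive(&scsi_sense_cache, 8, (size_t)-8));
	printf("wrapped n, safe:      %d\n", usercopy_region_allows(&scsi_sense_cache, 8, (size_t)-8));
	return 0;
}
```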