From patchwork Wed Sep 20 20:45:15 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9962433
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, David Windsor, Dave Kleikamp, jfs-discussion@lists.sourceforge.net, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Wed, 20 Sep 2017 13:45:15 -0700
Message-Id: <1505940337-79069-10-git-send-email-keescook@chromium.org>
In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org>
References: <1505940337-79069-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH v3 09/31] jfs: Define usercopy region in jfs_ip slab cache
From: David Windsor

The jfs symlink pathnames, stored in struct jfs_inode_info.i_inline and
therefore contained in the jfs_ip slab cache, need to be copied to/from
userspace.

cache object allocation:
    fs/jfs/super.c:
        jfs_alloc_inode(...):
            ...
            jfs_inode = kmem_cache_alloc(jfs_inode_cachep, GFP_NOFS);
            ...
            return &jfs_inode->vfs_inode;

    fs/jfs/jfs_incore.h:
        JFS_IP(struct inode *inode):
            return container_of(inode, struct jfs_inode_info, vfs_inode);

    fs/jfs/inode.c:
        jfs_iget(...):
            ...
            inode->i_link = JFS_IP(inode)->i_inline;

example usage trace:
    readlink_copy+0x43/0x70
    vfs_readlink+0x62/0x110
    SyS_readlinkat+0x100/0x130

    fs/namei.c:
        readlink_copy(..., link):
            ...
            copy_to_user(..., link, len);

        (inlined in vfs_readlink)
        generic_readlink(dentry, ...):
            struct inode *inode = d_inode(dentry);
            const char *link = inode->i_link;
            ...
            readlink_copy(..., link);

In support of usercopy hardening, this patch defines a region in the
jfs_ip slab cache in which userspace copy operations are allowed. This
region is known as the slab cache's usercopy region. Slab caches can now
check that each copy operation involving cache-managed memory falls
entirely within the slab's usercopy region.

This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.

Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net
Signed-off-by: Kees Cook
Acked-by: Dave Kleikamp
---
 fs/jfs/super.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 2f14677169c3..e018412608d4 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -966,9 +966,11 @@ static int __init init_jfs_fs(void) int rc; jfs_inode_cachep = - kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0, - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT, - init_once); + kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info), + 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT, + offsetof(struct jfs_inode_info, i_inline), + sizeof_field(struct jfs_inode_info, i_inline), + init_once); if (jfs_inode_cachep == NULL) return -ENOMEM;
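Review bot: the whitelisted window is exactly i_inline (the offsetof/sizeof_field pair passed to kmem_cache_create_usercopy), so the readlink path quoted in the commit log, copy_to_user(..., link, len) with link = JFS_IP(inode)->i_inline, is now refused by the usercopy check whenever len exceeds sizeof_field(struct jfs_inode_info, i_inline); the commit log should say explicitly that an inline symlink stored in i_inline is bounded by that field's size, otherwise a legitimate readlink would trip the check. The flag set SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT and the init_once constructor carry over unchanged from the kmem_cache_create() call being replaced, and the NULL check on jfs_inode_cachep still covers the new call, so nothing else to flag in this hunk.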
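The usercopy region mechanism the commit log describes, modelled in userspace as an added example (this is not code from the patch, from the kernel, or from the jfs maintainers): a constructed struct stands in for struct jfs_inode_info, model_cache records the same offset and size pair the patch passes for the jfs_ip cache, and model_check_usercopy() decides whether a copy span falls entirely within that window, which is what the hardened check does before copy_to_user() moves any bytes. The struct layout, the helper names, the verdict enum and the sample object are all assumptions made for the model.

```c
/* Added example: a userspace model of the slab usercopy region that
 * kmem_cache_create_usercopy() records for a cache. Not kernel code; the
 * struct below is a constructed stand-in for struct jfs_inode_info and
 * only the position and size of i_inline are meant to be representative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same helper the patch uses; defined here so the model builds stand-alone. */
#ifndef sizeof_field
#define sizeof_field(TYPE, MEMBER) sizeof(((TYPE *)0)->MEMBER)
#endif

/* Constructed stand-in (assumption): private kernel state around the one
 * field that legitimately reaches userspace, the inline symlink target. */
struct model_jfs_inode_info {
	unsigned long private_state[4];	/* locks, counters: never copyable */
	unsigned char i_inline[128];	/* inline symlink target: copyable */
	unsigned long more_private[2];	/* never copyable */
};

/* Per-cache metadata: the whitelisted window as offset+size in the object,
 * exactly the two extra arguments the patch passes. */
struct model_cache {
	const char *name;
	size_t object_size;
	size_t useroffset;
	size_t usersize;
};

enum copy_verdict { COPY_OK = 0, COPY_NOT_IN_OBJECT, COPY_OUTSIDE_REGION };

/* Decide whether [ptr, ptr+len) lies entirely inside the usercopy region of
 * the object at obj. This is the idea behind the hardened heap check, written
 * from scratch for the model; it is not the kernel's implementation. */
static enum copy_verdict model_check_usercopy(const struct model_cache *c,
					      const void *obj,
					      const void *ptr, size_t len)
{
	uintptr_t base = (uintptr_t)obj, p = (uintptr_t)ptr;
	size_t off;

	/* The pointer must start inside the object. */
	if (p < base || p - base >= c->object_size)
		return COPY_NOT_IN_OBJECT;
	off = (size_t)(p - base);
	/* Written this way so off + len cannot wrap around. */
	if (len > c->object_size - off)
		return COPY_NOT_IN_OBJECT;
	/* Inside the object, but does the whole span fit in the window?
	 * len is compared first so usersize - len cannot underflow. */
	if (off < c->useroffset || len > c->usersize ||
	    off - c->useroffset > c->usersize - len)
		return COPY_OUTSIDE_REGION;
	return COPY_OK;
}

/* The jfs_ip cache as the patch defines it, applied to the model struct. */
static const struct model_cache jfs_ip_model = {
	.name = "jfs_ip",
	.object_size = sizeof(struct model_jfs_inode_info),
	.useroffset = offsetof(struct model_jfs_inode_info, i_inline),
	.usersize = sizeof_field(struct model_jfs_inode_info, i_inline),
};

/* Model of readlink_copy(): the check runs before any byte moves. */
static enum copy_verdict model_readlink_copy(const struct model_jfs_inode_info *ip,
					     const void *link, size_t len,
					     char *user_buf)
{
	enum copy_verdict v = model_check_usercopy(&jfs_ip_model, ip, link, len);

	if (v == COPY_OK)
		memcpy(user_buf, link, len);
	return v;
}

/* Constructed sample object and destination buffer for the demonstrations. */
static struct model_jfs_inode_info sample_ip;
static char user_buf[256];

int main(void)
{
	strcpy((char *)sample_ip.i_inline, "/target/of/symlink");

	/* 18 bytes from i_inline: inside the window, allowed (0). */
	printf("inline symlink: %d\n",
	       model_readlink_copy(&sample_ip, sample_ip.i_inline, 18, user_buf));
	/* 129 bytes would run past i_inline into more_private: refused (2). */
	printf("spill past i_inline: %d\n",
	       model_readlink_copy(&sample_ip, sample_ip.i_inline, 129, user_buf));
	/* A field outside the window, even a short copy: refused (2). */
	printf("private field: %d\n",
	       model_readlink_copy(&sample_ip, sample_ip.private_state, 8, user_buf));
	return 0;
}
```

The model returns a verdict where the kernel reports a violation and stops the copy; the point it makes is the one the commit log states: after this patch, a copy that starts in i_inline but runs past its end, or that starts in any other field of the object, no longer passes, while a symlink target of up to sizeof_field(i_inline) bytes still does.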