From patchwork Wed Sep 20 20:45:16 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9962443 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3782060208 for ; Wed, 20 Sep 2017 20:48:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A3E729226 for ; Wed, 20 Sep 2017 20:48:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1EBBC29229; Wed, 20 Sep 2017 20:48:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID, URIBL_BLACK autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 0B94B29226 for ; Wed, 20 Sep 2017 20:48:16 +0000 (UTC) Received: (qmail 3853 invoked by uid 550); 20 Sep 2017 20:46:29 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 3561 invoked from network); 20 Sep 2017 20:46:19 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=ZD70sgZJcUbeGG5tGfV/yFB0j+7o6bDSFDi/MC59qys=; b=furlNcR31jAI0t3DtZj/zoyjN7EperexIzBi0oBZw93xK6x/naHuLTqRcFADD/5MsE 4whg2r8VsYUkHVolFrh3lTOv/Qfe1fLi6hmk/gueYjMCATMcNBmnOjBktvLZcK46qN93 nIqjRP6fHLk4+E/qPze0rgy+v0jFPO0tn3RuM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=ZD70sgZJcUbeGG5tGfV/yFB0j+7o6bDSFDi/MC59qys=; b=kBtg8SC8Z+hXJeGvbNMW59lsbdYWtdWEu8gF25rUoQIA+KXDnf9jt8brEFzm4D0ks3 0JVc4T5jM7v9C/dV5E1dgLAgVcGVBBrmQF1bLNbAzFJV673JhYBvMbD3SVN/aii5O3w0 6eqHS+2z09EL4PxbDWBwVDx4+pvB0onk8cHLXxAmU4ZtkGspD0I73zSViiuCRKoLpyOY B62RuKA2GDeEUKqC/rOn1NZ4Z5rIvarl3e/7W/BfPTyH1W8JhKWzsZmZCTu+PUH+h/CG 9fMB2bt4qG4UfCvnOKP6gO+EdWF3VIULR80yezN2nE9fY78brqsrgtTgQx7kq5GUF5DN OCuw== X-Gm-Message-State: AHPjjUi47bNI4d41si1z2lydeqHuQsFMdsTuaai0pGIH0wujenf+rA9+ 2N5ZfAXJII6eZECxRTgtovxwyQ== X-Google-Smtp-Source: AOwi7QDopldAOLVNl6Fxd3dAtyJ6TNpYyjkXbxPqIra0a2+az8IAUz7EjvoC2aGnW4CZOs1pEaH/Sg== X-Received: by 10.98.100.69 with SMTP id y66mr3441176pfb.337.1505940367932; Wed, 20 Sep 2017 13:46:07 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , David Windsor , Luis de Bethencourt , Salah Triki , linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com Date: Wed, 20 Sep 2017 13:45:16 -0700 Message-Id: <1505940337-79069-11-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org> References: <1505940337-79069-1-git-send-email-keescook@chromium.org> Subject: [kernel-hardening] [PATCH v3 10/31] befs: Define usercopy region in befs_inode_cache slab cache X-Virus-Scanned: ClamAV using ClamSMTP From: David Windsor befs symlink pathnames, stored in struct befs_inode_info.i_data.symlink and therefore contained in the befs_inode_cache slab cache, need to be copied to/from userspace. cache object allocation: fs/befs/linuxvfs.c: befs_alloc_inode(...): ... bi = kmem_cache_alloc(befs_inode_cachep, GFP_KERNEL); ... return &bi->vfs_inode; befs_iget(...): ... strlcpy(befs_ino->i_data.symlink, raw_inode->data.symlink, BEFS_SYMLINK_LEN); ... inode->i_link = befs_ino->i_data.symlink; example usage trace: readlink_copy+0x43/0x70 vfs_readlink+0x62/0x110 SyS_readlinkat+0x100/0x130 fs/namei.c: readlink_copy(..., link): ... copy_to_user(..., link, len); (inlined in vfs_readlink) generic_readlink(dentry, ...): struct inode *inode = d_inode(dentry); const char *link = inode->i_link; ... readlink_copy(..., link); In support of usercopy hardening, this patch defines a region in the befs_inode_cache slab cache in which userspace copy operations are allowed. This region is known as the slab cache's usercopy region. Slab caches can now check that each copy operation involving cache-managed memory falls entirely within the slab's usercopy region. This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor [kees: adjust commit log, provide usage trace] Cc: Luis de Bethencourt Cc: Salah Triki Signed-off-by: Kees Cook Acked-by: Luis de Bethencourt --- fs/befs/linuxvfs.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/fs/befs/linuxvfs.c b/fs/befs/linuxvfs.c index a92355cc453b..e5dcd26003dc 100644 --- a/fs/befs/linuxvfs.c +++ b/fs/befs/linuxvfs.c @@ -444,11 +444,15 @@ static struct inode *befs_iget(struct super_block *sb, unsigned long ino) static int __init befs_init_inodecache(void) { - befs_inode_cachep = kmem_cache_create("befs_inode_cache", - sizeof (struct befs_inode_info), - 0, (SLAB_RECLAIM_ACCOUNT| - SLAB_MEM_SPREAD|SLAB_ACCOUNT), - init_once); + befs_inode_cachep = kmem_cache_create_usercopy("befs_inode_cache", + sizeof(struct befs_inode_info), 0, + (SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD| + SLAB_ACCOUNT), + offsetof(struct befs_inode_info, + i_data.symlink), + sizeof_field(struct befs_inode_info, + i_data.symlink), + init_once); if (befs_inode_cachep == NULL) return -ENOMEM;