From patchwork Wed Sep 20 20:45:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9962551 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1F94F60208 for ; Wed, 20 Sep 2017 20:55:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 12F9C2920C for ; Wed, 20 Sep 2017 20:55:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 07C6B29224; Wed, 20 Sep 2017 20:55:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.4 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID, URIBL_BLACK autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id EE1672920C for ; Wed, 20 Sep 2017 20:55:24 +0000 (UTC) Received: (qmail 2003 invoked by uid 550); 20 Sep 2017 20:53:24 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 1589 invoked from network); 20 Sep 2017 20:53:13 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=fJBCTYrvupc81/kSBPbTUYwbynzllz2b1+/Rc+B9MZ8=; b=ICQLYooqJJeIN7aSoOC/pYxI3kOF+AwYe7uqAeRUAKWj/tzcJ5z9AoxeiU7S72kgkg +iFF+bHaGteLNHOW0Wi2Nhh7vXyXK4VrLxpiatpExP7vYnWyBKihQ/goz55xn/ZwALZi 5prk3pXs6vYJ1IYOAkyBbG8NNOsKvEzDLGOno= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=fJBCTYrvupc81/kSBPbTUYwbynzllz2b1+/Rc+B9MZ8=; b=cFwZowd0q2i/s4R59ZG6T4JEIao6GKy2wIkca+2W9j2jz7Fa35T0wPAc9+ABLWu171 HuPs0rkjUy60kOxvfADNEWjAbL+uDnsThl7d81l/orVb4Y5bzJCd23NqYTgcFV7DaqBw N5vLKvssiait5Uc1WaszBhVd8d2oBpEC5Tt4Gxo7e2swBL92aFxDgfgEJCBW1D28ZXTG PVr6aXQiRkIELoGRB1XoqtyHfCpPMcFzjTTGsZupZLodGYujLmY8eDJoRF0IbbhMVdhR 1fEkxZu3cmYVZvuZyH5j8+JP/t9uxNwGyqIVFQ6UA7f/u4vtuns5Kd+5fdK5PxzrogpH TaMQ== X-Gm-Message-State: AHPjjUgV8OZf7fOX6L3Df2VXPLd4gM1BScen0T+TxPda2bdaWo2VgQo3 3I9vX987GaFfz0Gl8uIrqdeeV39cBDo= X-Google-Smtp-Source: AOwi7QBJgmhuhN1d8VGYRjmrUZ1YruSUlaFSqGCaO+RnIh81DX5QMhiGowgCZMO2HlG/PmQ8IettrQ== X-Received: by 10.84.238.130 with SMTP id v2mr3335868plk.175.1505940781329; Wed, 20 Sep 2017 13:53:01 -0700 (PDT) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , David Windsor , Vlad Yasevich , Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com Date: Wed, 20 Sep 2017 13:45:27 -0700 Message-Id: <1505940337-79069-22-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org> References: <1505940337-79069-1-git-send-email-keescook@chromium.org> Subject: [kernel-hardening] [PATCH v3 21/31] sctp: Define usercopy region in SCTP proto slab cache X-Virus-Scanned: ClamAV using ClamSMTP From: David Windsor The SCTP socket event notification subscription information need to be copied to/from userspace. In support of usercopy hardening, this patch defines a region in the struct proto slab cache in which userspace copy operations are allowed. Additionally moves the usercopy fields to be adjacent for the region to cover both. example usage trace: net/sctp/socket.c: sctp_getsockopt_events(...): ... copy_to_user(..., &sctp_sk(sk)->subscribe, len) sctp_setsockopt_events(...): ... copy_from_user(&sctp_sk(sk)->subscribe, ..., optlen) sctp_getsockopt_initmsg(...): ... copy_to_user(..., &sctp_sk(sk)->initmsg, len) This region is known as the slab cache's usercopy region. Slab caches can now check that each copy operation involving cache-managed memory falls entirely within the slab's usercopy region. This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor [kees: split from network patch, move struct member adjacent, provide usage] Cc: Vlad Yasevich Cc: Neil Horman Cc: "David S. Miller" Cc: linux-sctp@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- include/net/sctp/structs.h | 9 +++++++-- net/sctp/socket.c | 4 ++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 0477945de1a3..f2da107983d9 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -202,12 +202,17 @@ struct sctp_sock { /* Flags controlling Heartbeat, SACK delay, and Path MTU Discovery. */ __u32 param_flags; - struct sctp_initmsg initmsg; struct sctp_rtoinfo rtoinfo; struct sctp_paddrparams paddrparam; - struct sctp_event_subscribe subscribe; struct sctp_assocparams assocparams; + /* + * These two structures must be grouped together for the usercopy + * whitelist region. + */ + struct sctp_event_subscribe subscribe; + struct sctp_initmsg initmsg; + int user_frag; __u32 autoclose; diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d4730ada7f32..aa4f86d64545 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -8246,6 +8246,10 @@ struct proto sctp_prot = { .unhash = sctp_unhash, .get_port = sctp_get_port, .obj_size = sizeof(struct sctp_sock), + .useroffset = offsetof(struct sctp_sock, subscribe), + .usersize = offsetof(struct sctp_sock, initmsg) - + offsetof(struct sctp_sock, subscribe) + + sizeof_field(struct sctp_sock, initmsg), .sysctl_mem = sysctl_sctp_mem, .sysctl_rmem = sysctl_sctp_rmem, .sysctl_wmem = sysctl_sctp_wmem,