From patchwork Wed Sep 20 20:45:29 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9962539
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, "David S. Miller", Eric Dumazet, Paolo Abeni, David Howells, netdev@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, David Windsor
Date: Wed, 20 Sep 2017 13:45:29 -0700
Message-Id: <1505940337-79069-24-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org>
References: <1505940337-79069-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH v3 23/31] net: Restrict unwhitelisted proto caches to size 0
X-Virus-Scanned: ClamAV using ClamSMTP

Now that protocols have been annotated (the copy of icsk_ca_ops->name is of an ops field from outside the slab cache):

$ git grep 'copy_.*_user.*sk.*->'
caif/caif_socket.c:    copy_from_user(&cf_sk->conn_req.param.data, ov, ol)) {
ipv4/raw.c:            if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
ipv4/raw.c:            copy_to_user(optval, &raw_sk(sk)->filter, len))
ipv4/tcp.c:            if (copy_to_user(optval, icsk->icsk_ca_ops->name, len))
ipv4/tcp.c:            if (copy_to_user(optval, icsk->icsk_ulp_ops->name, len))
ipv6/raw.c:            if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
ipv6/raw.c:            if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
sctp/socket.c:         if (copy_from_user(&sctp_sk(sk)->subscribe, optval, optlen))
sctp/socket.c:         if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
sctp/socket.c:         if (copy_to_user(optval, &sctp_sk(sk)->initmsg, len))

we can switch the default proto usercopy region to size 0. Any protocols needing to add whitelisted regions must annotate the fields with the useroffset and usersize fields of struct proto.

This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

Cc: "David S.
Miller" Cc: Eric Dumazet Cc: Paolo Abeni Cc: David Howells Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook --- net/core/sock.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/core/sock.c b/net/core/sock.c index 832dfb03102e..84cd0b362a02 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -3168,9 +3168,7 @@ int proto_register(struct proto *prot, int alloc_slab) prot->slab = kmem_cache_create_usercopy(prot->name, prot->obj_size, 0, SLAB_HWCACHE_ALIGN | prot->slab_flags, - prot->usersize ? prot->useroffset : 0, - prot->usersize ? prot->usersize - : prot->obj_size, + prot->useroffset, prot->usersize, NULL); if (prot->slab == NULL) {
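Review bot: Dropping the `prot->usersize ? prot->usersize : prot->obj_size` fallback in the kmem_cache_create_usercopy() call changes the default for every struct proto that sets neither useroffset nor usersize, from a whole-object whitelist to a size-0 one, so any copy_to_user()/copy_from_user() that still targets a field of such a socket object will be caught by the hardened usercopy check at runtime rather than at build time. The `git grep 'copy_.*_user.*sk.*->'` cited in the commit message only matches single-line call sites of that literal shape (copies made through a local pointer to the sock struct, copies wrapped in a helper, and argument lists split across lines are all missed), so please state in the commit message how the remaining in-tree protocols were validated, e.g. by exercising their getsockopt/setsockopt paths under CONFIG_HARDENED_USERCOPY, and consider a short comment next to useroffset/usersize in struct proto saying that leaving both unset now whitelists nothing.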
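As an added example that is not part of this patch or of the kernel's own code: a user-space C model of the whitelist semantics the hunk switches proto caches to. The names proto_model, raw_sock_model, usercopy_allowed and with_prepatch_fallback are hypothetical stand-ins for struct proto, a raw socket with an in-object filter field, the hardened usercopy range check, and the removed fallback; none of them is a Linux identifier. It shows both the pre-patch default (no annotation means the whole object is whitelisted) and the post-patch default (no annotation means nothing is), and how a protocol opts a single field back in with offsetof/sizeof.

```c
/*
 * Added example, not kernel code: a user-space model of the slab usercopy
 * whitelist that struct proto's useroffset/usersize feed into. All struct
 * and function names here are hypothetical stand-ins, not Linux identifiers.
 */
#include <stddef.h>
#include <stdio.h>

#define FIELD_SIZEOF_MODEL(type, member) sizeof(((type *)0)->member)

/* Stand-in for the fields of struct proto that matter here. */
struct proto_model {
	const char *name;
	size_t obj_size;   /* size of each socket object in the cache */
	size_t useroffset; /* start of the whitelisted region */
	size_t usersize;   /* length of the whitelisted region; 0 = none */
};

/* Hypothetical socket object: a filter the user may get/set, plus fields
 * (flags, refcnt) that must never be exposed to or overwritten from user space. */
struct raw_sock_model {
	int flags;
	unsigned char filter[32];
	int refcnt;
};

/*
 * Model of the hardened usercopy check for one cache object: a copy of `len`
 * bytes at byte offset `off` within the object is allowed only when it lies
 * entirely inside [useroffset, useroffset + usersize). Returns 1 if allowed.
 */
int usercopy_allowed(const struct proto_model *p, size_t off, size_t len)
{
	if (p->usersize == 0)
		return 0;       /* size-0 region: no part of the object may be copied */
	if (off + len < off)
		return 0;       /* offset + length overflowed */
	if (off < p->useroffset)
		return 0;
	if (off + len > p->useroffset + p->usersize)
		return 0;
	return 1;
}

/*
 * The pre-patch behaviour of proto_register(): an unannotated proto fell back
 * to whitelisting the whole object (usersize ? usersize : obj_size). Returns a
 * copy of `p` with that fallback applied, as the old cache would have seen it.
 */
struct proto_model with_prepatch_fallback(const struct proto_model *p)
{
	struct proto_model old = *p;

	if (old.usersize == 0) {
		old.useroffset = 0;
		old.usersize = old.obj_size;
	}
	return old;
}

/* A protocol that never set useroffset/usersize. */
static const struct proto_model unannotated = {
	.name = "unannotated",
	.obj_size = sizeof(struct raw_sock_model),
	.useroffset = 0,
	.usersize = 0,
};

/* The same protocol after annotating only its filter field, the way the
 * ipv4/ipv6 raw sockets in the grep output need to. */
static const struct proto_model annotated = {
	.name = "annotated",
	.obj_size = sizeof(struct raw_sock_model),
	.useroffset = offsetof(struct raw_sock_model, filter),
	.usersize = FIELD_SIZEOF_MODEL(struct raw_sock_model, filter),
};

static void report(const char *what, int allowed)
{
	printf("%-42s %s\n", what, allowed ? "allowed" : "rejected");
}

int main(void)
{
	size_t filt = offsetof(struct raw_sock_model, filter);
	size_t flen = FIELD_SIZEOF_MODEL(struct raw_sock_model, filter);
	size_t refc = offsetof(struct raw_sock_model, refcnt);
	struct proto_model old = with_prepatch_fallback(&unannotated);

	report("pre-patch, unannotated: copy filter", usercopy_allowed(&old, filt, flen));
	report("pre-patch, unannotated: copy refcnt", usercopy_allowed(&old, refc, sizeof(int)));
	report("post-patch, unannotated: copy filter", usercopy_allowed(&unannotated, filt, flen));
	report("post-patch, annotated: copy filter", usercopy_allowed(&annotated, filt, flen));
	report("post-patch, annotated: copy refcnt", usercopy_allowed(&annotated, refc, sizeof(int)));
	report("post-patch, annotated: filter + 1 byte", usercopy_allowed(&annotated, filt, flen + 1));
	return 0;
}
```

The pre-patch rows are the point of the review concern above the hunk: with the fallback, an unannotated protocol could copy its refcount (or any other internal field) to or from user space without the usercopy check objecting; after the patch the same copy is rejected until the protocol names the exact field it wants exposed.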