From patchwork Tue Jan 9 20:56:01 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10153393
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Delivered-To: mailing list kernel-hardening@lists.openwall.com
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Paolo Bonzini, kernel-hardening@lists.openwall.com, Christian Borntraeger, Christoffer Dall, Radim Krčmář, Linus Torvalds, David Windsor, Alexander Viro, Andrew Morton, Andy Lutomirski, Christoph Hellwig, Christoph Lameter, "David S. Miller", Laura Abbott, Mark Rutland, "Martin K. Petersen", Dave Kleikamp, Jan Kara, Luis de Bethencourt, Marc Zyngier, Rik van Riel, Matthew Garrett, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org
Date: Tue, 9 Jan 2018 12:56:01 -0800
Message-Id: <1515531365-37423-33-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1515531365-37423-1-git-send-email-keescook@chromium.org>
References: <1515531365-37423-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 32/36] kvm: whitelist struct kvm_vcpu_arch
From: Paolo Bonzini

On x86, ARM and s390, struct kvm_vcpu_arch has a usercopy region that is read and written by the KVM_GET/SET_CPUID2 ioctls (x86) or KVM_GET/SET_ONE_REG (ARM/s390). Without whitelisting the area, KVM is completely broken on those architectures with usercopy hardening enabled.

For now, allow writing to the entire struct on all architectures. The KVM tree will not refine this to an architecture-specific subset of struct kvm_vcpu_arch.

Cc: kernel-hardening@lists.openwall.com
Cc: Kees Cook
Cc: Christian Borntraeger
Cc: Christoffer Dall
Cc: Radim Krčmář
Signed-off-by: Paolo Bonzini
Acked-by: Christoffer Dall
Acked-by: Marc Zyngier
Acked-by: Christian Borntraeger
Signed-off-by: Kees Cook
---
 virt/kvm/kvm_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index c422c10cd1dd..96689967f5c3 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4029,8 +4029,12 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, /* A kmem cache lets us meet the alignment requirements of fx_save. */ if (!vcpu_align) vcpu_align = __alignof__(struct kvm_vcpu); - kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align, - SLAB_ACCOUNT, NULL); + kvm_vcpu_cache = + kmem_cache_create_usercopy("kvm_vcpu", vcpu_size, vcpu_align, + SLAB_ACCOUNT, + offsetof(struct kvm_vcpu, arch), + sizeof_field(struct kvm_vcpu, arch), + NULL); if (!kvm_vcpu_cache) { r = -ENOMEM; goto out_free_3;
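Review bot: the whitelist handed to kmem_cache_create_usercopy() in the kvm_init() hunk spans the whole of struct kvm_vcpu.arch, which the commit message itself describes as wider than what KVM_GET/SET_CPUID2 and KVM_GET/SET_ONE_REG copy, yet nothing in the code records that this is a stopgap; add a comment on the call so the coarse region is not mistaken for the intended end state, e.g. `/* Whitelist all of arch for now; narrow to the fields the ioctls copy. */` directly above `kvm_vcpu_cache =`. Two consequences are worth stating in that comment as well: hardened usercopy applies the same useroffset/usersize window to both copy_to_user() and copy_from_user(), so every kernel-private field inside kvm_vcpu_arch is reachable by an over-long copy in either direction until the region is narrowed, while the fields of struct kvm_vcpu outside arch and any part of the vcpu_size object past that range remain rejected, which is the behaviour the test for the patch should pin down.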
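A user-space model of the check this whitelist has to satisfy, added here as an example; it is not part of the patch and not kernel code. struct cache_model, struct toy_vcpu, struct toy_vcpu_arch, cache_create(), cache_create_usercopy(), check_heap_object() and the field layout are all invented for the example; check_heap_object() is a simplified rendering of the region test the kernel performs in __check_heap_object() in mm/slub.c, without its redzone adjustment or the HARDENED_USERCOPY_FALLBACK path, and sizeof_field() is reproduced as the kernel defines it. The "before" cache mirrors the removed kmem_cache_create() call, the "after" cache the added kmem_cache_create_usercopy() call with offsetof()/sizeof_field() of the arch member.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same definition as the kernel's sizeof_field() used in the hunk above. */
#define sizeof_field(TYPE, MEMBER) sizeof(((TYPE *)0)->MEMBER)

/* Stand-in for the kmem_cache fields the hardened-usercopy check consults. */
struct cache_model {
	const char *name;
	size_t size;        /* object size (vcpu_size in kvm_init) */
	size_t useroffset;  /* start of the usercopy-whitelisted region */
	size_t usersize;    /* its length; 0 means nothing is whitelisted */
};

/* Invented layouts standing in for struct kvm_vcpu_arch and struct kvm_vcpu. */
struct toy_vcpu_arch {
	uint32_t cpuid_entries[16];  /* what a GET/SET_CPUID2-style ioctl copies */
	uint64_t regs[8];            /* what a GET/SET_ONE_REG-style ioctl copies */
};

struct toy_vcpu {
	void *kvm;              /* kernel pointer: must never reach user space */
	int vcpu_id;
	uint64_t mmu_private;   /* more kernel-only state */
	struct toy_vcpu_arch arch;
};

/* Offsets and lengths the examples below copy, relative to the object start. */
#define ARCH_OFF    offsetof(struct toy_vcpu, arch)
#define ARCH_LEN    sizeof_field(struct toy_vcpu, arch)
#define CPUID_OFF   (ARCH_OFF + offsetof(struct toy_vcpu_arch, cpuid_entries))
#define CPUID_LEN   sizeof_field(struct toy_vcpu_arch, cpuid_entries)
#define KVM_PTR_OFF offsetof(struct toy_vcpu, kvm)
#define KVM_PTR_LEN sizeof_field(struct toy_vcpu, kvm)

/* Models kmem_cache_create_usercopy(): the region is just recorded. */
static struct cache_model cache_create_usercopy(const char *name, size_t size,
						size_t useroffset, size_t usersize)
{
	struct cache_model c = { name, size, useroffset, usersize };
	return c;
}

/* Models kmem_cache_create(): no whitelisted region at all. */
static struct cache_model cache_create(const char *name, size_t size)
{
	return cache_create_usercopy(name, size, 0, 0);
}

/*
 * Simplified hardened-usercopy heap check: a copy of n bytes starting at
 * object offset 'offset' passes only if it lies entirely inside the object
 * and entirely inside [useroffset, useroffset + usersize).  Returns 0 when
 * the copy is allowed and -1 when the kernel would abort it.
 */
static int check_heap_object(const struct cache_model *c, size_t offset, size_t n)
{
	size_t rel;

	if (offset > c->size || n > c->size - offset)
		return -1;              /* overruns the object */
	if (offset < c->useroffset)
		return -1;              /* starts before the whitelisted region */
	rel = offset - c->useroffset;
	if (rel > c->usersize || n > c->usersize - rel)
		return -1;              /* ends after the whitelisted region */
	return 0;
}

/* The cache as created before the patch (plain kmem_cache_create). */
static int before_patch_allows(size_t offset, size_t n)
{
	struct cache_model c = cache_create("kvm_vcpu", sizeof(struct toy_vcpu));
	return check_heap_object(&c, offset, n) == 0;
}

/* The cache as created after the patch: the whole arch member whitelisted. */
static int after_patch_allows(size_t offset, size_t n)
{
	struct cache_model c = cache_create_usercopy("kvm_vcpu",
						  sizeof(struct toy_vcpu),
						  ARCH_OFF, ARCH_LEN);
	return check_heap_object(&c, offset, n) == 0;
}

int main(void)
{
	/* Before: even the legitimate CPUID copy is refused, so the ioctl fails. */
	printf("before patch, copy cpuid_entries: %s\n",
	       before_patch_allows(CPUID_OFF, CPUID_LEN) ? "allowed" : "rejected");
	/* After: the CPUID copy passes ... */
	printf("after patch,  copy cpuid_entries: %s\n",
	       after_patch_allows(CPUID_OFF, CPUID_LEN) ? "allowed" : "rejected");
	/* ... but a copy of the kernel pointer ahead of arch is still stopped ... */
	printf("after patch,  copy vcpu->kvm:     %s\n",
	       after_patch_allows(KVM_PTR_OFF, KVM_PTR_LEN) ? "allowed" : "rejected");
	/* ... as is a copy that covers arch and one byte beyond it. */
	printf("after patch,  copy arch + 1 byte: %s\n",
	       after_patch_allows(ARCH_OFF, ARCH_LEN + 1) ? "allowed" : "rejected");
	return 0;
}
```

Build and run with `cc -std=c11 -Wall -o usercopy_model usercopy_model.c && ./usercopy_model`. before_patch_allows() shows why the ioctls broke under usercopy hardening: with useroffset and usersize both zero, no copy from the object passes. after_patch_allows() shows what the whitelist admits and what it still refuses; narrowing the region to, say, cpuid_entries alone is a matter of changing the two arguments to cache_create_usercopy(), which is the same knob the real kmem_cache_create_usercopy() call in the hunk exposes.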