From patchwork Thu Jan 11 02:03:07 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Kees Cook <keescook@chromium.org>
X-Patchwork-Id: 10156683
Return-Path: 
 <kernel-hardening-return-11178-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5C7D5605F5 for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 11 Jan 2018 02:20:02 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 466162874E
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 11 Jan 2018 02:20:02 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3A08828750; Thu, 11 Jan 2018 02:20:02 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from mother.openwall.net (mother.openwall.net [195.42.179.200])
	by mail.wl.linuxfoundation.org (Postfix) with SMTP id 2A1C52874E
	for <patchwork-kernel-hardening@patchwork.kernel.org>;
	Thu, 11 Jan 2018 02:20:00 +0000 (UTC)
Received: (qmail 28434 invoked by uid 550); 11 Jan 2018 02:19:49 -0000
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:kernel-hardening@lists.openwall.com>
List-Help: <mailto:kernel-hardening-help@lists.openwall.com>
List-Unsubscribe: <mailto:kernel-hardening-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:kernel-hardening-subscribe@lists.openwall.com>
List-ID: <kernel-hardening.lists.openwall.com>
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Received: (qmail 28347 invoked from network); 11 Jan 2018 02:19:46 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=chromium.org; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=egztmSnqWTsWRsR+CBZrBrCh5AF9XONRxMOOkE6+X/0=;
	b=JTlptZy8c0LOaSOQbOk9QARwV52WMBRg6T5pDn/IfHt3o8axPrIvjhyz/v7Fa7xRVE
	isgnEWTxdpoaZXpMxeun2H8RW3QyKjnxaJKpvtm274jgvETS8sWI6Ydo2lHWVgATzRqG
	UR4ACQ38gDcWmbz38Bawcfn4CHMAuvqB/RiiA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=egztmSnqWTsWRsR+CBZrBrCh5AF9XONRxMOOkE6+X/0=;
	b=hVFacNdNJ6sMoKOSNZxMgpq7tFopKA+qTmS84D+jc/GFaGBYTUpzKkNsBwgUZyE/bx
	SViFU6yUNV+rEHBCyPtdqAoyn3oP95GkpAqzc6mIDs1mt92uoRQkNafJlmj+iAZn/hYi
	N7PvKmfV4JHfy73jXn4VQ96POfDHXGLPBJD6e/iC9IF2wByGsqwVshjeQAB4/IXR1+9r
	zozVDN5uuxJ/90gO/Z8r4h4uuC+uyVrE5ksqV1cVjAMMEbALa/G0SXsaDdqqtVgLJzSs
	8zCrqOk8VarHiSXlpN3YGdqX5E1Gy5CMihmyVADoyzzUPHJaN2m1EPoHl79wjVqHR+b7
	OVNA==
X-Gm-Message-State: AKGB3mKvvcq90JY0N4Pqg4w4aDA6O+oym1s/VlJR28wVebtr+ugY6Iu3
	oxj8Rd9PnHR39/a3enS+7ajPVQ==
X-Google-Smtp-Source: 
 ACJfBosY3jfUbaE/EQIyBkHfxLjutv6k5hqHGCcjebynQV0LlqniiUPjjtu2D8Q26ZCW08IAuw+Qww==
X-Received: by 10.101.93.79 with SMTP id e15mr8655050pgt.129.1515637174710;
	Wed, 10 Jan 2018 18:19:34 -0800 (PST)
From: Kees Cook <keescook@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>, Paolo Bonzini <pbonzini@redhat.com>,
	kernel-hardening@lists.openwall.com,
	Christian Borntraeger <borntraeger@redhat.com>,
	Christoffer Dall <cdall@linaro.org>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	David Windsor <dave@nullcore.net>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Andy Lutomirski <luto@kernel.org>, Christoph Hellwig <hch@infradead.org>,
	Christoph Lameter <cl@linux.com>,
	"David S. Miller" <davem@davemloft.net>,
	Laura Abbott <labbott@redhat.com>, Mark Rutland <mark.rutland@arm.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Christoffer Dall <christoffer.dall@linaro.org>,
	Dave Kleikamp <dave.kleikamp@oracle.com>, Jan Kara <jack@suse.cz>,
	Luis de Bethencourt <luisbg@kernel.org>,
	Marc Zyngier <marc.zyngier@arm.com>, Rik van Riel <riel@redhat.com>,
	Matthew Garrett <mjg59@google.com>, linux-fsdevel@vger.kernel.org,
	linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org
Date: Wed, 10 Jan 2018 18:03:07 -0800
Message-Id: <1515636190-24061-36-git-send-email-keescook@chromium.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1515636190-24061-1-git-send-email-keescook@chromium.org>
References: <1515636190-24061-1-git-send-email-keescook@chromium.org>
MIME-Version: 1.0
Subject: [kernel-hardening] [PATCH 35/38] kvm: whitelist struct kvm_vcpu_arch
X-Virus-Scanned: ClamAV using ClamSMTP

From: Paolo Bonzini <pbonzini@redhat.com>

On x86, ARM and s390, struct kvm_vcpu_arch has a usercopy region
that is read and written by the KVM_GET/SET_CPUID2 ioctls (x86)
or KVM_GET/SET_ONE_REG (ARM/s390).  Without whitelisting the area,
KVM is completely broken on those architectures with usercopy hardening
enabled.

For now, allow writing to the entire struct on all architectures.
The KVM tree will not refine this to an architecture-specific
subset of struct kvm_vcpu_arch.

Cc: kernel-hardening@lists.openwall.com
Cc: Kees Cook <keescook@chromium.org>
Cc: Christian Borntraeger <borntraeger@redhat.com>
Cc: Christoffer Dall <cdall@linaro.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Christoffer Dall <christoffer.dall@linaro.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 virt/kvm/kvm_main.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index c422c10cd1dd..96689967f5c3 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -4029,8 +4029,12 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
 	/* A kmem cache lets us meet the alignment requirements of fx_save. */
 	if (!vcpu_align)
 		vcpu_align = __alignof__(struct kvm_vcpu);
-	kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size, vcpu_align,
-					   SLAB_ACCOUNT, NULL);
+	kvm_vcpu_cache =
+		kmem_cache_create_usercopy("kvm_vcpu", vcpu_size, vcpu_align,
+					   SLAB_ACCOUNT,
+					   offsetof(struct kvm_vcpu, arch),
+					   sizeof_field(struct kvm_vcpu, arch),
+					   NULL);
 	if (!kvm_vcpu_cache) {
 		r = -ENOMEM;
 		goto out_free_3;