Merge tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull hardened usercopy whitelisting from Kees Cook:
 "Currently, hardened usercopy performs dynamic bounds checking on slab
  cache objects. This is good, but still leaves a lot of kernel memory
  available to be copied to/from userspace in the face of bugs.

  To further restrict what memory is available for copying, this creates
  a way to whitelist specific areas of a given slab cache object for
  copying to/from userspace, allowing much finer granularity of access
  control.

  Slab caches that are never exposed to userspace can declare no
  whitelist for their objects, thereby keeping them unavailable to
  userspace via dynamic copy operations. (Note, an implicit form of
  whitelisting is the use of constant sizes in usercopy operations and
  get_user()/put_user(); these bypass all hardened usercopy checks since
  these sizes cannot change at runtime.)

  This new check is WARN-by-default, so any mistakes can be found over
  the next several releases without breaking anyone's system.

  The series has roughly the following sections:
   - remove %p and improve reporting with offset
   - prepare infrastructure and whitelist kmalloc
   - update VFS subsystem with whitelists
   - update SCSI subsystem with whitelists
   - update network subsystem with whitelists
   - update process memory with whitelists
   - update per-architecture thread_struct with whitelists
   - update KVM with whitelists and fix ioctl bug
   - mark all other allocations as not whitelisted
   - update lkdtm for more sensible test overage"

* tag 'usercopy-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (38 commits)
  lkdtm: Update usercopy tests for whitelisting
  usercopy: Restrict non-usercopy caches to size 0
  kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
  kvm: whitelist struct kvm_vcpu_arch
  arm: Implement thread_struct whitelist for hardened usercopy
  arm64: Implement thread_struct whitelist for hardened usercopy
  x86: Implement thread_struct whitelist for hardened usercopy
  fork: Provide usercopy whitelisting for task_struct
  fork: Define usercopy region in thread_stack slab caches
  fork: Define usercopy region in mm_struct slab caches
  net: Restrict unwhitelisted proto caches to size 0
  sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
  sctp: Define usercopy region in SCTP proto slab cache
  caif: Define usercopy region in caif proto slab cache
  ip: Define usercopy region in IP proto slab cache
  net: Define usercopy region in struct proto slab cache
  scsi: Define usercopy region in scsi_sense_cache slab cache
  cifs: Define usercopy region in cifs_request slab cache
  vxfs: Define usercopy region in vxfs_inode slab cache
  ufs: Define usercopy region in ufs_inode_cache slab cache
  ...

1 files changed, 26 insertions, 5 deletions

diff --git a/kernel/fork.c b/kernel/fork.c
index 5e6cf0dd031c..5c372c954f3b 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -283,8 +283,9 @@ static void free_thread_stack(struct task_struct *tsk)
 
 void thread_stack_cache_init(void)
 {
-        thread_stack_cache = kmem_cache_create("thread_stack", THREAD_SIZE,
-                                              THREAD_SIZE, 0, NULL);
+        thread_stack_cache = kmem_cache_create_usercopy("thread_stack",
+                                        THREAD_SIZE, THREAD_SIZE, 0, 0,
+                                        THREAD_SIZE, NULL);
         BUG_ON(thread_stack_cache == NULL);
 }
 # endif
@@ -693,6 +694,21 @@ static void set_max_threads(unsigned int max_threads_suggested)
 int arch_task_struct_size __read_mostly;
 #endif
 
+static void task_struct_whitelist(unsigned long *offset, unsigned long *size)
+{
+        /* Fetch thread_struct whitelist for the architecture. */
+        arch_thread_struct_whitelist(offset, size);
+
+        /*
+         * Handle zero-sized whitelist or empty thread_struct, otherwise
+         * adjust offset to position of thread_struct in task_struct.
+         */
+        if (unlikely(*size == 0))
+                *offset = 0;
+        else
+                *offset += offsetof(struct task_struct, thread);
+}
+
 void __init fork_init(void)
 {
         int i;
@@ -701,11 +717,14 @@ void __init fork_init(void)
 #define ARCH_MIN_TASKALIGN      0
 #endif
         int align = max_t(int, L1_CACHE_BYTES, ARCH_MIN_TASKALIGN);
+        unsigned long useroffset, usersize;
 
         /* create a slab on which task_structs can be allocated */
-        task_struct_cachep = kmem_cache_create("task_struct",
+        task_struct_whitelist(&useroffset, &usersize);
+        task_struct_cachep = kmem_cache_create_usercopy("task_struct",
                         arch_task_struct_size, align,
-                        SLAB_PANIC|SLAB_ACCOUNT, NULL);
+                        SLAB_PANIC|SLAB_ACCOUNT,
+                        useroffset, usersize, NULL);
 #endif
 
         /* do the arch specific task caches init */
@@ -2248,9 +2267,11 @@ void __init proc_caches_init(void)
          * maximum number of CPU's we can ever have.  The cpumask_allocation
          * is at the end of the structure, exactly for that reason.
          */
-        mm_cachep = kmem_cache_create("mm_struct",
+        mm_cachep = kmem_cache_create_usercopy("mm_struct",
                         sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
                         SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT,
+                        offsetof(struct mm_struct, saved_auxv),
+                        sizeof_field(struct mm_struct, saved_auxv),
                         NULL);
         vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT);
         mmap_init();