authorKees Cook <keescook@chromium.org>2018-01-10 18:17:01 -0500
committerKees Cook <keescook@chromium.org>2018-01-15 15:07:48 -0500
commitafcc90f8621e289cd082ba97900e76f01afe778c (patch)
tree9a015154d31ad79d892f8eb14858e679d37a0e28 /mm/usercopy.c
parent8eb8284b412906181357c2b0110d879d5af95e52 (diff)
usercopy: WARN() on slab cache usercopy region violations
This patch adds checking of usercopy cache whitelisting, and is modified from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. The SLAB and SLUB allocators are modified to WARN() on all copy operations in which the kernel heap memory being modified falls outside of the cache's defined usercopy region. Based on an earlier patch from David Windsor. Cc: Christoph Lameter <cl@linux.com> Cc: Pekka Enberg <penberg@kernel.org> Cc: David Rientjes <rientjes@google.com> Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Laura Abbott <labbott@redhat.com> Cc: Ingo Molnar <mingo@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: linux-mm@kvack.org Cc: linux-xfs@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'mm/usercopy.c')
-rw-r--r--mm/usercopy.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/mm/usercopy.c b/mm/usercopy.c
index a562dd094ace..e9e9325f7638 100644
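--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -59,13 +59,28 @@ static noinline int check_stack_object(const void *obj, unsigned long len)
 }
 
 /*
- * If this function is reached, then CONFIG_HARDENED_USERCOPY has found an
- * unexpected state during a copy_from_user() or copy_to_user() call.
+ * If these functions are reached, then CONFIG_HARDENED_USERCOPY has found
+ * an unexpected state during a copy_from_user() or copy_to_user() call.
  * There are several checks being performed on the buffer by the
  * __check_object_size() function. Normal stack buffer usage should never
  * trip the checks, and kernel text addressing will always trip the check.
- * For cache objects, copies must be within the object size.
+ * For cache objects, it is checking that only the whitelisted range of
+ * bytes for a given cache is being accessed (via the cache's usersize and
+ * useroffset fields). To adjust a cache whitelist, use the usercopy-aware
+ * kmem_cache_create_usercopy() function to create the cache (and
+ * carefully audit the whitelist range).
  */
+void usercopy_warn(const char *name, const char *detail, bool to_user,
+ unsigned long offset, unsigned long len)
+{
+ WARN_ONCE(1, "Bad or missing usercopy whitelist? Kernel memory %s attempt detected %s %s%s%s%s (offset %lu, size %lu)!\n",
+ to_user ? "exposure" : "overwrite",
+ to_user ? "from" : "to",
+ name ? : "unknown?!",
+ detail ? " '" : "", detail ? : "", detail ? "'" : "",
+ offset, len);
+}
+
 void __noreturn usercopy_abort(const char *name, const char *detail,
  bool to_user, unsigned long offset,
  unsigned long len)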
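Review bot: usercopy_warn() reports through `WARN_ONCE(1, ...)`, and since that is one call site shared by every cache, only the first whitelist violation after boot is logged; later violations, including ones in other caches, would produce no output. Unlike usercopy_abort(), which is `__noreturn`, this function returns to its caller, so the out-of-whitelist copy presumably still goes ahead (the callers are not in this file's diff). The shared comment block should say so, for example by adding `* usercopy_warn() only reports, once per boot, and returns; usercopy_abort() does not return.` Anyone using the warning to audit whitelists should not read a quiet log after the first hit as a clean result, and on systems booted with panic_on_warn the first hit stops the machine. The body of usercopy_abort() continues outside the hunk.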