Date: Thu, 08 Feb 2018 15:16:21 -0500 (EST)
Message-Id: <20180208.151621.581060088482890871.davem@davemloft.net>
From: David Miller
To: keescook@chromium.org
Cc: syzbot+e2d6cfb305e9f3911dea@syzkaller.appspotmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, ebiggers3@gmail.com, james.morse@arm.com, keun-o.park@darkmatter.ae, labbott@redhat.com, linux-mm@kvack.org
Subject: Re: [PATCH] net: Whitelist the skbuff_head_cache "cb" field
In-Reply-To: <20180208014438.GA12186@beast>
References: <20180208014438.GA12186@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook
Date: Wed, 7 Feb 2018 17:44:38 -0800

> Most callers of put_cmsg() use a "sizeof(foo)" for the length argument.
> Within put_cmsg(), a copy_to_user() call is made with a dynamic size, as a
> result of the cmsg header calculations. This means that hardened usercopy
> will examine the copy, even though it was technically a fixed size and
> should be implicitly whitelisted. All the put_cmsg() calls being built
> from values in skbuff_head_cache are coming out of the protocol-defined
> "cb" field, so whitelist this field entirely instead of creating per-use
> bounce buffers, for which there are concerns about performance.
>
> Original report was: ...
> Reported-by: syzbot+e2d6cfb305e9f3911dea@syzkaller.appspotmail.com
> Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
> Signed-off-by: Kees Cook
> ---
> I tried the inlining, it was awful. Splitting put_cmsg() was awful. So,
> instead, whitelist the "cb" field as the least bad option if bounce
> buffers are unacceptable. Dave, do you want to take this through net, or
> should I take it through the usercopy tree?

Thanks Kees, I'll take this through my 'net' tree.
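Added example, not part of the thread above and not kernel code: a small user-space model of the hardened-usercopy slab whitelist that the quoted patch description relies on. In the kernel, a cache created with kmem_cache_create_usercopy() records a useroffset/usersize window, and a copy_to_user() whose length is not a compile-time constant is checked against that window (constant-size copies skip the check, which is the "implicitly whitelisted" case Kees mentions). The struct layout, the cache fields, the check function and the sample sizes here are constructed assumptions that mimic that behaviour; they show why a dynamic-size copy out of "cb" is rejected when the cache has usersize 0 and allowed once the "cb" field is whitelisted, while a copy that starts in "cb" and runs past it is still rejected.

```c
/* Added example: user-space model of the hardened-usercopy slab whitelist.
 * Not kernel code; the layout, the cache record and the check are
 * constructed to mirror useroffset/usersize as set by
 * kmem_cache_create_usercopy() in the real kernel. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for struct sk_buff: a few fields plus the 48-byte
 * protocol-private "cb" scratch area that the patch whitelists. */
struct model_skb {
    uint64_t len;
    uint64_t data_ptr;
    char     cb[48];
    uint64_t priority;
};

/* Constructed model of a slab cache carrying a usercopy whitelist window. */
struct model_cache {
    const char *name;
    size_t object_size;
    size_t useroffset;   /* first object offset user copies may touch */
    size_t usersize;     /* length of that window; 0 means nothing allowed */
};

/* Model of __check_heap_object(): a copy of n bytes starting at object
 * offset off is allowed only if it lies entirely inside the whitelist.
 * Returns 1 if allowed, 0 if hardened usercopy would reject it. */
static int usercopy_allowed(const struct model_cache *c, size_t off, size_t n)
{
    if (n == 0)
        return 1;
    if (off >= c->object_size || n > c->object_size - off)
        return 0;                      /* copy runs off the end of the object */
    if (c->usersize == 0)
        return 0;                      /* cache has no whitelisted region */
    if (off < c->useroffset)
        return 0;                      /* starts before the window */
    if (n > c->usersize - (off - c->useroffset))
        return 0;                      /* starts inside, ends outside */
    return 1;
}

/* Destination standing in for the user buffer; shared so callers need no
 * local state. */
static char user_buf[sizeof(struct model_skb)];

/* Model of put_cmsg()'s copy_to_user(): the length comes from the cmsg
 * header arithmetic, so it is not a compile-time constant and the
 * whitelist check runs. Returns bytes copied, or -1 when rejected. */
static long model_put_cmsg(const struct model_cache *c,
                           const struct model_skb *skb, size_t off, size_t len)
{
    if (!usercopy_allowed(c, off, len))
        return -1;
    memcpy(user_buf, (const char *)skb + off, len);
    return (long)len;
}

/* Cache as created before the patch: no usercopy window at all. */
static const struct model_cache *cache_before(void)
{
    static const struct model_cache c = { "skbuff_head_cache",
                                          sizeof(struct model_skb), 0, 0 };
    return &c;
}

/* Cache as created after the patch: exactly the "cb" field is whitelisted. */
static const struct model_cache *cache_after(void)
{
    static const struct model_cache c = { "skbuff_head_cache",
                                          sizeof(struct model_skb),
                                          offsetof(struct model_skb, cb),
                                          sizeof(((struct model_skb *)0)->cb) };
    return &c;
}

/* A constructed object with some bytes in cb, for the demonstration. */
static const struct model_skb *sample_skb(void)
{
    static struct model_skb skb;
    memcpy(skb.cb, "constructed-cb-data", 20);
    return &skb;
}

int main(void)
{
    size_t cb = offsetof(struct model_skb, cb);
    printf("before patch, 20 bytes of cb: %ld\n",
           model_put_cmsg(cache_before(), sample_skb(), cb, 20));
    printf("after patch,  20 bytes of cb: %ld\n",
           model_put_cmsg(cache_after(), sample_skb(), cb, 20));
    printf("after patch,  49 bytes from cb (past the field): %ld\n",
           model_put_cmsg(cache_after(), sample_skb(), cb, 49));
    return 0;
}
```

The rejecting cases are the interesting ones for a reviewer: whitelisting "cb" does not loosen copies from the neighbouring fields, and an overrun that starts inside "cb" but spills into the next field is still caught, which is why per-field whitelisting is preferable to disabling the check for the whole cache.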