From: Kees Cook
Date: Fri, 9 Feb 2018 08:01:12 +1100
Subject: Re: [PATCH] net: Whitelist the skbuff_head_cache "cb" field
To: David Miller
Cc: syzbot, LKML, Network Development, Eric Biggers, James Morse, keun-o.park@darkmatter.ae, Laura Abbott, Linux-MM
In-Reply-To: <20180208.151621.581060088482890871.davem@davemloft.net>
References: <20180208014438.GA12186@beast> <20180208.151621.581060088482890871.davem@davemloft.net>
List-ID: linux-kernel@vger.kernel.org

On Fri, Feb 9, 2018 at 7:16 AM, David Miller wrote:
> From: Kees Cook
> Date: Wed, 7 Feb 2018 17:44:38 -0800
>
>> Most callers of put_cmsg() use a "sizeof(foo)" for the length argument.
>> Within put_cmsg(), a copy_to_user() call is made with a dynamic size, as a
>> result of the cmsg header calculations. This means that hardened usercopy
>> will examine the copy, even though it was technically a fixed size and
>> should be implicitly whitelisted. All the put_cmsg() calls being built
>> from values in skbuff_head_cache are coming out of the protocol-defined
>> "cb" field, so whitelist this field entirely instead of creating per-use
>> bounce buffers, for which there are concerns about performance.
>>
>> Original report was:
> ...
>> Reported-by: syzbot+e2d6cfb305e9f3911dea@syzkaller.appspotmail.com
>> Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
>> Signed-off-by: Kees Cook
>> ---
>> I tried the inlining, it was awful. Splitting put_cmsg() was awful. So,
>> instead, whitelist the "cb" field as the least bad option if bounce
>> buffers are unacceptable. Dave, do you want to take this through net, or
>> should I take it through the usercopy tree?
>
> Thanks Kees, I'll take this through my 'net' tree.

Cool, thanks. And just to be clear, if it's not already obvious, this patch
needs kmem_cache_create_usercopy() which just landed in Linus's tree last
week, in case you've not merged yet.

-Kees

-- 
Kees Cook
Pixel Security
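The following is an added example, not code from this thread or from the kernel tree. It is a user-space C model of what the commit message describes: hardened usercopy checks a copy_to_user() of dynamic length against the slab cache's whitelisted window (the useroffset/usersize pair that kmem_cache_create_usercopy() takes), so a copy out of skb->cb fails until that field is whitelisted. struct skb_model is a constructed stand-in for struct sk_buff (not its real layout), usercopy_check_heap_object() is a simplified mirror of the kernel's __check_heap_object() comparison (no red zones, no warn-only fallback), and the before/after cache descriptors assume the fix passes offsetof(struct sk_buff, cb) and sizeof_field(struct sk_buff, cb) as the window; the patch itself is not quoted in this message.

```c
/*
 * Added example, not kernel code: a user-space model of the hardened
 * usercopy whitelist check, and of what whitelisting "cb" changes.
 * struct skb_model is a constructed stand-in for struct sk_buff.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZEOF_FIELD(type, member) sizeof(((type *)0)->member)

/* Constructed stand-in for struct sk_buff; only the layout matters here. */
struct skb_model {
	void *next, *prev;
	uint64_t tstamp;
	char cb[48];		/* protocol-private control block */
	uint32_t len;
	uint16_t protocol;
};

/* The cache fields the check consults (cf. kmem_cache_create_usercopy()). */
struct cache_model {
	const char *name;
	size_t object_size;
	size_t useroffset;	/* start of the whitelisted region */
	size_t usersize;	/* length of the whitelisted region, 0 = none */
};

enum usercopy_result {
	USERCOPY_OK = 0,
	USERCOPY_BAD_BOUNDS,		/* copy does not fit in the object */
	USERCOPY_NOT_WHITELISTED	/* copy leaves the useroffset/usersize window */
};

/*
 * Check a copy of n bytes at ptr, where obj is the base of the slab object
 * ptr points into.  Simplified mirror of __check_heap_object(): the copy
 * passes only if it lies entirely in [useroffset, useroffset + usersize).
 */
enum usercopy_result usercopy_check_heap_object(const struct cache_model *cache,
						const void *obj,
						const void *ptr, size_t n)
{
	uintptr_t base = (uintptr_t)obj, p = (uintptr_t)ptr;
	size_t offset;

	if (p < base || p - base > cache->object_size)
		return USERCOPY_BAD_BOUNDS;
	offset = p - base;
	if (n > cache->object_size - offset)
		return USERCOPY_BAD_BOUNDS;

	if (offset < cache->useroffset ||
	    offset - cache->useroffset > cache->usersize ||
	    n > cache->usersize - (offset - cache->useroffset))
		return USERCOPY_NOT_WHITELISTED;

	return USERCOPY_OK;
}

/* Before the fix: a plain kmem_cache_create(), so no whitelisted region. */
static const struct cache_model skb_cache_before = {
	"skbuff_head_cache", sizeof(struct skb_model), 0, 0
};

/* After the fix (assumed arguments): the "cb" field is the whitelist window. */
static const struct cache_model skb_cache_after = {
	"skbuff_head_cache", sizeof(struct skb_model),
	offsetof(struct skb_model, cb), SIZEOF_FIELD(struct skb_model, cb)
};

static struct skb_model sample_skb;	/* constructed sample object */

/* Model of put_cmsg() handing len bytes of skb->cb to copy_to_user();
 * the length is computed at run time, so the copy gets the full check. */
enum usercopy_result demo_cmsg_copy(int cb_whitelisted, size_t len)
{
	const struct cache_model *c = cb_whitelisted ? &skb_cache_after
						     : &skb_cache_before;
	memset(sample_skb.cb, 0x41, sizeof(sample_skb.cb));
	return usercopy_check_heap_object(c, &sample_skb, sample_skb.cb, len);
}

/* A copy that starts in cb but spills into the following "len" field. */
enum usercopy_result demo_copy_past_cb(void)
{
	return usercopy_check_heap_object(&skb_cache_after, &sample_skb,
					  sample_skb.cb, sizeof(sample_skb.cb) + 1);
}

/* A copy that runs off the end of the object: rejected regardless of whitelist. */
enum usercopy_result demo_copy_past_object(void)
{
	const char *tail = (const char *)&sample_skb + sizeof(sample_skb) - 1;
	return usercopy_check_heap_object(&skb_cache_after, &sample_skb, tail, 2);
}

int main(void)
{
	printf("cb copy, no whitelist:   %d\n", demo_cmsg_copy(0, 16));
	printf("cb copy, cb whitelisted: %d\n", demo_cmsg_copy(1, 16));
	printf("copy past cb into len:   %d\n", demo_copy_past_cb());
	printf("copy past end of object: %d\n", demo_copy_past_object());
	return 0;
}
```

The point the model makes is that whitelisting is a window, not a bypass: with "cb" whitelisted, a put_cmsg()-style copy of any length up to sizeof(cb) passes, while a copy that reaches the fields after cb, or past the end of the object, is still refused. That is why whitelisting the field is cheaper than bounce buffers but does not weaken the check for the rest of the object.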