From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Kees Cook, Greg Kroah-Hartman, Sasha Levin
Subject: [PATCH AUTOSEL for 4.14 30/67] /dev/mem: Add bounce buffer for copy-out
Date: Thu, 8 Mar 2018 04:57:44 +0000
Message-ID: <20180308045641.7814-30-alexander.levin@microsoft.com>
References: <20180308045641.7814-1-alexander.levin@microsoft.com>
In-Reply-To: <20180308045641.7814-1-alexander.levin@microsoft.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Kees Cook

[ Upstream commit 22ec1a2aea73b9dfe340dff7945bd85af4cc6280 ]

As done for /proc/kcore in commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data") this adds a bounce buffer when reading memory via /dev/mem. This is needed to allow kernel text memory to be read out when built with CONFIG_HARDENED_USERCOPY (which refuses to read out kernel text) and without CONFIG_STRICT_DEVMEM (which would have refused to read any RAM contents at all).

Since this build configuration isn't common (most systems with CONFIG_HARDENED_USERCOPY also have CONFIG_STRICT_DEVMEM), this also tries to inform Kconfig about the recommended settings.

This patch is modified from Brad Spengler/PaX Team's changes to /dev/mem code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

Reported-by: Michael Holzheu
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Signed-off-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
---
 drivers/char/mem.c | 27 ++++++++++++++++++++++-----
 security/Kconfig   |  1 +
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 970e1242a282..3a70dba2c645 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -107,6 +107,8 @@ static ssize_t read_mem(struct file *file, char __user = *buf, phys_addr_t p =3D *ppos; ssize_t read, sz; void *ptr; + char *bounce; + int err; =20 if (p !=3D *ppos) return 0;
@@ -129,15 +131,22 @@ static ssize_t read_mem(struct file *file, char __use= r *buf, } #endif =20 + bounce =3D kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!bounce) + return -ENOMEM; + while (count > 0) { unsigned long remaining; int allowed; =20 sz =3D size_inside_page(p, count); =20 + err =3D -EPERM; allowed =3D page_is_allowed(p >> PAGE_SHIFT); if (!allowed) - return -EPERM; + goto failed; + + err =3D -EFAULT; if (allowed =3D=3D 2) { /* Show zeros for restricted memory. */ remaining =3D clear_user(buf, sz); @@ -149,24 +158,32 @@ static ssize_t read_mem(struct file *file, char __use= r *buf, */ ptr =3D xlate_dev_mem_ptr(p); if (!ptr) - return -EFAULT; - - remaining =3D copy_to_user(buf, ptr, sz); + goto failed; =20 + err =3D probe_kernel_read(bounce, ptr, sz); unxlate_dev_mem_ptr(p, ptr); + if (err) + goto failed; + + remaining =3D copy_to_user(buf, bounce, sz); } =20 if (remaining) - return -EFAULT; + goto failed; =20 buf +=3D sz; p +=3D sz; count -=3D sz; read +=3D sz; } + kfree(bounce); =20 *ppos +=3D read; return read; + +failed: + kfree(bounce); + return err; } =20 static ssize_t write_mem(struct file *file, const char __user *buf, diff --git a/security/Kconfig b/security/Kconfig index b5c2b5d0c6c0..87f2a6f842fd 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -154,6 +154,7 @@ config HARDENED_USERCOPY bool "Harden memory copies between kernel and userspace" depends on HAVE_HARDENED_USERCOPY_ALLOCATOR select BUG + imply STRICT_DEVMEM help This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and --=20 2.14.1
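Review bot: in the second mem.c hunk (@@ -129,15 +131,22 @@), the `err = -EFAULT;` placed before `if (allowed == 2)` is what supplies the error code for both the `clear_user()` path and the later `copy_to_user()` path through the shared `if (remaining) goto failed;`, but nothing in the code says so; a one-line comment above it, e.g. `/* every copy failure below is -EFAULT */`, would stop a later edit from moving the assignment into one branch. Worth stating in the commit message as well: `failed:` returns `err` and does not advance `*ppos` even when earlier loop iterations already copied `read` bytes to the user, which matches the pre-patch `return -EPERM;` / `return -EFAULT;` mid-loop behaviour, so partial data is not accounted for either way.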
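Review bot: in the third mem.c hunk (@@ -149,24 +158,32 @@), `err = probe_kernel_read(bounce, ptr, sz);` overwrites the `-EFAULT` set earlier with 0 on success, so when the following `copy_to_user(buf, bounce, sz)` fails, `if (remaining) goto failed;` returns 0 to userspace instead of -EFAULT, which reads as an end-of-file short read rather than an error. Keep the probe result in its own variable, e.g. `int probe = probe_kernel_read(bounce, ptr, sz);` followed by `if (probe) goto failed;` (returning `probe` or -EFAULT there), so that `err` still holds -EFAULT when the copy-out fails.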
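Review bot: in the security/Kconfig hunk, `imply STRICT_DEVMEM` only changes the default of STRICT_DEVMEM (and only where its own dependencies are met); a user can still turn it off, so the HARDENED_USERCOPY=y / STRICT_DEVMEM=n combination the commit message calls uncommon remains buildable and is exactly the configuration that reaches the new bounce-buffer path. A sentence in the `help` text saying why STRICT_DEVMEM is recommended alongside this option would make the relationship visible when configuring the kernel, since `imply` leaves no trace in the menu.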
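As an added example (not part of this patch or the kernel tree), a POSIX shell check for the build combination the commit message singles out, run against a kernel `.config`: it reports whether a config has STRICT_DEVMEM, has HARDENED_USERCOPY without STRICT_DEVMEM (the case that needs this bounce buffer), or has neither. The sample config is constructed; the function names and verdict words are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the patch: classify a kernel .config by the
# CONFIG_HARDENED_USERCOPY / CONFIG_STRICT_DEVMEM combination discussed in
# the commit message. Function names and verdict words are this example's own.

# config_value FILE OPTION
# Prints y for "CONFIG_OPTION=y", n for "# CONFIG_OPTION is not set",
# and missing when the option does not appear at all (unknown symbol).
config_value() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then
        echo y
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then
        echo n
    else
        echo missing
    fi
}

# devmem_posture FILE
# strict        : STRICT_DEVMEM=y, so /dev/mem refuses reads of kernel RAM
#                 and kernel text is not reachable through it at all
# bounce-needed : HARDENED_USERCOPY=y without STRICT_DEVMEM; reading kernel
#                 text through /dev/mem needs this patch's bounce buffer
# open          : neither option; /dev/mem exposes RAM with no usercopy check
devmem_posture() {
    hardened=$(config_value "$1" HARDENED_USERCOPY)
    strict=$(config_value "$1" STRICT_DEVMEM)
    if [ "$strict" = y ]; then
        echo strict
    elif [ "$hardened" = y ]; then
        echo bounce-needed
    else
        echo open
    fi
}

# Constructed sample .config reproducing the uncommon combination.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
# CONFIG_STRICT_DEVMEM is not set
EOF
echo "sample config: $(devmem_posture "$sample")"   # bounce-needed
rm -f "$sample"
```

To check a running system, pass its config file instead of the sample, for example `devmem_posture /boot/config-$(uname -r)`.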