Received: by 10.213.65.68 with SMTP id h4csp292893imn;
        Fri, 23 Mar 2018 04:55:47 -0700 (PDT)
X-Google-Smtp-Source: AG47ELuB5UAb1m8Ccwum6HbfwIYHQQI/k7ac9twWXYTFccSVE5XWxpYS/n8IrZwj/GegyJxDG7Zo
X-Received: by 10.99.153.17 with SMTP id d17mr9646950pge.62.1521806147818;
        Fri, 23 Mar 2018 04:55:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521806147; cv=none;
        d=google.com; s=arc-20160816;
        b=S3Czx+igjUuZs+BHsFXhCiF0+m4hi88L01i2VgBY24OON6OZtyt/8CZJJ1ZdVKyI8r
         fFQbmjbnZiej62vLBLWJLhoBng3RBzHj6OB5G/x2pgprjoQERsvho9lVTDoFFj4G26Mt
         HZaJlh8mtOEUPio079s9fGYWvnF2LLiOCOUUULUXM2SRUHFOIE2PAOW9QPtzFQEaNVBD
         Tfz+1HFTqoRlbaDDbTcCES/JLh+PU5WoYHEJfu7EJmxySKU8DeTPvbbQSkB6BTIqgQUu
         Vgnm9qjSSdIV61UwSYdjujeQgXUUMXMjsgBh06DZkgY7iTVfTOq/aqWZ+yX8BDutXBWU
         OEPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=IfE+8hQ2yer3s1DypasDxI+qMOgHv4JzSPkctgXe8YE=;
        b=aNdvo2oR7A1AjttknKlsCxqDjF+rbNk1kXWCuneGRfliBEDgGUVNX6QzCAyX88ziDC
         zGHbdTS6IgNR8J0YnDE59HZmjDhaBDqMl/f2daSjJTPwHCxklQsTqf5KvNZHWGMSyAyu
         RcpSVIejsKqKDVDb9KE9cr/T/I+W2MvYSdNdXsiJgPbfKV59obuqhv7GjmOsylhAwbIx
         lF3U7ihzfI9XWaeepOqkEbhKorZiCEYZSCGDU7mRgIkWE7jqW+NC1Abnt3z+jf3eL42y
         nGqh1fr4qC1YC+qtARPqWhtf6BC86JfR9Z/T0lrMSWF1I3SnT9Hshb6xTlCP8EfgtaeE
         xoLg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t23-v6si4453790ply.482.2018.03.23.04.55.33;
        Fri, 23 Mar 2018 04:55:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753885AbeCWKBV (ORCPT <rfc822;chrisloverchio@gmail.com>
        + 99 others); Fri, 23 Mar 2018 06:01:21 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:37750 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753865AbeCWKBT (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Mar 2018 06:01:19 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 43B981206;
        Fri, 23 Mar 2018 10:01:18 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Michael Holzheu <holzheu@linux.vnet.ibm.com>,
        Kees Cook <keescook@chromium.org>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 29/77] /dev/mem: Add bounce buffer for copy-out
Date:   Fri, 23 Mar 2018 10:54:03 +0100
Message-Id: <20180323094144.174719457@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180323094142.260022880@linuxfoundation.org>
References: <20180323094142.260022880@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@chromium.org>


[ Upstream commit 22ec1a2aea73b9dfe340dff7945bd85af4cc6280 ]

As done for /proc/kcore in

  commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")

this adds a bounce buffer when reading memory via /dev/mem. This
is needed to allow kernel text memory to be read out when built with
CONFIG_HARDENED_USERCOPY (which refuses to read out kernel text) and
without CONFIG_STRICT_DEVMEM (which would have refused to read any RAM
contents at all).

Since this build configuration isn't common (most systems with
CONFIG_HARDENED_USERCOPY also have CONFIG_STRICT_DEVMEM), this also tries
to inform Kconfig about the recommended settings.

This patch is modified from Brad Spengler/PaX Team's changes to /dev/mem
code in the last public patch of grsecurity/PaX based on my understanding
of the code. Changes or omissions from the original code are mine and
don't reflect the original grsecurity/PaX code.

Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/mem.c |   27 ++++++++++++++++++++++-----
 security/Kconfig   |    1 +
 2 files changed, 23 insertions(+), 5 deletions(-)

--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -107,6 +107,8 @@ static ssize_t read_mem(struct file *fil
 	phys_addr_t p = *ppos;
 	ssize_t read, sz;
 	void *ptr;
+	char *bounce;
+	int err;
 
 	if (p != *ppos)
 		return 0;
@@ -129,15 +131,22 @@ static ssize_t read_mem(struct file *fil
 	}
 #endif
 
+	bounce = kmalloc(PAGE_SIZE, GFP_KERNEL);
+	if (!bounce)
+		return -ENOMEM;
+
 	while (count > 0) {
 		unsigned long remaining;
 		int allowed;
 
 		sz = size_inside_page(p, count);
 
+		err = -EPERM;
 		allowed = page_is_allowed(p >> PAGE_SHIFT);
 		if (!allowed)
-			return -EPERM;
+			goto failed;
+
+		err = -EFAULT;
 		if (allowed == 2) {
 			/* Show zeros for restricted memory. */
 			remaining = clear_user(buf, sz);
@@ -149,24 +158,32 @@ static ssize_t read_mem(struct file *fil
 			 */
 			ptr = xlate_dev_mem_ptr(p);
 			if (!ptr)
-				return -EFAULT;
-
-			remaining = copy_to_user(buf, ptr, sz);
+				goto failed;
 
+			err = probe_kernel_read(bounce, ptr, sz);
 			unxlate_dev_mem_ptr(p, ptr);
+			if (err)
+				goto failed;
+
+			remaining = copy_to_user(buf, bounce, sz);
 		}
 
 		if (remaining)
-			return -EFAULT;
+			goto failed;
 
 		buf += sz;
 		p += sz;
 		count -= sz;
 		read += sz;
 	}
+	kfree(bounce);
 
 	*ppos += read;
 	return read;
+
+failed:
+	kfree(bounce);
+	return err;
 }
 
 static ssize_t write_mem(struct file *file, const char __user *buf,
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
 	bool "Harden memory copies between kernel and userspace"
 	depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
 	select BUG
+	imply STRICT_DEVMEM
 	help
 	  This option checks for obviously wrong memory regions when
 	  copying memory to/from the kernel (via copy_to_user() and