Received: by 10.213.65.68 with SMTP id h4csp1141709imn; Wed, 4 Apr 2018 13:23:21 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/6hlHwL1c0DuOiPVb9IGLhBb+Ydg8D97RcKtXgA/u6qcQyMi7UhATQXFnFyy6TSrD2PP2Z X-Received: by 2002:a17:902:9308:: with SMTP id bc8-v6mr19975435plb.189.1522873401367; Wed, 04 Apr 2018 13:23:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522873401; cv=none; d=google.com; s=arc-20160816; b=Ssu1hCmwxhNSgQQF/5eBnhy5yHV8q5GN9b2rXM1UjBHB0nbRRoY77qPFWr27v4Taam hMi9JX6P4yrrQiksDExTW0g207Qfu9kMqUNweHN//eHccUl46nbgvV4XfrqXXUpUhPNM TcC/+toJY6i8bZVRzFq7IN7BdlQvXJtd7HnMja1Xh+OtBMVNjzIMQGqr9mezCQj2cvmi h3GafyZ5x74iaV48pWthmg6BTMPsrK6eWRlhz6GZuA4fc2KfoO5eyn1hR3dG0uatl+ql fiMqJdf4gv85KJMKnbpzCP58XLFPYSe6sE93PVMy1So09dqpGXFwQA+bIKlrbIe18Iey Ps2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=; b=hY6dLFYSsXWBktSYFl+Z2nwhAiZwhlnljtI++A66bLiYlZaFf0CZzBXxeJtWO1zeqF sidCSl+2+/XUTg2LaHeDa3LQlo7qOxUVF8v93m1WQG7mEgs5oyidgk9VN4EaSY7SZLmV WBkr2S9//Xxr1B1hvlQXIPs3szIo1lUnijWcUK9RbFCncOTl9RYeNWuBNiPc2Qr9MEWT 8daRBtqh9Vl1rDzsN93lR9yA73Xh3HjOAYIjry/7AE/tWtSNi1eCHhC2JfhnxFO5KoH2 SLos7X1ro3T2jhU364kkTW5+0Sbaow7y4opGBOSEvkCb7IjvSZyGZgBEXONwvKWqGK+P noXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=PftEAPmI; dkim=fail header.i=@chromium.org header.s=google header.b=affAEzmN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i8-v6si6454076plt.6.2018.04.04.13.23.07; Wed, 04 Apr 2018 13:23:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=PftEAPmI; dkim=fail header.i=@chromium.org header.s=google header.b=affAEzmN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752158AbeDDUV5 (ORCPT + 99 others); Wed, 4 Apr 2018 16:21:57 -0400 Received: from mail-vk0-f67.google.com ([209.85.213.67]:44193 "EHLO mail-vk0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751852AbeDDUVz (ORCPT ); Wed, 4 Apr 2018 16:21:55 -0400 Received: by mail-vk0-f67.google.com with SMTP id r184so13145716vke.11 for ; Wed, 04 Apr 2018 13:21:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=; b=PftEAPmIGulfg2GW7JWf3+dT1e20JZmDXbVp00fqR+9UlroZId67mvOQ4n3hEBvj5I 1iy0Uqwc+e9yXH0lUh5Z2R1Ynz1GaSBVF+INwmT0F6qcLy5/n87CvwCJmhe0agCNPxqY UrFLFgGO2AE60rSb49PnkYf8XKeCNJZ5/qeiE+bBeFhGqPsqCNeGXBzCldgViBvEetif 9D316S3lHI+2m1cl+ysopW1S376mOnZazSTgDmVXFqM9q6aC1ZLhLEkDJ/cgvA+ZQQ1J RDDXO0g8WQZL9MYwi3oCefvlXeaUVOtdXSLVB+N/Mc/S52Y45Q2W0pFQYulKDKxsmIn7 XuGA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=; b=affAEzmN3vey+ZXsbxHlanYrRoQWbBDH75dpLgMgMyFF9O2g/skdxwe2Ft7BZkAmTx DB3rMLRTkLM4EQneQYR3R/1yC+DHcnU2asY26/lvWkAH08Ch8pBu7HpnFZ/dGJroBNTK kLSxB6u0HBvxCZNHxNsRVvw0/gtDKLZWIwqYk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=; b=A8dbYNC/Yj7F6XnrW65ktY5q9/sSd6YzFcUc/Cb4BgyymSxrVEKByfYib/e9kDIIAB VgOLhUx+dS9TkjKXoKqHS5iiSDwoMgszdZqLg5SRR4Ci5opmOZDGyox7LxAr5AGTuerQ ECbsfCwlt4wRpeRyS+ifaoQulwpHLFbrnYizsTjU1kZkkcfGHvKX5FLnq4iqhOYakxI+ up8zyi5TZDsbi3QHovC/MFTcuQHLhW7+yNGSeJj00cKMhl8k+PBYCfcKiREYb81g1KaO 7b1AmCQnRnz3FfECQ7XqRcr0uMAlOTNphRyo3b9eSJrVwEGMnSzlD/sqg9v2qbPIhtoU A9Tg== X-Gm-Message-State: ALQs6tAksgfQk1ZmDG9VW6BnJMzlRq8w/6V9biJuvdfbO23JxRXPSpsi z5r+ZsoeCOudLFdz6qT3E/OfOOrOmWqVSUSA4gGOmA== X-Received: by 10.31.24.149 with SMTP id 143mr11718189vky.123.1522873314267; Wed, 04 Apr 2018 13:21:54 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Wed, 4 Apr 2018 13:21:53 -0700 (PDT) In-Reply-To: <10360653.ov98egbaqx@natalenko.name> References: <10360653.ov98egbaqx@natalenko.name> From: Kees Cook Date: Wed, 4 Apr 2018 13:21:53 -0700 X-Google-Sender-Auth: lmkkBB_ij2dEV-tP0s6zS52ebrI Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Oleksandr Natalenko Cc: David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 4, 2018 at 12:07 PM, Oleksandr Natalenko wrote: > With v4.16 I get the following dump while using smartctl: > [...] > [ 261.262135] Bad or missing usercopy whitelist? Kernel memory exposure > attempt detected from SLUB object 'scsi_sense_cache' (offset 94, size 22)! > [...] > [ 261.345976] Call Trace: > [ 261.350620] __check_object_size+0x130/0x1a0 > [ 261.355775] sg_io+0x269/0x3f0 > [ 261.360729] ? path_lookupat+0xaa/0x1f0 > [ 261.364027] ? current_time+0x18/0x70 > [ 261.366684] scsi_cmd_ioctl+0x257/0x410 > [ 261.369871] ? xfs_bmapi_read+0x1c3/0x340 [xfs] > [ 261.372231] sd_ioctl+0xbf/0x1a0 [sd_mod] > [ 261.375456] blkdev_ioctl+0x8ca/0x990 > [ 261.381156] ? read_null+0x10/0x10 > [ 261.384984] block_ioctl+0x39/0x40 > [ 261.388739] do_vfs_ioctl+0xa4/0x630 > [ 261.392624] ? vfs_write+0x164/0x1a0 > [ 261.396658] SyS_ioctl+0x74/0x80 > [ 261.399563] do_syscall_64+0x74/0x190 > [ 261.402685] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 This is: sg_io+0x269/0x3f0: blk_complete_sghdr_rq at block/scsi_ioctl.c:280 (inlined by) sg_io at block/scsi_ioctl.c:376 which is: if (req->sense_len && hdr->sbp) { int len = min((unsigned int) hdr->mx_sb_len, req->sense_len); if (!copy_to_user(hdr->sbp, req->sense, len)) hdr->sb_len_wr = len; else ret = -EFAULT; } > [...] > I can easily reproduce it with a qemu VM and 2 virtual SCSI disks by calling > smartctl in a loop and doing some usual background I/O. The warning is > triggered within 3 minutes or so (not instantly). > > Initially, it was produced on my server after a kernel update (because disks > are monitored with smartctl via Zabbix). > > Looks like the thing was introduced with > 0afe76e88c57d91ef5697720aed380a339e3df70. > > Any idea how to deal with this please? If needed, I can provide any additional > info, and also I'm happy/ready to test any proposed patches. Interesting, and a little confusing. So, what's strange here is that the scsi_sense_cache already has a full whitelist: kmem_cache_create_usercopy("scsi_sense_cache", SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, 0, SCSI_SENSE_BUFFERSIZE, NULL); Arg 2 is the buffer size, arg 5 is the whitelist offset (0), and the whitelist size (same as arg2). In other words, the entire buffer should be whitelisted. include/scsi/scsi_cmnd.h says: #define SCSI_SENSE_BUFFERSIZE 96 That means scsi_sense_cache should be 96 bytes in size? But a 22 byte read starting at offset 94 happened? That seems like a 20 byte read beyond the end of the SLUB object? Though if it were reading past the actual end of the object, I'd expect the hardened usercopy BUG (rather than the WARN) to kick in. Ah, it looks like /sys/kernel/slab/scsi_sense_cache/slab_size shows this to be 128 bytes of actual allocation, so the 20 bytes doesn't strictly overlap another object (hence no BUG): /sys/kernel/slab/scsi_sense_cache# grep . object_size usersize slab_size object_size:96 usersize:96 slab_size:128 Ah, right, due to SLAB_HWCACHE_ALIGN, the allocation is rounded up to the next cache line size, so there's 32 bytes of padding to reach 128. James or Martin, is this over-read "expected" behavior? i.e. does the sense cache buffer usage ever pull the ugly trick of silently expanding its allocation into the space the slab allocator has given it? If not, this looks like a real bug. What I don't see is how req->sense is _not_ at offset 0 in the scsi_sense_cache object... -Kees -- Kees Cook Pixel Security