Received: by 10.213.65.68 with SMTP id h4csp1141709imn;
        Wed, 4 Apr 2018 13:23:21 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/6hlHwL1c0DuOiPVb9IGLhBb+Ydg8D97RcKtXgA/u6qcQyMi7UhATQXFnFyy6TSrD2PP2Z
X-Received: by 2002:a17:902:9308:: with SMTP id bc8-v6mr19975435plb.189.1522873401367;
        Wed, 04 Apr 2018 13:23:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522873401; cv=none;
        d=google.com; s=arc-20160816;
        b=Ssu1hCmwxhNSgQQF/5eBnhy5yHV8q5GN9b2rXM1UjBHB0nbRRoY77qPFWr27v4Taam
         hMi9JX6P4yrrQiksDExTW0g207Qfu9kMqUNweHN//eHccUl46nbgvV4XfrqXXUpUhPNM
         TcC/+toJY6i8bZVRzFq7IN7BdlQvXJtd7HnMja1Xh+OtBMVNjzIMQGqr9mezCQj2cvmi
         h3GafyZ5x74iaV48pWthmg6BTMPsrK6eWRlhz6GZuA4fc2KfoO5eyn1hR3dG0uatl+ql
         fiMqJdf4gv85KJMKnbpzCP58XLFPYSe6sE93PVMy1So09dqpGXFwQA+bIKlrbIe18Iey
         Ps2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=;
        b=hY6dLFYSsXWBktSYFl+Z2nwhAiZwhlnljtI++A66bLiYlZaFf0CZzBXxeJtWO1zeqF
         sidCSl+2+/XUTg2LaHeDa3LQlo7qOxUVF8v93m1WQG7mEgs5oyidgk9VN4EaSY7SZLmV
         WBkr2S9//Xxr1B1hvlQXIPs3szIo1lUnijWcUK9RbFCncOTl9RYeNWuBNiPc2Qr9MEWT
         8daRBtqh9Vl1rDzsN93lR9yA73Xh3HjOAYIjry/7AE/tWtSNi1eCHhC2JfhnxFO5KoH2
         SLos7X1ro3T2jhU364kkTW5+0Sbaow7y4opGBOSEvkCb7IjvSZyGZgBEXONwvKWqGK+P
         noXA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=PftEAPmI;
       dkim=fail header.i=@chromium.org header.s=google header.b=affAEzmN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i8-v6si6454076plt.6.2018.04.04.13.23.07;
        Wed, 04 Apr 2018 13:23:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@google.com header.s=20161025 header.b=PftEAPmI;
       dkim=fail header.i=@chromium.org header.s=google header.b=affAEzmN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752158AbeDDUV5 (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Wed, 4 Apr 2018 16:21:57 -0400
Received: from mail-vk0-f67.google.com ([209.85.213.67]:44193 "EHLO
        mail-vk0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751852AbeDDUVz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Apr 2018 16:21:55 -0400
Received: by mail-vk0-f67.google.com with SMTP id r184so13145716vke.11
        for <linux-kernel@vger.kernel.org>; Wed, 04 Apr 2018 13:21:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=;
        b=PftEAPmIGulfg2GW7JWf3+dT1e20JZmDXbVp00fqR+9UlroZId67mvOQ4n3hEBvj5I
         1iy0Uqwc+e9yXH0lUh5Z2R1Ynz1GaSBVF+INwmT0F6qcLy5/n87CvwCJmhe0agCNPxqY
         UrFLFgGO2AE60rSb49PnkYf8XKeCNJZ5/qeiE+bBeFhGqPsqCNeGXBzCldgViBvEetif
         9D316S3lHI+2m1cl+ysopW1S376mOnZazSTgDmVXFqM9q6aC1ZLhLEkDJ/cgvA+ZQQ1J
         RDDXO0g8WQZL9MYwi3oCefvlXeaUVOtdXSLVB+N/Mc/S52Y45Q2W0pFQYulKDKxsmIn7
         XuGA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=;
        b=affAEzmN3vey+ZXsbxHlanYrRoQWbBDH75dpLgMgMyFF9O2g/skdxwe2Ft7BZkAmTx
         DB3rMLRTkLM4EQneQYR3R/1yC+DHcnU2asY26/lvWkAH08Ch8pBu7HpnFZ/dGJroBNTK
         kLSxB6u0HBvxCZNHxNsRVvw0/gtDKLZWIwqYk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=NIzn8W+Kl36RI13bOY9lCEYJgkyq/XrO7lCJReIc3kg=;
        b=A8dbYNC/Yj7F6XnrW65ktY5q9/sSd6YzFcUc/Cb4BgyymSxrVEKByfYib/e9kDIIAB
         VgOLhUx+dS9TkjKXoKqHS5iiSDwoMgszdZqLg5SRR4Ci5opmOZDGyox7LxAr5AGTuerQ
         ECbsfCwlt4wRpeRyS+ifaoQulwpHLFbrnYizsTjU1kZkkcfGHvKX5FLnq4iqhOYakxI+
         up8zyi5TZDsbi3QHovC/MFTcuQHLhW7+yNGSeJj00cKMhl8k+PBYCfcKiREYb81g1KaO
         7b1AmCQnRnz3FfECQ7XqRcr0uMAlOTNphRyo3b9eSJrVwEGMnSzlD/sqg9v2qbPIhtoU
         A9Tg==
X-Gm-Message-State: ALQs6tAksgfQk1ZmDG9VW6BnJMzlRq8w/6V9biJuvdfbO23JxRXPSpsi
        z5r+ZsoeCOudLFdz6qT3E/OfOOrOmWqVSUSA4gGOmA==
X-Received: by 10.31.24.149 with SMTP id 143mr11718189vky.123.1522873314267;
 Wed, 04 Apr 2018 13:21:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.164.81 with HTTP; Wed, 4 Apr 2018 13:21:53 -0700 (PDT)
In-Reply-To: <10360653.ov98egbaqx@natalenko.name>
References: <10360653.ov98egbaqx@natalenko.name>
From:   Kees Cook <keescook@chromium.org>
Date:   Wed, 4 Apr 2018 13:21:53 -0700
X-Google-Sender-Auth: lmkkBB_ij2dEV-tP0s6zS52ebrI
Message-ID: <CAGXu5jLwyot++C2EXs+032Lz5WdG65GsEJ-Q55rfhSbkG1Nh+A@mail.gmail.com>
Subject: Re: usercopy whitelist woe in scsi_sense_cache
To:     Oleksandr Natalenko <oleksandr@natalenko.name>
Cc:     David Windsor <dave@nullcore.net>,
        "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>,
        linux-scsi@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 12:07 PM, Oleksandr Natalenko
<oleksandr@natalenko.name> wrote:
> With v4.16 I get the following dump while using smartctl:
> [...]
> [  261.262135] Bad or missing usercopy whitelist? Kernel memory exposure
> attempt detected from SLUB object 'scsi_sense_cache' (offset 94, size 22)!
> [...]
> [  261.345976] Call Trace:
> [  261.350620]  __check_object_size+0x130/0x1a0
> [  261.355775]  sg_io+0x269/0x3f0
> [  261.360729]  ? path_lookupat+0xaa/0x1f0
> [  261.364027]  ? current_time+0x18/0x70
> [  261.366684]  scsi_cmd_ioctl+0x257/0x410
> [  261.369871]  ? xfs_bmapi_read+0x1c3/0x340 [xfs]
> [  261.372231]  sd_ioctl+0xbf/0x1a0 [sd_mod]
> [  261.375456]  blkdev_ioctl+0x8ca/0x990
> [  261.381156]  ? read_null+0x10/0x10
> [  261.384984]  block_ioctl+0x39/0x40
> [  261.388739]  do_vfs_ioctl+0xa4/0x630
> [  261.392624]  ? vfs_write+0x164/0x1a0
> [  261.396658]  SyS_ioctl+0x74/0x80
> [  261.399563]  do_syscall_64+0x74/0x190
> [  261.402685]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

This is:

sg_io+0x269/0x3f0:
blk_complete_sghdr_rq at block/scsi_ioctl.c:280
 (inlined by) sg_io at block/scsi_ioctl.c:376

which is:

        if (req->sense_len && hdr->sbp) {
                int len = min((unsigned int) hdr->mx_sb_len, req->sense_len);

                if (!copy_to_user(hdr->sbp, req->sense, len))
                        hdr->sb_len_wr = len;
                else
                        ret = -EFAULT;
        }

> [...]
> I can easily reproduce it with a qemu VM and 2 virtual SCSI disks by calling
> smartctl in a loop and doing some usual background I/O. The warning is
> triggered within 3 minutes or so (not instantly).
>
> Initially, it was produced on my server after a kernel update (because disks
> are monitored with smartctl via Zabbix).
>
> Looks like the thing was introduced with
> 0afe76e88c57d91ef5697720aed380a339e3df70.
>
> Any idea how to deal with this please? If needed, I can provide any additional
> info, and also I'm happy/ready to test any proposed patches.

Interesting, and a little confusing. So, what's strange here is that
the scsi_sense_cache already has a full whitelist:

                       kmem_cache_create_usercopy("scsi_sense_cache",
                               SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN,
                               0, SCSI_SENSE_BUFFERSIZE, NULL);

Arg 2 is the buffer size, arg 5 is the whitelist offset (0), and the
whitelist size (same as arg2). In other words, the entire buffer
should be whitelisted.

include/scsi/scsi_cmnd.h says:

#define SCSI_SENSE_BUFFERSIZE  96

That means scsi_sense_cache should be 96 bytes in size? But a 22 byte
read starting at offset 94 happened? That seems like a 20 byte read
beyond the end of the SLUB object? Though if it were reading past the
actual end of the object, I'd expect the hardened usercopy BUG (rather
than the WARN) to kick in. Ah, it looks like
/sys/kernel/slab/scsi_sense_cache/slab_size shows this to be 128 bytes
of actual allocation, so the 20 bytes doesn't strictly overlap another
object (hence no BUG):

/sys/kernel/slab/scsi_sense_cache# grep . object_size usersize slab_size
object_size:96
usersize:96
slab_size:128

Ah, right, due to SLAB_HWCACHE_ALIGN, the allocation is rounded up to
the next cache line size, so there's 32 bytes of padding to reach 128.

James or Martin, is this over-read "expected" behavior? i.e. does the
sense cache buffer usage ever pull the ugly trick of silently
expanding its allocation into the space the slab allocator has given
it? If not, this looks like a real bug.

What I don't see is how req->sense is _not_ at offset 0 in the
scsi_sense_cache object...

-Kees

-- 
Kees Cook
Pixel Security