Received: by 10.213.65.68 with SMTP id h4csp1194333imn; Wed, 4 Apr 2018 14:27:24 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+Cr5LVnvOtQz7dbiJ8gQLyfZ62SAAviGtwMazhfPSIlYeTLCAAzagEF3acO96Q2+gv3cBT X-Received: by 10.98.60.4 with SMTP id j4mr14980539pfa.229.1522877244624; Wed, 04 Apr 2018 14:27:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522877244; cv=none; d=google.com; s=arc-20160816; b=LerVXHtfxz8wJUponwI/rzOGDVIIW6wPx5GjZxZZksh+QdpIhjBZOLa4OQTO4Ihwpl aXkb+ueG3q5NVQ8bhRH04uUibOAMXEV4qoqEUbJZDRGjEZgswwcowP1dKRkxSRWvEOgL YIMZNmYCIqH095MkitL61gmcBFnmMhXOjxeooCHaLsW7gaJCLo7ftiWrY+7AqubSpUv5 JXcW1T77iOH1dJpwgQ3w8apMIEMcfWiusIjMwSeubJvTfuOZiHj5M7LGeloEib+ZKGqL bz8yZw6SGCaASgXBimQTQuXiW/wxw9aM/xaoEo5R/cxkHLAdfzT+4OAjjOr9ilDag1Tm PZBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dkim-signature:dkim-signature:arc-authentication-results; bh=q0Sb/XGATaBNsLICdgbfoqJypPFSwRAajLxD2RONVcw=; b=jJ9dLX6aeh8+seb4PgwJKBtBSJ+J8aTR4CrSVqyuANx9WpN1GUr41nKtahGMnenghO ltEv0F9ACYKWCs9Q+IYpHShLEToGPFzNen5PTQsBWv5vPv9wAHClEw/3zB30LGERU5yq mdxs45vm4pfpIuYYCw9k6zHBWwideKzHw2EIl0Se9RVgfPYmVHnMx5TeDH0WPRMx4ehz 8zXe2ZMGjy6a3uHF5eN+3Q6tdspAgSiYQYStlP6byc+hw9gQHHwKShLM1Zstc0eS8D8b Z2n56E3d/fQ+ryVBkluP0im17F3vBKsTvYhUw9ZXGsIT1GNV/ZYZB2nDM6Zn22h99xTd 8iPg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=gF74UXDZ; dkim=fail header.i=@chromium.org header.s=google header.b=INQqV0Uy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 30-v6si6551612plb.316.2018.04.04.14.27.10; Wed, 04 Apr 2018 14:27:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=gF74UXDZ; dkim=fail header.i=@chromium.org header.s=google header.b=INQqV0Uy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752286AbeDDVZ4 (ORCPT + 99 others); Wed, 4 Apr 2018 17:25:56 -0400 Received: from mail-ua0-f196.google.com ([209.85.217.196]:34492 "EHLO mail-ua0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751749AbeDDVZy (ORCPT ); Wed, 4 Apr 2018 17:25:54 -0400 Received: by mail-ua0-f196.google.com with SMTP id l21so14197933uak.1 for ; Wed, 04 Apr 2018 14:25:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=q0Sb/XGATaBNsLICdgbfoqJypPFSwRAajLxD2RONVcw=; b=gF74UXDZdkd2XuYtir17hFHH8MlLD5ouWe69K/o2H0CnK6Bph4IdgQMQ3ZgM+jjD3U X35RqJENHS5LP+yA7ZaXodmlNiUrAgm6NbshHpwrGjhV78Z1z2Cdd+KPY8xRh+E0VHVp 5bFyKlMcWCfaz4D9iM1T1U7w1jDUEVJeM6GPnL+dh+MC5GY2Z3hcYroXH3AQMINtKA0N rfZpZlXaHzIVEje8iDwYzaeDDZMYott6UCVz9Y1OdrDaa2PCMAEKaEfEAtHCEs1yiFkv Moj5SoorFpxw4X20Nllc6p4Tm9ZE2sr1sIHwuwPUp1B4Gv063rqN6R36ZFMqZe2qkwdt LP/A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=q0Sb/XGATaBNsLICdgbfoqJypPFSwRAajLxD2RONVcw=; b=INQqV0Uy/54ghHR5KDTwtJBjK8PmarmkhgCDybjRZukYy0eGYiK3T7w/7V/luquYOQ Kw81IvJFHIEcPO/qFjxbJFVGzEl6gXU/b/fh/fxo1GkzWDBPxo7ySJqAwEQGrRmXD9aT o+IhaMD2xftUaU6DMIEyVZMs9f4hMsJuEkvuM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=q0Sb/XGATaBNsLICdgbfoqJypPFSwRAajLxD2RONVcw=; b=C+brkqh/lK/+Wj9qSximYzGnNXKNAuGVzYohVd1jUZOE39KSmVTIzM+el+6Ol6MDCL 0y+/st/qHxhWRS2/aB9Yf4btbijwI2JmxBW3rJ8g95LS/zT2urDHZ8aHd9cVicSLqLy6 aVezjo0Dyt60IIiU10MoKJp++y1p2gish6itOW8VjN7zHmt1j9P2ap+SgwpgLFLD9ycT uxTGXvTo0HVZtU+7OT0p/j7EFGm7thw1Qzxu+wM19iWNRbq5eujO17iZoamZw6HNTEV+ pk1JgopSYvr9fd8hW66P/NsFAWFl3bW9Mh3H/eFADMc5uH11BY2bdrxDetv5bhzuboWe CNrA== X-Gm-Message-State: ALQs6tDqQad+GaEa5fKftOXi0bwBfhE9frpYWaZ3mfW/MrchYRgRJnzG GQmUMtxq2Hi8gMAxDhjdtEF1SEVoXzpdULS20tD6yw== X-Received: by 10.176.35.198 with SMTP id c6mr1214230uan.83.1522877153295; Wed, 04 Apr 2018 14:25:53 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Wed, 4 Apr 2018 14:25:51 -0700 (PDT) In-Reply-To: <3265889.eu5sbW8aRz@natalenko.name> References: <10360653.ov98egbaqx@natalenko.name> <3265889.eu5sbW8aRz@natalenko.name> From: Kees Cook Date: Wed, 4 Apr 2018 14:25:51 -0700 X-Google-Sender-Auth: 2VakgCmm7edjiGaWi1ywHDeok-o Message-ID: Subject: Re: usercopy whitelist woe in scsi_sense_cache To: Oleksandr Natalenko Cc: David Windsor , "James E.J. Bottomley" , "Martin K. Petersen" , linux-scsi@vger.kernel.org, LKML Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 4, 2018 at 1:49 PM, Oleksandr Natalenko wrote: > Hi. > > On st=C5=99eda 4. dubna 2018 22:21:53 CEST Kees Cook wrote: >> >> ... >> That means scsi_sense_cache should be 96 bytes in size? But a 22 byte >> read starting at offset 94 happened? That seems like a 20 byte read >> beyond the end of the SLUB object? Though if it were reading past the >> actual end of the object, I'd expect the hardened usercopy BUG (rather >> than the WARN) to kick in. Ah, it looks like >> /sys/kernel/slab/scsi_sense_cache/slab_size shows this to be 128 bytes >> of actual allocation, so the 20 bytes doesn't strictly overlap another >> object (hence no BUG): >> ... > > > Actually, I can trigger a BUG too: > > [ 129.259213] usercopy: Kernel memory exposure attempt detected from SLU= B > object 'scsi_sense_cache' (offset 119, size 22)! Wow, yeah, that's totally outside the slub object_size. How did you trigger this? Just luck or something specific? > [ 129.265167] ------------[ cut here ]------------ > [ 129.267579] kernel BUG at mm/usercopy.c:100! > > And also offset can be different, as you may see: > > [ 55.993224] Bad or missing usercopy whitelist? Kernel memory exposure > attempt detected from SLUB object 'scsi_sense_cache' (offset 76, size 22)= ! > [ 55.998678] WARNING: CPU: 0 PID: 1305 at mm/usercopy.c:81 usercopy_war= n > +0x7e/0xa0 > > It looks like only the size stays the same. I'd really like to understand how the buffer position can be changing... I'd expect that to break all kinds of things (i.e. free()ing the slab later would break too...) >> Can you send me your .config? What SCSI drivers are you using in the >> VM and on the real server? > > This is an Arch kernel with a config available here [1]. > > For both server and VM "lspci -vv" shows "ahci" in use. Is this what you = are > asking for? I think so, yeah. >> Are you able to see what ioctl()s smartctl is issuing? I'll try to >> reproduce this on my end... > > As per [2], strace shows "SG_IO" requests. Is this detailed enough? That's useful, yeah. I'll try Douglas's suggestion of "smartctl -r scsiioctl,3 ..." too. > Thanks for looking into it. Thanks for the report! I hope someone more familiar with sg_io() can help explain the changing buffer offset... :P -Kees --=20 Kees Cook Pixel Security