Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2357285imm; Mon, 28 May 2018 06:39:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqCXO11pbZ8Gm/8nqe16s+nh7QkcZZ8vwN0IkviX8AimLqkKkGnMJZf+pKbwR3VazkQ2uvg X-Received: by 2002:a17:902:507:: with SMTP id 7-v6mr13864463plf.259.1527514765653; Mon, 28 May 2018 06:39:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527514765; cv=none; d=google.com; s=arc-20160816; b=djNkW7F/U60g/5yy8xaJxwQGKvhcz2HuWPFuLNbROlIQIR6H69TCItDE34kAncaaTm nyCpHyu0wo0FRz9G0su/IG0yQCGPyGdGKuVAEdJbXWhaF9W9uoI5qU40Zcta6FBdt2Sh pbsWAYzWhH6rVhJDJDt+xLkL5s4qlnevO32C8Qfv5qU6xs+XlPCnQAeTLfkYbbwUZnjH 3lUQuCxaN1skzuqh+eqAyCIQ/8yJk0+Dpe2fJPk5Od3hDm6N1vLLvOStfjhJHfysbF5h YWuyJqjRft8+4sYxSl0wfh2//CA1M/HZYiBtACJAu8Dsc+cXPENdsKdt8Bb/0tj/pCmZ hpOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=ZlSyGVsz0Ckd/hUPG7SEk1XYLDRQaUnFaRIbwW9oZ/g=; b=AKmJG2SSo7QBmiGky3jE4mmHkOIInzgWibBD29NgFpXExIw3dY3/RX/OxUhTJJw9el dnI//khiNsNUBkEJ1D73c2+4r8Sy3zeKx4/unsaTtUFwqXHEYRqVZoL3PeYgy/JWANLC E4O2hVKeUjI2caVQmg13wsqINDipZYHmXIw+VL1UPQA6E2y52laWMTkUOXADg8riVDNO I5JYUWLU29S/OoHwBUGEY9Jw7SiPBBsjztn9GJdQgrTYlT2D3K6aQ7nDy0EypVulTMQk NsrHgIynehWg4eKyUBLFzCgpuSSGQrquxwK2qiZ3aaEj7H0jJan/0sulgmpTvDKiLZi6 hnNA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VMWc2y++; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si29870727ply.226.2018.05.28.06.39.11; Mon, 28 May 2018 06:39:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=VMWc2y++; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S937698AbeE1KpC (ORCPT + 99 others); Mon, 28 May 2018 06:45:02 -0400 Received: from mail.kernel.org ([198.145.29.99]:35540 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1163048AbeE1Koy (ORCPT ); Mon, 28 May 2018 06:44:54 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5EB3820844; Mon, 28 May 2018 10:44:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527504293; bh=ihAUKpicIpRZ5jwUSMoJ19QpvMPbRqMJJ/SHs92dhDo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VMWc2y++uF6gHVl3w/+JZLNzEYt0V4WZjAnbnCUKsatE6DiMGtqZpgwEJsTH20bkI V3XRgDTyB9CueUsQi81OCo8AXGPr5EeaymDG7fw4ntpjJSG1HGWmxkVsf0AGUTx5Mq yOYQB6a0Rj9s5eLgAR8qvI74Th0LtxiS0KLmMwXU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jonathan Billings , David Howells , Kees Cook , "David S. Miller" , Sasha Levin Subject: [PATCH 4.14 086/496] rxrpc: Work around usercopy check Date: Mon, 28 May 2018 11:57:51 +0200 Message-Id: <20180528100323.424942628@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100319.498712256@linuxfoundation.org> References: <20180528100319.498712256@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: David Howells [ Upstream commit a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d ] Due to a check recently added to copy_to_user(), it's now not permitted to copy from slab-held data to userspace unless the slab is whitelisted. This affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID control message in the userspace control message buffer. A warning is generated by usercopy_warn() because the source is the copy of the user_call_ID retained in the rxrpc_call struct. Work around the issue by copying the user_call_ID to a variable on the stack and passing that to put_cmsg(). The warning generated looks like: Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)! WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0 ... RIP: 0010:usercopy_warn+0x7e/0xa0 ... Call Trace: __check_object_size+0x9c/0x1a0 put_cmsg+0x98/0x120 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc] ? finish_wait+0x80/0x80 ___sys_recvmsg+0xf8/0x240 ? __clear_rsb+0x25/0x3d ? __clear_rsb+0x15/0x3d ? __clear_rsb+0x25/0x3d ? __clear_rsb+0x15/0x3d ? __clear_rsb+0x25/0x3d ? __clear_rsb+0x15/0x3d ? __clear_rsb+0x25/0x3d ? __clear_rsb+0x15/0x3d ? finish_task_switch+0xa6/0x2b0 ? trace_hardirqs_on_caller+0xed/0x180 ? _raw_spin_unlock_irq+0x29/0x40 ? __sys_recvmsg+0x4e/0x90 __sys_recvmsg+0x4e/0x90 do_syscall_64+0x7a/0x220 entry_SYSCALL_64_after_hwframe+0x26/0x9b Reported-by: Jonathan Billings Signed-off-by: David Howells Acked-by: Kees Cook Tested-by: Jonathan Billings Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/rxrpc/recvmsg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/net/rxrpc/recvmsg.c +++ b/net/rxrpc/recvmsg.c @@ -513,9 +513,10 @@ try_again: ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, sizeof(unsigned int), &id32); } else { + unsigned long idl = call->user_call_ID; + ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, - sizeof(unsigned long), - &call->user_call_ID); + sizeof(unsigned long), &idl); } if (ret < 0) goto error_unlock_call;