Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1032056imm; Fri, 15 Jun 2018 10:03:38 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKIpPiGEDOwyU1f8sZq+BBg04n9cLbJhv9i1bbn4Pq1B4Or+DECxwsG0Gp96JofcYPc+Wpe X-Received: by 2002:a65:6147:: with SMTP id o7-v6mr2344775pgv.163.1529082218838; Fri, 15 Jun 2018 10:03:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529082218; cv=none; d=google.com; s=arc-20160816; b=OJkwVvigJb0j2ggb+2pQqmOefvr8AKz7C1ODXJCV77MyShHqFZF0olGYUBT5SraS4u +2iKxuz8h8YMBSPFbMehgyTYMwy63AAZGTnsrnGcyC3HY2ZM1DaFjBkyKtdaGitrexoL dC3gPBZzMV0+Dc570/2O0d3ToIvt9VU7wlVoGCqfPyW/DVhcEgVQ/WeqP5rzonTVniqM I9nEWy6bZ6IBTXpFTWbXIunn18gJMIrt/R351McJM/uuWyjelllmeHaUuH/Gr8MOa4BO qUtzidKDqbFcBVnXnjTv+937kDAsn2q8kipAEi1AmSB0ByMzTQg9H7AHzMP5FHgdaQQP 7I3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=pRl2Fgx/Y865bWO6X/pDMIZgVKps8TK7GnU+XZooaHs=; b=FgjEHXnMFzzQLLDP5FQfrUwTIo1yhcLl5tSUE6ozfRI/IDLhlqXVYutMG3d998Uext 0YRLF7/SEBBBzHd4sPk12BcUBA6Yi0SShop1h23LAwjnLXA0kdvzyPudan0iUgFSTH1J nYaBGkw7btMfeGDftIHpPTfv3tu7tZgVx8gCLkywfmX1lU19RqSYETvJjlX0DlgcCjks +qSHPr45m65mbTw6x/+vjcbtg0QAQWAqxMQieaRa3iqS8NYL7hfhY7RUQg1rw5XTp+cg 8dYfB9kZIltsm3IG7EGRr5OTboALt04HWSL2qinICTxRTCKhThDHU6QngEpZTBxFPPd5 1QCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=psnzJ+k1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k2-v6si8206863plt.374.2018.06.15.10.03.23; Fri, 15 Jun 2018 10:03:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=psnzJ+k1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756261AbeFORC7 (ORCPT + 99 others); Fri, 15 Jun 2018 13:02:59 -0400 Received: from mail-oi0-f65.google.com ([209.85.218.65]:44373 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755310AbeFORC4 (ORCPT ); Fri, 15 Jun 2018 13:02:56 -0400 Received: by mail-oi0-f65.google.com with SMTP id c128-v6so9386389oig.11 for ; Fri, 15 Jun 2018 10:02:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pRl2Fgx/Y865bWO6X/pDMIZgVKps8TK7GnU+XZooaHs=; b=psnzJ+k1ktGfoIh7S9p5VdQY+IVfMmpd5mGh9o6+6oP75sDYnwQBZf138AqSI0vlTD Sv2na0qusiCufw9aoWWK1E4HwAOOAqNd2CM8JWHRzHFw76tTzonvrTjuCY86Ox59xpRN bHhbKbZfNHZvzflkK8o9qsc77qa60t9gbgTH3cwcldb9H5xU1fcEDUGZYcQJbIa2pvl4 kS5ri99G0/s7ZCojBGaiviQnl6IpU39uZgT/XMxKdKAdR3Lkt4/yziJmsQd+bH1EFYIF lbu3DhyXxOvO73TdmGQAI1tp4KH5KlipI+HOzyz/48LkgbXClNDyat5RAJPzIUxi608q u6qg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pRl2Fgx/Y865bWO6X/pDMIZgVKps8TK7GnU+XZooaHs=; b=rj74lwaXlCvkYejq1OtnJZ6x4X+RB+nkM5rh4yNhj4j6ia5tb4P8hMte7D7fg3NkoL Y+IP5sIv7nTlYdUDV7lDPBQQ3okX83cEXagbhUsnQ7g5dE4leeqBBov6T9I9YtW5GTC8 5ACthH1jTdKpnou2gwaqUn+xVcT4L8ty0l/xN0RfjcB3/S05cy/ioaj3zSk8Y8gbOzs3 We8VAQKJmUKKETnjfn86fbYvRPXcD+N2O8lJQ1y/5w3nFWXKYSwmIO7kRHIw9/qGCAWB Rujc+Am17+RF0k8e46RUixmBqdGmj0x9ANx0JosjRLAJnzpMYHsRe7SJWUh4EuMq+q7w SULg== X-Gm-Message-State: APt69E1pafWFRSKWyaIX01/VudhuQNGBDPR3o5S9p3i4yTks/liVs6LR WhZ9DfPPM4qzF2av+cdRPDeCeBnhsOQH4dlBQdlV1w== X-Received: by 2002:aca:6b03:: with SMTP id g3-v6mr1246948oic.219.1529082175956; Fri, 15 Jun 2018 10:02:55 -0700 (PDT) MIME-Version: 1.0 References: <20180615152335.208202-1-jannh@google.com> <20180615164930.GE30522@ZenIV.linux.org.uk> In-Reply-To: From: Jann Horn Date: Fri, 15 Jun 2018 19:02:44 +0200 Message-ID: Subject: Re: [PATCH] sg, bsg: mitigate read/write abuse, block uaccess in release To: Al Viro Cc: axboe@kernel.dk, fujita.tomonori@lab.ntt.co.jp, dgilbert@interlog.com, jejb@linux.vnet.ibm.com, martin.petersen@oracle.com, linux-block@vger.kernel.org, linux-scsi@vger.kernel.org, kernel list , Kernel Hardening , security@kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 15, 2018 at 6:58 PM Jann Horn wrote: > > On Fri, Jun 15, 2018 at 6:49 PM Al Viro wrote: > > > > On Fri, Jun 15, 2018 at 05:23:35PM +0200, Jann Horn wrote: > > > As Al Viro noted in commit 128394eff343 ("sg_write()/bsg_write() is not fit > > > to be called under KERNEL_DS"), sg and bsg improperly access userspace > > > memory outside the provided buffer, permitting kernel memory corruption via > > > splice(). > > > But they don't just do it on ->write(), also on ->read() and (in the case > > > of bsg) even on ->release(). > > > > > > As a band-aid, make sure that the ->read() and ->write() handlers can not > > > be called in weird contexts (kernel context or credentials different from > > > file opener), like for ib_safe_file_access(). > > > Also, completely prevent user memory accesses from ->release(). > > > > Band-aid it is, and a bloody awful one, at that. What the hell is going on > > in bsg_put_device() and can it _ever_ hit that call chain? I.e. > > bsg_release() > > bsg_put_device() > > blk_complete_sgv4_hdr_rq() > > ->complete_rq() > > copy_to_user() > > If it can, the whole thing is FUBAR by design - ->release() may bloody well > > be called in a context that has no userspace at all. > > > > This is completely insane; what's going on there? > > Perhaps I should have split my patch into two parts; it consists of > two somewhat related changes. > > The first change is that ->read() and ->write() violate the normal > contract and, as a band-aid, should not be called in uaccess_kernel() > context or with changed creds. > > The second change is an actual fix: AFAICS ->release() accidentally > accessed userspace, which I've fixed using the added "cleaning_up" > parameter. FWIW, the demo code I'm using to test this in a QEMU VM: $ cat test.c #define _GNU_SOURCE #include #include #include #include #include #include int main(void) { int fd = open("/dev/bsg/0:0:0:0", O_RDWR); if (fd == -1) err(1, "foo"); __u8 buf1[255]; __u8 request[10] = { [0] = 0x5a, // MODE_SENSE_10 [2] = 0x41, [8] = 0x10 }; __u8 sense[32]; memset(sense, 'A', sizeof(sense)); memset(buf1, 'A', sizeof(buf1)); struct sg_io_v4 req = { .guard = 'Q', .protocol = BSG_PROTOCOL_SCSI, .subprotocol = BSG_SUB_PROTOCOL_SCSI_CMD, .request_len = sizeof(request), .request = (__u64)request, .max_response_len = sizeof(sense), .response = (__u64)sense, .din_xfer_len = sizeof(buf1), .din_xferp = (__u64)buf1, .timeout = 1000 }; if (write(fd, &req, sizeof(req)) != sizeof(req)) err(1, "write"); printf("sense[0] after write: 0x%02hhx\n", sense[0]); /* struct sg_io_v4 resp; if (splice(fd, NULL, pipe_fds[1], NULL, sizeof(struct sg_io_v4), 0) != sizeof(struct sg_io_v4)) err(1, "splice"); */ sleep(1); printf("sense[0] after sleep: 0x%02hhx\n", sense[0]); close(fd); printf("sense[0] after close: 0x%02hhx\n", sense[0]); } $ gcc -o test test.c -Wall && sudo ./test sense[0] after write: 0x41 sense[0] after sleep: 0x41 sense[0] after close: 0xf0 $ uname -a Linux debian 4.17.0+ #10 SMP Fri Jun 15 14:48:42 CEST 2018 x86_64 GNU/Linux