Date: Fri, 3 Aug 2018 13:05:51 -0700
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Bart Massey, Dave Kleikamp, jfs-discussion@lists.sourceforge.net, David Windsor
Subject: [PATCH] jfs: Expand usercopy whitelist for inline inode data
Message-ID: <20180803200551.GA47157@beast>

Bart Massey reported what turned out to be a usercopy whitelist false
positive in JFS when symlink contents exceeded 128 bytes. The inline
inode data (i_inline) is actually designed to overflow into the
"extended area" following it when needed. So the whitelist needed to
be expanded to include i_inline_ea (the whole size of which is
calculated internally using IDATASIZE, 256, instead of
sizeof(i_inline), 128).

$ cd /mnt/jfs
$ touch $(perl -e 'print "B" x 250')
$ ln -s B* b
$ ls -l >/dev/null
[  249.436410] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'jfs_ip' (offset 616, size 250)!

Reported-by: Bart Massey
Fixes: 8d2704d382a9 ("jfs: Define usercopy region in jfs_ip slab cache")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook --- I intend this to land via the usercopy tree... --- fs/jfs/jfs_dinode.h | 7 +++++++ fs/jfs/jfs_incore.h | 1 + fs/jfs/super.c | 3 +-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/fs/jfs/jfs_dinode.h b/fs/jfs/jfs_dinode.h index 395c4c0d0f06..1682a87c00b2 100644 --- a/fs/jfs/jfs_dinode.h +++ b/fs/jfs/jfs_dinode.h @@ -115,6 +115,13 @@ struct dinode { dxd_t _dxd; /* 16: */ union { __le32 _rdev; /* 4: */ + /* + * The fast symlink area + * is expected to overflow + * into _inlineea when + * needed (which will clear + * INLINEEA). + */ u8 _fastsymlink[128]; } _u; u8 _inlineea[128]; diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h index 1f26d1910409..9940a1e04cbf 100644 --- a/fs/jfs/jfs_incore.h +++ b/fs/jfs/jfs_incore.h @@ -87,6 +87,7 @@ struct jfs_inode_info { struct { unchar _unused[16]; /* 16: */ dxd_t _dxd; /* 16: */ + /* _inline may overflow into _inline_ea when needed */ unchar _inline[128]; /* 128: inline symlink */ /* _inline_ea may overlay the last part of * file._xtroot if maxentry = XTROOTINITSLOT diff --git a/fs/jfs/super.c b/fs/jfs/super.c index 1b9264fd54b6..f08571433aba 100644 --- a/fs/jfs/super.c +++ b/fs/jfs/super.c @@ -967,8 +967,7 @@ static int __init init_jfs_fs(void) jfs_inode_cachep = kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info), 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT, - offsetof(struct jfs_inode_info, i_inline), - sizeof_field(struct jfs_inode_info, i_inline), + offsetof(struct jfs_inode_info, i_inline), IDATASIZE, init_once); if (jfs_inode_cachep == NULL) return -ENOMEM; -- 2.17.1 -- Kees Cook Pixel Security
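Review bot: the comment added inside the union in the fs/jfs/jfs_dinode.h hunk documents an adjacency assumption (that _fastsymlink[128] is immediately followed by _inlineea[128]) without anything enforcing it; since the fast symlink path relies on that overflow, consider pairing the comment with a build-time check such as `BUILD_BUG_ON(offsetof(struct dinode, _inlineea) != offsetof(struct dinode, _u) + sizeof_field(struct dinode, _u));` so a future reordering of the on-disk struct fails at compile time instead of silently truncating or corrupting symlinks. The comment also states that the overflow "will clear INLINEEA" but not where that happens; a pointer to the code that clears the flag would let a reader verify the claim.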
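Review bot: the one-line comment added above _inline in the fs/jfs/jfs_incore.h hunk should be tied to the existing note directly below it that _inline_ea "may overlay the last part of file._xtroot"; once _inline is allowed to spill into _inline_ea, the bytes the symlink code hands to userspace may come from that overlaid region, so this is the natural place to state that the whole IDATASIZE span starting at _inline is treated as user-visible data, which is exactly what the super.c change whitelists. Suggest extending it to something like `/* _inline may overflow into _inline_ea when needed; together they form the IDATASIZE usercopy region (see init_jfs_fs) */`.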
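Review bot: replacing `sizeof_field(struct jfs_inode_info, i_inline)` with the bare constant IDATASIZE in the fs/jfs/super.c hunk drops the link between the whitelist length and the struct layout; nothing now checks that IDATASIZE (256 per the changelog) equals sizeof(i_inline) + sizeof(i_inline_ea), so a later change to either array would silently leave the usercopy region too short (the "Bad or missing usercopy whitelist?" report comes back) or too long (more of jfs_inode_info exposed through copy_to_user than intended). Suggest either writing the size as `sizeof_field(struct jfs_inode_info, i_inline) + sizeof_field(struct jfs_inode_info, i_inline_ea)` or adding `BUILD_BUG_ON(IDATASIZE != sizeof_field(struct jfs_inode_info, i_inline) + sizeof_field(struct jfs_inode_info, i_inline_ea));` ahead of the kmem_cache_create_usercopy() call; the second form also documents in code why 256 is the right number, which the changelog currently explains only in prose.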