Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1280194imm;
        Fri, 17 Aug 2018 15:24:34 -0700 (PDT)
X-Google-Smtp-Source: AA+uWPysXuIui8mW/8bCRCgMOj23AEYvR804Sf7EbSV+USZvPzsJZzMLrieiOASatXYEtDomkAiy
X-Received: by 2002:a63:9f0a:: with SMTP id g10-v6mr34630766pge.324.1534544674400;
        Fri, 17 Aug 2018 15:24:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1534544674; cv=none;
        d=google.com; s=arc-20160816;
        b=h2vEn0oKV1yjmn6RWRigCHuN0BJUl5IcrHp6UC7ctOrh/fJHVsRIXvTzly0/iQKiU4
         ZFbHsTMQ+IvGBPvMKn3nhjRzltxUkwR0BrmsnBMRDzTeSa9YXoVCIenE20ZidDYeMG2b
         aBD9yVSgeOapf0E0sBhYb7PvZHLHtpas/1MPYkwo91Nf13AK9iicNHDruDVwd65IqDx0
         TgzLec2kP4pAGTPv2huL1lL/Isq5C/mK7SKmrmA4f4gYkaqfAMEQFoRADCu+1YkIA/Nw
         58JDcQ5leb8ouyh4n7GpTI2POQpR04EVi7fBnm3JS82/2aF6nLdUjQBaW8C6xXEkPpwN
         X3EQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=Dvvu7vM6+o7lDZ5Qtwu4fua/KLlx9gRIYgPpT3R8G3U=;
        b=MHPR+KwS7sGDbtYHIjchydvWA4Uz0yFhPps3+2S4RG+NhUxlBeIEhl1xcPHMLvKK1d
         F/LCxLW6uraIoeRLXsf90cJT9dcFaT+dqjVj+B4Gaz9+uzRqqGFCNequjFzJVJVdETcM
         0B9Rm15CBnDrvOMgW/ZyEKS/ZdF3oXc6L77QrZ/GRtWfs/EjBi7LhQw96vDkDWsv5q7j
         hPiixwi4WskvjloQouzJikM9QA2/BAdJZktXSGbMk8HR0Qzl4Va+jXCYA3GLSwAYntvu
         2C85/2S3OpmYrIKpn+PQYKeVprz/qMLK5LnlsRwiYRX6Gg/um5GrVyhB17Q8B6oYBGpW
         1E3Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=FmZyzup1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e6-v6si3151670pgh.50.2018.08.17.15.24.18;
        Fri, 17 Aug 2018 15:24:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=FmZyzup1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727517AbeHRB2X (ORCPT <rfc822;chaneybenjamini@gmail.com>
        + 99 others); Fri, 17 Aug 2018 21:28:23 -0400
Received: from mail-yw1-f66.google.com ([209.85.161.66]:44105 "EHLO
        mail-yw1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726712AbeHRB2X (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 17 Aug 2018 21:28:23 -0400
Received: by mail-yw1-f66.google.com with SMTP id l9-v6so4919692ywc.11
        for <linux-kernel@vger.kernel.org>; Fri, 17 Aug 2018 15:23:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=Dvvu7vM6+o7lDZ5Qtwu4fua/KLlx9gRIYgPpT3R8G3U=;
        b=FmZyzup1JUp4TDNQtenQ76Lb30L41N8iKbB3YVdOWq6YDm4iNkRFQXy140S0BPsOqW
         cJMgiZx9llQ7JlBm84/ApY/lcucmC1ebRTNpMm7ISjeYm+i8BknKR6k5KNUQRec3uqUj
         TU2T8WUHmT2/MZKG56JiO9tqAdu1lKdPQ8PSA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=Dvvu7vM6+o7lDZ5Qtwu4fua/KLlx9gRIYgPpT3R8G3U=;
        b=foFikM9mVT4eXc9b0u7eeVw0e1kIOUaIau6K7utxK/e03TiuqlFRd27sq60pcQgbG0
         9gBP1MS6J6bgg1ELI8BXqa8NEskdQBqKiJHN8FgoFbPuxaKiI4BCL31gmpmHKLBvS9/v
         6Qq6az3m/Dfn1uRXi3KciF03Ag82lPvtUBNC5yt0OCqLPtGQbStt+cQwLa7mYA7LkdQq
         zG69PNFhW/5fBqvaL/N9gkUGrvlQcRuCRm9l8VhT8jCN8/5ib6vNuyBg84LsRO8J0BOQ
         LjVNbj/9Vj/ubeiQfttfxzhXVrQBMteJUeb0OrxvLejR4fT/1fOcUDg7gqMNt/gtbw7w
         VJMw==
X-Gm-Message-State: AOUpUlFAiWC7a1WIluv/PAWNraO5PILQytQwXVL46Dx7jF2rzGvDUjql
        OrkkOEFlCfgFwk/MXPZ6xhELN8STPsU=
X-Received: by 2002:a81:5fd7:: with SMTP id t206-v6mr19335234ywb.278.1534544593106;
        Fri, 17 Aug 2018 15:23:13 -0700 (PDT)
Received: from mail-yb0-f175.google.com (mail-yb0-f175.google.com. [209.85.213.175])
        by smtp.gmail.com with ESMTPSA id e134-v6sm3129714ywa.59.2018.08.17.15.23.10
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 17 Aug 2018 15:23:11 -0700 (PDT)
Received: by mail-yb0-f175.google.com with SMTP id c1-v6so864688ybq.5
        for <linux-kernel@vger.kernel.org>; Fri, 17 Aug 2018 15:23:10 -0700 (PDT)
X-Received: by 2002:a25:7797:: with SMTP id s145-v6mr2905037ybc.137.1534544590300;
 Fri, 17 Aug 2018 15:23:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:aa31:0:0:0:0:0 with HTTP; Fri, 17 Aug 2018 15:23:09
 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.21.999.1808162319420.3196@trent.utfs.org>
References: <20180803200551.GA47157@beast> <alpine.DEB.2.21.999.1808162319420.3196@trent.utfs.org>
From:   Kees Cook <keescook@chromium.org>
Date:   Fri, 17 Aug 2018 15:23:09 -0700
X-Gmail-Original-Message-ID: <CAGXu5j+_qOcnJjwXX9mop++Bs7HCA7QMXCs5VXofewZ7XOwddw@mail.gmail.com>
Message-ID: <CAGXu5j+_qOcnJjwXX9mop++Bs7HCA7QMXCs5VXofewZ7XOwddw@mail.gmail.com>
Subject: Re: [Jfs-discussion] [PATCH] jfs: Expand usercopy whitelist for
 inline inode data
To:     Christian Kujau <lists@nerdbynature.de>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Bart Massey <bart.massey@gmail.com>,
        jfs-discussion@lists.sourceforge.net,
        David Windsor <dave@nullcore.net>,
        Dave Kleikamp <shaggy@kernel.org>,
        Ben Hutchings <ben@decadent.org.uk>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 16, 2018 at 11:56 PM, Christian Kujau <lists@nerdbynature.de> wrote:
> On Fri, 3 Aug 2018, Kees Cook via Jfs-discussion wrote:
>> Bart Massey reported what turned out to be a usercopy whitelist false
>> positive in JFS when symlink contents exceeded 128 bytes. The inline
>> inode data (i_inline) is actually designed to overflow into the "extended
>
> So, this may be a stupid question, but: is there a way to disable this
> hardened usercopy thing with a boot option maybe?
>
> Apparently, CONFIG_HARDENED_USERCOPY_FALLBACK was disabled in Debian's
> 4.16.0-0.bpo.2-amd64 (4.16.16) kernels[0] and I have a VMware guest here
> that prints a BUG message (below) whenever a certain directory is being
> accesses. ls(1) is fine, but "ls -l" (i.e. with stat()) produces the splat
> below. And indeed, the target of one of the symlinks inside is 129
> characters long, and every attempt to stat it prints the splat below.
>
> Going back to 4.16.0-0.bpo.1-amd64 (4.16.5) helps, but I was wondering if
> there was a magic boot option to disable it while I wait for 4.18 to land
> in Debian? I booted with hardened_usercopy=off, but it doesn't seem to
> have an effect and the directory is still inaccessible.

Precisely this was just added upstream[1] for 4.19 but isn't available
in 4.16. It should be trivial to backport it, though, if Ben wants to
do that? (The JFS fix is in the 4.17 and 4.18 -stable trees now, too,
BTW.)

-Kees

[1] https://git.kernel.org/linus/b5cb15d9372a

-- 
Kees Cook
Pixel Security