From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qian Cai, Kees Cook, Andrew Morton, Linus Torvalds
Subject: [PATCH 4.20 29/57] mm/usercopy.c: no check page span for stack objects
Date: Tue, 15 Jan 2019 17:36:10 +0100
Message-Id: <20190115154912.309319386@linuxfoundation.org>
In-Reply-To: <20190115154910.734892368@linuxfoundation.org>
References: <20190115154910.734892368@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.20-stable review patch. If anyone has any objections, please let me know.

------------------

From: Qian Cai

commit 7bff3c06997374fb9b9991536a547b840549a813 upstream.

It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,

  usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 23)!
  kernel BUG at mm/usercopy.c:102!

For example,

  print_worker_info
    char name[WQ_NAME_LEN] = { };
    char desc[WORKER_DESC_LEN] = { };
    probe_kernel_read(name, wq->name, sizeof(name) - 1);
    probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
      __copy_from_user_inatomic
        check_object_size
          check_heap_object
            check_page_span

This is because on-stack variables could cross a PAGE_SIZE boundary, and fail this check,

  if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
             ((unsigned long)end & (unsigned long)PAGE_MASK)))

  ptr = FFFF889007D7EFF8
  end = FFFF889007D7F00E

Hence, fix it by checking if it is a stack object first.

[keescook@chromium.org: improve comments after reorder]
Link: http://lkml.kernel.org/r/20190103165151.GA32845@beast
Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@lca.pw
Signed-off-by: Qian Cai
Signed-off-by: Kees Cook
Acked-by: Kees Cook
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- mm/usercopy.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -247,7 +247,8 @@ static DEFINE_STATIC_KEY_FALSE_RO(bypass /* * Validates that the given object is: * - not bogus address - * - known-safe heap or stack object + * - fully contained by stack (or stack frame, when available) + * - fully within SLAB object (or object whitelist area, when available) * - not in kernel text */ void __check_object_size(const void *ptr, unsigned long n, bool to_user) @@ -262,9 +263,6 @@ void __check_object_size(const void *ptr /* Check for invalid addresses. */ check_bogus_address((const unsigned long)ptr, n, to_user); - /* Check for bad heap object. */ - check_heap_object(ptr, n, to_user); - /* Check for bad stack object. */ switch (check_stack_object(ptr, n)) { case NOT_STACK: @@ -282,6 +280,9 @@ void __check_object_size(const void *ptr usercopy_abort("process stack", NULL, to_user, 0, n); } + /* Check for bad heap object. */ + check_heap_object(ptr, n, to_user); + /* Check for object in kernel to avoid text exposure. */ check_kernel_text_object((const unsigned long)ptr, n, to_user); }
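Review bot: the rewritten comment block in the first hunk (`@@ -247,7 +247,8 @@`) lists the stack and SLAB conditions as two independent bullets but says nothing about their order, and the order is the whole point of this patch: a stack object is meant to be classified first so that it is not subjected to the heap/page-span checks. Consider adding a line such as `* (stack objects are validated first; the SLAB check applies only to non-stack objects)` so that a later cleanup does not move `check_heap_object()` back above the stack switch and reintroduce the BUG from the commit message.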
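Review bot: in the second hunk (`@@ -262,9 +263,6 @@`), dropping `check_heap_object(ptr, n, to_user);` from before the stack switch is only safe if the `case NOT_STACK:` arm falls through (`break`) rather than returning, because heap objects now depend on reaching the call re-added after the switch; the arm's body is outside the visible context, so please confirm it. It would also help to state in the commit message that the stack check is now the first classification step and that a NOT_STACK result is what routes an object to the heap checks.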
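Review bot: in the third hunk (`@@ -282,6 +280,9 @@`), the re-added `check_heap_object()` sits directly after the `usercopy_abort("process stack", NULL, to_user, 0, n);` arm, so the fix for the reported false positive relies on the GOOD_STACK/GOOD_FRAME arms returning before this point; if they only `break`, a stack buffer straddling a page boundary would still reach `check_page_span()` and the `kernel BUG at mm/usercopy.c:102` from the commit message would persist. Those arms are not in the hunk context, so consider making the dependency explicit in the new comment, e.g. `/* Check for bad heap object (reached only for non-stack objects). */`.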
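The commit message quotes the page-span predicate and the concrete `ptr`/`end` values that tripped it, but not why the order of the checks decides the outcome. The following user-space model is an added illustration, not code from mm/usercopy.c or from this patch: it reproduces the page-span test with the inclusive `end = ptr + n - 1` used by `check_page_span()`, a simplified `check_stack_object()` over a caller-supplied stack range, and the two call orders (heap check first, as before the patch; stack check first, as after it). The stack range, a PAGE_SIZE of 4096 and a heap model consisting only of the page-span test are assumptions for the demonstration. Run on the commit's own values (ptr `FFFF889007D7EFF8`, size 23) it shows the old order rejecting a good stack object while the new order accepts it.

```c
/*
 * Added model of the check ordering changed by this patch (not kernel
 * code). Assumptions: 4 KiB pages, a stack range supplied by the caller,
 * and a "heap" check that consists only of the page-span test.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  (1ULL << MODEL_PAGE_SHIFT)
#define MODEL_PAGE_MASK  (~(MODEL_PAGE_SIZE - 1))

/* Mirrors the three outcomes that __check_object_size() switches on. */
enum stack_result { NOT_STACK = 0, GOOD_STACK = 1, BAD_STACK = -1 };

/* Page-span predicate from check_page_span(): end is the inclusive last byte. */
static bool spans_multiple_pages(uint64_t ptr, unsigned long n)
{
    uint64_t end = ptr + n - 1;
    return (ptr & MODEL_PAGE_MASK) != (end & MODEL_PAGE_MASK);
}

/* Simplified check_stack_object(): [lo, hi) is the task's stack (assumed). */
static enum stack_result classify_stack(uint64_t lo, uint64_t hi,
                                        uint64_t ptr, unsigned long n)
{
    uint64_t end = ptr + n;            /* exclusive end of the object */
    if (end <= lo || ptr >= hi)
        return NOT_STACK;              /* does not touch the stack at all */
    if (ptr >= lo && end <= hi)
        return GOOD_STACK;             /* wholly inside the stack */
    return BAD_STACK;                  /* straddles the stack boundary */
}

/* Heap model: rejection means the page-span test fired. */
static bool heap_rejects(uint64_t ptr, unsigned long n)
{
    return spans_multiple_pages(ptr, n);
}

/* Ordering before the patch: heap (page-span) check runs on every object. */
static bool old_order_rejects(uint64_t lo, uint64_t hi, uint64_t ptr, unsigned long n)
{
    if (heap_rejects(ptr, n))
        return true;
    return classify_stack(lo, hi, ptr, n) == BAD_STACK;
}

/* Ordering after the patch: a good stack object returns before the heap check. */
static bool new_order_rejects(uint64_t lo, uint64_t hi, uint64_t ptr, unsigned long n)
{
    switch (classify_stack(lo, hi, ptr, n)) {
    case NOT_STACK:
        break;                         /* not on the stack: go on to the heap check */
    case GOOD_STACK:
        return false;                  /* accepted; never reaches the page-span test */
    default:
        return true;                   /* partially on the stack: reject */
    }
    return heap_rejects(ptr, n);
}

int main(void)
{
    /* Assumed stack spanning several pages so a buffer can straddle one. */
    uint64_t lo = 0xFFFF889007D7E000ULL, hi = 0xFFFF889007D80000ULL;
    /* Values from the commit message: ptr ..EFF8, size 23, inclusive end ..F00E. */
    uint64_t ptr = 0xFFFF889007D7EFF8ULL;
    unsigned long n = 23;

    printf("object spans two pages: %d\n", spans_multiple_pages(ptr, n));
    printf("old order rejects it:   %d\n", old_order_rejects(lo, hi, ptr, n));
    printf("new order rejects it:   %d\n", new_order_rejects(lo, hi, ptr, n));
    return 0;
}
```

The model keeps the kernel's inclusive `end`, which is why size 23 from `..EFF8` lands on `..F00E` rather than `..F00F`; getting that off-by-one wrong would make a buffer ending exactly on a page boundary look like it spans two pages. A heap object that crosses a page is still rejected under both orders, so the reorder only changes the verdict for objects that the stack check classifies as good.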