Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5246899imu;
        Tue, 15 Jan 2019 14:01:41 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6FjpowbGf3mTEAIIzN7lGXPOrGBk/5mv8NVzq/6KQzQBKYUJU6Y9KYcXtp/kf46ulThB1e
X-Received: by 2002:a62:399b:: with SMTP id u27mr6408966pfj.181.1547589700861;
        Tue, 15 Jan 2019 14:01:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547589700; cv=none;
        d=google.com; s=arc-20160816;
        b=P6zNHk/vMTTtN8vTA3rIzWWZlC1c4a7K33h1fs0P/kuoNQgYmSOrvFvneSc3sHGBft
         pxNgqXEHWmtbT4PFSkURE3km52SAoXyUjMmCT4Hh8r4LiBLWDiAt+4EWw0gJoothrQOb
         8CWpYRi10K9oOMXQ0ytsh8cMgWMlYJibiOgvOJTdtooYbz1l/CW2HBn6nsPysm8DXnQh
         pk8t1qyj9c1z9+KHzS1T6ILoehvSrp+p23kzXvEQvU/WSgnn2Z0rpJ6I1h6UZ1kYJEpC
         pcjcL+gr0BfHizT4pJxG+vmCsPuGr50pvhbFUUj62tTWnkXbo+HUAkjZKNqVzp5fFfux
         GP9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=AZe3Q00FrsWuRgOaBQ4fzngbQ/LVRVz2QkX6nLF2MlI=;
        b=mdcbiOY4dhlVRkvMiuf/v7rR5TvsYxfAobKsEFKYVjzgXRJFfswdsELi0VLY7FvgBS
         zvJSme8/vmx/f/hGLUUK17mdDWzvqzv3I16tvtKcW3bNjX4NGJsMg4Ka3NpJ3PQsilFT
         /k88tW7Sy5zt/snti9ArKHUclxSu3iXWHPCOix9pEyyEU6eVoSyZPFpVYqpRbREci5s2
         Vmo6PDEpKlN4znenFZWkLiiVlSgYqIK8G2tjU0L8fBNRwr4MVRPzgnd/wYLdforK7kf5
         ZuibZXxEh0eCUi68faWk5tFMKcguDBnindlLf2JKiHQFmSl8TTEyFxMNfb1ObPqf8KnB
         7vvA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=L8hxahvA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j132si4423534pfc.84.2019.01.15.14.01.21;
        Tue, 15 Jan 2019 14:01:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=L8hxahvA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2387582AbfAOQoh (ORCPT <rfc822;1990.zhangzhen@gmail.com>
        + 99 others); Tue, 15 Jan 2019 11:44:37 -0500
Received: from mail.kernel.org ([198.145.29.99]:34168 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2387561AbfAOQoe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 15 Jan 2019 11:44:34 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 417C520675;
        Tue, 15 Jan 2019 16:44:33 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1547570673;
        bh=3lLMw0CSiPzDfPv1USGwx2YWl5qJAJS9Fs6IWusn/5Y=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=L8hxahvAa0kwIGUhTeojnwWgYrq/jPv/N/Ejc8kxKn2hhrZCGQ5OzaQ/d8Uctx4Hm
         8o1bo6exPudGkpC1jXX3EygiFI+si/DS+EwjNJkLhqSdVBumd+yerWR2Y6P+LlKKEr
         Ei5Kqqv3npogJWucnBIcnNY3fku1SiY9b+dd8mPI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Qian Cai <cai@lca.pw>,
        Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.20 29/57] mm/usercopy.c: no check page span for stack objects
Date:   Tue, 15 Jan 2019 17:36:10 +0100
Message-Id: <20190115154912.309319386@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190115154910.734892368@linuxfoundation.org>
References: <20190115154910.734892368@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.20-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Qian Cai <cai@lca.pw>

commit 7bff3c06997374fb9b9991536a547b840549a813 upstream.

It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,

  usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 23)!
  kernel BUG at mm/usercopy.c:102!

For example,

print_worker_info
char name[WQ_NAME_LEN] = { };
char desc[WORKER_DESC_LEN] = { };
  probe_kernel_read(name, wq->name, sizeof(name) - 1);
  probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
    __copy_from_user_inatomic
      check_object_size
        check_heap_object
          check_page_span

This is because on-stack variables could cross PAGE_SIZE boundary, and
failed this check,

if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
	   ((unsigned long)end & (unsigned long)PAGE_MASK)))

ptr = FFFF889007D7EFF8
end = FFFF889007D7F00E

Hence, fix it by checking if it is a stack object first.

[keescook@chromium.org: improve comments after reorder]
  Link: http://lkml.kernel.org/r/20190103165151.GA32845@beast
Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/usercopy.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -247,7 +247,8 @@ static DEFINE_STATIC_KEY_FALSE_RO(bypass
 /*
  * Validates that the given object is:
  * - not bogus address
- * - known-safe heap or stack object
+ * - fully contained by stack (or stack frame, when available)
+ * - fully within SLAB object (or object whitelist area, when available)
  * - not in kernel text
  */
 void __check_object_size(const void *ptr, unsigned long n, bool to_user)
@@ -262,9 +263,6 @@ void __check_object_size(const void *ptr
 	/* Check for invalid addresses. */
 	check_bogus_address((const unsigned long)ptr, n, to_user);
 
-	/* Check for bad heap object. */
-	check_heap_object(ptr, n, to_user);
-
 	/* Check for bad stack object. */
 	switch (check_stack_object(ptr, n)) {
 	case NOT_STACK:
@@ -282,6 +280,9 @@ void __check_object_size(const void *ptr
 		usercopy_abort("process stack", NULL, to_user, 0, n);
 	}
 
+	/* Check for bad heap object. */
+	check_heap_object(ptr, n, to_user);
+
 	/* Check for object in kernel to avoid text exposure. */
 	check_kernel_text_object((const unsigned long)ptr, n, to_user);
 }