Received: by 2002:ac0:946b:0:0:0:0:0 with SMTP id j40csp1181458imj; Sat, 16 Feb 2019 23:25:12 -0800 (PST) X-Google-Smtp-Source: AHgI3Iawko96OzkbnQRiauJ3VtXVCmp3/KzedR79sehChm9tF3TiMC6SVH+kyjNHakKfeFBaeg2v X-Received: by 2002:a17:902:780c:: with SMTP id p12mr18493721pll.197.1550388312823; Sat, 16 Feb 2019 23:25:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1550388312; cv=none; d=google.com; s=arc-20160816; b=wnMSN8QM9yYyZ7HrAMsDJQEXeD+aRM57CyfPJ6qlhJNE0hpYPdbSGuEXNjkHiIuiXX Gw9fzWcez/oMKzmWzNqwvP9UrYeCfLFvbt+KvbY74Gtrz3Mn7Li4IjIPARRWJ9f0avrW QOTq7EWI0VL4rpgXfgshZV3TEAvp5PyQ0IAvRgnzW243YZE9cqVO2cFhR7ZBoZSLI+eP pwiaWNZsOFERQ4F/SF7QKbMg2LemE/7VpS+CsIeymISweVLkh4COpzBuFBEzzzG6+vGQ vTj99aGpzWa0O9bdieXknq4TgbxggjhXtlseTtvSQ8ajvBwDfG3Fl0S26imOaJDC3Pwc 3azA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=sgPxOtSYL7FBSm7hdQtYFv606hVku+ZMwuYY0fgBplY=; b=zxq9UGckMEqP/JH8qYio9bZfLvPsuJi6XlL6ybZG1gP+SpKQxy5zrh0ATYj2RdUi2T VQW232lrGm9sFd4auR3BDh18ByuSHEChGpBTEdsICUDpVjD3S+5bC5Az1h/9xp6e8qsH JmH2KDAqz5VDZLEI8liG2zGnUjn6LVkyrDri//gq4+4YLcZAVwqp9ILik7htCNvvaM+f QSBmL0idmEUTOf4fGvDkpJcwy3iUvr7kUidimmpq+Q+0/EWG14qQzdhuZO6zfKss1RMr 14o85bwYQ3ymIK54KrxB16Ray5KLqpL+8+RiKYDp9CJOaGR8B6ACMMC5HLxt+BxnL6fZ Uhng== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s14si2754943plq.284.2019.02.16.23.24.56; Sat, 16 Feb 2019 23:25:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733119AbfBPUSs (ORCPT + 99 others); Sat, 16 Feb 2019 15:18:48 -0500 Received: from Galois.linutronix.de ([146.0.238.70]:54819 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727270AbfBPUSr (ORCPT ); Sat, 16 Feb 2019 15:18:47 -0500 Received: from p5492e0d8.dip0.t-ipconnect.de ([84.146.224.216] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1gv6Q3-0004j3-I3; Sat, 16 Feb 2019 21:18:39 +0100 Date: Sat, 16 Feb 2019 21:18:39 +0100 (CET) From: Thomas Gleixner To: Jann Horn cc: baloo@gandi.net, Andy Lutomirski , the arch/x86 maintainers , Ingo Molnar , Borislav Petkov , kernel list , Pascal Bouchareine Subject: Re: [PATCH] x86: uaccess: fix regression in unsafe_get_user In-Reply-To: Message-ID: References: <20190215235901.23541-1-baloo@gandi.net> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 16 Feb 2019, Jann Horn wrote: > On Sat, Feb 16, 2019 at 12:59 AM wrote: > > When extracting an initramfs, a filename may be near an allocation boundary. > > Should that happen, strncopy_from_user will invoke unsafe_get_user which > > may cross the allocation boundary. Should that happen, unsafe_get_user will > > trigger a page fault, and strncopy_from_user would then bailout to > > byte_at_a_time behavior. > > > > unsafe_get_user is unsafe by nature, and rely on pagefault to detect boundaries. > > After 9da3f2b74054 ("x86/fault: BUG() when uaccess helpers fault on kernel addresses") > > it may no longer rely on pagefault as the new page fault handler would > > trigger a BUG(). > > > > This commit allows unsafe_get_user to explicitly trigger pagefaults and > > handle them directly with the error target label. > > Oof. So basically the init code is full of things that just call > syscalls instead of using VFS functions (which don't actually exist > for everything), and the VFS syscalls use getname_flags(), which uses > strncpy_from_user(), which can access out-of-bounds pages on > architectures that set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, and > that in summary means that all the init code is potentially prone to > tripping over this? Not all init code. It should be only the initramfs decompression. > I don't particularly like this approach to fixing it, but I also don't > have any better ideas, so I guess unless someone else has a bright > idea, this patch might have to go in. So we know that this happens in the context of decompress() which calls flush_buffer() for every chunk. flush_buffer() gets the start_address and the length. We also know that the fault can only happen within: start_address <= fault_address < start_address + length + 8; So something like the untested workaround below should cover the initramfs oddity and avoid to weaken the protection for all other cases. Thanks, tglx 8<--------------- --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -1,5 +1,6 @@ #include #include +#include #include #include @@ -161,6 +162,14 @@ static bool bogus_uaccess(struct pt_regs if (current->kernel_uaccess_faults_ok) return false; + /* + * initramfs decompression can trigger a fault when + * unsafe_get_user() goes over the boundary of the buffer. That's a + * valid case for e.g. strncpy_from_user(). + */ + if (initramfs_fault_in_decompress(fault_addr)) + return false; + /* This is bad. Refuse the fixup so that we go into die(). */ if (trapnr == X86_TRAP_PF) { pr_emerg("BUG: pagefault on kernel address 0x%lx in non-whitelisted uaccess\n", --- a/include/linux/initrd.h +++ b/include/linux/initrd.h @@ -1,5 +1,8 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#ifndef LINUX_INITRD_H +#define LINUX_INITRD_H + #define INITRD_MINOR 250 /* shouldn't collide with /dev/ram* too soon ... */ /* 1 = load ramdisk, 0 = don't load */ @@ -25,3 +28,14 @@ extern phys_addr_t phys_initrd_start; extern unsigned long phys_initrd_size; extern unsigned int real_root_dev; + +#ifdef CONFIG_BLK_DEV_INITRD +bool initramfs_fault_in_decompress(unsigned long addr); +#else +static inline bool initramfs_fault_in_decompress(unsigned long addr) +{ + return false; +} +#endif + +#endif --- a/init/initramfs.c +++ b/init/initramfs.c @@ -403,13 +403,27 @@ static __initdata int (*actions[])(void) [Reset] = do_reset, }; +static unsigned long flush_start; +static unsigned long flush_length; + +bool initramfs_fault_in_decompress(unsigned long addr) +{ + return addr >= flush_start && addr < flush_start + flush_length + 8; +} + static long __init write_buffer(char *buf, unsigned long len) { + /* Store address and length for uaccess fault handling */ + flush_start = (unsigned long) buf; + flush_length = len; + byte_count = len; victim = buf; while (!actions[state]()) ; + /* Clear the uaccess fault handling region */ + flush_start = flush_length = 0; return len - byte_count; }