From: Kees Cook
Date: Wed, 10 Apr 2019 14:57:46 -0700
Subject: Re: crypto: Kernel memory overwrite attempt detected to spans multiple pages
To: Eric Biggers
Cc: Geert Uytterhoeven, Herbert Xu, linux-security-module, Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List, Laura Abbott, Rik van Riel

On Wed, Apr 10, 2019 at 12:07 PM Eric Biggers wrote:
> That didn't answer my question. My question is what is the purpose of this? If
> there was actual buffer overflow when __GFP_COMP isn't specified that would make
> perfect sense, but AFAICS there isn't. So why does hardened usercopy consider
> it broken when __GFP_COMP isn't specified?

The goal of CONFIG_HARDENED_USERCOPY_PAGESPAN was to detect copies
across page boundaries in memory allocated by the page allocator.
There appear to be enough cases of allocations that span pages but do
not mark them with __GFP_COMP, so this logic hasn't proven useful in
the real world (which is why no one should use the ..._PAGESPAN config
in production).

I'd like to get the kernel to the point where hardened usercopy can
correctly do these checks (right now it's mainly only useful at
checking for overflows in slub and slab), but it'll take time/focus
for a while. No one has had time yet to track all of these down and
fix them. (I defer to Laura and Rik on the design of the pagespan
checks; they did the bulk of the work there.)

Does that help explain it, or am I still missing your question?

-- 
Kees Cook
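
A simplified userspace model of the check discussed in the message above, added here as an example; it is not kernel code and not part of the original thread. It covers only the two cases the message mentions (a copy inside one page, and a multi-page allocation marked with __GFP_COMP), and struct page_model, model_alloc and pagespan_ok are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uintptr_t)1 << PAGE_SHIFT)

/* Hypothetical stand-in for the per-page state such a check consults. */
struct page_model {
    bool compound;      /* allocation was made with __GFP_COMP */
    size_t head;        /* index of the allocation's first page */
    unsigned int order; /* allocation covers (1 << order) pages */
};

/* Record one page-allocator allocation of 2^order pages in the model. */
void model_alloc(struct page_model *pages, size_t head, unsigned int order, bool gfp_comp)
{
    for (size_t i = head; i < head + ((size_t)1 << order); i++)
        pages[i] = (struct page_model){ gfp_comp, head, order };
}

/* true if copying n bytes at byte offset off passes the modelled check. */
bool pagespan_ok(const struct page_model *pages, uintptr_t off, size_t n)
{
    if (n == 0)
        return true;
    if (n - 1 > UINTPTR_MAX - off)
        return false;                       /* range wraps around */
    size_t first = off >> PAGE_SHIFT;
    size_t last = (off + n - 1) >> PAGE_SHIFT;
    if (first == last)
        return true;                        /* wholly inside one page */
    const struct page_model *p = &pages[first];
    if (!p->compound)
        return false;                       /* spans pages, no __GFP_COMP */
    return last < p->head + ((size_t)1 << p->order); /* stay inside the compound page */
}

int main(void)
{
    struct page_model pages[4] = { 0 };
    model_alloc(pages, 0, 1, false);        /* constructed: 2 pages, plain */
    model_alloc(pages, 2, 1, true);         /* constructed: 2 pages, __GFP_COMP */
    printf("plain:    %d\n", pagespan_ok(pages, PAGE_SIZE - 16, 64));
    printf("compound: %d\n", pagespan_ok(pages, 3 * PAGE_SIZE - 16, 64));
    return 0;
}
```

The same 64-byte copy, fully inside a valid two-page allocation, is rejected for the plain allocation and accepted for the compound one, which is the false positive the quoted question is about.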