From: Jann Horn
Date: Sat, 1 Feb 2020 20:27:49 +0100
Subject: Re: [kernel-hardening] [PATCH 09/38] usercopy: Mark kmalloc caches as usercopy caches
To: Kees Cook
Cc: Christian Borntraeger, Christoph Hellwig, Christopher Lameter, Jiri Slaby, Julian Wiedmann, Ursula Braun, Alexander Viro, kernel list, David Windsor, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton, Linux-MM, linux-xfs@vger.kernel.org, Linus Torvalds, Andy Lutomirski, "David S. Miller", Laura Abbott, Mark Rutland, "Martin K. Petersen", Paolo Bonzini, Dave Kleikamp, Jan Kara, Marc Zyngier, Matthew Garrett, linux-fsdevel, linux-arch, Network Development, Kernel Hardening, Vlastimil Babka, Michal Kubecek
In-Reply-To: <202002010952.ACDA7A81@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

[pruned bogus addresses from recipient list]

On Sat, Feb 1, 2020 at 6:56 PM Kees Cook wrote:
> On Fri, Jan 31, 2020 at 01:03:40PM +0100, Jann Horn wrote:
> > I think dma-kmalloc slabs should be handled the same way as normal
> > kmalloc slabs. When a dma-kmalloc allocation is freshly created, it is
> > just normal kernel memory - even if it might later be used for DMA -,
> > and it should be perfectly fine to copy_from_user() into such
> > allocations at that point, and to copy_to_user() out of them at the
> > end. If you look at the places where such allocations are created, you
> > can see things like kmemdup(), memcpy() and so on - all normal
> > operations that shouldn't conceptually be different from usercopy in
> > any relevant way.
>
> I can't find where the address limit for dma-kmalloc is implemented.

dma-kmalloc is a slab that uses GFP_DMA pages. Things have changed a bit
through the kernel versions, but in current mainline, the zone limit for
GFP_DMA is reported from arch code to generic code via zone_dma_bits, from
where it is used to decide which zones should be used for allocations
based on the address limit of a given device:

kernel/dma/direct.c:

/*
 * Most architectures use ZONE_DMA for the first 16 Megabytes, but some use it
 * it for entirely different regions. In that case the arch code needs to
 * override the variable below for dma-direct to work properly.
 */
unsigned int zone_dma_bits __ro_after_init = 24;
[...]
static gfp_t __dma_direct_optimal_gfp_mask(struct device *dev, u64 dma_mask,
		u64 *phys_limit)
{
[...]
	/*
	 * Optimistically try the zone that the physical address mask falls
	 * into first.  If that returns memory that isn't actually addressable
	 * we will fallback to the next lower zone and try again.
	 *
	 * Note that GFP_DMA32 and GFP_DMA are no ops without the corresponding
	 * zones.
	 */
	if (*phys_limit <= DMA_BIT_MASK(zone_dma_bits))
		return GFP_DMA;
	if (*phys_limit <= DMA_BIT_MASK(32))
		return GFP_DMA32;
	return 0;
}

There are only a few architectures that override the limit:

powerpc:

	/*
	 * Allow 30-bit DMA for very limited Broadcom wifi chips on many
	 * powerbooks.
	 */
	if (IS_ENABLED(CONFIG_PPC32))
		zone_dma_bits = 30;
	else
		zone_dma_bits = 31;

s390:

	zone_dma_bits = 31;

and arm64:

#define ARM64_ZONE_DMA_BITS	30
[...]
	if (IS_ENABLED(CONFIG_ZONE_DMA)) {
		zone_dma_bits = ARM64_ZONE_DMA_BITS;
		arm64_dma_phys_limit = max_zone_phys(ARM64_ZONE_DMA_BITS);
	}

The actual categorization of page ranges into zones happens via
free_area_init_nodes() or free_area_init_node(); these are provided with
arrays of maximum physical addresses or zone sizes (depending on which of
them is called) by arch-specific code. For arm64, the caller is
zone_sizes_init(). X86 does it in zone_sizes_init().

> As to whitelisting all of dma-kmalloc -- I guess I can be talked into
> it. It still seems like the memory used for direct hardware
> communication shouldn't be exposed to userspace, but if we're dealing
> with packet data, etc, then it makes sense not to have to have bounce
> buffers, etc.

FWIW, as far as I understand, usercopy doesn't actually have any effect on
drivers that use the modern, proper APIs, since those don't use the slab
allocator at all - as I pointed out in my last mail, the dma-kmalloc*
slabs are used very rarely. (Which is good, because putting objects from
less-than-page-size slabs into iommu entries is a terrible idea from a
security and reliability perspective because it gives the hardware access
to completely unrelated memory.) Instead, they get pages from the page
allocator, and these pages may e.g. be allocated from the DMA, DMA32 or
NORMAL zones depending on the restrictions imposed by hardware. So I think
the usercopy restriction only affects a few oddball drivers (like this
s390 stuff), which is why you're not seeing more bug reports caused by
this.
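Added example, not part of the thread or of the kernel: a small C model of the hardened-usercopy whitelist check that the patch series touches, showing why a copy_to_user() out of a dma-kmalloc object is rejected while the same copy out of a whitelisted kmalloc object passes. `struct cache_model` and `usercopy_check()` are stand-ins for the kernel's useroffset/usersize bookkeeping (set via kmem_cache_create_usercopy()) and its heap check, not the real code; the cache definitions and addresses are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-in for a slab cache's usercopy whitelist: the real
 * kernel keeps useroffset/usersize in struct kmem_cache, set through
 * kmem_cache_create_usercopy(); this struct is a model, not kernel code. */
struct cache_model {
    const char *name;
    size_t size;        /* object size */
    size_t useroffset;  /* start of the region allowed to cross to/from user */
    size_t usersize;    /* length of that region; 0 = nothing whitelisted */
};

/* Model of the hardened-usercopy heap check: copying n bytes at ptr,
 * inside an object that starts at obj, is allowed only if the whole
 * range lies inside the cache's whitelisted region. Returns 0 when the
 * copy is allowed and -1 when it would be rejected (the kernel then
 * reports a usercopy violation instead of performing the copy). */
int usercopy_check(const struct cache_model *c, uintptr_t obj,
                   uintptr_t ptr, size_t n)
{
    size_t off;

    if (ptr < obj || ptr - obj >= c->size)
        return -1;            /* pointer is not inside this object */
    off = ptr - obj;
    if (n > c->size - off)
        return -1;            /* copy would overrun the object */
    if (c->usersize == 0)
        return -1;            /* cache has no whitelisted region at all */
    if (off < c->useroffset || off - c->useroffset + n > c->usersize)
        return -1;            /* range leaves the whitelisted region */
    return 0;
}

/* Constructed caches: kmalloc-128 with the whole object whitelisted (what
 * the patch under discussion does for the kmalloc caches) and
 * dma-kmalloc-128 left without a whitelist (the state Jann argues against). */
const struct cache_model kmalloc_128     = { "kmalloc-128",     128, 0, 128 };
const struct cache_model dma_kmalloc_128 = { "dma-kmalloc-128", 128, 0, 0 };

/* 1 if a 64-byte copy_to_user() out of the middle of an object from the
 * given cache would pass the check, 0 if hardened usercopy rejects it. */
int copy64_allowed(const struct cache_model *c)
{
    uintptr_t obj = 0x1000;   /* constructed object address */
    return usercopy_check(c, obj, obj + 32, 64) == 0;
}
```

The dma-kmalloc case is the one the s390 driver bug reports in this thread hit: the object is ordinary kernel memory, but with no whitelisted region every usercopy touching it is refused.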