Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4125966ybb; Tue, 7 Apr 2020 01:00:58 -0700 (PDT) X-Google-Smtp-Source: APiQypLl1GUJW4JJ9rLIhO+k+aV1y8TN7H82HXl24OQPFG8J1yLqOLSJWMMHcy9teBedAlvjU54L X-Received: by 2002:a05:6808:6cb:: with SMTP id m11mr726049oih.130.1586246458264; Tue, 07 Apr 2020 01:00:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586246458; cv=none; d=google.com; s=arc-20160816; b=qkDwOsvE2SXGdI9czanrSl12nlbvwgFtx0HRzw4BwRrT60awzG6G3mcn1AteZnKj6v 6fLXifa6+54zFolc+97H/qvZ3VbYyYcVF8x+1kZcyH0BU5T4Pe7kCxt+IawjxIezpUCb TSyLgmUarMsqFWXOzWU4ltvVEIMX5W/06D5AOz7onSRsD0Xk3jRlf64UiKjqA1fGtKwu XX9HPG5tMP5X+ORvZz8vBeBmCeqhJdTgEFWhznLED5Is67/CdS2EzbINyw+xEvnD8N8A YNum1MvZgqDvTT4JM6jlfg5RXsyYOxBTSa9YNtVomBdtFoID198JCixp6RmS5ddds/4J 2Wfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=OMfUEUVvm33sZhr6LMlOk1O6P4yprgKFj5kcKtybMNE=; b=ZGBZVpEmhKW1zm58dk4MQafAbw+2VryTH0CtRWfJ5S7HY88X18Xw17W/a7OB7Tf2ze 42NE9ecEa9tcOdGT7Cn9D4X9hIzSXrFH/0i4XSlRV9PJW5iy9et+Y1ZMPp4sZUxFTgEv lamp0jEn6tz58N2OqvfdZzTf5OIrsd3qLhfZB7juoNWAaO8vw6WnWT5yCDlCLl0suPLY yHgTwckvw6hSx7kJZRNMXLUapvjGH3YY8/iXjFVRUEnRGoblj9tk76Rw7xbOg6kCq3nv lu3sUWRCr3ap2lGq230gZlvu2BZBrhyOtkkpG9jQ9uOhe7tEMPqB0pI4TpXVw2RiSJk1 Ak/A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u66si368891oib.159.2020.04.07.01.00.46; Tue, 07 Apr 2020 01:00:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727883AbgDGIAQ (ORCPT + 99 others); Tue, 7 Apr 2020 04:00:16 -0400 Received: from mx2.suse.de ([195.135.220.15]:35104 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726635AbgDGIAQ (ORCPT ); Tue, 7 Apr 2020 04:00:16 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 5A711AC37; Tue, 7 Apr 2020 08:00:12 +0000 (UTC) Subject: Re: [kernel-hardening] [PATCH 09/38] usercopy: Mark kmalloc caches as usercopy caches To: Jann Horn , Kees Cook Cc: Christian Borntraeger , Christoph Hellwig , Christopher Lameter , Jiri Slaby , Julian Wiedmann , Ursula Braun , Alexander Viro , kernel list , David Windsor , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Linux-MM , linux-xfs@vger.kernel.org, Linus Torvalds , Andy Lutomirski , "David S. Miller" , Laura Abbott , Mark Rutland , "Martin K. Petersen" , Paolo Bonzini , Christoffer Dall , Dave Kleikamp , Jan Kara , Luis de Bethencourt , Marc Zyngier , Rik van Riel , Matthew Garrett , linux-fsdevel , linux-arch , Network Development , Kernel Hardening , Michal Kubecek References: <201911121313.1097D6EE@keescook> <201911141327.4DE6510@keescook> <202001271519.AA6ADEACF0@keescook> <5861936c-1fe1-4c44-d012-26efa0c8b6e7@de.ibm.com> <202001281457.FA11CC313A@keescook> <6844ea47-8e0e-4fb7-d86f-68046995a749@de.ibm.com> <20200129170939.GA4277@infradead.org> <771c5511-c5ab-3dd1-d938-5dbc40396daa@de.ibm.com> <202001300945.7D465B5F5@keescook> From: Vlastimil Babka Message-ID: <7d810f6d-8085-ea2f-7805-47ba3842dc50@suse.cz> Date: Tue, 7 Apr 2020 10:00:10 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/31/20 1:03 PM, Jann Horn wrote: > I think dma-kmalloc slabs should be handled the same way as normal > kmalloc slabs. When a dma-kmalloc allocation is freshly created, it is > just normal kernel memory - even if it might later be used for DMA -, > and it should be perfectly fine to copy_from_user() into such > allocations at that point, and to copy_to_user() out of them at the > end. If you look at the places where such allocations are created, you > can see things like kmemdup(), memcpy() and so on - all normal > operations that shouldn't conceptually be different from usercopy in > any relevant way. So, let's do that? ----8<---- From d5190e4e871689a530da3c3fd327be45a88f006a Mon Sep 17 00:00:00 2001 From: Vlastimil Babka Date: Tue, 7 Apr 2020 09:58:00 +0200 Subject: [PATCH] usercopy: Mark dma-kmalloc caches as usercopy caches We have seen a "usercopy: Kernel memory overwrite attempt detected to SLUB object 'dma-kmalloc-1 k' (offset 0, size 11)!" error on s390x, as IUCV uses kmalloc() with __GFP_DMA because of memory address restrictions. The issue has been discussed [2] and it has been noted that if all the kmalloc caches are marked as usercopy, there's little reason not to mark dma-kmalloc caches too. The 'dma' part merely means that __GFP_DMA is used to restrict memory address range. As Jann Horn put it [3]: "I think dma-kmalloc slabs should be handled the same way as normal kmalloc slabs. When a dma-kmalloc allocation is freshly created, it is just normal kernel memory - even if it might later be used for DMA -, and it should be perfectly fine to copy_from_user() into such allocations at that point, and to copy_to_user() out of them at the end. If you look at the places where such allocations are created, you can see things like kmemdup(), memcpy() and so on - all normal operations that shouldn't conceptually be different from usercopy in any relevant way." Thus this patch marks the dma-kmalloc-* caches as usercopy. [1] https://bugzilla.suse.com/show_bug.cgi?id=1156053 [2] https://lore.kernel.org/kernel-hardening/bfca96db-bbd0-d958-7732-76e36c667c68@suse.cz/ [3] https://lore.kernel.org/kernel-hardening/CAG48ez1a4waGk9kB0WLaSbs4muSoK0AYAVk8=XYaKj4_+6e6Hg@mail.gmail.com/ Signed-off-by: Vlastimil Babka --- mm/slab_common.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 5282f881d2f5..ae9486160594 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -1303,7 +1303,8 @@ void __init create_kmalloc_caches(slab_flags_t flags) kmalloc_caches[KMALLOC_DMA][i] = create_kmalloc_cache( kmalloc_info[i].name[KMALLOC_DMA], kmalloc_info[i].size, - SLAB_CACHE_DMA | flags, 0, 0); + SLAB_CACHE_DMA | flags, 0, + kmalloc_info[i].size); } } #endif -- 2.26.0