Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79B5AC636CC for ; Fri, 3 Feb 2023 22:28:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231160AbjBCW2L (ORCPT ); Fri, 3 Feb 2023 17:28:11 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49322 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233784AbjBCW2D (ORCPT ); Fri, 3 Feb 2023 17:28:03 -0500 Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A845AA7032 for ; Fri, 3 Feb 2023 14:27:56 -0800 (PST) Received: by mail-pl1-x634.google.com with SMTP id n13so6700284plf.11 for ; Fri, 03 Feb 2023 14:27:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:subject:cc :to:from:date:message-id:from:to:cc:subject:date:message-id:reply-to; bh=Y6a3uofuaRWFnhRwy6DM9u/s4KpjQkLkP1c4r8F5Dp4=; b=R6y8ck6vSR8fETfTkYUNju+wtcVgRBo/ruWEdX6JWnI8ZRPxnnfY3JbshQ+RIwnaiz rStwY5umhUwvhdp+8e4JSZZ/osBRzISBqqTkD0VFvrUUMoNZEYWoLdqB8K3n0AEqhzHZ oeZ/AYIehkUbkKyS3wTps5SXt3RZUs9VzaNgk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:subject:cc :to:from:date:message-id:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Y6a3uofuaRWFnhRwy6DM9u/s4KpjQkLkP1c4r8F5Dp4=; b=RiMp/pmWg33Ym3tETG3xbyBuYSgucBnzKqM7HEyUd4iFaxhf+iySqNUBNHiOEQnmKg fHZy5eTO4M4doVv3h0QpNvttW7tPNB7bdfl1ZP/7jZvLO5AjE7dyRMAfVi93j0B6dlXE w7YI9gbwzgR8+rHG575o6Np72ZsqYB0QH4t5Yfid6SNfYuy5lAez18oUf9588ubu+bq9 yxegeixDVFSiHb/tWeoiiiKWRFoZq8ddBJ+vj+0VsuXYgmn3fiDSTLFGrCxIxRnfn5ZQ myc4XpXp8RT+aCcOFkKMXgwa4aC2Tw4od1HPf7+Rrx6fcFtkt3LbRhTZe9bzPlydib5Q Jhwg== X-Gm-Message-State: AO0yUKWAN7xloJXH0KlCC9yYmSYCoTYiScXd+OYjJvYH52Ql5tpDcWFO +gBGYT1Sf6T7gF+5lt4Vny5siw== X-Google-Smtp-Source: AK7set/xjUWMWjOPi5xQ4TcdBEuC7tcdaRzvNmLij3yX1CJXryvQq6Imzuuem+hbuqzyRkgFD3rlbQ== X-Received: by 2002:a17:90b:3511:b0:22c:1422:e3fb with SMTP id ls17-20020a17090b351100b0022c1422e3fbmr12594858pjb.5.1675463275879; Fri, 03 Feb 2023 14:27:55 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id j5-20020a17090a3e0500b0022c03785e9dsm5347197pjc.18.2023.02.03.14.27.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 03 Feb 2023 14:27:55 -0800 (PST) Message-ID: <63dd8a6b.170a0220.f5c98.9e65@mx.google.com> X-Google-Original-Message-ID: <202302032223.@keescook> Date: Fri, 3 Feb 2023 22:27:54 +0000 From: Kees Cook To: Arnd Bergmann Cc: Aleksa Sarai , Christian Brauner , Rasmus Villemoes , Dinh Nguyen , Catalin Marinas , Andrew Morton , Geert Uytterhoeven , Alexander Potapenko , Christian Brauner , Stafford Horne , Alexander Viro , Christophe Leroy , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] uaccess: Add minimum bounds check on kernel buffer size References: <20230203193523.never.667-kees@kernel.org> <6c728dfc-d777-4beb-b463-649704c81a5e@app.fastmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6c728dfc-d777-4beb-b463-649704c81a5e@app.fastmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Feb 03, 2023 at 10:23:13PM +0100, Arnd Bergmann wrote: > On Fri, Feb 3, 2023, at 20:35, Kees Cook wrote: > > While there is logic about the difference between ksize and usize, > > copy_struct_from_user() didn't check the size of the destination buffer > > (when it was known) against ksize. Add this check so there is an upper > > bounds check on the possible memset() call, otherwise lower bounds > > checks made by callers will trigger bounds warnings under -Warray-bounds. > > Seen under GCC 13: > > > > In function 'copy_struct_from_user', > > inlined from 'iommufd_fops_ioctl' at > > ../drivers/iommu/iommufd/main.c:333:8: > > ../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' > > offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' > > with type 'union ucmd_buffer' [-Warray-bounds=] > > 59 | #define __underlying_memset __builtin_memset > > | ^ > > ../include/linux/fortify-string.h:453:9: note: in expansion of macro > > '__underlying_memset' > > 453 | __underlying_memset(p, c, __fortify_size); \ > > | ^~~~~~~~~~~~~~~~~~~ > > ../include/linux/fortify-string.h:461:25: note: in expansion of macro > > '__fortify_memset_chk' > > 461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ > > | ^~~~~~~~~~~~~~~~~~~~ > > ../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset' > > 334 | memset(dst + size, 0, rest); > > | ^~~~~~ > > ../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl': > > ../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here > > 311 | union ucmd_buffer buf; > > | ^~~ > > > > Hi Kees, > > I started building with gcc-13.0.1 myself but ran into a lot of > other -Warray-bounds warnings in randconfig builds, so I ended up > turning it off once more with CONFIG_CC_NO_ARRAY_BOUNDS in order > to keep building without warnings. Understood. AFAIK, all the open bugs I (and you) filed with GCC 13 have been fixed related to -Warray-bounds. The most recent was the misbehavior between CONFIG_UBSAN_SHIFT and -Warray-bounds. (Though the shift checking still exposes some warnings since it introduces an implicit bounds check on the shift variable, but they're not _wrong_ any more.) > Is there anything else I need to do to get to the point of > just addressing actual issues instead of false positives? > Do you already have a patch series for fixing the others? I've been working through the list that I see when building with -Warray-bounds and -fstrict-flex-arrays=3. Some are real bugs, as usual. > > diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h > > index afb18f198843..ab9728138ad6 100644 > > --- a/include/linux/uaccess.h > > +++ b/include/linux/uaccess.h > > @@ -329,6 +329,10 @@ copy_struct_from_user(void *dst, size_t ksize, > > const void __user *src, > > size_t size = min(ksize, usize); > > size_t rest = max(ksize, usize) - size; > > > > + /* Double check if ksize is larger than a known object size. */ > > + if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1))) > > + return -E2BIG; > > + > > WARN_ON_ONCE() may be a little expensive since that adds two > comparisons and a static variable to each copy, but it's probably > fine. Yeah. IMO, copy_struct_from_user() is not fast path and having better bounds checking when coming from userspace is well worth it. -- Kees Cook