Received: by 10.223.164.202 with SMTP id h10csp6252100wrb; Wed, 22 Nov 2017 01:29:33 -0800 (PST) X-Google-Smtp-Source: AGs4zMbyv+qe2PBcBa3Z+r3P/+5BT92PpnrUMn/I3foTJLsPyKVXCCSPssdlwnCQtEqEqhNodHua X-Received: by 10.101.86.76 with SMTP id m12mr19901637pgs.143.1511342973324; Wed, 22 Nov 2017 01:29:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511342973; cv=none; d=google.com; s=arc-20160816; b=b0RKL/QaQT2owtWeKy6EkqIjdOsoJn0GV+L1xnJESNMbqP7+aJDOdKpic3ogQ7Usud JiJKxS09ovR1PdOrap6ZJHi70C9jkg8IQCGMcve6KKYij0FL2tCZx6HGUWBxSWu55BSr ab9ZdqmhYuhs1QsTF51F8jy51W27T0095gPVpOBuUgGbY+0p3xJARX0O4AxTGkSCQIZR zdSd7/CwCutwEYoOFgq/afuVIMYizgNlb7oi5LkvfeNtkbSg38bsF+3qq3R9LNy7a5T5 38515S+EOhEADFaMeHmYQ1kzCVcu2XfVoEBtyvtI8tB6cnynXKQ9zN8bRml1Fj8AFvOG a5jw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:organization:references:in-reply-to:subject:cc:to:from :date:arc-authentication-results; bh=flRCBmAxB8KyWE4/wXdSJpcpMfcY7kHiDfuAyPeBhK4=; b=yD/6u4fkcsjoRrSu68rFipYcKB6qjY8H6dvUScB6W/uFgTe/pDQEe74GojL2cbeo83 XYzl0khx72yDPxGDUQ7xe6ZZktdp5hI3yTK6v8JSKkPfSfL8hXhn5ZGKxQKksIlaZoAe F22ZORQf1s0mMzzquxbBqwoy+vj7WILMNv3tlEcnUFkxS8TiG81KzXhD0uIEyiaPKW1e lwyxvILAKC1cTm+kj3olTgxXxSRQcNGTZy0DRQ/gtW3c+Kx03QFQVS2cFy9uZ87lhTjU mv+9mu1lKJZXc9H4NnVIN7HZX1v6mNQzq0ExsU65LNoVlmKCKqBUQGw0YzqqD3Gdy3KG n4+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n10si12829372plp.150.2017.11.22.01.29.22; Wed, 22 Nov 2017 01:29:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751559AbdKVJ2m (ORCPT + 75 others); Wed, 22 Nov 2017 04:28:42 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:44882 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751286AbdKVJ2j (ORCPT ); Wed, 22 Nov 2017 04:28:39 -0500 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id vAM9Qn27004290 for ; Wed, 22 Nov 2017 04:28:38 -0500 Received: from e06smtp14.uk.ibm.com (e06smtp14.uk.ibm.com [195.75.94.110]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ed5495tpd-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Wed, 22 Nov 2017 04:28:38 -0500 Received: from localhost by e06smtp14.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 22 Nov 2017 09:28:35 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp14.uk.ibm.com (192.168.101.144) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 22 Nov 2017 09:28:32 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id vAM9SWNv30146648; Wed, 22 Nov 2017 09:28:32 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 007DB11C04C; Wed, 22 Nov 2017 09:23:13 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A54B111C04A; Wed, 22 Nov 2017 09:23:12 +0000 (GMT) Received: from TP-holzheu (unknown [9.152.212.222]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 22 Nov 2017 09:23:12 +0000 (GMT) Date: Wed, 22 Nov 2017 10:28:29 +0100 From: Michael Holzheu To: Kees Cook Cc: Michael Holzheu , Tycho Andersen , Arnd Bergmann , Greg Kroah-Hartman , LKML , Heiko Carstens , Martin Schwidefsky , Vasily Gorbik Subject: Re: Does CONFIG_HARDENED_USERCOPY break /dev/mem? In-Reply-To: <20171113111938.6c222a81@TP-holzheu> References: <20171110164529.14db25d6@TP-holzheu> <20171113111938.6c222a81@TP-holzheu> Organization: IBM X-Mailer: Claws Mail 3.9.3 (GTK+ 2.24.23; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 17112209-0016-0000-0000-000005044240 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 17112209-0017-0000-0000-000028401239 Message-Id: <20171122102829.0cbfcc8e@TP-holzheu> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-11-22_03:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1711220127 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Mon, 13 Nov 2017 11:19:38 +0100 schrieb Michael Holzheu : > Am Fri, 10 Nov 2017 10:46:49 -0800 > schrieb Kees Cook : > > > On Fri, Nov 10, 2017 at 7:45 AM, Michael Holzheu > > wrote: > > > Hello Kees, > > > > > > When I try to run the crash tool on my s390 live system I get a kernel panic > > > when reading memory within the kernel image: > > > > > > # uname -a > > > Linux r3545011 4.14.0-rc8-00066-g1c9dbd4615fd #45 SMP PREEMPT Fri Nov 10 16:16:22 CET 2017 s390x s390x s390x GNU/Linux > > > # crash /boot/vmlinux-devel /dev/mem > > > # crash> rd 0x100000 > > > > > > usercopy: kernel memory exposure attempt detected from 0000000000100000 () (8 bytes) > > > ------------[ cut here ]------------ > > > kernel BUG at mm/usercopy.c:72! > > > illegal operation: 0001 ilc:1 [#1] PREEMPT SMP. > > > Modules linked in: > > > CPU: 0 PID: 1461 Comm: crash Not tainted 4.14.0-rc8-00066-g1c9dbd4615fd-dirty #46 > > > Hardware name: IBM 2827 H66 706 (z/VM 6.3.0) > > > task: 000000001ad10100 task.stack: 000000001df78000 > > > Krnl PSW : 0704d00180000000 000000000038165c (__check_object_size+0x164/0x1d0) > > > R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 > > > Krnl GPRS: 0000000012440e1d 0000000080000000 0000000000000061 00000000001cabc0 > > > 00000000001cc6d6 0000000000000000 0000000000cc4ed2 0000000000001000 > > > 000003ffc22fdd20 0000000000000008 0000000000100008 0000000000000001 > > > 0000000000000008 0000000000100000 0000000000381658 000000001df7bc90 > > > Krnl Code: 000000000038164c: c020004a1c4a larl %r2,cc4ee0 > > > 0000000000381652: c0e5fff2581b brasl %r14,1cc688 > > > #0000000000381658: a7f40001 brc 15,38165a > > > >000000000038165c: eb42000c000c srlg %r4,%r2,12 > > > 0000000000381662: eb32001c000c srlg %r3,%r2,28 > > > 0000000000381668: c0110003ffff lgfi %r1,262143 > > > 000000000038166e: ec31ff752065 clgrj %r3,%r1,2,381558 > > > 0000000000381674: a7f4ff67 brc 15,381542 > > > Call Trace: > > > ([<0000000000381658>] __check_object_size+0x160/0x1d0) > > > [<000000000082263a>] read_mem+0xaa/0x130. > > > [<0000000000386182>] __vfs_read+0x42/0x168. > > > [<000000000038632e>] vfs_read+0x86/0x140. > > > [<0000000000386a26>] SyS_read+0x66/0xc0. > > > [<0000000000ace6a4>] system_call+0xc4/0x2b0. > > > INFO: lockdep is turned off. > > > Last Breaking-Event-Address: > > > [<0000000000381658>] __check_object_size+0x160/0x1d0 > > > > > > Kernel panic - not syncing: Fatal exception: panic_on_oops > > > > > > With CONFIG_HARDENED_USERCOPY copy_to_user() checks in __check_object_size() > > > if the source address is within the kernel image: > > > > > > - __check_object_size() -> check_kernel_text_object(): > > > > > > /* Is this address range in the kernel text area? */ > > > static inline const char *check_kernel_text_object(const void *ptr, > > > unsigned long n) > > > { > > > unsigned long textlow = (unsigned long)_stext; > > > unsigned long texthigh = (unsigned long)_etext; > > > unsigned long textlow_linear, texthigh_linear; > > > > > > if (overlaps(ptr, n, textlow, texthigh)) > > > return ""; > > > > > > When the crash tool reads from 0x100000, this check leads to the kernel BUG() > > > in drivers/char/mem.c: > > > > > > 144 } else { > > > 145 /* > > > 146 * On ia64 if a page has been mapped somewhere as > > > 147 * uncached, then it must also be accessed uncached > > > 148 * by the kernel or data corruption may occur. > > > 149 */ > > > 150 ptr = xlate_dev_mem_ptr(p); > > > 151 if (!ptr) > > > 152 return -EFAULT; > > > 153 > > > 154 remaining = copy_to_user(buf, ptr, sz); <<<---- BUG > > > 155 > > > 156 unxlate_dev_mem_ptr(p, ptr); > > > 157 } > > > > > > Here the reporting function in mm/usercopy.c: > > > > > > 61 static void report_usercopy(const void *ptr, unsigned long len, > > > 62 bool to_user, const char *type) > > > 63 { > > > 64 pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n", > > > 65 to_user ? "exposure" : "overwrite", > > > 66 to_user ? "from" : "to", ptr, type ? : "unknown", len); > > > 67 /* > > > 68 * For greater effect, it would be nice to do do_group_exit(), > > > 69 * but BUG() actually hooks all the lock-breaking and per-arch > > > 70 * Oops code, so that is used here instead. > > > 71 */ > > > 72 BUG(); > > > 73 } > > > > > > Shouldn't we skip the kernel address check for /dev/mem - at least when > > > CONFIG_STRICT_DEVMEM is not enabled? > > > > Some kind of better interaction is needed here, I agree. The prior > > discussions around this basically resulted in declaring that > > HARDENED_USERCOPY without STRICT_DEVMEM didn't make a lot of sense. > > i.e. HARDENED_USERCOPY should maybe require STRICT_DEVMEM, etc. Tycho > > wrote this up after some back-and-forth: > > > > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=kspp/kconfig&id=ae98b44ceb338ae165a7f18f29f6244893712da3 > > > > In the end, I was still uncomfortable with it because the usercopy > > protection is wider than just the kernel text, so it seemed strange to > > force it off when not using STRICT_DEVMEM. > > > > What's the use-case here where you've got hardened usercopy without > > strict devmem? > > We use that configuration for development and test. We disabled STRICT_DEVMEM > for debugging the live system with crash. We enabled HARDENED_USERCOPY for > finding user-copy bugs. So what's your plan now? How will you fix this issue? Michael From 1583945809202787525@xxx Mon Nov 13 10:20:36 +0000 2017 X-GM-THRID: 1583694540722198621 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread