mm/usercopy.c: no check page span for stack objects

(bnc#1012628).
author: Jiri Slaby <jslaby@suse.cz> 2019-01-18 07:53:27 +0100
committer: Jiri Slaby <jslaby@suse.cz> 2019-01-18 07:53:36 +0100
commit: e8c868c962bad20609c8c6f7c43bf5a7caa44f49 (patch)
tree: 26d081bdd2b7ae5349c7ccd749cc37f605b3c693
parent: 74e259922b5ca9dde72b7a56dddcdb13b17d4f8e (diff)
2 files changed, 90 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
new file mode 100644
index 0000000000..36ae206971
--- /dev/null
+++ b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
@@ -0,0 +1,89 @@
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 8 Jan 2019 15:23:04 -0800
+Subject: [PATCH] mm/usercopy.c: no check page span for stack objects
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: 7bff3c06997374fb9b9991536a547b840549a813
+
+commit 7bff3c06997374fb9b9991536a547b840549a813 upstream.
+
+It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,
+
+  usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 23)!
+  kernel BUG at mm/usercopy.c:102!
+
+For example,
+
+print_worker_info
+char name[WQ_NAME_LEN] = { };
+char desc[WORKER_DESC_LEN] = { };
+  probe_kernel_read(name, wq->name, sizeof(name) - 1);
+  probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
+    __copy_from_user_inatomic
+      check_object_size
+        check_heap_object
+          check_page_span
+
+This is because on-stack variables could cross PAGE_SIZE boundary, and
+failed this check,
+
+if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
+	   ((unsigned long)end & (unsigned long)PAGE_MASK)))
+
+ptr = FFFF889007D7EFF8
+end = FFFF889007D7F00E
+
+Hence, fix it by checking if it is a stack object first.
+
+[keescook@chromium.org: improve comments after reorder]
+  Link: http://lkml.kernel.org/r/20190103165151.GA32845@beast
+Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ mm/usercopy.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/mm/usercopy.c b/mm/usercopy.c
+index 852eb4e53f06..14faadcedd06 100644
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -247,7 +247,8 @@ static DEFINE_STATIC_KEY_FALSE_RO(bypass_usercopy_checks);
+ /*
+  * Validates that the given object is:
+  * - not bogus address
+- * - known-safe heap or stack object
++ * - fully contained by stack (or stack frame, when available)
++ * - fully within SLAB object (or object whitelist area, when available)
+  * - not in kernel text
+  */
+ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+@@ -262,9 +263,6 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ 	/* Check for invalid addresses. */
+ 	check_bogus_address((const unsigned long)ptr, n, to_user);
+ 
+-	/* Check for bad heap object. */
+-	check_heap_object(ptr, n, to_user);
+-
+ 	/* Check for bad stack object. */
+ 	switch (check_stack_object(ptr, n)) {
+ 	case NOT_STACK:
+@@ -282,6 +280,9 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ 		usercopy_abort("process stack", NULL, to_user, 0, n);
+ 	}
+ 
++	/* Check for bad heap object. */
++	check_heap_object(ptr, n, to_user);
++
+ 	/* Check for object in kernel to avoid text exposure. */
+ 	check_kernel_text_object((const unsigned long)ptr, n, to_user);
+ }
+-- 
+2.20.1
+
diff --git a/series.conf b/series.conf
index 4e54b8e4e9..94349af7c3 100644
--- a/series.conf
+++ b/series.conf
@@ -266,6 +266,7 @@
 	patches.kernel.org/4.20.3-026-USB-Add-USB_QUIRK_DELAY_CTRL_MSG-quirk-for-Cor.patch
 	patches.kernel.org/4.20.3-027-fork-memcg-fix-cached_stacks-case.patch
 	patches.kernel.org/4.20.3-028-slab-alien-caches-must-not-be-initialized-if-t.patch
+	patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
 
 	########################################################
 	# Build fixes that apply to the vanilla kernel too.
author	Jiri Slaby <jslaby@suse.cz>	2019-01-18 07:53:27 +0100
committer	Jiri Slaby <jslaby@suse.cz>	2019-01-18 07:53:36 +0100
commit	e8c868c962bad20609c8c6f7c43bf5a7caa44f49 (patch)
tree	26d081bdd2b7ae5349c7ccd749cc37f605b3c693
parent	74e259922b5ca9dde72b7a56dddcdb13b17d4f8e (diff)