author | Jiri Slaby <jslaby@suse.cz> | 2019-01-18 07:53:27 +0100 |
committer | Jiri Slaby <jslaby@suse.cz> | 2019-01-18 07:53:36 +0100 |
commit | e8c868c962bad20609c8c6f7c43bf5a7caa44f49 (patch) | |
tree | 26d081bdd2b7ae5349c7ccd749cc37f605b3c693 | |
parent | 74e259922b5ca9dde72b7a56dddcdb13b17d4f8e (diff) |
mm/usercopy.c: no check page span for stack objects
(bnc#1012628).
-rw-r--r-- | patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch | 89 | ||||
-rw-r--r-- | series.conf | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
new file mode 100644
index 0000000000..36ae206971
--- /dev/null
+++ b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
@@ -0,0 +1,89 @@
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 8 Jan 2019 15:23:04 -0800
+Subject: [PATCH] mm/usercopy.c: no check page span for stack objects
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: 7bff3c06997374fb9b9991536a547b840549a813
+
+commit 7bff3c06997374fb9b9991536a547b840549a813 upstream.
+
+It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,
+
+ usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 23)!
+ kernel BUG at mm/usercopy.c:102!
+
+For example,
+
+print_worker_info
+char name[WQ_NAME_LEN] = { };
+char desc[WORKER_DESC_LEN] = { };
+ probe_kernel_read(name, wq->name, sizeof(name) - 1);
+ probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
+ __copy_from_user_inatomic
+ check_object_size
+ check_heap_object
+ check_page_span
+
+This is because on-stack variables could cross PAGE_SIZE boundary, and
+failed this check,
+
+if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
+ ((unsigned long)end & (unsigned long)PAGE_MASK)))
+
+ptr = FFFF889007D7EFF8
+end = FFFF889007D7F00E
+
+Hence, fix it by checking if it is a stack object first.
+
+[keescook@chromium.org: improve comments after reorder]
+ Link: http://lkml.kernel.org/r/20190103165151.GA32845@beast
+Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ mm/usercopy.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/mm/usercopy.c b/mm/usercopy.c
+index 852eb4e53f06..14faadcedd06 100644
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -247,7 +247,8 @@ static DEFINE_STATIC_KEY_FALSE_RO(bypass_usercopy_checks);
+ /*
+ * Validates that the given object is:
+ * - not bogus address
+- * - known-safe heap or stack object
++ * - fully contained by stack (or stack frame, when available)
++ * - fully within SLAB object (or object whitelist area, when available)
+ * - not in kernel text
+ */
+ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+@@ -262,9 +263,6 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ /* Check for invalid addresses. */
+ check_bogus_address((const unsigned long)ptr, n, to_user);
+
+- /* Check for bad heap object. */
+- check_heap_object(ptr, n, to_user);
+-
+ /* Check for bad stack object. */
+ switch (check_stack_object(ptr, n)) {
+ case NOT_STACK:
+@@ -282,6 +280,9 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ usercopy_abort("process stack", NULL, to_user, 0, n);
+ }
+
++ /* Check for bad heap object. */
++ check_heap_object(ptr, n, to_user);
++
+ /* Check for object in kernel to avoid text exposure. */
+ check_kernel_text_object((const unsigned long)ptr, n, to_user);
+ }
+--
+2.20.1
+
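Review bot: The relocated `check_heap_object(ptr, n, to_user);` in the third inner hunk is only correct if the GOOD_FRAME/GOOD_STACK arms of the preceding switch return before reaching it, and those arms sit between the second and third hunk where this patch does not show them; the retained `/* Check for bad heap object. */` comment says nothing about that ordering dependency. Since the whole fix is that stack objects must never reach check_page_span(), a why-comment at the moved call would protect the order from a later well-meaning reshuffle, e.g. `/* Only NOT_STACK objects get here: stack objects may legitimately cross a page boundary and must not be subjected to check_page_span(). */`. The rewritten header comment in the first hunk could likewise state that the stack check is performed before the SLAB check. The body of __check_object_size() continues outside each of the three hunks.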
diff --git a/series.conf b/series.conf
index 4e54b8e4e9..94349af7c3 100644
--- a/series.conf
+++ b/series.conf
@@ -266,6 +266,7 @@
 patches.kernel.org/4.20.3-026-USB-Add-USB_QUIRK_DELAY_CTRL_MSG-quirk-for-Cor.patch
 patches.kernel.org/4.20.3-027-fork-memcg-fix-cached_stacks-case.patch
 patches.kernel.org/4.20.3-028-slab-alien-caches-must-not-be-initialized-if-t.patch
+ patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
 ########################################################
 # Build fixes that apply to the vanilla kernel too. |