authorJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:27 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:36 +0100
commite8c868c962bad20609c8c6f7c43bf5a7caa44f49 (patch)
tree26d081bdd2b7ae5349c7ccd749cc37f605b3c693
parent74e259922b5ca9dde72b7a56dddcdb13b17d4f8e (diff)
mm/usercopy.c: no check page span for stack objects
-rw-r--r--patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch89
-rw-r--r--series.conf1
2 files changed, 90 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
new file mode 100644
index 0000000000..36ae206971
--- /dev/null
+++ b/patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
@@ -0,0 +1,89 @@
+From: Qian Cai <cai@lca.pw>
+Date: Tue, 8 Jan 2019 15:23:04 -0800
+Subject: [PATCH] mm/usercopy.c: no check page span for stack objects
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: 7bff3c06997374fb9b9991536a547b840549a813
+
+commit 7bff3c06997374fb9b9991536a547b840549a813 upstream.
+
+It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,
+
+ usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 23)!
+ kernel BUG at mm/usercopy.c:102!
+
+For example,
+
+print_worker_info
+char name[WQ_NAME_LEN] = { };
+char desc[WORKER_DESC_LEN] = { };
+ probe_kernel_read(name, wq->name, sizeof(name) - 1);
+ probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
+ __copy_from_user_inatomic
+ check_object_size
+ check_heap_object
+ check_page_span
+
+This is because on-stack variables could cross PAGE_SIZE boundary, and
+failed this check,
+
+if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
+ ((unsigned long)end & (unsigned long)PAGE_MASK)))
+
+ptr = FFFF889007D7EFF8
+end = FFFF889007D7F00E
+
+Hence, fix it by checking if it is a stack object first.
+
+[keescook@chromium.org: improve comments after reorder]
+ Link: http://lkml.kernel.org/r/20190103165151.GA32845@beast
+Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@lca.pw
+Signed-off-by: Qian Cai <cai@lca.pw>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ mm/usercopy.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/mm/usercopy.c b/mm/usercopy.c
+index 852eb4e53f06..14faadcedd06 100644
+--- a/mm/usercopy.c
++++ b/mm/usercopy.c
+@@ -247,7 +247,8 @@ static DEFINE_STATIC_KEY_FALSE_RO(bypass_usercopy_checks);
+ /*
+ * Validates that the given object is:
+ * - not bogus address
+- * - known-safe heap or stack object
++ * - fully contained by stack (or stack frame, when available)
++ * - fully within SLAB object (or object whitelist area, when available)
+ * - not in kernel text
+ */
+ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+@@ -262,9 +263,6 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ /* Check for invalid addresses. */
+ check_bogus_address((const unsigned long)ptr, n, to_user);
+
+- /* Check for bad heap object. */
+- check_heap_object(ptr, n, to_user);
+-
+ /* Check for bad stack object. */
+ switch (check_stack_object(ptr, n)) {
+ case NOT_STACK:
+@@ -282,6 +280,9 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
+ usercopy_abort("process stack", NULL, to_user, 0, n);
+ }
+
++ /* Check for bad heap object. */
++ check_heap_object(ptr, n, to_user);
++
+ /* Check for object in kernel to avoid text exposure. */
+ check_kernel_text_object((const unsigned long)ptr, n, to_user);
+ }
+--
+2.20.1
+
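Review bot: After the reorder, any address that check_stack_object() classifies as a stack object leaves __check_object_size() before the heap check, so check_heap_object() and, with it, the page-span check are no longer applied to stack addresses at all; that is the intended fix for the BUG quoted in the changelog, but nothing in the function body records that the order is load-bearing, and a later "tidy-up" that moves the heap check back up would silently reintroduce the false positive. The only hint is the header-comment rewrite at the top of the hunk, which a reader of the switch will not see; suggest a why-comment directly above `switch (check_stack_object(ptr, n)) {`, e.g. `/* Classify stack objects first: a good stack object returns from this switch and must never reach check_heap_object(), whose page-span check rejects on-stack buffers that straddle a PAGE_SIZE boundary. */`. Note that check_bogus_address() remains the only check that runs before the classification, so it is now the sole guard applied to every pointer. The middle of the switch (the arms between NOT_STACK and the usercopy_abort() call) lies outside the quoted lines, so whether every non-NOT_STACK arm returns is inferred from the changelog rather than visible here.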
diff --git a/series.conf b/series.conf
index 4e54b8e4e9..94349af7c3 100644
--- a/series.conf
+++ b/series.conf
@@ -266,6 +266,7 @@
patches.kernel.org/4.20.3-026-USB-Add-USB_QUIRK_DELAY_CTRL_MSG-quirk-for-Cor.patch
patches.kernel.org/4.20.3-027-fork-memcg-fix-cached_stacks-case.patch
patches.kernel.org/4.20.3-028-slab-alien-caches-must-not-be-initialized-if-t.patch
+ patches.kernel.org/4.20.3-029-mm-usercopy.c-no-check-page-span-for-stack-obj.patch
########################################################
# Build fixes that apply to the vanilla kernel too.