[GIT PULL] usercopy whitelisting for v4.15-rc1
From: Kees Cook
Date: Fri Nov 17 2017 - 11:54:36 EST
Hi Linus,
Please pull these hardened usercopy changes for v4.15-rc1. This
significantly narrows the areas of memory that can be copied to/from
userspace in the face of usercopy bugs by adding explicit whitelisting for
slab cache regions. This has lived in -next for quite some time without
major problems, but there were some late-discovered missing whitelists,
so a fallback mode was added just to make sure we don't break anything. I
expect to remove the fallback mode in a release or two.
(Sorry if this pull request is a duplicate: I just don't want to miss
the merge window, given its potential for being shorter than usual.)
Thanks!
-Kees
The following changes since commit 9e66317d3c92ddaab330c125dfe9d06eee268aff:
Linux 4.14-rc3 (2017-10-01 14:54:54 -0700)
are available in the git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.15-rc1
for you to fetch changes up to 3889a28c449c01cebe166e413a58742002c2352b:
lkdtm: Update usercopy tests for whitelisting (2017-11-08 15:40:04 -0800)
----------------------------------------------------------------
Currently, hardened usercopy performs dynamic bounds checking on slab
cache objects. This is good, but still leaves a lot of kernel memory
available to be copied to/from userspace in the face of bugs. To further
restrict what memory is available for copying, this creates a way to
whitelist specific areas of a given slab cache object for copying to/from
userspace, allowing much finer granularity of access control. Slab caches
that are never exposed to userspace can declare no whitelist for their
objects, thereby keeping them unavailable to userspace via dynamic copy
operations. (Note, an implicit form of whitelisting is the use of constant
sizes in usercopy operations and get_user()/put_user(); these bypass
hardened usercopy checks since these sizes cannot change at runtime.)
----------------------------------------------------------------
David Windsor (23):
usercopy: Prepare for usercopy whitelisting
usercopy: Enforce slab cache usercopy region boundaries
usercopy: Mark kmalloc caches as usercopy caches
dcache: Define usercopy region in dentry_cache slab cache
vfs: Define usercopy region in names_cache slab caches
vfs: Copy struct mount.mnt_id to userspace using put_user()
ext4: Define usercopy region in ext4_inode_cache slab cache
ext2: Define usercopy region in ext2_inode_cache slab cache
jfs: Define usercopy region in jfs_ip slab cache
befs: Define usercopy region in befs_inode_cache slab cache
exofs: Define usercopy region in exofs_inode_cache slab cache
orangefs: Define usercopy region in orangefs_inode_cache slab cache
ufs: Define usercopy region in ufs_inode_cache slab cache
vxfs: Define usercopy region in vxfs_inode slab cache
cifs: Define usercopy region in cifs_request slab cache
scsi: Define usercopy region in scsi_sense_cache slab cache
net: Define usercopy region in struct proto slab cache
ip: Define usercopy region in IP proto slab cache
caif: Define usercopy region in caif proto slab cache
sctp: Define usercopy region in SCTP proto slab cache
sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
fork: Define usercopy region in mm_struct slab caches
fork: Define usercopy region in thread_stack slab caches
Kees Cook (8):
net: Restrict unwhitelisted proto caches to size 0
fork: Provide usercopy whitelisting for task_struct
x86: Implement thread_struct whitelist for hardened usercopy
arm64: Implement thread_struct whitelist for hardened usercopy
arm: Implement thread_struct whitelist for hardened usercopy
usercopy: Allow for temporary fallback for non-whitelisted usercopy
usercopy: Restrict non-usercopy caches to size 0
lkdtm: Update usercopy tests for whitelisting
Paolo Bonzini (2):
kvm: whitelist struct kvm_vcpu_arch
kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
arch/Kconfig | 11 +++++
arch/arm/Kconfig | 1 +
arch/arm/include/asm/processor.h | 7 +++
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 8 ++++
arch/x86/Kconfig | 1 +
arch/x86/include/asm/processor.h | 8 ++++
arch/x86/kvm/x86.c | 7 +--
drivers/misc/lkdtm.h | 4 +-
drivers/misc/lkdtm_core.c | 4 +-
drivers/misc/lkdtm_usercopy.c | 88 +++++++++++++++++++++-----------------
drivers/scsi/scsi_lib.c | 9 ++--
fs/befs/linuxvfs.c | 14 +++---
fs/cifs/cifsfs.c | 10 +++--
fs/dcache.c | 9 ++--
fs/exofs/super.c | 7 ++-
fs/ext2/super.c | 12 +++---
fs/ext4/super.c | 12 +++---
fs/fhandle.c | 3 +-
fs/freevxfs/vxfs_super.c | 8 +++-
fs/jfs/super.c | 8 ++--
fs/orangefs/super.c | 15 ++++---
fs/ufs/super.c | 13 +++---
include/linux/sched/task.h | 14 ++++++
include/linux/slab.h | 27 +++++++++---
include/linux/slab_def.h | 3 ++
include/linux/slub_def.h | 3 ++
include/linux/stddef.h | 2 +
include/net/sctp/structs.h | 9 +++-
include/net/sock.h | 2 +
kernel/fork.c | 31 +++++++++++---
mm/slab.c | 35 ++++++++++++---
mm/slab.h | 8 +++-
mm/slab_common.c | 54 ++++++++++++++++++-----
mm/slub.c | 46 ++++++++++++++++----
mm/usercopy.c | 12 ++++++
net/caif/caif_socket.c | 2 +
net/core/sock.c | 4 +-
net/ipv4/raw.c | 2 +
net/ipv6/raw.c | 2 +
net/sctp/socket.c | 10 ++++-
security/Kconfig | 12 ++++++
virt/kvm/kvm_main.c | 7 ++-
43 files changed, 407 insertions(+), 138 deletions(-)
--
Kees Cook
Pixel Security
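As an added user-space model (not code from this series or the kernel) of the per-object region check the tag description above introduces: each cache carries a useroffset/usersize pair, a copy is allowed only when it falls entirely inside that region, and with the temporary fallback mode a copy that at least stays within the object yields a warning instead of a reject. The names uc_cache, check_heap_object and the two sample caches are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of a hardened-usercopy check on a slab object. */
enum uc_result { UC_ALLOW, UC_WARN, UC_ABORT };

/* The cache fields the whitelist check consults (a model, not the kernel struct). */
struct uc_cache {
    const char *name;
    size_t size;        /* bytes per object in this cache */
    size_t useroffset;  /* start of the usercopy-allowed region in each object */
    size_t usersize;    /* length of that region; 0 means nothing is allowed */
};

/*
 * User-space model of the SLUB-side check: ptr is the start of an n-byte
 * copy to/from userspace, base is the start of the slab page holding it.
 */
enum uc_result check_heap_object(const struct uc_cache *s, const char *base,
                                 const void *ptr, size_t n, int fallback)
{
    if ((const char *)ptr < base)
        return UC_ABORT;                        /* pointer not in this page */
    size_t offset = (size_t)((const char *)ptr - base) % s->size;

    /* Whole range inside the whitelisted region: allowed. */
    if (offset >= s->useroffset &&
        offset - s->useroffset <= s->usersize &&
        n <= s->usersize - (offset - s->useroffset))
        return UC_ALLOW;

    /* Fallback mode: copy stays inside the object, so warn instead of abort. */
    if (fallback && offset <= s->size && n <= s->size - offset) {
        fprintf(stderr, "usercopy: %s+%zu len %zu is not whitelisted\n",
                s->name, offset, n);
        return UC_WARN;
    }
    return UC_ABORT;                            /* outside object or region */
}

/* Constructed samples: a 256-byte "slab page" of 64-byte objects. */
static char demo_page[256];
/* Only bytes 16..47 of each object may be copied to/from userspace. */
static const struct uc_cache demo_cache = { "demo_cache", 64, 16, 32 };
/* No whitelist at all, like the unwhitelisted proto caches restricted to size 0. */
static const struct uc_cache demo_noexpose = { "demo_noexpose", 64, 0, 0 };
```

A copy that crosses the object boundary is rejected even in fallback mode, which is what the earlier dynamic bounds check already caught; the region check adds the rejection of copies that stay inside the object but touch non-whitelisted fields.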