[GIT PULL] hardened usercopy whitelisting for v4.16-rc1

From: Kees Cook
Date: Mon Jan 29 2018 - 05:54:33 EST


Hi Linus,

Please pull these hardened usercopy changes for v4.16-rc1. This is very
close to what I sent for v4.15, though now it has a couple more Acks,
I reorganized the WARN-by-default to be earlier in the series where
hopefully it stands out better, and I improved reporting (while also
dropping the nearly meaningless %p usage). The bulk of this series
has been living happily in linux-next for almost two devel cycles now,
so my impression is that it's baked well enough for prime-time.

One merge conflict with net (sctp) appeared about 3 weeks ago, which
should prefer the usercopy version (since it uses a constant size for
the copy). Noted here: https://lkml.org/lkml/2018/1/11/757

Thanks!

-Kees

The following changes since commit ae64f9bd1d3621b5e60d7363bc20afb46aede215:

Linux 4.15-rc2 (2017-12-03 11:01:47 -0500)

are available in the git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.16-rc1

for you to fetch changes up to e47e311843dece8073146f3606871280ee9beb87:

lkdtm: Update usercopy tests for whitelisting (2018-01-15 12:08:09 -0800)

----------------------------------------------------------------
Currently, hardened usercopy performs dynamic bounds checking on slab
cache objects. This is good, but still leaves a lot of kernel memory
available to be copied to/from userspace in the face of bugs. To further
restrict what memory is available for copying, this creates a way to
whitelist specific areas of a given slab cache object for copying to/from
userspace, allowing much finer granularity of access control. Slab caches
that are never exposed to userspace can declare no whitelist for their
objects, thereby keeping them unavailable to userspace via dynamic copy
operations. (Note, an implicit form of whitelisting is the use of constant
sizes in usercopy operations and get_user()/put_user(); these bypass all
hardened usercopy checks since these sizes cannot change at runtime.)

This new check is WARN-by-default, so any mistakes can be found over the
next several releases without breaking anyone's system.

The series has roughly the following sections:
- remove %p and improve reporting with offset
- prepare infrastructure and whitelist kmalloc
- update VFS subsystem with whitelists
- update SCSI subsystem with whitelists
- update network subsystem with whitelists
- update process memory with whitelists
- update per-architecture thread_struct with whitelists
- update KVM with whitelists and fix ioctl bug
- mark all other allocations as not whitelisted
- update lkdtm for more sensible test coverage

----------------------------------------------------------------
David Windsor (22):
usercopy: Prepare for usercopy whitelisting
usercopy: Mark kmalloc caches as usercopy caches
dcache: Define usercopy region in dentry_cache slab cache
vfs: Define usercopy region in names_cache slab caches
vfs: Copy struct mount.mnt_id to userspace using put_user()
ext4: Define usercopy region in ext4_inode_cache slab cache
ext2: Define usercopy region in ext2_inode_cache slab cache
jfs: Define usercopy region in jfs_ip slab cache
befs: Define usercopy region in befs_inode_cache slab cache
exofs: Define usercopy region in exofs_inode_cache slab cache
orangefs: Define usercopy region in orangefs_inode_cache slab cache
ufs: Define usercopy region in ufs_inode_cache slab cache
vxfs: Define usercopy region in vxfs_inode slab cache
cifs: Define usercopy region in cifs_request slab cache
scsi: Define usercopy region in scsi_sense_cache slab cache
net: Define usercopy region in struct proto slab cache
ip: Define usercopy region in IP proto slab cache
caif: Define usercopy region in caif proto slab cache
sctp: Define usercopy region in SCTP proto slab cache
sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
fork: Define usercopy region in mm_struct slab caches
fork: Define usercopy region in thread_stack slab caches

Kees Cook (14):
usercopy: Remove pointer from overflow report
usercopy: Enhance and rename report_usercopy()
usercopy: Include offset in hardened usercopy report
lkdtm/usercopy: Adjust test to include an offset to check reporting
stddef.h: Introduce sizeof_field()
usercopy: WARN() on slab cache usercopy region violations
usercopy: Allow strict enforcement of whitelists
net: Restrict unwhitelisted proto caches to size 0
fork: Provide usercopy whitelisting for task_struct
x86: Implement thread_struct whitelist for hardened usercopy
arm64: Implement thread_struct whitelist for hardened usercopy
arm: Implement thread_struct whitelist for hardened usercopy
usercopy: Restrict non-usercopy caches to size 0
lkdtm: Update usercopy tests for whitelisting

Paolo Bonzini (2):
kvm: whitelist struct kvm_vcpu_arch
kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl

arch/Kconfig | 11 +++
arch/arm/Kconfig | 1 +
arch/arm/include/asm/processor.h | 10 +++
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/processor.h | 10 +++
arch/x86/Kconfig | 1 +
arch/x86/include/asm/processor.h | 8 +++
arch/x86/kvm/x86.c | 7 +-
drivers/misc/lkdtm.h | 4 +-
drivers/misc/lkdtm_core.c | 4 +-
drivers/misc/lkdtm_usercopy.c | 101 ++++++++++++++++------------
drivers/scsi/scsi_lib.c | 9 +--
fs/befs/linuxvfs.c | 14 ++--
fs/cifs/cifsfs.c | 10 +--
fs/dcache.c | 9 +--
fs/exofs/super.c | 7 +-
fs/ext2/super.c | 12 ++--
fs/ext4/super.c | 12 ++--
fs/fhandle.c | 3 +-
fs/freevxfs/vxfs_super.c | 8 ++-
fs/jfs/super.c | 8 ++-
fs/orangefs/super.c | 15 +++--
fs/ufs/super.c | 13 ++--
include/linux/sched/task.h | 14 ++++
include/linux/slab.h | 41 ++++++++----
include/linux/slab_def.h | 3 +
include/linux/slub_def.h | 3 +
include/linux/stddef.h | 10 ++-
include/linux/uaccess.h | 8 +++
include/net/sctp/structs.h | 9 ++-
include/net/sock.h | 2 +
kernel/fork.c | 31 +++++++--
mm/slab.c | 36 +++++++---
mm/slab.h | 8 ++-
mm/slab_common.c | 62 ++++++++++++++---
mm/slub.c | 49 ++++++++++----
mm/usercopy.c | 133 +++++++++++++++++++++----------------
net/caif/caif_socket.c | 2 +
net/core/sock.c | 4 +-
net/ipv4/raw.c | 2 +
net/ipv6/raw.c | 2 +
net/sctp/socket.c | 10 ++-
security/Kconfig | 14 ++++
tools/objtool/check.c | 1 +
virt/kvm/kvm_main.c | 8 ++-
45 files changed, 515 insertions(+), 215 deletions(-)

--
Kees Cook
Pixel Security
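As an added illustration of the whitelist check the tag message describes (not code from the pull request or from mm/usercopy.c), the user-space model below shows what a per-cache usercopy region means in practice: a cache records a (useroffset, usersize) pair at creation, every dynamic copy is tested to lie entirely inside that region of the object containing the pointer, and a cache created with no region (usersize 0) permits no dynamic copy at all. `cache_create_usercopy()`, `cache_create()`, `check_heap_object()`, `usercopy_check()` and `struct cache_model` are stand-ins for the kernel's `kmem_cache_create_usercopy()`, `kmem_cache_create()`, `__check_heap_object()`, the report path and `struct kmem_cache`; the report string only approximates the kernel's wording, `struct example_obj` and the slab arrays are constructed sample data, and the `strict` flag models the WARN-by-default versus strict-enforcement behaviour the series adds. The `sizeof_field()` macro uses the same definition the series adds to stddef.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same definition as the sizeof_field() macro this series adds to stddef.h. */
#define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER))

/* Stand-in for the usercopy-related fields of struct kmem_cache. */
struct cache_model {
	const char *name;
	size_t size;       /* bytes per slab object */
	size_t useroffset; /* start of the whitelisted region inside each object */
	size_t usersize;   /* length of that region; 0 means nothing may be copied */
};

/* What the check decided, plus the offset the improved report now includes. */
struct usercopy_report {
	bool violation;
	size_t offset; /* copy start relative to the start of the slab object */
	size_t len;
};

/* Stand-in for kmem_cache_create_usercopy(): the cache records its whitelist. */
static struct cache_model cache_create_usercopy(const char *name, size_t size,
						size_t useroffset, size_t usersize)
{
	struct cache_model c = { name, size, useroffset, usersize };
	return c;
}

/* Stand-in for kmem_cache_create(): after this series a cache created without
 * a whitelist has usersize 0, so no dynamic usercopy may touch its objects. */
static struct cache_model cache_create(const char *name, size_t size)
{
	return cache_create_usercopy(name, size, 0, 0);
}

/*
 * Model of the whitelist test: the copy [ptr, ptr + n) must lie entirely
 * within the whitelisted region of the object containing ptr. slab_base is
 * the first object of the slab page, so the offset inside the object is the
 * distance from slab_base modulo the object size.
 */
static struct usercopy_report check_heap_object(const struct cache_model *c,
						const char *slab_base,
						const char *ptr, size_t n)
{
	size_t offset = (size_t)(ptr - slab_base) % c->size;
	struct usercopy_report r = { true, offset, n };

	if (offset >= c->useroffset &&
	    offset - c->useroffset <= c->usersize &&
	    n <= c->usersize - (offset - c->useroffset))
		r.violation = false;
	return r;
}

/*
 * Model of the report path. With strict == false (the series' WARN-by-default
 * mode) a violation is only reported and the copy still proceeds; with
 * strict == true the copy is refused. Returns true if the copy may continue.
 */
static bool usercopy_check(const struct cache_model *c, const char *slab_base,
			   const char *ptr, size_t n, bool to_user, bool strict)
{
	struct usercopy_report r = check_heap_object(c, slab_base, ptr, n);

	if (!r.violation)
		return true;
	fprintf(stderr, "usercopy: %s attempt detected from SLAB object '%s' "
		"(offset %zu, size %zu)\n",
		to_user ? "kernel memory exposure" : "kernel memory overwrite",
		c->name, r.offset, r.len);
	return !strict;
}

/* Constructed example object: only user_buf is meant to reach userspace. */
struct example_obj {
	void *private_ptr;   /* kernel pointer: must never be copied out */
	unsigned long flags;
	char user_buf[64];   /* the whitelisted region */
};

/* Runs five copies in strict mode and returns how many were allowed (2). */
static int run_example(void)
{
	struct example_obj slab[4] = { 0 };  /* constructed: one slab page */
	char kmalloc_page[1024] = { 0 };     /* constructed: a kmalloc-256 page */
	const char *base = (const char *)slab;
	struct cache_model ex = cache_create_usercopy("example_cache",
			sizeof(struct example_obj),
			offsetof(struct example_obj, user_buf),
			sizeof_field(struct example_obj, user_buf));
	struct cache_model km = cache_create_usercopy("kmalloc-256", 256, 0, 256);
	struct cache_model priv = cache_create("private_cache",
					       sizeof(struct example_obj));
	int allowed = 0;

	/* the whole whitelisted buffer of the third object: allowed */
	allowed += usercopy_check(&ex, base, slab[2].user_buf, 64, true, true);
	/* starts inside user_buf but runs past its end: refused */
	allowed += usercopy_check(&ex, base, slab[2].user_buf + 60, 8, true, true);
	/* a field outside the region: refused */
	allowed += usercopy_check(&ex, base, (const char *)&slab[1].flags,
				  sizeof(slab[1].flags), true, true);
	/* kmalloc caches whitelist the entire object: allowed */
	allowed += usercopy_check(&km, kmalloc_page, kmalloc_page + 256 * 3 + 40,
				  100, false, true);
	/* a cache with no whitelist refuses even a single byte */
	allowed += usercopy_check(&priv, base, slab[0].user_buf, 1, true, true);
	return allowed;
}
```

The third and fifth cases are the ones this series makes newly visible: before it, a copy of `flags` or of a byte from `private_cache` passed the existing bounds check because it never crossed an object boundary; with whitelisting it is reported, and with fallback enabled it is still completed so that missing whitelists can be found without breaking the system.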