diff mbox series

io_uring: annotate the struct io_kiocb slab for appropriate user copy

Message ID db807b6b-76ca-4101-844a-aa6da1467b98@kernel.dk (mailing list archive)
State New
Headers show
Series io_uring: annotate the struct io_kiocb slab for appropriate user copy | expand

Commit Message

Jens Axboe Aug. 2, 2023, 8:42 p.m. UTC
When compiling the kernel with clang and having HARDENED_USERCOPY
enabled, the liburing openat2.t test case fails during request setup:

usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 3 PID: 413 Comm: openat2.t Tainted: G                 N 6.4.3-g6995e2de6891-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Call Trace:
 <TASK>
 ? __die_body+0x63/0xb0
 ? die+0x9d/0xc0
 ? do_trap+0xa7/0x180
 ? usercopy_abort+0x84/0x90
 ? do_error_trap+0xc6/0x110
 ? usercopy_abort+0x84/0x90
 ? handle_invalid_op+0x2c/0x40
 ? usercopy_abort+0x84/0x90
 ? exc_invalid_op+0x2f/0x40
 ? asm_exc_invalid_op+0x16/0x20
 ? usercopy_abort+0x84/0x90
 __check_heap_object+0xe2/0x110
 __check_object_size+0x142/0x3d0
 io_openat2_prep+0x68/0x140
 io_submit_sqes+0x28a/0x680
 __se_sys_io_uring_enter+0x120/0x580
 do_syscall_64+0x3d/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x55714834de26
Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
---[ end Kernel panic - not syncing: Fatal exception ]---

when it tries to copy struct open_how from userspace into the per-command
space in the io_kiocb. There's nothing wrong with the copy, but we're
missing the appropriate annotations for allowing user copies to/from the
io_kiocb slab.

Allow copies in the per-command area, which is from the 'file' pointer to
when 'opcode' starts. We do have existing user copies there, but they are
not all annotated like the one that openat2_prep() uses,
copy_struct_from_user(). But in practice opcodes should be allowed to
copy data into their per-command area in the io_kiocb.

Reported-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

---

Comments

Pavel Begunkov Aug. 2, 2023, 11:30 p.m. UTC | #1
On 8/2/23 21:42, Jens Axboe wrote:
> When compiling the kernel with clang and having HARDENED_USERCOPY
> enabled, the liburing openat2.t test case fails during request setup:
> 
> usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:102!
> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> CPU: 3 PID: 413 Comm: openat2.t Tainted: G                 N 6.4.3-g6995e2de6891-dirty #19
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
> RIP: 0010:usercopy_abort+0x84/0x90
> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
> FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
> Call Trace:
>   <TASK>
>   ? __die_body+0x63/0xb0
>   ? die+0x9d/0xc0
>   ? do_trap+0xa7/0x180
>   ? usercopy_abort+0x84/0x90
>   ? do_error_trap+0xc6/0x110
>   ? usercopy_abort+0x84/0x90
>   ? handle_invalid_op+0x2c/0x40
>   ? usercopy_abort+0x84/0x90
>   ? exc_invalid_op+0x2f/0x40
>   ? asm_exc_invalid_op+0x16/0x20
>   ? usercopy_abort+0x84/0x90
>   __check_heap_object+0xe2/0x110
>   __check_object_size+0x142/0x3d0
>   io_openat2_prep+0x68/0x140
>   io_submit_sqes+0x28a/0x680
>   __se_sys_io_uring_enter+0x120/0x580
>   do_syscall_64+0x3d/0x80
>   entry_SYSCALL_64_after_hwframe+0x46/0xb0
> RIP: 0033:0x55714834de26
> Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
> RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
> RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
> R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
> R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
>   </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:usercopy_abort+0x84/0x90
> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
> FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
> Kernel panic - not syncing: Fatal exception
> Kernel Offset: disabled
> ---[ end Kernel panic - not syncing: Fatal exception ]---
> 
> when it tries to copy struct open_how from userspace into the per-command
> space in the io_kiocb. There's nothing wrong with the copy, but we're
> missing the appropriate annotations for allowing user copies to/from the
> io_kiocb slab.
> 
> Allow copies in the per-command area, which is from the 'file' pointer to
> when 'opcode' starts. We do have existing user copies there, but they are
> not all annotated like the one that openat2_prep() uses,
> copy_struct_from_user(). But in practice opcodes should be allowed to
> copy data into their per-command area in the io_kiocb.
> 
> Reported-by: Breno Leitao <leitao@debian.org>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> ---
> 
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 135da2fd0eda..d8e69461786d 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -4627,8 +4627,20 @@ static int __init io_uring_init(void)
>   
>   	io_uring_optable_init();
>   
> -	req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
> -				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
> +	/*
> +	 * Allow user copy in the per-command field, which starts after the
> +	 * file in io_kiocb and until the opcode field. The openat2 handling
> +	 * requires copying in user memory into the io_kiocb object in that
> +	 * range, and HARDENED_USERCOPY will complain if we haven't
> +	 * correctly annotated this range.
> +	 */
> +	req_cachep = kmem_cache_create_usercopy("io_kiocb",
> +				sizeof(struct io_kiocb), 0,
> +				SLAB_HWCACHE_ALIGN | SLAB_PANIC |
> +				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
> +				offsetof(struct io_kiocb, cmd.data),
> +				offsetof(struct io_kiocb, opcode) -
> +				offsetof(struct io_kiocb, cmd.data), NULL);

sizeof_field(struct io_kiocb, cmd.data)

should be less awkward
Jens Axboe Aug. 3, 2023, 1:34 a.m. UTC | #2
On 8/2/23 5:30?PM, Pavel Begunkov wrote:
> On 8/2/23 21:42, Jens Axboe wrote:
>> When compiling the kernel with clang and having HARDENED_USERCOPY
>> enabled, the liburing openat2.t test case fails during request setup:
>>
>> usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
>> ------------[ cut here ]------------
>> kernel BUG at mm/usercopy.c:102!
>> invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
>> CPU: 3 PID: 413 Comm: openat2.t Tainted: G                 N 6.4.3-g6995e2de6891-dirty #19
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
>> RIP: 0010:usercopy_abort+0x84/0x90
>> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
>> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
>> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
>> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
>> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
>> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
>> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
>> FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
>> Call Trace:
>>   <TASK>
>>   ? __die_body+0x63/0xb0
>>   ? die+0x9d/0xc0
>>   ? do_trap+0xa7/0x180
>>   ? usercopy_abort+0x84/0x90
>>   ? do_error_trap+0xc6/0x110
>>   ? usercopy_abort+0x84/0x90
>>   ? handle_invalid_op+0x2c/0x40
>>   ? usercopy_abort+0x84/0x90
>>   ? exc_invalid_op+0x2f/0x40
>>   ? asm_exc_invalid_op+0x16/0x20
>>   ? usercopy_abort+0x84/0x90
>>   __check_heap_object+0xe2/0x110
>>   __check_object_size+0x142/0x3d0
>>   io_openat2_prep+0x68/0x140
>>   io_submit_sqes+0x28a/0x680
>>   __se_sys_io_uring_enter+0x120/0x580
>>   do_syscall_64+0x3d/0x80
>>   entry_SYSCALL_64_after_hwframe+0x46/0xb0
>> RIP: 0033:0x55714834de26
>> Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
>> RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
>> RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
>> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
>> R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
>> R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
>>   </TASK>
>> Modules linked in:
>> ---[ end trace 0000000000000000 ]---
>> RIP: 0010:usercopy_abort+0x84/0x90
>> Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
>> RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
>> RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
>> RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
>> RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
>> R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
>> R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
>> FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
>> Kernel panic - not syncing: Fatal exception
>> Kernel Offset: disabled
>> ---[ end Kernel panic - not syncing: Fatal exception ]---
>>
>> when it tries to copy struct open_how from userspace into the per-command
>> space in the io_kiocb. There's nothing wrong with the copy, but we're
>> missing the appropriate annotations for allowing user copies to/from the
>> io_kiocb slab.
>>
>> Allow copies in the per-command area, which is from the 'file' pointer to
>> when 'opcode' starts. We do have existing user copies there, but they are
>> not all annotated like the one that openat2_prep() uses,
>> copy_struct_from_user(). But in practice opcodes should be allowed to
>> copy data into their per-command area in the io_kiocb.
>>
>> Reported-by: Breno Leitao <leitao@debian.org>
>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>>
>> ---
>>
>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
>> index 135da2fd0eda..d8e69461786d 100644
>> --- a/io_uring/io_uring.c
>> +++ b/io_uring/io_uring.c
>> @@ -4627,8 +4627,20 @@ static int __init io_uring_init(void)
>>         io_uring_optable_init();
>>   -    req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
>> -                SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
>> +    /*
>> +     * Allow user copy in the per-command field, which starts after the
>> +     * file in io_kiocb and until the opcode field. The openat2 handling
>> +     * requires copying in user memory into the io_kiocb object in that
>> +     * range, and HARDENED_USERCOPY will complain if we haven't
>> +     * correctly annotated this range.
>> +     */
>> +    req_cachep = kmem_cache_create_usercopy("io_kiocb",
>> +                sizeof(struct io_kiocb), 0,
>> +                SLAB_HWCACHE_ALIGN | SLAB_PANIC |
>> +                SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
>> +                offsetof(struct io_kiocb, cmd.data),
>> +                offsetof(struct io_kiocb, opcode) -
>> +                offsetof(struct io_kiocb, cmd.data), NULL);
> 
> sizeof_field(struct io_kiocb, cmd.data)
> 
> should be less awkward

Ah yes, good point. Updated below:

commit 8c57ecb0f5e58bcff0a8b7e984b77b261440b8c3
Author: Jens Axboe <axboe@kernel.dk>
Date:   Wed Aug 2 14:38:01 2023 -0600

    io_uring: annotate the struct io_kiocb slab for appropriate user copy
    
    When compiling the kernel with clang and having HARDENED_USERCOPY
    enabled, the liburing openat2.t test case fails during request setup:
    
    usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
    ------------[ cut here ]------------
    kernel BUG at mm/usercopy.c:102!
    invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
    CPU: 3 PID: 413 Comm: openat2.t Tainted: G                 N 6.4.3-g6995e2de6891-dirty #19
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
    RIP: 0010:usercopy_abort+0x84/0x90
    Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
    RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
    RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
    RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
    RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
    R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
    R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
    FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
    Call Trace:
     <TASK>
     ? __die_body+0x63/0xb0
     ? die+0x9d/0xc0
     ? do_trap+0xa7/0x180
     ? usercopy_abort+0x84/0x90
     ? do_error_trap+0xc6/0x110
     ? usercopy_abort+0x84/0x90
     ? handle_invalid_op+0x2c/0x40
     ? usercopy_abort+0x84/0x90
     ? exc_invalid_op+0x2f/0x40
     ? asm_exc_invalid_op+0x16/0x20
     ? usercopy_abort+0x84/0x90
     __check_heap_object+0xe2/0x110
     __check_object_size+0x142/0x3d0
     io_openat2_prep+0x68/0x140
     io_submit_sqes+0x28a/0x680
     __se_sys_io_uring_enter+0x120/0x580
     do_syscall_64+0x3d/0x80
     entry_SYSCALL_64_after_hwframe+0x46/0xb0
    RIP: 0033:0x55714834de26
    Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
    RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
    RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
    RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
    RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
    R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
    R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
     </TASK>
    Modules linked in:
    ---[ end trace 0000000000000000 ]---
    
    when it tries to copy struct open_how from userspace into the per-command
    space in the io_kiocb. There's nothing wrong with the copy, but we're
    missing the appropriate annotations for allowing user copies to/from the
    io_kiocb slab.
    
    Allow copies in the per-command area, which is from the 'file' pointer to
    when 'opcode' starts. We do have existing user copies there, but they are
    not all annotated like the one that openat2_prep() uses,
    copy_struct_from_user(). But in practice opcodes should be allowed to
    copy data into their per-command area in the io_kiocb.
    
    Reported-by: Breno Leitao <leitao@debian.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 135da2fd0eda..e70cf5c2dc7f 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4627,8 +4627,19 @@ static int __init io_uring_init(void)
 
 	io_uring_optable_init();
 
-	req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
-				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
+	/*
+	 * Allow user copy in the per-command field, which starts after the
+	 * file in io_kiocb and until the opcode field. The openat2 handling
+	 * requires copying in user memory into the io_kiocb object in that
+	 * range, and HARDENED_USERCOPY will complain if we haven't
+	 * correctly annotated this range.
+	 */
+	req_cachep = kmem_cache_create_usercopy("io_kiocb",
+				sizeof(struct io_kiocb), 0,
+				SLAB_HWCACHE_ALIGN | SLAB_PANIC |
+				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
+				offsetof(struct io_kiocb, cmd.data),
+				sizeof_field(struct io_kiocb, cmd.data), NULL);
 
 #ifdef CONFIG_SYSCTL
 	register_sysctl_init("kernel", kernel_io_uring_disabled_table);
diff mbox series

Patch

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 135da2fd0eda..d8e69461786d 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4627,8 +4627,20 @@  static int __init io_uring_init(void)
 
 	io_uring_optable_init();
 
-	req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
-				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
+	/*
+	 * Allow user copy in the per-command field, which starts after the
+	 * file in io_kiocb and until the opcode field. The openat2 handling
+	 * requires copying in user memory into the io_kiocb object in that
+	 * range, and HARDENED_USERCOPY will complain if we haven't
+	 * correctly annotated this range.
+	 */
+	req_cachep = kmem_cache_create_usercopy("io_kiocb",
+				sizeof(struct io_kiocb), 0,
+				SLAB_HWCACHE_ALIGN | SLAB_PANIC |
+				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
+				offsetof(struct io_kiocb, cmd.data),
+				offsetof(struct io_kiocb, opcode) -
+				offsetof(struct io_kiocb, cmd.data), NULL);
 
 #ifdef CONFIG_SYSCTL
 	register_sysctl_init("kernel", kernel_io_uring_disabled_table);