From patchwork Wed Sep 20 20:45:23 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9962531
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, David Windsor, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Wed, 20 Sep 2017 13:45:23 -0700
Message-Id: <1505940337-79069-18-git-send-email-keescook@chromium.org>
In-Reply-To: <1505940337-79069-1-git-send-email-keescook@chromium.org>
References: <1505940337-79069-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH v3 17/31] scsi: Define usercopy region in scsi_sense_cache slab cache

From: David Windsor

SCSI sense buffers, stored in struct scsi_cmnd.sense and therefore
contained in the scsi_sense_cache slab cache, need to be copied to/from
userspace.

cache object allocation:
    drivers/scsi/scsi_lib.c:
        scsi_select_sense_cache(...):
            return ... ? scsi_sense_isadma_cache : scsi_sense_cache

        scsi_alloc_sense_buffer(...):
            return kmem_cache_alloc_node(scsi_select_sense_cache(), ...);

        scsi_init_request(...):
            ...
            cmd->sense_buffer = scsi_alloc_sense_buffer(...);
            ...
            cmd->req.sense = cmd->sense_buffer

example usage trace:
    block/scsi_ioctl.c:
        (inline from sg_io)
        blk_complete_sghdr_rq(...):
            struct scsi_request *req = scsi_req(rq);
            ...
            copy_to_user(..., req->sense, len)

        scsi_cmd_ioctl(...):
            sg_io(...);

In support of usercopy hardening, this patch defines a region in
the scsi_sense_cache slab cache in which userspace copy operations
are allowed.

This region is known as the slab cache's usercopy region. Slab
caches can now check that each copy operation involving cache-managed
memory falls entirely within the slab's usercopy region.

Signed-off-by: David Windsor
[kees: adjust commit log, provide usage trace]
Cc: "James E.J. Bottomley"
Cc: "Martin K. Petersen"
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Kees Cook
---
 drivers/scsi/scsi_lib.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c index 9cf6a80fe297..88bfab251693 100644 --- a/drivers/scsi/scsi_lib.c +++ b/drivers/scsi/scsi_lib.c
@@ -79,14 +79,15 @@ int scsi_init_sense_cache(struct Scsi_Host *shost) if (shost->unchecked_isa_dma) { scsi_sense_isadma_cache = kmem_cache_create("scsi_sense_cache(DMA)", - SCSI_SENSE_BUFFERSIZE, 0, - SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL); + SCSI_SENSE_BUFFERSIZE, 0, + SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA, NULL); if (!scsi_sense_isadma_cache) ret = -ENOMEM; } else { scsi_sense_cache = - kmem_cache_create("scsi_sense_cache", - SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, NULL); + kmem_cache_create_usercopy("scsi_sense_cache", + SCSI_SENSE_BUFFERSIZE, 0, SLAB_HWCACHE_ALIGN, + 0, SCSI_SENSE_BUFFERSIZE, NULL); if (!scsi_sense_cache) ret = -ENOMEM; }
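
Review bot: the shost->unchecked_isa_dma branch still creates scsi_sense_isadma_cache with plain kmem_cache_create(); the only change to that call is the indentation of its arguments, so the DMA cache gets no usercopy region. The commit log's allocation trace shows scsi_select_sense_cache() can return either cache, and the buffer it hands out is the one that reaches copy_to_user(..., req->sense, len), so on ISA-DMA hosts a sense buffer copy would not fall inside any whitelisted region once the check is enforced. Suggest converting that call to kmem_cache_create_usercopy() with the same 0, SCSI_SENSE_BUFFERSIZE offset and size, or saying in the log why the DMA cache is deliberately excluded. The whitespace-only reindent of the DMA call is also unrelated to the stated purpose and would be cleaner as a separate change.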