From patchwork Thu Jun 9 23:37:14 2016
X-Patchwork-Submitter: Rik van Riel
X-Patchwork-Id: 9168597
Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm
Reply-To: kernel-hardening@lists.openwall.com
Delivered-To: mailing list kernel-hardening@lists.openwall.com
Date: Thu, 9 Jun 2016 19:37:14 -0400
From: Rik van Riel
To: Kees Cook
Cc: kernel-hardening@lists.openwall.com, Brad Spengler, PaX Team, Casey Schaufler, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Andrew Morton
Message-ID: <20160609193714.0f302022@annuminas.surriel.com>
In-Reply-To: <1465420302-23754-3-git-send-email-keescook@chromium.org>
References: <1465420302-23754-1-git-send-email-keescook@chromium.org> <1465420302-23754-3-git-send-email-keescook@chromium.org>
Organization: Red Hat, Inc.
Subject: [kernel-hardening] Re: [PATCH v2 2/4] usercopy: avoid direct copying to userspace

On Wed, 8 Jun 2016 14:11:40 -0700 Kees Cook wrote:
> Some non-whitelisted heap memory has small areas that need to be copied
> to userspace. For these cases, explicitly copy the needed contents out
> to stack first before sending to userspace. This lets their respective
> caches remain un-whitelisted (i.e. no SLAB_USERCOPY), since the bulk of
> their contents should not be exposed to userspace.
>
> These changes, based on code by Brad Spengler and PaX Team, were extracted
> from grsecurity/PaX on a case-by-case basis as I ran into errors during
> testing of CONFIG_HARDENED_USERCOPY_WHITELIST:

You will want this bit as well. It is an adaptation, with a slight change after digging through XFS code for an hour and a half or so, of code originally from grsecurity.

With this change, my system boots a usercopy kernel without any visible issues.

---8<---
Subject: mm,xfs: bounce buffer the file name in xfs_dir2_sf_getdents

"Short form" directories in XFS have the directory content inside the in-memory inode, or other kernel memory. The directory contents can be in the same slab object as other, more sensitive, contents.
Instead of marking the xfs_inode slab accessible to copy_from_user and copy_to_user, bounce buffer the file name when doing getdents on a short form directory.

This only affects short form directories, which will have a very small number of entries. Large directories use different code.

Adapted from the grsecurity patch set. Thanks go out to pipacs and spender.

Signed-off-by: Rik van Riel
---
 fs/xfs/xfs_dir2_readdir.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c index f44f79996978..bc6c78cbe4c6 100644 --- a/fs/xfs/xfs_dir2_readdir.c +++ b/fs/xfs/xfs_dir2_readdir.c @@ -127,6 +127,7 @@ xfs_dir2_sf_getdents( */ sfep = xfs_dir2_sf_firstentry(sfp); for (i = 0; i < sfp->count; i++) { + char name[sfep->namelen]; __uint8_t filetype; off = xfs_dir2_db_off_to_dataptr(geo, geo->datablk, @@ -140,7 +141,14 @@ xfs_dir2_sf_getdents( ino = dp->d_ops->sf_get_ino(sfp, sfep); filetype = dp->d_ops->sf_get_ftype(sfep); ctx->pos = off & 0x7fffffff; - if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino, + /* + * Short form directories have the file name stored in + * memory that is not directly accessible to copy_to_user. + * Bounce buffer the name, instead of potentially making + * the other data accessible. + */ + memcpy(name, sfep->name, sfep->namelen); + if (!dir_emit(ctx, name, sfep->namelen, ino, xfs_dir3_get_dtype(dp->i_mount, filetype))) return 0; sfep = dp->d_ops->sf_nextentry(sfp, sfep);
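Review bot: `char name[sfep->namelen];` in the first hunk (the @@ -127 hunk) is a variable-length array on the kernel stack whose size is taken from on-disk directory metadata. The short-form entry stores namelen as a single byte, so the allocation is bounded at 255 bytes, but VLAs are discouraged in kernel code because the stack usage cannot be checked at build time, and a zero namelen in a corrupt entry would declare a zero-sized array. Suggest a fixed-size buffer declared once at function scope, for example `char name[256];` (XFS's MAXNAMELEN if it is in scope here), with the memcpy still bounded by sfep->namelen; that also keeps the declaration out of the loop body.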
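Review bot: the block comment in the second hunk (the @@ -140 hunk) explains the copy in terms of copy_to_user not being able to reach the name, but the actual reason is the hardened-usercopy whitelist the commit message describes: the xfs_inode slab deliberately stays without SLAB_USERCOPY, so a direct copy from inside it is rejected under CONFIG_HARDENED_USERCOPY_WHITELIST. Naming that config option in the comment would tell a later reader why an otherwise redundant memcpy exists and stop it from being removed as a cleanup. It is also worth stating beside the memcpy that `name` is intentionally not NUL-terminated: dir_emit receives sfep->namelen explicitly, so no terminator is needed and the buffer does not have to be one byte larger than namelen.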