| Message ID | 20210401221320.2717732-4-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | sysfs: Unconditionally use vmalloc for buffer | expand |
On Thu, Apr 01, 2021 at 03:13:20PM -0700, Kees Cook wrote: > The sysfs interface to seq_file continues to be rather fragile > (seq_get_buf() should not be used outside of seq_file), as seen with > some recent exploits[1]. Move the seq_file buffer to the vmap area > (while retaining the accounting flag), since it has guard pages that will > catch and stop linear overflows. This seems justified given that sysfs's > use of seq_file almost always already uses PAGE_SIZE allocations, has > normally short-lived allocations, and is not normally on a performance > critical path. This looks completely weird to me. In the end sysfs uses nothing of the seq_file infrastructure, so why do we even pretend to use it? Just switch sysfs_file_kfops_ro and sysfs_file_kfops_rw from using ->seq_show to ->read and do the vmalloc there instead of pretending this is a seq_file. > Once seq_get_buf() has been removed (and all sysfs callbacks using > seq_file directly), this change can also be removed. And with sysfs out of the way I think kiling off the other few users should be pretty easy as well.
On Fri, Apr 02, 2021 at 08:32:21AM +0200, Christoph Hellwig wrote: > On Thu, Apr 01, 2021 at 03:13:20PM -0700, Kees Cook wrote: > > The sysfs interface to seq_file continues to be rather fragile > > (seq_get_buf() should not be used outside of seq_file), as seen with > > some recent exploits[1]. Move the seq_file buffer to the vmap area > > (while retaining the accounting flag), since it has guard pages that will > > catch and stop linear overflows. This seems justified given that sysfs's > > use of seq_file almost always already uses PAGE_SIZE allocations, has > > normally short-lived allocations, and is not normally on a performance > > critical path. > > This looks completely weird to me. In the end sysfs uses nothing > of the seq_file infrastructure, so why do we even pretend to use it? > Just switch sysfs_file_kfops_ro and sysfs_file_kfops_rw from using > ->seq_show to ->read and do the vmalloc there instead of pretending > this is a seq_file. As far as I can tell it's a result of kernfs using seq_file, but sysfs never converted all its callbacks to use seq_file. > > Once seq_get_buf() has been removed (and all sysfs callbacks using > > seq_file directly), this change can also be removed. > > And with sysfs out of the way I think kiling off the other few users > should be pretty easy as well. Let me look at switching to "read" ... it is a twisty maze. :)
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c index 9aefa7779b29..351ff75a97b1 100644 --- a/fs/sysfs/file.c +++ b/fs/sysfs/file.c @@ -16,6 +16,7 @@ #include <linux/mutex.h> #include <linux/seq_file.h> #include <linux/mm.h> +#include <linux/vmalloc.h> #include "sysfs.h" @@ -32,6 +33,31 @@ static const struct sysfs_ops *sysfs_file_ops(struct kernfs_node *kn) return kobj->ktype ? kobj->ktype->sysfs_ops : NULL; } +/* + * To be proactively defensive against sysfs show() handlers that do not + * correctly stay within their PAGE_SIZE buffer, use the vmap area to gain + * the trailing guard page which will stop linear buffer overflows. + */ +static void *sysfs_kf_seq_start(struct seq_file *sf, loff_t *ppos) +{ + struct kernfs_open_file *of = sf->private; + struct kernfs_node *kn = of->kn; + + WARN_ON_ONCE(sf->buf); + sf->buf = __vmalloc(kn->attr.size, GFP_KERNEL_ACCOUNT); + if (!sf->buf) + return ERR_PTR(-ENOMEM); + sf->size = kn->attr.size; + + /* + * Use the same behavior and code as single_open(): continue + * if pos is at the beginning; otherwise, NULL. + */ + if (*ppos) + return NULL; + return SEQ_OPEN_SINGLE; +} + /* * Reads on sysfs are handled through seq_file, which takes care of hairy * details like buffering and seeking. The following function pipes @@ -206,14 +232,17 @@ static const struct kernfs_ops sysfs_file_kfops_empty = { }; static const struct kernfs_ops sysfs_file_kfops_ro = { + .seq_start = sysfs_kf_seq_start, .seq_show = sysfs_kf_seq_show, }; static const struct kernfs_ops sysfs_file_kfops_wo = { + .seq_start = sysfs_kf_seq_start, .write = sysfs_kf_write, }; static const struct kernfs_ops sysfs_file_kfops_rw = { + .seq_start = sysfs_kf_seq_start, .seq_show = sysfs_kf_seq_show, .write = sysfs_kf_write, };
The sysfs interface to seq_file continues to be rather fragile (seq_get_buf() should not be used outside of seq_file), as seen with some recent exploits[1]. Move the seq_file buffer to the vmap area (while retaining the accounting flag), since it has guard pages that will catch and stop linear overflows. This seems justified given that sysfs's use of seq_file almost always already uses PAGE_SIZE allocations, has normally short-lived allocations, and is not normally on a performance critical path. Once seq_get_buf() has been removed (and all sysfs callbacks using seq_file directly), this change can also be removed. [1] https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html Signed-off-by: Kees Cook <keescook@chromium.org> --- fs/sysfs/file.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)