[3/3] mm/usercopy: Detect compound page overruns

Message ID	20211004224224.4137992-4-willy@infradead.org (mailing list archive)
State	New
Headers	show Return-Path: <SRS0=Fowb=OY=kvack.org=owner-linux-mm@kernel.org> DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 70BB461506 From: "Matthew Wilcox (Oracle)" <willy@infradead.org> To: Kees Cook <keescook@chromium.org> Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>, linux-mm@kvack.org, Thomas Gleixner <tglx@linutronix.de> Subject: [PATCH 3/3] mm/usercopy: Detect compound page overruns Date: Mon, 4 Oct 2021 23:42:23 +0100 Message-Id: <20211004224224.4137992-4-willy@infradead.org> In-Reply-To: <20211004224224.4137992-1-willy@infradead.org> References: <20211004224224.4137992-1-willy@infradead.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	Assorted improvements to usercopy \| expand [0/3] Assorted improvements to usercopy [1/3] mm/usercopy: Check kmap addresses properly [2/3] mm/usercopy: Detect vmalloc overruns [3/3] mm/usercopy: Detect compound page overruns

Message ID

20211004224224.4137992-4-willy@infradead.org (mailing list archive)

State

New

Headers

DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 70BB461506
From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
To: Kees Cook <keescook@chromium.org>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>,
	linux-mm@kvack.org,
	Thomas Gleixner <tglx@linutronix.de>
Subject: [PATCH 3/3] mm/usercopy: Detect compound page overruns
Date: Mon,  4 Oct 2021 23:42:23 +0100
Message-Id: <20211004224224.4137992-4-willy@infradead.org>
In-Reply-To: <20211004224224.4137992-1-willy@infradead.org>
References: <20211004224224.4137992-1-willy@infradead.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

Assorted improvements to usercopy | expand

Commit Message

Matthew Wilcox (Oracle) Oct. 4, 2021, 10:42 p.m. UTC

Move the compound page overrun detection out of
CONFIG_HARDENED_USERCOPY_PAGESPAN so it's enabled for more people.

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
 mm/usercopy.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

Comments

Kees Cook Oct. 5, 2021, 9:26 p.m. UTC | #1

On Mon, Oct 04, 2021 at 11:42:23PM +0100, Matthew Wilcox (Oracle) wrote:
> Move the compound page overrun detection out of
> CONFIG_HARDENED_USERCOPY_PAGESPAN so it's enabled for more people.
> 
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> ---
>  mm/usercopy.c | 9 ++++-----
>  1 file changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 7bfc4f9ed1e4..e395462961d5 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -194,11 +194,6 @@ static inline void check_page_span(const void *ptr, unsigned long n,
>  		   ((unsigned long)end & (unsigned long)PAGE_MASK)))
>  		return;
>  
> -	/* Allow if fully inside the same compound (__GFP_COMP) page. */
> -	endpage = virt_to_head_page(end);
> -	if (likely(endpage == page))
> -		return;
> -
>  	/*
>  	 * Reject if range is entirely either Reserved (i.e. special or
>  	 * device memory), or CMA. Otherwise, reject since the object spans
> @@ -250,6 +245,10 @@ static inline void check_heap_object(const void *ptr, unsigned long n,
>  	if (PageSlab(page)) {
>  		/* Check slab allocator for flags and size. */
>  		__check_heap_object(ptr, n, page, to_user);
> +	} else if (PageHead(page)) {
> +		/* A compound allocation */
> +		if (ptr + n > page_address(page) + page_size(page))
> +			usercopy_abort("page alloc", NULL, to_user, 0, n);

"0" could be "ptr - page_address(page)", I think? With that:

Acked-by: Kees Cook <keescook@chromium.org>

-Kees

>  	} else {
>  		/* Verify object does not incorrectly span multiple pages. */
>  		check_page_span(ptr, n, page, to_user);
> -- 
> 2.32.0
>

Matthew Wilcox (Oracle) Oct. 5, 2021, 10:12 p.m. UTC | #2

On Tue, Oct 05, 2021 at 02:26:37PM -0700, Kees Cook wrote:
> On Mon, Oct 04, 2021 at 11:42:23PM +0100, Matthew Wilcox (Oracle) wrote:
> > +	} else if (PageHead(page)) {
> > +		/* A compound allocation */
> > +		if (ptr + n > page_address(page) + page_size(page))
> > +			usercopy_abort("page alloc", NULL, to_user, 0, n);
> 
> "0" could be "ptr - page_address(page)", I think? With that:
> 
> Acked-by: Kees Cook <keescook@chromium.org>

Right, so that can be:

        } else if (PageHead(page)) {
		/* A compound allocation */
                unsigned long offset = ptr - page_address(page);
                if (offset + n > page_size(page))
                        usercopy_abort("page alloc", NULL, to_user, offset, n);

which saves us calling page_address() twice.  Probably GCC is smart
enough to CSE it anyway, but it also avoids splitting at the 80 column
boundary ;-)

Kees Cook Oct. 5, 2021, 10:55 p.m. UTC | #3

On Tue, Oct 05, 2021 at 11:12:47PM +0100, Matthew Wilcox wrote:
> On Tue, Oct 05, 2021 at 02:26:37PM -0700, Kees Cook wrote:
> > On Mon, Oct 04, 2021 at 11:42:23PM +0100, Matthew Wilcox (Oracle) wrote:
> > > +	} else if (PageHead(page)) {
> > > +		/* A compound allocation */
> > > +		if (ptr + n > page_address(page) + page_size(page))
> > > +			usercopy_abort("page alloc", NULL, to_user, 0, n);
> > 
> > "0" could be "ptr - page_address(page)", I think? With that:
> > 
> > Acked-by: Kees Cook <keescook@chromium.org>
> 
> Right, so that can be:
> 
>         } else if (PageHead(page)) {
> 		/* A compound allocation */
>                 unsigned long offset = ptr - page_address(page);
>                 if (offset + n > page_size(page))
>                         usercopy_abort("page alloc", NULL, to_user, offset, n);
> 
> which saves us calling page_address() twice.  Probably GCC is smart
> enough to CSE it anyway, but it also avoids splitting at the 80 column
> boundary ;-)

Perfect, yes!

diff --git a/mm/usercopy.c b/mm/usercopy.c
index 7bfc4f9ed1e4..e395462961d5 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -194,11 +194,6 @@  static inline void check_page_span(const void *ptr, unsigned long n,
 		   ((unsigned long)end & (unsigned long)PAGE_MASK)))
 		return;
 
-	/* Allow if fully inside the same compound (__GFP_COMP) page. */
-	endpage = virt_to_head_page(end);
-	if (likely(endpage == page))
-		return;
-
 	/*
 	 * Reject if range is entirely either Reserved (i.e. special or
 	 * device memory), or CMA. Otherwise, reject since the object spans
@@ -250,6 +245,10 @@  static inline void check_heap_object(const void *ptr, unsigned long n,
 	if (PageSlab(page)) {
 		/* Check slab allocator for flags and size. */
 		__check_heap_object(ptr, n, page, to_user);
+	} else if (PageHead(page)) {
+		/* A compound allocation */
+		if (ptr + n > page_address(page) + page_size(page))
+			usercopy_abort("page alloc", NULL, to_user, 0, n);
 	} else {
 		/* Verify object does not incorrectly span multiple pages. */
 		check_page_span(ptr, n, page, to_user);

[3/3] mm/usercopy: Detect compound page overruns

Commit Message

Comments

Patch