From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
David Windsor <dave@nullcore.net>,
linux-xfs@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v2 15/30] xfs: Define usercopy region in xfs_inode slab cache
Date: Mon, 28 Aug 2017 21:47:07 -0700 [thread overview]
Message-ID: <20170829044707.GP4757@magnolia> (raw)
In-Reply-To: <CAGXu5j+pvxRjASUuBE49+uH34Mw26a4mtcWrZd=CEqcRHjetvA@mail.gmail.com>
On Mon, Aug 28, 2017 at 02:57:14PM -0700, Kees Cook wrote:
> On Mon, Aug 28, 2017 at 2:49 PM, Darrick J. Wong
> <darrick.wong@oracle.com> wrote:
> > On Mon, Aug 28, 2017 at 02:34:56PM -0700, Kees Cook wrote:
> >> From: David Windsor <dave@nullcore.net>
> >>
> >> The XFS inline inode data, stored in struct xfs_inode_t field
> >> i_df.if_u2.if_inline_data and therefore contained in the xfs_inode slab
> >> cache, needs to be copied to/from userspace.
> >>
> >> cache object allocation:
> >> fs/xfs/xfs_icache.c:
> >> xfs_inode_alloc(...):
> >> ...
> >> ip = kmem_zone_alloc(xfs_inode_zone, KM_SLEEP);
> >>
> >> fs/xfs/libxfs/xfs_inode_fork.c:
> >> xfs_init_local_fork(...):
> >> ...
> >> if (mem_size <= sizeof(ifp->if_u2.if_inline_data))
> >> ifp->if_u1.if_data = ifp->if_u2.if_inline_data;
> >
> > Hmm, what happens when mem_size > sizeof(if_inline_data)? A slab object
> > will be allocated for ifp->if_u1.if_data which can then be used for
> > readlink in the same manner as the example usage trace below. Does
> > that allocated object have a need for a usercopy annotation like
> > the one we're adding for if_inline_data? Or is that already covered
> > elsewhere?
>
> Yeah, the xfs helper kmem_alloc() is used in the other case, which
> ultimately boils down to a call to kmalloc(), which is entirely
> whitelisted by an earlier patch in the series:
>
> https://lkml.org/lkml/2017/8/28/1026
Ah. It would've been helpful to have the first three patches cc'd to
the xfs list. So basically this series establishes the ability to set
regions within a slab object into which copy_to_user can copy memory
contents, and vice versa. Have you seen any runtime performance impact?
The overhead looks like it ought to be minimal.
> (It's possible that at some future time we can start segregating
> kernel-only kmallocs from usercopy-able kmallocs, but for now, there
> are no plans for this.)
A pity. It would be interesting to create no-usercopy versions of the
kmalloc-* slabs and see how much of XFS' memory consumption never
touches userspace buffers. :)
--D
>
> -Kees
>
> --
> Kees Cook
> Pixel Security
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
David Windsor <dave@nullcore.net>,
linux-xfs@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v2 15/30] xfs: Define usercopy region in xfs_inode slab cache
Date: Mon, 28 Aug 2017 21:47:07 -0700 [thread overview]
Message-ID: <20170829044707.GP4757@magnolia> (raw)
In-Reply-To: <CAGXu5j+pvxRjASUuBE49+uH34Mw26a4mtcWrZd=CEqcRHjetvA@mail.gmail.com>
On Mon, Aug 28, 2017 at 02:57:14PM -0700, Kees Cook wrote:
> On Mon, Aug 28, 2017 at 2:49 PM, Darrick J. Wong
> <darrick.wong@oracle.com> wrote:
> > On Mon, Aug 28, 2017 at 02:34:56PM -0700, Kees Cook wrote:
> >> From: David Windsor <dave@nullcore.net>
> >>
> >> The XFS inline inode data, stored in struct xfs_inode_t field
> >> i_df.if_u2.if_inline_data and therefore contained in the xfs_inode slab
> >> cache, needs to be copied to/from userspace.
> >>
> >> cache object allocation:
> >> fs/xfs/xfs_icache.c:
> >> xfs_inode_alloc(...):
> >> ...
> >> ip = kmem_zone_alloc(xfs_inode_zone, KM_SLEEP);
> >>
> >> fs/xfs/libxfs/xfs_inode_fork.c:
> >> xfs_init_local_fork(...):
> >> ...
> >> if (mem_size <= sizeof(ifp->if_u2.if_inline_data))
> >> ifp->if_u1.if_data = ifp->if_u2.if_inline_data;
> >
> > Hmm, what happens when mem_size > sizeof(if_inline_data)? A slab object
> > will be allocated for ifp->if_u1.if_data which can then be used for
> > readlink in the same manner as the example usage trace below. Does
> > that allocated object have a need for a usercopy annotation like
> > the one we're adding for if_inline_data? Or is that already covered
> > elsewhere?
>
> Yeah, the xfs helper kmem_alloc() is used in the other case, which
> ultimately boils down to a call to kmalloc(), which is entirely
> whitelisted by an earlier patch in the series:
>
> https://lkml.org/lkml/2017/8/28/1026
Ah. It would've been helpful to have the first three patches cc'd to
the xfs list. So basically this series establishes the ability to set
regions within a slab object into which copy_to_user can copy memory
contents, and vice versa. Have you seen any runtime performance impact?
The overhead looks like it ought to be minimal.
> (It's possible that at some future time we can start segregating
> kernel-only kmallocs from usercopy-able kmallocs, but for now, there
> are no plans for this.)
A pity. It would be interesting to create no-usercopy versions of the
kmalloc-* slabs and see how much of XFS' memory consumption never
touches userspace buffers. :)
--D
>
> -Kees
>
> --
> Kees Cook
> Pixel Security
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
David Windsor <dave@nullcore.net>,
linux-xfs@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v2 15/30] xfs: Define usercopy region in xfs_inode slab cache
Date: Mon, 28 Aug 2017 21:47:07 -0700 [thread overview]
Message-ID: <20170829044707.GP4757@magnolia> (raw)
In-Reply-To: <CAGXu5j+pvxRjASUuBE49+uH34Mw26a4mtcWrZd=CEqcRHjetvA@mail.gmail.com>
On Mon, Aug 28, 2017 at 02:57:14PM -0700, Kees Cook wrote:
> On Mon, Aug 28, 2017 at 2:49 PM, Darrick J. Wong
> <darrick.wong@oracle.com> wrote:
> > On Mon, Aug 28, 2017 at 02:34:56PM -0700, Kees Cook wrote:
> >> From: David Windsor <dave@nullcore.net>
> >>
> >> The XFS inline inode data, stored in struct xfs_inode_t field
> >> i_df.if_u2.if_inline_data and therefore contained in the xfs_inode slab
> >> cache, needs to be copied to/from userspace.
> >>
> >> cache object allocation:
> >> fs/xfs/xfs_icache.c:
> >> xfs_inode_alloc(...):
> >> ...
> >> ip = kmem_zone_alloc(xfs_inode_zone, KM_SLEEP);
> >>
> >> fs/xfs/libxfs/xfs_inode_fork.c:
> >> xfs_init_local_fork(...):
> >> ...
> >> if (mem_size <= sizeof(ifp->if_u2.if_inline_data))
> >> ifp->if_u1.if_data = ifp->if_u2.if_inline_data;
> >
> > Hmm, what happens when mem_size > sizeof(if_inline_data)? A slab object
> > will be allocated for ifp->if_u1.if_data which can then be used for
> > readlink in the same manner as the example usage trace below. Does
> > that allocated object have a need for a usercopy annotation like
> > the one we're adding for if_inline_data? Or is that already covered
> > elsewhere?
>
> Yeah, the xfs helper kmem_alloc() is used in the other case, which
> ultimately boils down to a call to kmalloc(), which is entirely
> whitelisted by an earlier patch in the series:
>
> https://lkml.org/lkml/2017/8/28/1026
Ah. It would've been helpful to have the first three patches cc'd to
the xfs list. So basically this series establishes the ability to set
regions within a slab object into which copy_to_user can copy memory
contents, and vice versa. Have you seen any runtime performance impact?
The overhead looks like it ought to be minimal.
> (It's possible that at some future time we can start segregating
> kernel-only kmallocs from usercopy-able kmallocs, but for now, there
> are no plans for this.)
A pity. It would be interesting to create no-usercopy versions of the
kmalloc-* slabs and see how much of XFS' memory consumption never
touches userspace buffers. :)
--D
>
> -Kees
>
> --
> Kees Cook
> Pixel Security
> --
> To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-08-29 4:47 UTC|newest]
Thread overview: 163+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-28 21:34 [kernel-hardening] [PATCH v2 00/30] Hardened usercopy whitelisting Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 01/30] usercopy: Prepare for " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 02/30] usercopy: Enforce slab cache usercopy region boundaries Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 03/30] usercopy: Mark kmalloc caches as usercopy caches Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 04/30] dcache: Define usercopy region in dentry_cache slab cache Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 05/30] vfs: Define usercopy region in names_cache slab caches Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 06/30] vfs: Copy struct mount.mnt_id to userspace using put_user() Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 07/30] ext4: Define usercopy region in ext4_inode_cache slab cache Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 08/30] ext2: Define usercopy region in ext2_inode_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-30 11:22 ` [kernel-hardening] " Jan Kara
2017-08-30 11:22 ` Jan Kara
2017-08-30 11:22 ` Jan Kara
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 09/30] jfs: Define usercopy region in jfs_ip " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 10/30] befs: Define usercopy region in befs_inode_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-29 10:12 ` [kernel-hardening] " Luis de Bethencourt
2017-08-29 10:12 ` Luis de Bethencourt
2017-08-29 10:12 ` Luis de Bethencourt
2017-08-29 15:36 ` [kernel-hardening] " Kees Cook
2017-08-29 15:36 ` Kees Cook
2017-08-29 15:36 ` Kees Cook
2017-08-29 17:10 ` [kernel-hardening] " Luis de Bethencourt
2017-08-29 17:10 ` Luis de Bethencourt
2017-08-29 17:10 ` Luis de Bethencourt
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 11/30] exofs: Define usercopy region in exofs_inode_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 12/30] orangefs: Define usercopy region in orangefs_inode_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 13/30] ufs: Define usercopy region in ufs_inode_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 14/30] vxfs: Define usercopy region in vxfs_inode " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 15/30] xfs: Define usercopy region in xfs_inode " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:49 ` [kernel-hardening] " Darrick J. Wong
2017-08-28 21:49 ` Darrick J. Wong
2017-08-28 21:49 ` Darrick J. Wong
2017-08-28 21:57 ` [kernel-hardening] " Kees Cook
2017-08-28 21:57 ` Kees Cook
2017-08-28 21:57 ` Kees Cook
2017-08-29 4:47 ` Darrick J. Wong [this message]
2017-08-29 4:47 ` Darrick J. Wong
2017-08-29 4:47 ` Darrick J. Wong
2017-08-29 18:48 ` [kernel-hardening] " Kees Cook
2017-08-29 18:48 ` Kees Cook
2017-08-29 18:48 ` Kees Cook
2017-08-29 19:00 ` [kernel-hardening] " Darrick J. Wong
2017-08-29 19:00 ` Darrick J. Wong
2017-08-29 19:00 ` Darrick J. Wong
2017-08-29 22:15 ` [kernel-hardening] " Dave Chinner
2017-08-29 22:15 ` Dave Chinner
2017-08-29 22:15 ` Dave Chinner
2017-08-29 22:25 ` [kernel-hardening] " Kees Cook
2017-08-29 22:25 ` Kees Cook
2017-08-29 22:25 ` Kees Cook
2017-08-29 8:14 ` [kernel-hardening] " Christoph Hellwig
2017-08-29 8:14 ` Christoph Hellwig
2017-08-29 8:14 ` Christoph Hellwig
2017-08-29 12:31 ` [kernel-hardening] " Dave Chinner
2017-08-29 12:31 ` Dave Chinner
2017-08-29 12:31 ` Dave Chinner
2017-08-29 12:45 ` [kernel-hardening] " Christoph Hellwig
2017-08-29 12:45 ` Christoph Hellwig
2017-08-29 12:45 ` Christoph Hellwig
2017-08-29 21:51 ` [kernel-hardening] " Dave Chinner
2017-08-29 21:51 ` Dave Chinner
2017-08-29 21:51 ` Dave Chinner
2017-08-30 7:14 ` [kernel-hardening] " Christoph Hellwig
2017-08-30 7:14 ` Christoph Hellwig
2017-08-30 7:14 ` Christoph Hellwig
2017-08-30 8:05 ` [kernel-hardening] " Dave Chinner
2017-08-30 8:05 ` Dave Chinner
2017-08-30 8:05 ` Dave Chinner
2017-08-30 8:33 ` [kernel-hardening] " Christoph Hellwig
2017-08-30 8:33 ` Christoph Hellwig
2017-08-30 8:33 ` Christoph Hellwig
2017-08-29 18:55 ` [kernel-hardening] " Kees Cook
2017-08-29 18:55 ` Kees Cook
2017-08-29 18:55 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 16/30] cifs: Define usercopy region in cifs_request " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 17/30] scsi: Define usercopy region in scsi_sense_cache " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:42 ` [kernel-hardening] " Bart Van Assche
2017-08-28 21:42 ` Bart Van Assche
2017-08-28 21:52 ` [kernel-hardening] " Kees Cook
2017-08-28 21:52 ` Kees Cook
2017-08-28 21:52 ` Kees Cook
2017-08-28 21:34 ` [kernel-hardening] [PATCH v2 18/30] net: Define usercopy region in struct proto " Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:34 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 19/30] ip: Define usercopy region in IP " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 20/30] caif: Define usercopy region in caif " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 21/30] sctp: Define usercopy region in SCTP " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 22/30] sctp: Copy struct sctp_sock.autoclose to userspace using put_user() Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 23/30] net: Restrict unwhitelisted proto caches to size 0 Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 24/30] fork: Define usercopy region in mm_struct slab caches Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-30 19:29 ` [kernel-hardening] " Rik van Riel
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 25/30] fork: Define usercopy region in thread_stack " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-30 18:55 ` [kernel-hardening] " Rik van Riel
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 26/30] fork: Provide usercopy whitelisting for task_struct Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-30 18:55 ` [kernel-hardening] " Rik van Riel
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 27/30] x86: Implement thread_struct whitelist for hardened usercopy Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-30 18:55 ` [kernel-hardening] " Rik van Riel
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 28/30] arm64: " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 29/30] arm: " Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` [kernel-hardening] [PATCH v2 30/30] usercopy: Restrict non-usercopy caches to size 0 Kees Cook
2017-08-28 21:35 ` Kees Cook
2017-08-28 21:35 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170829044707.GP4757@magnolia \
--to=darrick.wong@oracle.com \
--cc=dave@nullcore.net \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.