From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>, Breno Leitao <leitao@debian.org>,
	Sasha Levin <sashal@kernel.org>,
	keescook@chromium.org, nathan@kernel.org,
	ndesaulniers@google.com, io-uring@vger.kernel.org,
	linux-hardening@vger.kernel.org, llvm@lists.linux.dev
Subject: [PATCH AUTOSEL 6.5 27/36] io_uring: annotate the struct io_kiocb slab for appropriate user copy
Date: Fri,  8 Sep 2023 15:28:38 -0400	[thread overview]
Message-ID: <20230908192848.3462476-27-sashal@kernel.org> (raw)
In-Reply-To: <20230908192848.3462476-1-sashal@kernel.org>

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit b97f96e22f051d59d07a527dbd7d90408b661ca8 ]

When compiling the kernel with clang and having HARDENED_USERCOPY
enabled, the liburing openat2.t test case fails during request setup:

usercopy: Kernel memory overwrite attempt detected to SLUB object 'io_kiocb' (offset 24, size 24)!
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:102!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 3 PID: 413 Comm: openat2.t Tainted: G                 N 6.4.3-g6995e2de6891-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014
RIP: 0010:usercopy_abort+0x84/0x90
Code: ce 49 89 ce 48 c7 c3 68 48 98 82 48 0f 44 de 48 c7 c7 56 c6 94 82 4c 89 de 48 89 c1 41 52 41 56 53 e8 e0 51 c5 00 48 83 c4 18 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 41 57 41 56
RSP: 0018:ffffc900016b3da0 EFLAGS: 00010296
RAX: 0000000000000062 RBX: ffffffff82984868 RCX: 4e9b661ac6275b00
RDX: ffff8881b90ec580 RSI: ffffffff82949a64 RDI: 00000000ffffffff
RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc900016b3c88 R11: ffffc900016b3c30 R12: 00007ffe549659e0
R13: ffff888119014000 R14: 0000000000000018 R15: 0000000000000018
FS:  00007f862e3ca680(0000) GS:ffff8881b90c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005571483542a8 CR3: 0000000118c11000 CR4: 00000000003506e0
Call Trace:
 <TASK>
 ? __die_body+0x63/0xb0
 ? die+0x9d/0xc0
 ? do_trap+0xa7/0x180
 ? usercopy_abort+0x84/0x90
 ? do_error_trap+0xc6/0x110
 ? usercopy_abort+0x84/0x90
 ? handle_invalid_op+0x2c/0x40
 ? usercopy_abort+0x84/0x90
 ? exc_invalid_op+0x2f/0x40
 ? asm_exc_invalid_op+0x16/0x20
 ? usercopy_abort+0x84/0x90
 __check_heap_object+0xe2/0x110
 __check_object_size+0x142/0x3d0
 io_openat2_prep+0x68/0x140
 io_submit_sqes+0x28a/0x680
 __se_sys_io_uring_enter+0x120/0x580
 do_syscall_64+0x3d/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x55714834de26
Code: ca 01 0f b6 82 d0 00 00 00 8b ba cc 00 00 00 45 31 c0 31 d2 41 b9 08 00 00 00 83 e0 01 c1 e0 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 66 0f 1f 84 00 00 00 00 00 89 30 eb 89 0f 1f 40 00 8b 00 a8 06
RSP: 002b:00007ffe549659c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
RAX: ffffffffffffffda RBX: 00007ffe54965a50 RCX: 000055714834de26
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: 0000000000000246 R12: 000055714834f057
R13: 00007ffe54965a50 R14: 0000000000000001 R15: 0000557148351dd8
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

when it tries to copy struct open_how from userspace into the per-command
space in the io_kiocb. There's nothing wrong with the copy, but we're
missing the appropriate annotations for allowing user copies to/from the
io_kiocb slab.

Allow copies in the per-command area, which is from the 'file' pointer to
when 'opcode' starts. We do have existing user copies there, but they are
not all annotated like the one that openat2_prep() uses,
copy_struct_from_user(). But in practice opcodes should be allowed to
copy data into their per-command area in the io_kiocb.

Reported-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 93db3e4e7b688..5006b14f97e1e 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4615,8 +4615,20 @@ static int __init io_uring_init(void)
 
 	io_uring_optable_init();
 
-	req_cachep = KMEM_CACHE(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC |
-				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU);
+	/*
+	 * Allow user copy in the per-command field, which starts after the
+	 * file in io_kiocb and until the opcode field. The openat2 handling
+	 * requires copying in user memory into the io_kiocb object in that
+	 * range, and HARDENED_USERCOPY will complain if we haven't
+	 * correctly annotated this range.
+	 */
+	req_cachep = kmem_cache_create_usercopy("io_kiocb",
+				sizeof(struct io_kiocb), 0,
+				SLAB_HWCACHE_ALIGN | SLAB_PANIC |
+				SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU,
+				offsetof(struct io_kiocb, cmd.data),
+				sizeof_field(struct io_kiocb, cmd.data), NULL);
+
 	return 0;
 };
 __initcall(io_uring_init);
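Review bot: the align argument in the new kmem_cache_create_usercopy() call is 0 while the removed KMEM_CACHE() form carried the struct's own alignment; SLAB_HWCACHE_ALIGN is still set, so the object layout should not change, but the shorter KMEM_CACHE_USERCOPY(io_kiocb, SLAB_HWCACHE_ALIGN | SLAB_PANIC | SLAB_ACCOUNT | SLAB_TYPESAFE_BY_RCU, cmd.data) expresses the same whitelist without open-coding the "io_kiocb" name, sizeof and the offsetof/sizeof_field pair. The whitelisted region is all of cmd.data, wider than the 24-byte struct open_how copy in the splat; since the intent stated in the changelog is that every opcode may copy into its per-command area, the comment would read better saying that directly instead of naming only the openat2 case.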
-- 
2.40.1
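As an added illustration of the check the changelog describes (example code, not part of this patch or of the kernel source): a userspace model of the HARDENED_USERCOPY slab whitelist, applied to a hypothetical struct io_kiocb_model whose field sizes are assumed, and exercised with the 24-byte copy at object offset 24 that the splat reports, before and after the cmd.data annotation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define sizeof_field(TYPE, MEMBER) sizeof(((TYPE *)0)->MEMBER)

/* Hypothetical stand-in for io_kiocb: 'file' shares a union with the
 * per-command area 'cmd' and 'opcode' follows it; sizes are assumed. */
struct io_cmd_data { void *file; unsigned char data[56]; };
struct io_kiocb_model {
	union { void *file; struct io_cmd_data cmd; };
	unsigned char opcode;
};

/* What kmem_cache_create_usercopy() records: the one region of each object
 * that copy_from_user()/copy_to_user() may touch (usersize 0: none at all). */
struct usercopy_region { size_t useroffset, usersize; };

/* Model of the HARDENED_USERCOPY slab check: n bytes at 'offset' inside the
 * object are allowed only if the whole range lies within the region. */
static bool usercopy_allowed(struct usercopy_region r, size_t offset, size_t n)
{
	if (r.usersize == 0)                /* KMEM_CACHE(): nothing whitelisted */
		return false;
	if (offset < r.useroffset)
		return false;
	size_t rel = offset - r.useroffset;
	return rel <= r.usersize && n <= r.usersize - rel;  /* no size_t underflow */
}

/* annotated=false models the old KMEM_CACHE() cache, annotated=true the
 * patch's whitelist of cmd.data built with offsetof()/sizeof_field(). */
static bool io_kiocb_copy_allowed(bool annotated, size_t offset, size_t n)
{
	struct usercopy_region r = { 0, 0 };
	if (annotated) {
		r.useroffset = offsetof(struct io_kiocb_model, cmd.data);
		r.usersize = sizeof_field(struct io_kiocb_model, cmd.data);
	}
	return usercopy_allowed(r, offset, n);
}

int main(void)
{
	/* The splat's copy: struct open_how, 24 bytes at object offset 24. */
	printf("open_how copy, unannotated cache: %s\n",
	       io_kiocb_copy_allowed(false, 24, 24) ? "ok" : "usercopy abort");
	printf("open_how copy, annotated cache:   %s\n",
	       io_kiocb_copy_allowed(true, 24, 24) ? "ok" : "usercopy abort");
	printf("48-byte copy reaching 'opcode':   %s\n",
	       io_kiocb_copy_allowed(true, 24, 48) ? "ok" : "usercopy abort");
	return 0;
}
```

The last case shows that the annotation is not a blanket exemption: a copy that would run past cmd.data into 'opcode' is still rejected.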

