From: Kees Cook <keescook@chromium.org>
To: Laura Abbott <labbott@redhat.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
David Windsor <dave@nullcore.net>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>,
linux-sctp@vger.kernel.org,
Network Development <netdev@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Christoph Lameter <cl@linux.com>,
Mark Rutland <mark.rutland@arm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Christoffer Dall <christoffer.dall@linaro.org>,
Dave Kleikamp <dave.kleikamp@oracle.com>, Jan Kara <jack@suse.cz>,
Luis de Bethencourt <luisbg@kernel.org>,
Marc Zyngier <marc.zyngier@arm.com>,
Rik
Subject: Re: [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
Date: Thu, 18 Jan 2018 13:36:03 -0800 [thread overview]
Message-ID: <CAGXu5jK_VyEM4-MaQ53o2AS8NNiTyR8X5LUrbwd=KcDWfKhGTg@mail.gmail.com> (raw)
In-Reply-To: <19a7add8-adaf-4ad4-6ae3-4a62967656b9@redhat.com>
On Thu, Jan 18, 2018 at 1:31 PM, Laura Abbott <labbott@redhat.com> wrote:
> On 01/10/2018 06:02 PM, Kees Cook wrote:
>>
>> From: David Windsor <dave@nullcore.net>
>>
>> The autoclose field can be copied with put_user(), so there is no need to
>> use copy_to_user(). In both cases, hardened usercopy is being bypassed
>> since the size is constant, and not open to runtime manipulation.
>>
>> This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
>> whitelisting code in the last public patch of grsecurity/PaX based on my
>> understanding of the code. Changes or omissions from the original code are
>> mine and don't reflect the original grsecurity/PaX code.
>>
>
> Just tried a quick rebase and it looks like this conflicts with
> c76f97c99ae6 ("sctp: make use of pre-calculated len")
> I don't think we can use put_user if we're copying via the full
> len?
It should be fine, since:
len = sizeof(int);
c76f97c99ae6 just does a swap of sizeof(int) with len, put_user() will
work in either case, since autoclose will always be int sized.
-Kees
>
> Thanks,
> Laura
>
>
>> Signed-off-by: David Windsor <dave@nullcore.net>
>> [kees: adjust commit log]
>> Cc: Vlad Yasevich <vyasevich@gmail.com>
>> Cc: Neil Horman <nhorman@tuxdriver.com>
>> Cc: "David S. Miller" <davem@davemloft.net>
>> Cc: linux-sctp@vger.kernel.org
>> Cc: netdev@vger.kernel.org
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> net/sctp/socket.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>> index efbc8f52c531..15491491ec88 100644
>> --- a/net/sctp/socket.c
>> +++ b/net/sctp/socket.c
>> @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock
>> *sk, int len, char __user *optv
>> len = sizeof(int);
>> if (put_user(len, optlen))
>> return -EFAULT;
>> - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
>> + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval))
>> return -EFAULT;
>> return 0;
>> }
>>
>
--
Kees Cook
Pixel Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Laura Abbott <labbott@redhat.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
David Windsor <dave@nullcore.net>,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
"David S. Miller" <davem@davemloft.net>,
linux-sctp@vger.kernel.org,
Network Development <netdev@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>,
Christoph Hellwig <hch@infradead.org>,
Christoph Lameter <cl@linux.com>,
Mark Rutland <mark.rutland@arm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Christoffer Dall <christoffer.dall@linaro.org>,
Dave Kleikamp <dave.kleikamp@oracle.com>, Jan Kara <jack@suse.cz>,
Luis de Bethencourt <luisbg@kernel.org>,
Marc Zyngier <marc.zyngier@arm.com>,
Rik van Riel <riel@redhat.com>,
Matthew Garrett <mjg59@google.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
Date: Thu, 18 Jan 2018 13:36:03 -0800 [thread overview]
Message-ID: <CAGXu5jK_VyEM4-MaQ53o2AS8NNiTyR8X5LUrbwd=KcDWfKhGTg@mail.gmail.com> (raw)
Message-ID: <20180118213603.EQ0OfBrufNDIlft_D2r6hcmNdJX8lrFsugUPtapkQlI@z> (raw)
In-Reply-To: <19a7add8-adaf-4ad4-6ae3-4a62967656b9@redhat.com>
On Thu, Jan 18, 2018 at 1:31 PM, Laura Abbott <labbott@redhat.com> wrote:
> On 01/10/2018 06:02 PM, Kees Cook wrote:
>>
>> From: David Windsor <dave@nullcore.net>
>>
>> The autoclose field can be copied with put_user(), so there is no need to
>> use copy_to_user(). In both cases, hardened usercopy is being bypassed
>> since the size is constant, and not open to runtime manipulation.
>>
>> This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
>> whitelisting code in the last public patch of grsecurity/PaX based on my
>> understanding of the code. Changes or omissions from the original code are
>> mine and don't reflect the original grsecurity/PaX code.
>>
>
> Just tried a quick rebase and it looks like this conflicts with
> c76f97c99ae6 ("sctp: make use of pre-calculated len")
> I don't think we can use put_user if we're copying via the full
> len?
It should be fine, since:
len = sizeof(int);
c76f97c99ae6 just does a swap of sizeof(int) with len, put_user() will
work in either case, since autoclose will always be int sized.
-Kees
>
> Thanks,
> Laura
>
>
>> Signed-off-by: David Windsor <dave@nullcore.net>
>> [kees: adjust commit log]
>> Cc: Vlad Yasevich <vyasevich@gmail.com>
>> Cc: Neil Horman <nhorman@tuxdriver.com>
>> Cc: "David S. Miller" <davem@davemloft.net>
>> Cc: linux-sctp@vger.kernel.org
>> Cc: netdev@vger.kernel.org
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> net/sctp/socket.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>> index efbc8f52c531..15491491ec88 100644
>> --- a/net/sctp/socket.c
>> +++ b/net/sctp/socket.c
>> @@ -5011,7 +5011,7 @@ static int sctp_getsockopt_autoclose(struct sock
>> *sk, int len, char __user *optv
>> len = sizeof(int);
>> if (put_user(len, optlen))
>> return -EFAULT;
>> - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
>> + if (put_user(sctp_sk(sk)->autoclose, (int __user *)optval))
>> return -EFAULT;
>> return 0;
>> }
>>
>
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2018-01-18 21:36 UTC|newest]
Thread overview: 152+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-11 2:02 [PATCH v5 00/38] Hardened usercopy whitelisting Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 01/38] usercopy: Remove pointer from overflow report Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 02/38] usercopy: Enhance and rename report_usercopy() Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 17:06 ` Christopher Lameter
2018-01-11 17:06 ` Christopher Lameter
2018-01-14 20:57 ` Kees Cook
2018-01-14 20:57 ` Kees Cook
2018-01-11 2:02 ` [PATCH 03/38] usercopy: Include offset in hardened usercopy report Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 04/38] lkdtm/usercopy: Adjust test to include an offset to check reporting Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 05/38] stddef.h: Introduce sizeof_field() Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 06/38] usercopy: Prepare for usercopy whitelisting Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 07/38] usercopy: WARN() on slab cache usercopy region violations Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 08/38] usercopy: Allow strict enforcement of whitelists Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 09/38] usercopy: Mark kmalloc caches as usercopy caches Kees Cook
2018-01-11 2:02 ` Kees Cook
2019-11-12 7:17 ` [kernel-hardening] " Jiri Slaby
2019-11-12 7:17 ` Jiri Slaby
2019-11-12 21:21 ` Kees Cook
2019-11-12 21:21 ` Kees Cook
2019-11-14 21:27 ` Kees Cook
2019-11-14 21:27 ` Kees Cook
2020-01-23 8:14 ` Jiri Slaby
2020-01-23 8:14 ` Jiri Slaby
2020-01-27 23:19 ` Kees Cook
2020-01-27 23:19 ` Kees Cook
2020-01-28 7:58 ` Christian Borntraeger
2020-01-28 7:58 ` Christian Borntraeger
2020-01-28 23:01 ` Kees Cook
2020-01-28 23:01 ` Kees Cook
2020-01-29 9:26 ` Ursula Braun
2020-01-29 9:26 ` Ursula Braun
2020-01-29 16:43 ` Christopher Lameter
2020-01-29 16:43 ` Christopher Lameter
2020-01-29 17:07 ` Christian Borntraeger
2020-01-29 17:07 ` Christian Borntraeger
2020-01-29 17:09 ` Christoph Hellwig
2020-01-29 17:09 ` Christoph Hellwig
2020-01-29 17:19 ` Christian Borntraeger
2020-01-29 17:19 ` Christian Borntraeger
2020-01-30 19:23 ` Kees Cook
2020-01-30 19:23 ` Kees Cook
2020-01-31 12:03 ` Jann Horn
2020-01-31 12:03 ` Jann Horn
2020-02-01 17:56 ` Kees Cook
2020-02-01 17:56 ` Kees Cook
2020-02-01 19:27 ` Jann Horn
2020-02-01 19:27 ` Jann Horn
2020-02-03 7:46 ` Matthew Wilcox
2020-02-03 7:46 ` Matthew Wilcox
2020-02-03 17:41 ` Christoph Hellwig
2020-02-03 17:41 ` Christoph Hellwig
2020-02-03 17:20 ` Christopher Lameter
2020-02-03 17:20 ` Christopher Lameter
2020-04-07 8:00 ` Vlastimil Babka
2020-04-07 8:00 ` Vlastimil Babka
2020-04-07 11:05 ` Christian Borntraeger
2020-04-07 11:05 ` Christian Borntraeger
2020-04-20 7:53 ` Jiri Slaby
2020-04-20 7:53 ` Jiri Slaby
2020-04-20 17:43 ` Kees Cook
2020-04-20 17:43 ` Kees Cook
2020-02-03 17:38 ` Christoph Hellwig
2020-02-03 17:38 ` Christoph Hellwig
2020-02-03 17:36 ` Christoph Hellwig
2020-02-03 17:36 ` Christoph Hellwig
2018-01-11 2:02 ` [PATCH 10/38] dcache: Define usercopy region in dentry_cache slab cache Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 11/38] vfs: Define usercopy region in names_cache slab caches Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 12/38] vfs: Copy struct mount.mnt_id to userspace using put_user() Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 13/38] ext4: Define usercopy region in ext4_inode_cache slab cache Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 17:01 ` Theodore Ts'o
2018-01-11 17:01 ` Theodore Ts'o
2018-01-11 23:05 ` Kees Cook
2018-01-14 22:34 ` Matthew Wilcox
2018-01-14 22:34 ` Matthew Wilcox
2018-01-11 23:05 ` Kees Cook
2018-01-11 2:02 ` [PATCH 14/38] ext2: Define usercopy region in ext2_inode_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 15/38] jfs: Define usercopy region in jfs_ip " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 16/38] befs: Define usercopy region in befs_inode_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 17/38] exofs: Define usercopy region in exofs_inode_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 18/38] orangefs: Define usercopy region in orangefs_inode_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 19/38] ufs: Define usercopy region in ufs_inode_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 20/38] vxfs: Define usercopy region in vxfs_inode " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 21/38] cifs: Define usercopy region in cifs_request " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 22/38] scsi: Define usercopy region in scsi_sense_cache " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 23/38] net: Define usercopy region in struct proto " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 24/38] ip: Define usercopy region in IP " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 25/38] caif: Define usercopy region in caif " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 26/38] sctp: Define usercopy region in SCTP " Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-11 2:02 ` [PATCH 27/38] sctp: Copy struct sctp_sock.autoclose to userspace using put_user() Kees Cook
2018-01-11 2:02 ` Kees Cook
2018-01-18 21:31 ` Laura Abbott
2018-01-18 21:31 ` Laura Abbott
2018-01-18 21:36 ` Kees Cook [this message]
2018-01-18 21:36 ` Kees Cook
2018-01-11 2:03 ` [PATCH 28/38] net: Restrict unwhitelisted proto caches to size 0 Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 29/38] fork: Define usercopy region in mm_struct slab caches Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 30/38] fork: Define usercopy region in thread_stack " Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 31/38] fork: Provide usercopy whitelisting for task_struct Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 32/38] x86: Implement thread_struct whitelist for hardened usercopy Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 33/38] arm64: " Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-15 12:24 ` Dave P Martin
2018-01-15 12:24 ` Dave P Martin
2018-01-15 20:06 ` Kees Cook
2018-01-15 20:06 ` Kees Cook
2018-01-16 12:33 ` Dave Martin
2018-01-16 12:33 ` Dave Martin
2018-01-11 2:03 ` [PATCH 34/38] arm: " Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 10:24 ` Russell King - ARM Linux
2018-01-11 10:24 ` Russell King - ARM Linux
2018-01-11 23:21 ` Kees Cook
2018-01-11 23:21 ` Kees Cook
2018-01-11 2:03 ` [PATCH 35/38] kvm: whitelist struct kvm_vcpu_arch Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 36/38] kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 37/38] usercopy: Restrict non-usercopy caches to size 0 Kees Cook
2018-01-11 2:03 ` Kees Cook
2018-01-11 2:03 ` [PATCH 38/38] lkdtm: Update usercopy tests for whitelisting Kees Cook
2018-01-11 2:03 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jK_VyEM4-MaQ53o2AS8NNiTyR8X5LUrbwd=KcDWfKhGTg@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=borntraeger@de.ibm.com \
--cc=christoffer.dall@linaro.org \
--cc=cl@linux.com \
--cc=dave.kleikamp@oracle.com \
--cc=dave@nullcore.net \
--cc=davem@davemloft.net \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=luisbg@kernel.org \
--cc=luto@kernel.org \
--cc=marc.zyngier@arm.com \
--cc=mark.rutland@arm.com \
--cc=martin.petersen@oracle.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pbonzini@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).