From: Mark Rutland
To: Kees Cook
CC: Hoeun Ryu, LKML, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH] usercopy: add testcases to check zeroing on failure of usercopy
Date: Wed, 15 Feb 2017 10:45:03 +0000
Message-ID: <20170215104503.GA31733@leverpostej>
References: <1486880019-8201-1-git-send-email-hoeun.ryu@gmail.com> <2C0135CD-ACCF-462F-B7C6-E8554C6C99BF@gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 14, 2017 at 12:36:48PM -0800, Kees Cook wrote:
> On Mon, Feb 13, 2017 at 5:44 PM, Hoeun Ryu wrote:
> >> On Feb 14, 2017, at 4:24 AM, Kees Cook wrote:
> >>> On Mon, Feb 13, 2017 at 10:33 AM, Kees Cook wrote:
> >>>> On Sat, Feb 11, 2017 at 10:13 PM, Hoeun Ryu wrote:
> >>>> @@ -69,25 +76,35 @@ static int __init test_user_copy_init(void) > >>>> "legitimate put_user failed"); > >>>> > >>>> /* Invalid usage: none of these should succeed. */ > >>>> + memset(kmem, 0x5A, PAGE_SIZE); > >>>> ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE), > >>>> PAGE_SIZE), > >>>> "illegal all-kernel copy_from_user passed"); > >>>> + ret |= test(memcmp(zerokmem, kmem, PAGE_SIZE), > >>>> + "zeroing failure for illegal all-kernel copy_from_user"); > >>>> + memset(bad_usermem, 0x5A, PAGE_SIZE); > >>> > >>> Oh, actually, ha-ha: this isn't legal: it's a direct copy from kernel > >>> to userspace. :) This needs a copy_to_user()... (and same for the > >>> memcmp...) > > > > I just came up with that usercopy doesn't check the buffer is valid > > when zeroing happens. I mean if the buffer is wrong address pointing > > other kernel objects or user space address, is it possible for > > zeroing to overwrite the address ? > > The overwrite happening even when the address is "wrong" seems like a > bug to me, but it's sort of already too late (a bad kernel address > would have already been a target for a userspace copy), but if > something has gone really wrong (i.e. attacker doesn't have control > over the source buffer) this does give a "write 0" primitive. > > Mark Rutland noticed some order-of-operations issues here too, and his > solution is pretty straight forward: move the checks outside the > failure path. If the kernel target is demonstrably bad, then the > process will be killed before the write 0 happens. (In the non-const > case at least...) > > (Oh, btw, I just noticed that x86's copy_from_user() already does the > check before _copy_from_user() can do the memset, so x86 is already > "ok" in this regard.) FWIW, the patch making arm64 do the check first is queued [1], and should be in v4.11. Doing the same for other architectures would be good. Mark. 
[1] https://git.kernel.org/cgit/linux/kernel/git/arm64/linux.git/commit/?h=for-next/core&id=76624175dcae6f7a808d345c0592908a15ca6975
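Review bot: the trailing `+ memset(bad_usermem, 0x5A, PAGE_SIZE);` in the quoted hunk is a direct kernel write to a user address, which is exactly the kind of access the surrounding "Invalid usage" block exists to catch; as Kees points out, poisoning the user buffer has to go through copy_to_user(), and any later comparison of bad_usermem against zerokmem has to copy it back into kernel memory before memcmp() rather than reading it directly. The kmem half of the hunk is sound as far as it goes: `memset(kmem, 0x5A, PAGE_SIZE)` followed by `test(memcmp(zerokmem, kmem, PAGE_SIZE), ...)` only reports a zeroing failure if the whole page is left poisoned, which is what the all-kernel copy_from_user() failure should produce, but note that it exercises zeroing only for a valid kernel destination and so says nothing about the check-versus-memset ordering discussed below it.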
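Added example, not kernel code and not from this thread: a userspace model in C of the two failure-path orderings Kees and Mark discuss, with check_object_size() and the faulting raw user copy replaced by stubs (both are assumptions). It shows that zeroing the destination before the hardened check leaves a rejected destination written, while checking first leaves it untouched and still zeroes a legitimate destination on failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Userspace model of the two copy_from_user() failure-path orderings the
 * thread discusses; the object check and the user copy are stubs (assumed). */
enum { PAGE = 64 };                 /* stand-in for PAGE_SIZE */
enum { KILLED = 1, ZEROED = 2 };    /* result bits reported by run() */
unsigned char good_kmem[PAGE];      /* a valid kernel destination */
unsigned char bad_kmem[PAGE];       /* models a destination the check rejects */
/* Modelled check_object_size(): only good_kmem is an acceptable target. */
static bool check_object_size(const void *dst, size_t n)
{
    return dst == good_kmem && n <= PAGE;
}
/* Modelled raw user copy that always faults: returns bytes NOT copied. */
static size_t raw_copy_from_user(void *dst, size_t n) { (void)dst; return n; }
/* Ordering A: zero the uncopied tail first, run the check afterwards. A
 * rejected destination is zeroed before the process can be killed. */
static void copy_check_last(void *dst, size_t n, bool *killed)
{
    size_t left = raw_copy_from_user(dst, n);
    if (left) memset((char *)dst + (n - left), 0, left);
    *killed = !check_object_size(dst, n);
}
/* Ordering B (the check-first ordering Mark references for arm64): a
 * rejected destination is never written at all. */
static void copy_check_first(void *dst, size_t n, bool *killed)
{
    *killed = !check_object_size(dst, n);
    if (*killed)
        return;
    size_t left = raw_copy_from_user(dst, n);
    if (left) memset((char *)dst + (n - left), 0, left);
}
/* Poison dst with 0x5A as the test patch does, run one ordering, and report
 * whether the process would be killed and whether dst ended up all-zero. */
int run(bool check_first, unsigned char *dst)
{
    bool killed = false, zeroed = true;
    memset(dst, 0x5A, PAGE);
    if (check_first)
        copy_check_first(dst, PAGE, &killed);
    else
        copy_check_last(dst, PAGE, &killed);
    for (size_t i = 0; i < PAGE; i++)
        zeroed = zeroed && dst[i] == 0;
    return (killed ? KILLED : 0) | (zeroed ? ZEROED : 0);
}
```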