From: Jan Kara <jack@suse.cz>
To: Kees Cook <keescook@chromium.org>
Cc: Jan Kara <jack@suse.cz>,
syzbot <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com>,
Amir Goldstein <amir73il@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
cai@lca.pw, Chris von Recklinghausen <crecklin@redhat.com>,
LKML <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: WARNING: bad usercopy in fanotify_read
Date: Wed, 13 Mar 2019 16:47:12 +0100 [thread overview]
Message-ID: <20190313154712.GJ9108@quack2.suse.cz> (raw)
In-Reply-To: <CAGXu5j+_Ao_CU8DG9nrTbx5ioDkJUFw0cGcLBMWnvNLe_eFJ4A@mail.gmail.com>
On Wed 13-03-19 08:35:33, Kees Cook wrote:
> On Wed, Mar 13, 2019 at 7:35 AM Jan Kara <jack@suse.cz> wrote:
> > On Tue 12-03-19 23:26:22, Kees Cook wrote:
> > > On Mon, Mar 11, 2019 at 1:42 PM syzbot
> > > <syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com> wrote:
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17ee410b200000
> > > > [...]
> > > > ------------[ cut here ]------------
> > > > Bad or missing usercopy whitelist? Kernel memory exposure attempt detected
> > > > from SLAB object 'fanotify_event' (offset 40, size 8)!
> > > > [...]
> > > > copy_to_user include/linux/uaccess.h:151 [inline]
> > > > copy_fid_to_user fs/notify/fanotify/fanotify_user.c:236 [inline]
> > > > copy_event_to_user fs/notify/fanotify/fanotify_user.c:294 [inline]
> > >
> > > Looks like this is the fh/ext_fh union in struct fanotify_fid, field
> > > "fid" in struct fanotify_event. Given that "fid" is itself in a union
> > > against a struct path, I think instead of a whitelist using
> > > KMEM_CACHE_USERCOPY(), this should just use a bounce buffer to avoid
> > > leaving a whitelist open for path or ext_fh exposure.
> >
> > Do you mean to protect it from a situation when some other code (i.e. not
> > copy_fid_to_user()) would be tricked into copying ext_fh containing slab
> > pointer to userspace?
>
> Yes. That's the design around the usercopy hardening. The
> "whitelisting" is either via code (with a bounce buffer, so only the
> specific "expected" code path can copy it), with a
> kmem_create_usercopy() range marking (generally best for areas that
> are not unions or when bounce buffers would be too big/slow), or with
> implicit whitelisting (via a constant copy size that cannot change at
> run-time, like: copy_to_user(dst, src, 6)).
>
> In this case, since there are multiple unions in place and
> FANOTIFY_INLINE_FH_LEN is small, it seemed best to go with a bounce
> buffer.
OK, makes sense. I'll replace tha patch using kmem_create_usercopy() in my
tree with a variant you've suggested.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2019-03-13 15:47 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-11 20:42 WARNING: bad usercopy in fanotify_read syzbot
2019-03-11 20:42 ` syzbot
2019-03-13 6:26 ` Kees Cook
2019-03-13 6:26 ` Kees Cook
2019-03-13 6:42 ` Amir Goldstein
2019-03-13 6:42 ` Amir Goldstein
2019-03-13 14:35 ` Jan Kara
2019-03-13 15:35 ` Kees Cook
2019-03-13 15:35 ` Kees Cook
2019-03-13 15:47 ` Jan Kara [this message]
2019-03-18 18:27 ` Kees Cook
2019-03-18 18:27 ` Kees Cook
2019-03-19 8:32 ` Jan Kara
2019-03-16 14:49 ` syzbot
2019-03-16 14:49 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190313154712.GJ9108@quack2.suse.cz \
--to=jack@suse.cz \
--cc=akpm@linux-foundation.org \
--cc=amir73il@gmail.com \
--cc=cai@lca.pw \
--cc=crecklin@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=syzbot+2c49971e251e36216d1f@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.