From: Kees Cook <keescook@chromium.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-security-module <linux-security-module@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: crypto: Kernel memory overwrite attempt detected to spans multiple pages
Date: Wed, 10 Apr 2019 11:30:57 -0700 [thread overview]
Message-ID: <CAGXu5j+SZ2+Zkc=Vp5CXQUHhiR9f_OOnca684JTRW3T0yXdaNQ@mail.gmail.com> (raw)
In-Reply-To: <20190410031734.GB7140@sol.localdomain>
On Tue, Apr 9, 2019 at 8:17 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Thu, Mar 21, 2019 at 10:51:22AM -0700, Eric Biggers wrote:
> > On Thu, Mar 21, 2019 at 10:45:31AM -0700, Kees Cook wrote:
> > > On Wed, Mar 20, 2019 at 11:57 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > >
> > > > On Tue, Mar 19, 2019 at 10:09:13AM -0700, Eric Biggers wrote:
> > > > > On Tue, Mar 19, 2019 at 12:54:23PM +0100, Geert Uytterhoeven wrote:
> > > > > > When running the sha1-asm crypto selftest on arm with
> > > > > > CONFIG_HARDENED_USERCOPY_PAGESPAN=y:
> > > > > >
> > > > > > usercopy: Kernel memory overwrite attempt detected to spans
> > > > > > multiple pages (offset 0, size 42)!
> > > > >
> > > > > Well, this must happen with the new (in 5.1) crypto self-tests implementation
> > > > > for any crypto algorithm when CONFIG_HARDENED_USERCOPY_PAGESPAN=y. I don't
> > > > > understand why hardened usercopy considers it a bug though, as there's no buffer
> > > > > overflow. The crypto tests use copy_from_iter() to copy data into a 2-page
> > > > > buffer that was allocated with __get_free_pages():
> > > > >
> > > > > __get_free_pages(GFP_KERNEL, 1)
> > > > >
> > > > > ... where 1 means an order-1 allocation.
> > > > >
> > > > > If it copies to offset=4064 len=42, for example, then hardened usercopy
> > > > > considers it a bug even though the buffer is 8192 bytes long. Why?
> > > > >
> > > > > It isn't actually copying anything to/from userspace, BTW; it's using iov_iter
> > > > > with ITER_KVEC.
> > > > >
> > > > > - Eric
> > > >
> > > > Kees, any thoughts on why hardened usercopy rejects copies spanning a page
> > > > boundary when they seem to be fine?
> > >
> > > This is due to missing the compound page marking, if I remember
> > > correctly. However, I tend to leave the pagespan test disabled: it
> > > really isn't ready for production use -- there are a lot of missing
> > > annotations still.
> > >
> >
> > So do I need to add __GFP_COMP? Is there any actual reason to do so?
> > Why does hardened usercopy check for it?
> >
> > - Eric
>
> Hi Kees, any answer to this question?
Hi! Sorry, this got lost in my inbox. Yes, if you can add __GFP_COMP,
that would fix this case. No one has had time lately to track down all
these cases, but avoiding adding new ones would be wonderful. :)
It's in there because it's a state I'd like to get to in the kernel,
but it'll require a lot more work to get there.
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: crypto: Kernel memory overwrite attempt detected to spans multiple pages
Date: Wed, 10 Apr 2019 11:30:57 -0700 [thread overview]
Message-ID: <CAGXu5j+SZ2+Zkc=Vp5CXQUHhiR9f_OOnca684JTRW3T0yXdaNQ@mail.gmail.com> (raw)
In-Reply-To: <20190410031734.GB7140@sol.localdomain>
On Tue, Apr 9, 2019 at 8:17 PM Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Thu, Mar 21, 2019 at 10:51:22AM -0700, Eric Biggers wrote:
> > On Thu, Mar 21, 2019 at 10:45:31AM -0700, Kees Cook wrote:
> > > On Wed, Mar 20, 2019 at 11:57 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > >
> > > > On Tue, Mar 19, 2019 at 10:09:13AM -0700, Eric Biggers wrote:
> > > > > On Tue, Mar 19, 2019 at 12:54:23PM +0100, Geert Uytterhoeven wrote:
> > > > > > When running the sha1-asm crypto selftest on arm with
> > > > > > CONFIG_HARDENED_USERCOPY_PAGESPAN=y:
> > > > > >
> > > > > > usercopy: Kernel memory overwrite attempt detected to spans
> > > > > > multiple pages (offset 0, size 42)!
> > > > >
> > > > > Well, this must happen with the new (in 5.1) crypto self-tests implementation
> > > > > for any crypto algorithm when CONFIG_HARDENED_USERCOPY_PAGESPAN=y. I don't
> > > > > understand why hardened usercopy considers it a bug though, as there's no buffer
> > > > > overflow. The crypto tests use copy_from_iter() to copy data into a 2-page
> > > > > buffer that was allocated with __get_free_pages():
> > > > >
> > > > > __get_free_pages(GFP_KERNEL, 1)
> > > > >
> > > > > ... where 1 means an order-1 allocation.
> > > > >
> > > > > If it copies to offset=4064 len=42, for example, then hardened usercopy
> > > > > considers it a bug even though the buffer is 8192 bytes long. Why?
> > > > >
> > > > > It isn't actually copying anything to/from userspace, BTW; it's using iov_iter
> > > > > with ITER_KVEC.
> > > > >
> > > > > - Eric
> > > >
> > > > Kees, any thoughts on why hardened usercopy rejects copies spanning a page
> > > > boundary when they seem to be fine?
> > >
> > > This is due to missing the compound page marking, if I remember
> > > correctly. However, I tend to leave the pagespan test disabled: it
> > > really isn't ready for production use -- there are a lot of missing
> > > annotations still.
> > >
> >
> > So do I need to add __GFP_COMP? Is there any actual reason to do so?
> > Why does hardened usercopy check for it?
> >
> > - Eric
>
> Hi Kees, any answer to this question?
Hi! Sorry, this got lost in my inbox. Yes, if you can add __GFP_COMP,
that would fix this case. No one has had time lately to track down all
these cases, but avoiding adding new ones would be wonderful. :)
It's in there because it's a state I'd like to get to in the kernel,
but it'll require a lot more work to get there.
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-04-10 18:31 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-19 11:54 crypto: Kernel memory overwrite attempt detected to spans multiple pages Geert Uytterhoeven
2019-03-19 11:54 ` Geert Uytterhoeven
2019-03-19 17:09 ` Eric Biggers
2019-03-19 17:09 ` Eric Biggers
2019-03-20 18:57 ` Eric Biggers
2019-03-20 18:57 ` Eric Biggers
2019-03-21 17:45 ` Kees Cook
2019-03-21 17:45 ` Kees Cook
2019-03-21 17:51 ` Eric Biggers
2019-03-21 17:51 ` Eric Biggers
2019-04-10 3:17 ` Eric Biggers
2019-04-10 3:17 ` Eric Biggers
2019-04-10 18:30 ` Kees Cook [this message]
2019-04-10 18:30 ` Kees Cook
2019-04-10 19:07 ` Eric Biggers
2019-04-10 19:07 ` Eric Biggers
2019-04-10 21:57 ` Kees Cook
2019-04-10 21:57 ` Kees Cook
2019-04-10 23:11 ` Eric Biggers
2019-04-10 23:11 ` Eric Biggers
2019-04-10 23:27 ` Kees Cook
2019-04-10 23:27 ` Kees Cook
2019-04-11 17:58 ` Eric Biggers
2019-04-11 17:58 ` Eric Biggers
2019-04-11 18:33 ` Kees Cook
2019-04-11 18:33 ` Kees Cook
2019-04-11 19:26 ` Eric Biggers
2019-04-11 19:26 ` Eric Biggers
2019-04-11 19:28 ` [PATCH] crypto: testmgr - allocate buffers with __GFP_COMP Eric Biggers
2019-04-11 19:28 ` Eric Biggers
2019-04-11 20:32 ` Kees Cook
2019-04-11 20:32 ` Kees Cook
2019-04-12 5:38 ` Dmitry Vyukov
2019-04-12 5:38 ` Dmitry Vyukov
2019-04-15 2:24 ` Matthew Wilcox
2019-04-15 2:24 ` Matthew Wilcox
2019-04-15 2:46 ` Herbert Xu
2019-04-15 2:46 ` Herbert Xu
2019-04-16 2:18 ` Matthew Wilcox
2019-04-16 2:18 ` Matthew Wilcox
2019-04-16 3:14 ` Kees Cook
2019-04-16 3:14 ` Kees Cook
2019-04-16 3:14 ` Kees Cook
2019-04-17 4:08 ` Matthew Wilcox
2019-04-17 4:08 ` Matthew Wilcox
2019-04-17 8:09 ` Russell King - ARM Linux admin
2019-04-17 8:09 ` Russell King - ARM Linux admin
2019-04-17 9:54 ` Robin Murphy
2019-04-17 9:54 ` Robin Murphy
2019-04-11 20:36 ` crypto: Kernel memory overwrite attempt detected to spans multiple pages Kees Cook
2019-04-11 20:36 ` Kees Cook
2019-04-11 20:56 ` Eric Biggers
2019-04-11 20:56 ` Eric Biggers
2019-04-11 1:37 ` Rik van Riel
2019-04-11 1:37 ` Rik van Riel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5j+SZ2+Zkc=Vp5CXQUHhiR9f_OOnca684JTRW3T0yXdaNQ@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=ebiggers@kernel.org \
--cc=geert@linux-m68k.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.