From: Kees Cook
Date: Wed, 15 Nov 2017 23:45:49 -0800
Subject: Re: [GIT PULL] usercopy whitelisting for v4.15-rc1
To: Linus Torvalds
Cc: LKML, David Windsor, Paolo Bonzini
In-Reply-To: <20171113072941.GA110963@beast>
References: <20171113072941.GA110963@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Nov 12, 2017 at 11:29 PM, Kees Cook wrote:
> Please pull these hardened usercopy whitelisting changes for v4.15-rc1.
> This significantly narrows the areas of memory that can be copied to/from
> userspace in the face of usercopy bugs.

Just wanted to make sure this pull request was still on your radar. Let
me know if you want me to do a full resend.

Thanks!

-Kees

> The following changes since commit 9e66317d3c92ddaab330c125dfe9d06eee268aff:
>
>   Linux 4.14-rc3 (2017-10-01 14:54:54 -0700)
>
> are available in the git repository at:
>
>   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.15-rc1
>
> for you to fetch changes up to 3889a28c449c01cebe166e413a58742002c2352b:
>
>   lkdtm: Update usercopy tests for whitelisting (2017-11-08 15:40:04 -0800)
>
> ----------------------------------------------------------------
> Currently, hardened usercopy performs dynamic bounds checking on slab
> cache objects. This is good, but still leaves a lot of kernel memory
> available to be copied to/from userspace in the face of bugs. To further
> restrict what memory is available for copying, this creates a way to
> whitelist specific areas of a given slab cache object for copying to/from
> userspace, allowing much finer granularity of access control. Slab caches
> that are never exposed to userspace can declare no whitelist for their
> objects, thereby keeping them unavailable to userspace via dynamic copy
> operations. (Note, an implicit form of whitelisting is the use of constant
> sizes in usercopy operations and get_user()/put_user(); these bypass
> hardened usercopy checks since these sizes cannot change at runtime.)
>
> ----------------------------------------------------------------
> David Windsor (23):
>       usercopy: Prepare for usercopy whitelisting
>       usercopy: Enforce slab cache usercopy region boundaries
>       usercopy: Mark kmalloc caches as usercopy caches
>       dcache: Define usercopy region in dentry_cache slab cache
>       vfs: Define usercopy region in names_cache slab caches
>       vfs: Copy struct mount.mnt_id to userspace using put_user()
>       ext4: Define usercopy region in ext4_inode_cache slab cache
>       ext2: Define usercopy region in ext2_inode_cache slab cache
>       jfs: Define usercopy region in jfs_ip slab cache
>       befs: Define usercopy region in befs_inode_cache slab cache
>       exofs: Define usercopy region in exofs_inode_cache slab cache
>       orangefs: Define usercopy region in orangefs_inode_cache slab cache
>       ufs: Define usercopy region in ufs_inode_cache slab cache
>       vxfs: Define usercopy region in vxfs_inode slab cache
>       cifs: Define usercopy region in cifs_request slab cache
>       scsi: Define usercopy region in scsi_sense_cache slab cache
>       net: Define usercopy region in struct proto slab cache
>       ip: Define usercopy region in IP proto slab cache
>       caif: Define usercopy region in caif proto slab cache
>       sctp: Define usercopy region in SCTP proto slab cache
>       sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
>       fork: Define usercopy region in mm_struct slab caches
>       fork: Define usercopy region in thread_stack slab caches
>
> Kees Cook (8):
>       net: Restrict unwhitelisted proto caches to size 0
>       fork: Provide usercopy whitelisting for task_struct
>       x86: Implement thread_struct whitelist for hardened usercopy
>       arm64: Implement thread_struct whitelist for hardened usercopy
>       arm: Implement thread_struct whitelist for hardened usercopy
>       usercopy: Allow for temporary fallback for non-whitelisted usercopy
>       usercopy: Restrict non-usercopy caches to size 0
>       lkdtm: Update usercopy tests for whitelisting
>
> Paolo Bonzini (2):
>       kvm: whitelist struct kvm_vcpu_arch
>       kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
>
>  arch/Kconfig                       | 11 +++++
>  arch/arm/Kconfig                   |  1 +
>  arch/arm/include/asm/processor.h   |  7 +++
>  arch/arm64/Kconfig                 |  1 +
>  arch/arm64/include/asm/processor.h |  8 ++++
>  arch/x86/Kconfig                   |  1 +
>  arch/x86/include/asm/processor.h   |  8 ++++
>  arch/x86/kvm/x86.c                 |  7 +--
>  drivers/misc/lkdtm.h               |  4 +-
>  drivers/misc/lkdtm_core.c          |  4 +-
>  drivers/misc/lkdtm_usercopy.c      | 88 +++++++++++++++++++++-----------------
>  drivers/scsi/scsi_lib.c            |  9 ++--
>  fs/befs/linuxvfs.c                 | 14 +++---
>  fs/cifs/cifsfs.c                   | 10 +++--
>  fs/dcache.c                        |  9 ++--
>  fs/exofs/super.c                   |  7 ++-
>  fs/ext2/super.c                    | 12 +++---
>  fs/ext4/super.c                    | 12 +++---
>  fs/fhandle.c                       |  3 +-
>  fs/freevxfs/vxfs_super.c           |  8 +++-
>  fs/jfs/super.c                     |  8 ++--
>  fs/orangefs/super.c                | 15 ++++---
>  fs/ufs/super.c                     | 13 +++---
>  include/linux/sched/task.h         | 14 ++++++
>  include/linux/slab.h               | 27 +++++++++---
>  include/linux/slab_def.h           |  3 ++
>  include/linux/slub_def.h           |  3 ++
>  include/linux/stddef.h             |  2 +
>  include/net/sctp/structs.h         |  9 +++-
>  include/net/sock.h                 |  2 +
>  kernel/fork.c                      | 31 +++++++++++---
>  mm/slab.c                          | 35 ++++++++++++---
>  mm/slab.h                          |  8 +++-
>  mm/slab_common.c                   | 54 ++++++++++++++++++-----
>  mm/slub.c                          | 46 ++++++++++++++++----
>  mm/usercopy.c                      | 12 ++++++
>  net/caif/caif_socket.c             |  2 +
>  net/core/sock.c                    |  4 +-
>  net/ipv4/raw.c                     |  2 +
>  net/ipv6/raw.c                     |  2 +
>  net/sctp/socket.c                  | 10 ++++-
>  security/Kconfig                   | 12 ++++++
>  virt/kvm/kvm_main.c                |  7 ++-
>  43 files changed, 407 insertions(+), 138 deletions(-)
>
> --
> Kees Cook
> Pixel Security

--
Kees Cook
Pixel Security
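As an added illustration, not code from the pull request or the kernel tree, here is a user-space C model of the whitelist rule the quoted description lays out: a dynamic copy is permitted only when it falls entirely inside the cache's (useroffset, usersize) region, a cache that declares no whitelist has usersize 0 and so rejects every dynamic copy, and the temporary fallback mode warns instead of aborting. The cache names, object sizes and region offsets are constructed, and the function names merely echo the kernel's; none of this is the kernel's own code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a slab cache: the object size plus the single
 * (useroffset, usersize) region whitelisted for copy_to/from_user.
 * usersize == 0 means no part of the object may be dynamically copied. */
struct usercopy_cache {
    const char *name;
    size_t object_size;
    size_t useroffset;
    size_t usersize;
};

enum usercopy_verdict { USERCOPY_OK, USERCOPY_FALLBACK_WARN, USERCOPY_ABORT };

/* May n bytes starting 'offset' bytes into one object of cache s be copied?
 * The range must fall entirely inside the whitelisted region. 'fallback'
 * models the temporary fallback mode from the series: a copy inside the
 * object but outside the whitelist is warned about instead of aborted, so
 * missing whitelists can be found without breaking the system. Constant-size
 * copies never reach this check in the kernel (see the note in the pull). */
enum usercopy_verdict check_heap_object(const struct usercopy_cache *s,
                                        size_t offset, size_t n, bool fallback)
{
    if (n == 0)                      /* zero-length copies are never checked */
        return USERCOPY_OK;
    /* Pre-existing dynamic bounds check: the range must lie within the object. */
    if (offset > s->object_size || n > s->object_size - offset)
        return USERCOPY_ABORT;
    /* Whitelist check: [offset, offset+n) within [useroffset, useroffset+usersize). */
    if (offset >= s->useroffset &&
        offset - s->useroffset <= s->usersize &&
        n <= s->usersize - (offset - s->useroffset))
        return USERCOPY_OK;
    return fallback ? USERCOPY_FALLBACK_WARN : USERCOPY_ABORT;
}

/* Pointer form: locate ptr inside the object that starts at 'object'. */
enum usercopy_verdict check_heap_ptr(const struct usercopy_cache *s,
                                     const void *object, const void *ptr,
                                     size_t n, bool fallback)
{
    uintptr_t base = (uintptr_t)object, p = (uintptr_t)ptr;
    if (p < base)                    /* starts before the object: reject */
        return USERCOPY_ABORT;
    return check_heap_object(s, (size_t)(p - base), n, fallback);
}

/* Constructed caches: an inode-style cache exposing only one 32-byte field,
 * and a cache that declares no whitelist at all (usersize 0). */
const struct usercopy_cache inode_cache = { "test_inode_cache", 512, 64, 32 };
const struct usercopy_cache private_cache = { "private_cache", 128, 0, 0 };
```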