From: Kees Cook <keescook@chromium.org> To: Eric Biggers <ebiggers3@gmail.com> Cc: "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com>, David Windsor <dave@nullcore.net>, Linux-MM <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org> Subject: Re: [kernel-hardening] [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0 Date: Wed, 28 Jun 2017 10:03:09 -0700 [thread overview] Message-ID: <CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com> (raw) In-Reply-To: <20170620040403.GA610@zzz.localdomain> On Mon, Jun 19, 2017 at 9:04 PM, Eric Biggers <ebiggers3@gmail.com> wrote: > Hi David + Kees, > > On Mon, Jun 19, 2017 at 04:36:35PM -0700, Kees Cook wrote: >> With all known usercopied cache whitelists now defined in the kernel, switch >> the default usercopy region of kmem_cache_create() to size 0. Any new caches >> with usercopy regions will now need to use kmem_cache_create_usercopy() >> instead of kmem_cache_create(). >> > > While I'd certainly like to see the caches be whitelisted, it needs to be made > very clear that it's being done (the cover letter for this series falsely claims > that kmem_cache_create() is unchanged) and what the consequences are. Is there Well, in the first patch it is semantically unchanged: calls to kmem_cache_create() after the first patch whitelist the entire cache object. Only from this patch on does it change behavior to no longer whitelist the object. > any specific plan for identifying caches that were missed? If it's expected for The plan for finding caches needing whitelisting is mainly code audit and operational testing. Encountering it is quite loud in that it BUGs the kernel during the hardened usercopy checks. > people to just fix them as they are found, then they need to be helped a little > --- at the very least by putting a big comment above report_usercopy() that > explains the possible reasons why the error might have triggered and what to do > about it. That sounds reasonable. It should have a comment even for the existing protections. Thanks! -Kees -- Kees Cook Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org> To: Eric Biggers <ebiggers3@gmail.com> Cc: "kernel-hardening@lists.openwall.com" <kernel-hardening@lists.openwall.com>, David Windsor <dave@nullcore.net>, Linux-MM <linux-mm@kvack.org>, LKML <linux-kernel@vger.kernel.org> Subject: Re: [kernel-hardening] [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0 Date: Wed, 28 Jun 2017 10:03:09 -0700 [thread overview] Message-ID: <CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com> (raw) In-Reply-To: <20170620040403.GA610@zzz.localdomain> On Mon, Jun 19, 2017 at 9:04 PM, Eric Biggers <ebiggers3@gmail.com> wrote: > Hi David + Kees, > > On Mon, Jun 19, 2017 at 04:36:35PM -0700, Kees Cook wrote: >> With all known usercopied cache whitelists now defined in the kernel, switch >> the default usercopy region of kmem_cache_create() to size 0. Any new caches >> with usercopy regions will now need to use kmem_cache_create_usercopy() >> instead of kmem_cache_create(). >> > > While I'd certainly like to see the caches be whitelisted, it needs to be made > very clear that it's being done (the cover letter for this series falsely claims > that kmem_cache_create() is unchanged) and what the consequences are. Is there Well, in the first patch it is semantically unchanged: calls to kmem_cache_create() after the first patch whitelist the entire cache object. Only from this patch on does it change behavior to no longer whitelist the object. > any specific plan for identifying caches that were missed? If it's expected for The plan for finding caches needing whitelisting is mainly code audit and operational testing. Encountering it is quite loud in that it BUGs the kernel during the hardened usercopy checks. > people to just fix them as they are found, then they need to be helped a little > --- at the very least by putting a big comment above report_usercopy() that > explains the possible reasons why the error might have triggered and what to do > about it. That sounds reasonable. It should have a comment even for the existing protections. Thanks! -Kees -- Kees Cook Pixel Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-06-28 17:03 UTC|newest] Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-06-19 23:36 [PATCH 00/23] Hardened usercopy whitelisting Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 01/23] usercopy: Prepare for " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 02/23] usercopy: Enforce slab cache usercopy region boundaries Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 03/23] vfs: define usercopy region in names_cache slab caches Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 04/23] vfs: copy struct mount.mnt_id to userspace using put_user() Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 05/23] befs: define usercopy region in befs_inode_cache slab cache Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 06/23] cifs: define usercopy region in cifs_request " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 07/23] exofs: define usercopy region in exofs_inode_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 08/23] ext2: define usercopy region in ext2_inode_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 09/23] ext4: define usercopy region in ext4_inode_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 10/23] vxfs: define usercopy region in vxfs_inode " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 11/23] jfs: define usercopy region in jfs_ip " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 12/23] orangefs: define usercopy region in orangefs_inode_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 13/23] ufs: define usercopy region in ufs_inode_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 14/23] fork: define usercopy region in thread_stack, task_struct, mm_struct slab caches Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 15/23] net: define usercopy region in struct proto slab cache Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 16/23] net: copy struct sctp_sock.autoclose to userspace using put_user() Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 17/23] dcache: define usercopy region in dentry_cache slab cache Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-20 4:08 ` [kernel-hardening] " Eric Biggers 2017-06-20 4:08 ` Eric Biggers 2017-06-28 16:44 ` Kees Cook 2017-06-28 16:44 ` Kees Cook 2017-06-28 16:44 ` Kees Cook 2017-06-28 16:55 ` Eric Biggers 2017-06-28 16:55 ` Eric Biggers 2017-06-28 16:55 ` Eric Biggers 2017-06-19 23:36 ` [PATCH 18/23] scsi: define usercopy region in scsi_sense_cache " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 19/23] xfs: define usercopy region in xfs_inode " Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 20/23] usercopy: convert kmalloc caches to usercopy caches Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-19 23:36 ` [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0 Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-20 4:04 ` [kernel-hardening] " Eric Biggers 2017-06-20 4:04 ` Eric Biggers 2017-06-28 17:03 ` Kees Cook [this message] 2017-06-28 17:03 ` Kees Cook 2017-06-28 17:03 ` Kees Cook 2017-06-19 23:36 ` [PATCH 22/23] usercopy: split user-controlled slabs to separate caches Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-20 4:24 ` [kernel-hardening] " Eric Biggers 2017-06-20 4:24 ` Eric Biggers 2017-06-20 4:47 ` Eric Biggers 2017-06-20 4:47 ` Eric Biggers 2017-06-20 22:27 ` Kees Cook 2017-06-20 22:27 ` Kees Cook 2017-06-20 22:27 ` Kees Cook 2017-06-20 20:24 ` Laura Abbott 2017-06-20 20:24 ` [kernel-hardening] " Laura Abbott 2017-06-20 20:24 ` Laura Abbott 2017-06-20 22:22 ` Kees Cook 2017-06-20 22:22 ` [kernel-hardening] " Kees Cook 2017-06-20 22:22 ` Kees Cook 2017-06-27 7:31 ` Michal Hocko 2017-06-27 7:31 ` [kernel-hardening] " Michal Hocko 2017-06-27 7:31 ` Michal Hocko 2017-06-27 22:07 ` Kees Cook 2017-06-27 22:07 ` [kernel-hardening] " Kees Cook 2017-06-27 22:07 ` Kees Cook 2017-06-28 8:54 ` Michal Hocko 2017-06-28 8:54 ` [kernel-hardening] " Michal Hocko 2017-06-28 8:54 ` Michal Hocko 2017-06-19 23:36 ` [PATCH 23/23] mm: Allow slab_nomerge to be set at build time Kees Cook 2017-06-19 23:36 ` [kernel-hardening] " Kees Cook 2017-06-19 23:36 ` Kees Cook 2017-06-20 4:09 ` [kernel-hardening] " Daniel Micay 2017-06-20 4:09 ` Daniel Micay 2017-06-20 22:51 ` Kees Cook 2017-06-20 22:51 ` Kees Cook 2017-06-20 22:51 ` Kees Cook 2017-06-20 4:29 ` Eric Biggers 2017-06-20 4:29 ` Eric Biggers 2017-06-20 23:09 ` Kees Cook 2017-06-20 23:09 ` Kees Cook 2017-06-20 23:09 ` Kees Cook 2017-06-20 19:41 ` [kernel-hardening] [PATCH 00/23] Hardened usercopy whitelisting Rik van Riel 2017-10-20 22:40 ` Paolo Bonzini 2017-10-20 22:40 ` [kernel-hardening] " Paolo Bonzini 2017-10-20 22:40 ` Paolo Bonzini 2017-10-20 23:25 ` Paolo Bonzini 2017-10-20 23:25 ` [kernel-hardening] " Paolo Bonzini 2017-10-20 23:25 ` Paolo Bonzini 2017-10-21 3:04 ` Kees Cook 2017-10-21 3:04 ` [kernel-hardening] " Kees Cook 2017-10-21 3:04 ` Kees Cook
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com \ --to=keescook@chromium.org \ --cc=dave@nullcore.net \ --cc=ebiggers3@gmail.com \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.