From: Kees Cook <keescook@chromium.org>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
David Windsor <dave@nullcore.net>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [kernel-hardening] [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0
Date: Wed, 28 Jun 2017 10:03:09 -0700 [thread overview]
Message-ID: <CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com> (raw)
In-Reply-To: <20170620040403.GA610@zzz.localdomain>
On Mon, Jun 19, 2017 at 9:04 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> Hi David + Kees,
>
> On Mon, Jun 19, 2017 at 04:36:35PM -0700, Kees Cook wrote:
>> With all known usercopied cache whitelists now defined in the kernel, switch
>> the default usercopy region of kmem_cache_create() to size 0. Any new caches
>> with usercopy regions will now need to use kmem_cache_create_usercopy()
>> instead of kmem_cache_create().
>>
>
> While I'd certainly like to see the caches be whitelisted, it needs to be made
> very clear that it's being done (the cover letter for this series falsely claims
> that kmem_cache_create() is unchanged) and what the consequences are. Is there
Well, in the first patch it is semantically unchanged: calls to
kmem_cache_create() after the first patch whitelist the entire cache
object. Only from this patch on does it change behavior to no longer
whitelist the object.
> any specific plan for identifying caches that were missed? If it's expected for
The plan for finding caches needing whitelisting is mainly code audit
and operational testing. Encountering it is quite loud in that it BUGs
the kernel during the hardened usercopy checks.
> people to just fix them as they are found, then they need to be helped a little
> --- at the very least by putting a big comment above report_usercopy() that
> explains the possible reasons why the error might have triggered and what to do
> about it.
That sounds reasonable. It should have a comment even for the existing
protections.
Thanks!
-Kees
--
Kees Cook
Pixel Security
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
David Windsor <dave@nullcore.net>, Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [kernel-hardening] [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0
Date: Wed, 28 Jun 2017 10:03:09 -0700 [thread overview]
Message-ID: <CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com> (raw)
In-Reply-To: <20170620040403.GA610@zzz.localdomain>
On Mon, Jun 19, 2017 at 9:04 PM, Eric Biggers <ebiggers3@gmail.com> wrote:
> Hi David + Kees,
>
> On Mon, Jun 19, 2017 at 04:36:35PM -0700, Kees Cook wrote:
>> With all known usercopied cache whitelists now defined in the kernel, switch
>> the default usercopy region of kmem_cache_create() to size 0. Any new caches
>> with usercopy regions will now need to use kmem_cache_create_usercopy()
>> instead of kmem_cache_create().
>>
>
> While I'd certainly like to see the caches be whitelisted, it needs to be made
> very clear that it's being done (the cover letter for this series falsely claims
> that kmem_cache_create() is unchanged) and what the consequences are. Is there
Well, in the first patch it is semantically unchanged: calls to
kmem_cache_create() after the first patch whitelist the entire cache
object. Only from this patch on does it change behavior to no longer
whitelist the object.
> any specific plan for identifying caches that were missed? If it's expected for
The plan for finding caches needing whitelisting is mainly code audit
and operational testing. Encountering it is quite loud in that it BUGs
the kernel during the hardened usercopy checks.
> people to just fix them as they are found, then they need to be helped a little
> --- at the very least by putting a big comment above report_usercopy() that
> explains the possible reasons why the error might have triggered and what to do
> about it.
That sounds reasonable. It should have a comment even for the existing
protections.
Thanks!
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-06-28 17:03 UTC|newest]
Thread overview: 127+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 23:36 [PATCH 00/23] Hardened usercopy whitelisting Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 01/23] usercopy: Prepare for " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 02/23] usercopy: Enforce slab cache usercopy region boundaries Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 03/23] vfs: define usercopy region in names_cache slab caches Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 04/23] vfs: copy struct mount.mnt_id to userspace using put_user() Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 05/23] befs: define usercopy region in befs_inode_cache slab cache Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 06/23] cifs: define usercopy region in cifs_request " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 07/23] exofs: define usercopy region in exofs_inode_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 08/23] ext2: define usercopy region in ext2_inode_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 09/23] ext4: define usercopy region in ext4_inode_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 10/23] vxfs: define usercopy region in vxfs_inode " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 11/23] jfs: define usercopy region in jfs_ip " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 12/23] orangefs: define usercopy region in orangefs_inode_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 13/23] ufs: define usercopy region in ufs_inode_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 14/23] fork: define usercopy region in thread_stack, task_struct, mm_struct slab caches Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 15/23] net: define usercopy region in struct proto slab cache Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 16/23] net: copy struct sctp_sock.autoclose to userspace using put_user() Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 17/23] dcache: define usercopy region in dentry_cache slab cache Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-20 4:08 ` [kernel-hardening] " Eric Biggers
2017-06-20 4:08 ` Eric Biggers
2017-06-28 16:44 ` Kees Cook
2017-06-28 16:44 ` Kees Cook
2017-06-28 16:44 ` Kees Cook
2017-06-28 16:55 ` Eric Biggers
2017-06-28 16:55 ` Eric Biggers
2017-06-28 16:55 ` Eric Biggers
2017-06-19 23:36 ` [PATCH 18/23] scsi: define usercopy region in scsi_sense_cache " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 19/23] xfs: define usercopy region in xfs_inode " Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 20/23] usercopy: convert kmalloc caches to usercopy caches Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-19 23:36 ` [PATCH 21/23] usercopy: Restrict non-usercopy caches to size 0 Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-20 4:04 ` [kernel-hardening] " Eric Biggers
2017-06-20 4:04 ` Eric Biggers
2017-06-28 17:03 ` Kees Cook [this message]
2017-06-28 17:03 ` Kees Cook
2017-06-28 17:03 ` Kees Cook
2017-06-19 23:36 ` [PATCH 22/23] usercopy: split user-controlled slabs to separate caches Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-20 4:24 ` [kernel-hardening] " Eric Biggers
2017-06-20 4:24 ` Eric Biggers
2017-06-20 4:47 ` Eric Biggers
2017-06-20 4:47 ` Eric Biggers
2017-06-20 22:27 ` Kees Cook
2017-06-20 22:27 ` Kees Cook
2017-06-20 22:27 ` Kees Cook
2017-06-20 20:24 ` Laura Abbott
2017-06-20 20:24 ` [kernel-hardening] " Laura Abbott
2017-06-20 20:24 ` Laura Abbott
2017-06-20 22:22 ` Kees Cook
2017-06-20 22:22 ` [kernel-hardening] " Kees Cook
2017-06-20 22:22 ` Kees Cook
2017-06-27 7:31 ` Michal Hocko
2017-06-27 7:31 ` [kernel-hardening] " Michal Hocko
2017-06-27 7:31 ` Michal Hocko
2017-06-27 22:07 ` Kees Cook
2017-06-27 22:07 ` [kernel-hardening] " Kees Cook
2017-06-27 22:07 ` Kees Cook
2017-06-28 8:54 ` Michal Hocko
2017-06-28 8:54 ` [kernel-hardening] " Michal Hocko
2017-06-28 8:54 ` Michal Hocko
2017-06-19 23:36 ` [PATCH 23/23] mm: Allow slab_nomerge to be set at build time Kees Cook
2017-06-19 23:36 ` [kernel-hardening] " Kees Cook
2017-06-19 23:36 ` Kees Cook
2017-06-20 4:09 ` [kernel-hardening] " Daniel Micay
2017-06-20 4:09 ` Daniel Micay
2017-06-20 22:51 ` Kees Cook
2017-06-20 22:51 ` Kees Cook
2017-06-20 22:51 ` Kees Cook
2017-06-20 4:29 ` Eric Biggers
2017-06-20 4:29 ` Eric Biggers
2017-06-20 23:09 ` Kees Cook
2017-06-20 23:09 ` Kees Cook
2017-06-20 23:09 ` Kees Cook
2017-06-20 19:41 ` [kernel-hardening] [PATCH 00/23] Hardened usercopy whitelisting Rik van Riel
2017-10-20 22:40 ` Paolo Bonzini
2017-10-20 22:40 ` [kernel-hardening] " Paolo Bonzini
2017-10-20 22:40 ` Paolo Bonzini
2017-10-20 23:25 ` Paolo Bonzini
2017-10-20 23:25 ` [kernel-hardening] " Paolo Bonzini
2017-10-20 23:25 ` Paolo Bonzini
2017-10-21 3:04 ` Kees Cook
2017-10-21 3:04 ` [kernel-hardening] " Kees Cook
2017-10-21 3:04 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jLcZO3XHBd7i7Gnww4vwRpH10m2FvczEecnC_ars-N+Ow@mail.gmail.com \
--to=keescook@chromium.org \
--cc=dave@nullcore.net \
--cc=ebiggers3@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.