[PATCH] mm: usercopy: Check for module addresses

[PATCH] mm: usercopy: Check for module addresses

[Laura Abbott]

While running a compile on arm64, I hit a memory exposure

usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:75!
Internal error: Oops - BUG: 0 [#1] SMP
Modules linked in: ip6t_rpfilter ip6t_REJECT
nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
task: fffffe03df944c00 task.stack: fffffe00d128c000
PC is at __check_object_size+0x70/0x3f0
LR is at __check_object_size+0x70/0x3f0
...
[<fffffc00082b4280>] __check_object_size+0x70/0x3f0
[<fffffc00082cdc30>] filldir64+0x158/0x1a0
[<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
[<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
[<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
[<fffffc00082cde58>] SyS_getdents64+0x88/0x120
[<fffffc0008082c70>] el0_svc_naked+0x24/0x28

fffffc0000f3b1a8 is a module address. Modules may have compiled in
strings which could get copied to userspace. In this instance, it
looks like "." which matches with a size of 1 byte. Extend the
is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
all possible cases.

Signed-off-by: Laura Abbott <labbott@redhat.com>
---
Longer term, it would be good to expand the check for to regions like
regular kernel memory.
---
 mm/usercopy.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mm/usercopy.c b/mm/usercopy.c
index 8ebae91..d8b5bd3 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -145,8 +145,11 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
 	 * Some architectures (arm64) return true for virt_addr_valid() on
 	 * vmalloced addresses. Work around this by checking for vmalloc
 	 * first.
+	 *
+	 * We also need to check for module addresses explicitly since we
+	 * may copy static data from modules to userspace
 	 */
-	if (is_vmalloc_addr(ptr))
+	if (is_vmalloc_or_module_addr(ptr))
 		return NULL;
 
 	if (!virt_addr_valid(ptr))
-- 
2.7.4

Re: [PATCH] mm: usercopy: Check for module addresses

[Kees Cook]

On Tue, Sep 20, 2016 at 8:56 AM, Laura Abbott <labbott@redhat.com> wrote:
> While running a compile on arm64, I hit a memory exposure
>
> usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
> ------------[ cut here ]------------
> kernel BUG at mm/usercopy.c:75!
> Internal error: Oops - BUG: 0 [#1] SMP
> Modules linked in: ip6t_rpfilter ip6t_REJECT
> nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
> llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
> nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
> iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
> nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
> ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
> xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
> mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
> auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
> sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
> CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
> Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
> task: fffffe03df944c00 task.stack: fffffe00d128c000
> PC is at __check_object_size+0x70/0x3f0
> LR is at __check_object_size+0x70/0x3f0
> ...
> [<fffffc00082b4280>] __check_object_size+0x70/0x3f0
> [<fffffc00082cdc30>] filldir64+0x158/0x1a0
> [<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
> [<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
> [<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
> [<fffffc00082cde58>] SyS_getdents64+0x88/0x120
> [<fffffc0008082c70>] el0_svc_naked+0x24/0x28
>
> fffffc0000f3b1a8 is a module address. Modules may have compiled in
> strings which could get copied to userspace. In this instance, it
> looks like "." which matches with a size of 1 byte. Extend the
> is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
> all possible cases.
>
> Signed-off-by: Laura Abbott <labbott@redhat.com>
> ---
> Longer term, it would be good to expand the check for to regions like
> regular kernel memory.
> ---
>  mm/usercopy.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 8ebae91..d8b5bd3 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -145,8 +145,11 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
>          * Some architectures (arm64) return true for virt_addr_valid() on
>          * vmalloced addresses. Work around this by checking for vmalloc
>          * first.
> +        *
> +        * We also need to check for module addresses explicitly since we
> +        * may copy static data from modules to userspace
>          */
> -       if (is_vmalloc_addr(ptr))
> +       if (is_vmalloc_or_module_addr(ptr))
>                 return NULL;

I still don't understand why this happens on arm64 and not x86.
(Really what I don't understand is what virt_addr_valid() is actually
checking -- they seem to be checking very different things between x86
and arm64.)

Regardless, I'll get this pushed to Linus and try to make the -rc8 cut.

Thanks!

-Kees

>
>         if (!virt_addr_valid(ptr))
> --
> 2.7.4
>



-- 
Kees Cook
Nexus Security

Re: [PATCH] mm: usercopy: Check for module addresses

[Laura Abbott]

On 09/20/2016 04:01 PM, Kees Cook wrote:
> On Tue, Sep 20, 2016 at 8:56 AM, Laura Abbott <labbott@redhat.com> wrote:
>> While running a compile on arm64, I hit a memory exposure
>>
>> usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes)
>> ------------[ cut here ]------------
>> kernel BUG at mm/usercopy.c:75!
>> Internal error: Oops - BUG: 0 [#1] SMP
>> Modules linked in: ip6t_rpfilter ip6t_REJECT
>> nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp
>> llc ebtable_nat ip6table_security ip6table_raw ip6table_nat
>> nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle
>> iptable_security iptable_raw iptable_nat nf_conntrack_ipv4
>> nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle
>> ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac
>> xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma
>> mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd
>> auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan
>> sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys
>> CPU: 0 PID: 19744 Comm: updatedb Tainted: G        W 4.8.0-rc3-threadinfo+ #1
>> Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016
>> task: fffffe03df944c00 task.stack: fffffe00d128c000
>> PC is at __check_object_size+0x70/0x3f0
>> LR is at __check_object_size+0x70/0x3f0
>> ...
>> [<fffffc00082b4280>] __check_object_size+0x70/0x3f0
>> [<fffffc00082cdc30>] filldir64+0x158/0x1a0
>> [<fffffc0000f327e8>] __fat_readdir+0x4a0/0x558 [fat]
>> [<fffffc0000f328d4>] fat_readdir+0x34/0x40 [fat]
>> [<fffffc00082cd8f8>] iterate_dir+0x190/0x1e0
>> [<fffffc00082cde58>] SyS_getdents64+0x88/0x120
>> [<fffffc0008082c70>] el0_svc_naked+0x24/0x28
>>
>> fffffc0000f3b1a8 is a module address. Modules may have compiled in
>> strings which could get copied to userspace. In this instance, it
>> looks like "." which matches with a size of 1 byte. Extend the
>> is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover
>> all possible cases.
>>
>> Signed-off-by: Laura Abbott <labbott@redhat.com>
>> ---
>> Longer term, it would be good to expand the check for to regions like
>> regular kernel memory.
>> ---
>>  mm/usercopy.c | 5 ++++-
>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/mm/usercopy.c b/mm/usercopy.c
>> index 8ebae91..d8b5bd3 100644
>> --- a/mm/usercopy.c
>> +++ b/mm/usercopy.c
>> @@ -145,8 +145,11 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
>>          * Some architectures (arm64) return true for virt_addr_valid() on
>>          * vmalloced addresses. Work around this by checking for vmalloc
>>          * first.
>> +        *
>> +        * We also need to check for module addresses explicitly since we
>> +        * may copy static data from modules to userspace
>>          */
>> -       if (is_vmalloc_addr(ptr))
>> +       if (is_vmalloc_or_module_addr(ptr))
>>                 return NULL;
>
> I still don't understand why this happens on arm64 and not x86.
> (Really what I don't understand is what virt_addr_valid() is actually
> checking -- they seem to be checking very different things between x86
> and arm64.)

virt_addr_valid is supposed to return true if and only if virt_to_page
returns a valid pointer. arm64 is currently returning true in some
cases it shouldn't. I finally got to work on a patch to fix it up so
hopefully once that gets submitted we can drop these extra checks.

>
> Regardless, I'll get this pushed to Linus and try to make the -rc8 cut.
>
> Thanks!
>
> -Kees
>
>>
>>         if (!virt_addr_valid(ptr))
>> --
>> 2.7.4
>>
>
>
>