From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Christoffer Dall <christoffer.dall@linaro.org>,
	Christoph Lameter <cl@linux.com>,
	Dave Kleikamp <dave.kleikamp@oracle.com>, Jan Kara <jack@suse.cz>,
	Luis de Bethencourt <luisbg@kernel.org>,
	Marc Zyngier <marc.zyngier@arm.com>,
	Rik van Riel <riel@redhat.com>, David Windsor <dave@nullcore.net>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Matthew Garrett <mjg59@google.com>
Subject: [GIT PULL] hardened usercopy whitelisting for v4.16-rc1
Date: Mon, 29 Jan 2018 02:54:22 -0800	[thread overview]
Message-ID: <20180129105422.GA29502@beast> (raw)

Hi Linus,

Please pull these hardened usercopy changes for v4.16-rc1. This is very
close to what I sent for v4.15, though now it has a couple more Acks,
I reorganized the WARN-by-default to be earlier in the series where
hopefully it stands out better, and I improved reporting (while also
dropping the nearly meaningless %p usage). The bulk of this series
has been living happily in linux-next for almost two devel cycles now,
so my impression is that it's baked well enough for prime-time.

One merge conflict with net (sctp) appeared about 3 weeks ago, which
should prefer the usercopy version (since it uses a constant size for
the copy). Noted here: https://lkml.org/lkml/2018/1/11/757

Thanks!

-Kees

The following changes since commit ae64f9bd1d3621b5e60d7363bc20afb46aede215:

  Linux 4.15-rc2 (2017-12-03 11:01:47 -0500)

are available in the git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/usercopy-v4.16-rc1

for you to fetch changes up to e47e311843dece8073146f3606871280ee9beb87:

  lkdtm: Update usercopy tests for whitelisting (2018-01-15 12:08:09 -0800)

----------------------------------------------------------------
Currently, hardened usercopy performs dynamic bounds checking on slab
cache objects. This is good, but still leaves a lot of kernel memory
available to be copied to/from userspace in the face of bugs. To further
restrict what memory is available for copying, this creates a way to
whitelist specific areas of a given slab cache object for copying to/from
userspace, allowing much finer granularity of access control. Slab caches
that are never exposed to userspace can declare no whitelist for their
objects, thereby keeping them unavailable to userspace via dynamic copy
operations. (Note, an implicit form of whitelisting is the use of constant
sizes in usercopy operations and get_user()/put_user(); these bypass all
hardened usercopy checks since these sizes cannot change at runtime.)

This new check is WARN-by-default, so any mistakes can be found over the
next several releases without breaking anyone's system.

The series has roughly the following sections:
- remove %p and improve reporting with offset
- prepare infrastructure and whitelist kmalloc
- update VFS subsystem with whitelists
- update SCSI subsystem with whitelists
- update network subsystem with whitelists
- update process memory with whitelists
- update per-architecture thread_struct with whitelists
- update KVM with whitelists and fix ioctl bug
- mark all other allocations as not whitelisted
- update lkdtm for more sensible test coverage

----------------------------------------------------------------
David Windsor (22):
      usercopy: Prepare for usercopy whitelisting
      usercopy: Mark kmalloc caches as usercopy caches
      dcache: Define usercopy region in dentry_cache slab cache
      vfs: Define usercopy region in names_cache slab caches
      vfs: Copy struct mount.mnt_id to userspace using put_user()
      ext4: Define usercopy region in ext4_inode_cache slab cache
      ext2: Define usercopy region in ext2_inode_cache slab cache
      jfs: Define usercopy region in jfs_ip slab cache
      befs: Define usercopy region in befs_inode_cache slab cache
      exofs: Define usercopy region in exofs_inode_cache slab cache
      orangefs: Define usercopy region in orangefs_inode_cache slab cache
      ufs: Define usercopy region in ufs_inode_cache slab cache
      vxfs: Define usercopy region in vxfs_inode slab cache
      cifs: Define usercopy region in cifs_request slab cache
      scsi: Define usercopy region in scsi_sense_cache slab cache
      net: Define usercopy region in struct proto slab cache
      ip: Define usercopy region in IP proto slab cache
      caif: Define usercopy region in caif proto slab cache
      sctp: Define usercopy region in SCTP proto slab cache
      sctp: Copy struct sctp_sock.autoclose to userspace using put_user()
      fork: Define usercopy region in mm_struct slab caches
      fork: Define usercopy region in thread_stack slab caches

Kees Cook (14):
      usercopy: Remove pointer from overflow report
      usercopy: Enhance and rename report_usercopy()
      usercopy: Include offset in hardened usercopy report
      lkdtm/usercopy: Adjust test to include an offset to check reporting
      stddef.h: Introduce sizeof_field()
      usercopy: WARN() on slab cache usercopy region violations
      usercopy: Allow strict enforcement of whitelists
      net: Restrict unwhitelisted proto caches to size 0
      fork: Provide usercopy whitelisting for task_struct
      x86: Implement thread_struct whitelist for hardened usercopy
      arm64: Implement thread_struct whitelist for hardened usercopy
      arm: Implement thread_struct whitelist for hardened usercopy
      usercopy: Restrict non-usercopy caches to size 0
      lkdtm: Update usercopy tests for whitelisting

Paolo Bonzini (2):
      kvm: whitelist struct kvm_vcpu_arch
      kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl

 arch/Kconfig                       |  11 +++
 arch/arm/Kconfig                   |   1 +
 arch/arm/include/asm/processor.h   |  10 +++
 arch/arm64/Kconfig                 |   1 +
 arch/arm64/include/asm/processor.h |  10 +++
 arch/x86/Kconfig                   |   1 +
 arch/x86/include/asm/processor.h   |   8 +++
 arch/x86/kvm/x86.c                 |   7 +-
 drivers/misc/lkdtm.h               |   4 +-
 drivers/misc/lkdtm_core.c          |   4 +-
 drivers/misc/lkdtm_usercopy.c      | 101 ++++++++++++++++------------
 drivers/scsi/scsi_lib.c            |   9 +--
 fs/befs/linuxvfs.c                 |  14 ++--
 fs/cifs/cifsfs.c                   |  10 +--
 fs/dcache.c                        |   9 +--
 fs/exofs/super.c                   |   7 +-
 fs/ext2/super.c                    |  12 ++--
 fs/ext4/super.c                    |  12 ++--
 fs/fhandle.c                       |   3 +-
 fs/freevxfs/vxfs_super.c           |   8 ++-
 fs/jfs/super.c                     |   8 ++-
 fs/orangefs/super.c                |  15 +++--
 fs/ufs/super.c                     |  13 ++--
 include/linux/sched/task.h         |  14 ++++
 include/linux/slab.h               |  41 ++++++++----
 include/linux/slab_def.h           |   3 +
 include/linux/slub_def.h           |   3 +
 include/linux/stddef.h             |  10 ++-
 include/linux/uaccess.h            |   8 +++
 include/net/sctp/structs.h         |   9 ++-
 include/net/sock.h                 |   2 +
 kernel/fork.c                      |  31 +++++++--
 mm/slab.c                          |  36 +++++++---
 mm/slab.h                          |   8 ++-
 mm/slab_common.c                   |  62 ++++++++++++++---
 mm/slub.c                          |  49 ++++++++++----
 mm/usercopy.c                      | 133 +++++++++++++++++++++----------------
 net/caif/caif_socket.c             |   2 +
 net/core/sock.c                    |   4 +-
 net/ipv4/raw.c                     |   2 +
 net/ipv6/raw.c                     |   2 +
 net/sctp/socket.c                  |  10 ++-
 security/Kconfig                   |  14 ++++
 tools/objtool/check.c              |   1 +
 virt/kvm/kvm_main.c                |   8 ++-
 45 files changed, 515 insertions(+), 215 deletions(-)

-- 
Kees Cook
Pixel Security
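The whitelist check described in the tag message above (each slab cache declares one region of its objects that runtime-sized copies must stay inside, and a cache that declares no region exposes nothing), as an added userland model that is not the kernel's code. The cache names, object layout and addresses are constructed, and how a violation is reported (WARN by default, or strict enforcement) is left out of the model.

```c
/* Userland model of the usercopy whitelist check (illustrative, not kernel code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One whitelisted region per slab object: [useroffset, useroffset + usersize).
 * usersize == 0 means no byte may be copied to/from userspace with a runtime size. */
struct model_cache {
	const char *name;
	size_t object_size, useroffset, usersize;
};

enum copy_verdict {
	COPY_OK = 0,          /* copy lies entirely inside the whitelist */
	COPY_OUTSIDE_OBJECT,  /* pre-existing object bounds check fails  */
	COPY_NOT_WHITELISTED, /* inside the object, outside its whitelist */
};

/* Check a runtime-sized copy of n bytes at ptr; obj is the start of the slab
 * object containing ptr. Object bounds are checked first, then the whitelist.
 * *offset_out receives the offset the hardened usercopy report would print. */
static enum copy_verdict check_heap_object(const struct model_cache *s,
					   uintptr_t obj, uintptr_t ptr,
					   size_t n, size_t *offset_out)
{
	size_t offset = ptr >= obj ? (size_t)(ptr - obj) : 0;
	if (offset_out)
		*offset_out = offset;
	if (ptr < obj || n > s->object_size || offset > s->object_size - n)
		return COPY_OUTSIDE_OBJECT;
	if (offset < s->useroffset || n > s->usersize ||
	    offset - s->useroffset > s->usersize - n)
		return COPY_NOT_WHITELISTED;
	return COPY_OK;
}

/* Constructed caches: 64-byte objects with bytes [16, 24) whitelisted, and one
 * with no whitelist at all (an object that is never exposed to userspace). */
static const struct model_cache demo_cache = { "demo_cache", 64, 16, 8 };
static const struct model_cache opaque_cache = { "opaque_cache", 64, 0, 0 };

int main(void)
{
	uintptr_t obj = 0x1000; /* constructed object address */

	printf("demo_cache:   8 bytes at offset 20 -> %d\n",
	       check_heap_object(&demo_cache, obj, obj + 20, 8, NULL));
	printf("opaque_cache: 8 bytes at offset 16 -> %d\n",
	       check_heap_object(&opaque_cache, obj, obj + 16, 8, NULL));
	return 0;
}
```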
