On Wed, Jan 2, 2019 at 12:41 PM <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>
> The patch titled
>      Subject: mm/usercopy.c: no check page span for stack objects
> has been added to the -mm tree.  Its filename is
>      usercopy-no-check-page-span-for-stack-objects.patch
>
> This patch should soon appear at
>     http://ozlabs.org/~akpm/mmots/broken-out/usercopy-no-check-page-span-for-stack-objects.patch
> and later at
>     http://ozlabs.org/~akpm/mmotm/broken-out/usercopy-no-check-page-span-for-stack-objects.patch
>
> Before you just go and hit "reply", please:
>    a) Consider who else should be cc'ed
>    b) Prefer to cc a suitable mailing list as well
>    c) Ideally: find the original patch on the mailing list and do a
>       reply-to-all to that, adding suitable additional cc's
>
> *** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
>
> The -mm tree is included into linux-next and is updated
> there every 3-4 working days
>
> ------------------------------------------------------
> From: Qian Cai <cai@xxxxxx>
> Subject: mm/usercopy.c: no check page span for stack objects
>
> It is easy to trigger this with CONFIG_HARDENED_USERCOPY_PAGESPAN=y,
>
> usercopy: Kernel memory overwrite attempt detected to spans multiple
> pages (offset 0, size 23)!
> kernel BUG at mm/usercopy.c:102!
>
> For example,
>
> print_worker_info
>   char name[WQ_NAME_LEN] = { };
>   char desc[WORKER_DESC_LEN] = { };
>   probe_kernel_read(name, wq->name, sizeof(name) - 1);
>   probe_kernel_read(desc, worker->desc, sizeof(desc) - 1);
>   __copy_from_user_inatomic
>     check_object_size
>       check_heap_object
>         check_page_span
>
> This is because on-stack variables could cross a PAGE_SIZE boundary and
> fail this check,
>
> if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) ==
>            ((unsigned long)end & (unsigned long)PAGE_MASK)))
>
> ptr = FFFF889007D7EFF8
> end = FFFF889007D7F00E
>
> Hence, fix it by checking if it is a stack object first.
>
> Link: http://lkml.kernel.org/r/20181231030254.99441-1-cai@xxxxxx
> Signed-off-by: Qian Cai <cai@xxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

I was planning on doing this already, so yes please. :) I do want to
include a comment update as well. I'll send that as a fix.

-Kees

> ---
>
>  mm/usercopy.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> --- a/mm/usercopy.c~usercopy-no-check-page-span-for-stack-objects
> +++ a/mm/usercopy.c
> @@ -262,9 +262,6 @@ void __check_object_size(const void *ptr
> /* Check for invalid addresses. */
> check_bogus_address((const unsigned long)ptr, n, to_user);
>
> - /* Check for bad heap object. */
> - check_heap_object(ptr, n, to_user);
> -
> /* Check for bad stack object. */
> switch (check_stack_object(ptr, n)) {
> case NOT_STACK:
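Review bot: Removing check_heap_object() from in front of the stack switch only achieves what the changelog claims if the GOOD_STACK/GOOD_FRAME arms of that switch return from __check_object_size(); the hunk context stops at `case NOT_STACK:`, so that early return is an unstated precondition of the whole reorder and nothing left in this hunk records it. Suggest extending the surviving comment, for example `/* Check for bad stack object; a good stack object returns early and so never reaches the page-span check below. */`, so the ordering dependency survives a later cleanup. That is also the natural place for the comment update the reply promises as a follow-up.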
> @@ -282,6 +279,9 @@ void __check_object_size(const void *ptr
> usercopy_abort("process stack", NULL, to_user, 0, n);
> }
>
> + /* Check for bad heap object. */
> + check_heap_object(ptr, n, to_user);
> +
> /* Check for object in kernel to avoid text exposure. */
> check_kernel_text_object((const unsigned long)ptr, n, to_user);
> }
> _
>
> Patches currently in -mm which might be from cai@xxxxxx are
>
> mm-page_owner-fix-for-deferred-struct-page-init.patch
> usercopy-no-check-page-span-for-stack-objects.patch
>

-- 
Kees Cook
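Review bot: The re-added `/* Check for bad heap object. */` in the second hunk is the verbatim comment from its old position, but the position now carries meaning: any object reaching this line has already been classified NOT_STACK, so check_page_span() no longer sees a stack frame that happens to straddle a page boundary. Say so in the comment, for example `/* Check for bad heap object (stack objects were handled above). */`. Worth stating in the changelog as well, given the Cc: stable, that a NOT_STACK object crossing pages is still rejected exactly as before; the hunk moves the page-span check, it does not relax it.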
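The same-page test quoted in the changelog, and why running the stack check first makes the reported splat go away, as an added user-space model that is not code from mm/usercopy.c or from the patch author. It assumes 4 KiB pages, a constructed 16 KiB stack range around the changelog's addresses, and reduces check_heap_object() to its page-span test (the real function also handles slab pages and skips addresses that fail virt_addr_valid(), which the model omits). Only address arithmetic is performed; nothing is dereferenced.

```c
/*
 * Added example, not code from mm/usercopy.c: a user-space model of the
 * check ordering in __check_object_size() before and after the patch.
 * Assumptions: PAGE_SIZE is 4 KiB; "the stack" is the constructed range
 * below; check_heap_object() is reduced to its page-span test (the real
 * one also handles slab pages and skips !virt_addr_valid() addresses).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uint64_t)1 << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))

/* Assumed 16 KiB thread stack [lo, hi) containing the changelog's object. */
struct stack_range { uint64_t lo, hi; };
static const struct stack_range example_stack = {
	0xFFFF889007D7C000ULL, 0xFFFF889007D80000ULL
};

enum stack_class { NOT_STACK, GOOD_STACK, BAD_STACK };
enum verdict { ACCEPT, ABORT_PAGE_SPAN, ABORT_BAD_STACK };

/* Mirrors the same-page test quoted in the changelog (end is inclusive). */
static bool object_within_one_page(uint64_t ptr, uint64_t n)
{
	uint64_t end = ptr + n - 1;
	return (ptr & PAGE_MASK) == (end & PAGE_MASK);
}

/* Model of check_stack_object(): wholly inside, wholly outside, or straddling. */
static enum stack_class classify_stack(const struct stack_range *s, uint64_t ptr, uint64_t n)
{
	uint64_t end = ptr + n;		/* exclusive */
	if (end <= s->lo || ptr >= s->hi)
		return NOT_STACK;
	if (ptr >= s->lo && end <= s->hi)
		return GOOD_STACK;
	return BAD_STACK;		/* overlaps the stack boundary: always fatal */
}

/* Model of __check_object_size(); stack_first selects the patched ordering. */
enum verdict check_object_size_model(const struct stack_range *s, uint64_t ptr, uint64_t n, bool stack_first)
{
	if (n == 0)
		return ACCEPT;

	/* Before the patch: the page-span test runs first and sees stack frames too. */
	if (!stack_first && !object_within_one_page(ptr, n))
		return ABORT_PAGE_SPAN;

	switch (classify_stack(s, ptr, n)) {
	case NOT_STACK:
		break;
	case GOOD_STACK:
		return ACCEPT;		/* the early return the patch relies on */
	default:
		return ABORT_BAD_STACK;
	}

	/* After the patch: only objects that are not on the stack get here. */
	if (stack_first && !object_within_one_page(ptr, n))
		return ABORT_PAGE_SPAN;

	return ACCEPT;
}

static const char *verdict_name(enum verdict v)
{
	static const char *names[] = { "ACCEPT", "ABORT_PAGE_SPAN", "ABORT_BAD_STACK" };
	return names[v];
}

int main(void)
{
	/* Constructed cases: the changelog's object plus three controls. */
	const struct { const char *what; uint64_t ptr, n; } cases[] = {
		{ "changelog stack object across a page boundary", 0xFFFF889007D7EFF8ULL, 23 },
		{ "object straddling the stack boundary",          0xFFFF889007D7FFF8ULL, 16 },
		{ "non-stack object across a page boundary",       0xFFFF889000000FF0ULL, 32 },
		{ "non-stack object within one page",              0xFFFF889000000100ULL, 64 },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-48s before: %-16s after: %s\n", cases[i].what,
		       verdict_name(check_object_size_model(&example_stack, cases[i].ptr, cases[i].n, false)),
		       verdict_name(check_object_size_model(&example_stack, cases[i].ptr, cases[i].n, true)));
	return 0;
}
```

The first case is the changelog's object (ptr FFFF889007D7EFF8, size 23): its first and last bytes sit on different 4 KiB pages, so the old ordering aborts with the page-span message while the patched ordering returns at GOOD_STACK. The last two cases show what the patch leaves untouched: an object that is not on the stack and crosses a page boundary is still rejected, and one that straddles the stack boundary is still fatal either way.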