Date: Wed, 12 Jan 2022 15:08:55 -0800
From: Kees Cook
To: "Matthew Wilcox (Oracle)"
Cc: linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 4/4] usercopy: Remove HARDENED_USERCOPY_PAGESPAN
Message-ID: <202201121508.2646AB2@keescook>
References: <20220110231530.665970-1-willy@infradead.org> <20220110231530.665970-5-willy@infradead.org>
In-Reply-To: <20220110231530.665970-5-willy@infradead.org>

On Mon, Jan 10, 2022 at 11:15:30PM +0000, Matthew Wilcox (Oracle) wrote:
> There isn't enough information to make this a useful check any more;
> the useful parts of it were moved in earlier patches, so remove this
> set of checks now.
>
> Signed-off-by: Matthew Wilcox (Oracle)

Thank you!

Acked-by: Kees Cook

> ---
>  mm/usercopy.c    | 61 ------------------------------------------------
>  security/Kconfig | 13 +----------
>  2 files changed, 1 insertion(+), 73 deletions(-)
>
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index e1cb98087a05..94831945d9e7 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -158,64 +158,6 @@ static inline void check_bogus_address(const unsigned long ptr, unsigned long n, > usercopy_abort("null address", NULL, to_user, ptr, n); > } > > -/* Checks for allocs that are marked in some way as spanning multiple pages. */ > -static inline void check_page_span(const void *ptr, unsigned long n, > - struct page *page, bool to_user) > -{ > -#ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN > - const void *end = ptr + n - 1; > - bool is_reserved, is_cma; > - > - /* > - * Sometimes the kernel data regions are not marked Reserved (see > - * check below). And sometimes [_sdata,_edata) does not cover > - * rodata and/or bss, so check each range explicitly. > - */ > - > - /* Allow reads of kernel rodata region (if not marked as Reserved). */ > - if (ptr >= (const void *)__start_rodata && > - end <= (const void *)__end_rodata) { > - if (!to_user) > - usercopy_abort("rodata", NULL, to_user, 0, n); > - return; > - } > - > - /* Allow kernel data region (if not marked as Reserved). */ > - if (ptr >= (const void *)_sdata && end <= (const void *)_edata) > - return; > - > - /* Allow kernel bss region (if not marked as Reserved). */ > - if (ptr >= (const void *)__bss_start && > - end <= (const void *)__bss_stop) > - return; > - > - /* Is the object wholly within one base page? */ > - if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) == > - ((unsigned long)end & (unsigned long)PAGE_MASK))) > - return; > - > - /* > - * Reject if range is entirely either Reserved (i.e. special or > - * device memory), or CMA. Otherwise, reject since the object spans > - * several independently allocated pages. 
> - */ > - is_reserved = PageReserved(page); > - is_cma = is_migrate_cma_page(page); > - if (!is_reserved && !is_cma) > - usercopy_abort("spans multiple pages", NULL, to_user, 0, n); > - > - for (ptr += PAGE_SIZE; ptr <= end; ptr += PAGE_SIZE) { > - page = virt_to_head_page(ptr); > - if (is_reserved && !PageReserved(page)) > - usercopy_abort("spans Reserved and non-Reserved pages", > - NULL, to_user, 0, n); > - if (is_cma && !is_migrate_cma_page(page)) > - usercopy_abort("spans CMA and non-CMA pages", NULL, > - to_user, 0, n); > - } > -#endif > -} > - > static inline void check_heap_object(const void *ptr, unsigned long n, > bool to_user) > { > @@ -257,9 +199,6 @@ static inline void check_heap_object(const void *ptr, unsigned long n, > unsigned long offset = ptr - folio_address(folio); > if (offset + n > folio_size(folio)) > usercopy_abort("page alloc", NULL, to_user, offset, n); > - } else { > - /* Verify object does not incorrectly span multiple pages. */ > - check_page_span(ptr, n, folio_page(folio, 0), to_user); > } > } > > diff --git a/security/Kconfig b/security/Kconfig > index 0b847f435beb..5b289b329a51 100644 > --- a/security/Kconfig > +++ b/security/Kconfig 
> @@ -160,20 +160,9 @@ config HARDENED_USERCOPY > copy_from_user() functions) by rejecting memory ranges that > are larger than the specified heap object, span multiple > separately allocated pages, are not on the process stack, > - or are part of the kernel text. This kills entire classes > + or are part of the kernel text. This prevents entire classes > of heap overflow exploits and similar kernel memory exposures. > > -config HARDENED_USERCOPY_PAGESPAN > - bool "Refuse to copy allocations that span multiple pages" > - depends on HARDENED_USERCOPY > - depends on EXPERT > - help > - When a multi-page allocation is done without __GFP_COMP, > - hardened usercopy will reject attempts to copy it. There are, > - however, several cases of this in the kernel that have not all > - been removed. This config is intended to be used only while > - trying to find such users. > - > config FORTIFY_SOURCE > bool "Harden common str/mem functions against buffer overflows" > depends on ARCH_HAS_FORTIFY_SOURCE > -- > 2.33.0 > -- Kees Cook
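Review bot: in the first mm/usercopy.c hunk (@@ -158,64) the removed check_page_span() body also carried the `if (!to_user) usercopy_abort("rodata", ...)` rejection of copy_from_user() into [__start_rodata, __end_rodata), and the commit message only says the useful parts moved to earlier patches without naming which one now covers that rodata write case. Since the whole function body sat under `#ifdef CONFIG_HARDENED_USERCOPY_PAGESPAN`, it was only ever active in EXPERT builds that turned the option on, so the loss is narrow, but one sentence in the commit message stating where the rodata check now lives (or that it was dropped on purpose) would make this hunk reviewable on its own.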
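Review bot: in the check_heap_object() hunk (@@ -257,9) deleting the `} else {` / check_page_span() call leaves the `if (offset + n > folio_size(folio))` test as the only page-level bound, and the `if` it belongs to now has no fallback branch, so an object that does not satisfy that condition leaves the function unchecked. A short comment at the remaining closing brace saying this is deliberate (the span heuristic had too little information, per the commit message) would stop a later reader from treating it as a case that was lost by accident.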
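Review bot: in the security/Kconfig hunk (@@ -160,20) the HARDENED_USERCOPY help text kept as context still promises to reject ranges that "span multiple separately allocated pages", but this patch deletes the PAGESPAN code that implemented that wording and leaves only the folio-bounds check from the previous hunk. Either drop that clause or reword it to say the remaining check rejects copies that run past the end of the containing folio, so the help text matches what the option now does. The "kills" to "prevents" change is fine but is unrelated to the removal and would read more cleanly as its own patch.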