Date: Wed, 23 Mar 2022 08:40:30 -0700
From: Kees Cook
To: Christoph Hellwig
Cc: kernel test robot, "Martin K. Petersen", Bart Van Assche, John Garry, LKML, lkp@lists.01.org, lkp@intel.com, "Matthew Wilcox (Oracle)", linux-mm@kvack.org, linux-hardening@vger.kernel.org
Subject: Re: [scsi] 6aded12b10: kernel_BUG_at_mm/usercopy.c
Message-ID: <202203230809.D63BF9511@keescook>
References: <20220320143453.GD6208@xsang-OptiPlex-9020> <20220323071409.GA25480@lst.de>
In-Reply-To: <20220323071409.GA25480@lst.de>

On Wed, Mar 23, 2022 at 08:14:10AM +0100, Christoph Hellwig wrote:
> The actual warning is:
>
> [   34.496096][  T331] usercopy: Kernel memory overwrite attempt detected to spans multiple pages (offset 0, size 6)!
>
> This is for the cmnd field in struct scsi_cmnd, which is allocated by
> the block layer as part of the request allocator. So with a specific
> packing it can legitimately span pages.
>
> Kees: how can we annotate that this is ok?

The main problem is that CONFIG_HARDENED_USERCOPY_PAGESPAN=y is broken
(and nothing should be setting it). This series removes it:
https://lore.kernel.org/linux-hardening/20220110231530.665970-1-willy@infradead.org/

Matthew, what's the status of that series? Will it make the current
merge window?
As for the SCSI changes, I'm a bit worried about type confusion, as I
don't see anything actually validating types/sizes when converting:

	static inline void *blk_mq_rq_to_pdu(struct request *rq)
	{
		return rq + 1;
	}

But I guess that ship has sailed. :P

Regardless, I'm concerned that disabling PAGESPAN will just uncover
further checks, though. Where is allocation happening? The check is here:

	static int scsi_fill_sghdr_rq(struct scsi_device *sdev, struct request *rq,
				      struct sg_io_hdr *hdr, fmode_t mode)
	{
		struct scsi_cmnd *scmd = blk_mq_rq_to_pdu(rq);

		if (hdr->cmd_len < 6)
			return -EMSGSIZE;
		if (copy_from_user(scmd->cmnd, hdr->cmdp, hdr->cmd_len))
			return -EFAULT;
		...
	}

I don't see any earlier marking for this copy_from_user(), so I assume
the old allocation was a plain kmalloc(). For comparison, a related
marking can be seen for a copy_to_user() case in commit 0afe76e88c57
("scsi: Define usercopy region in scsi_sense_cache slab cache").

I *think* the allocation is happening in scsi_ioctl_reset()? But that's
a plain kmalloc(), so I'm not sure why PAGESPAN would have tripped...
are there other allocation paths?

-- 
Kees Cook
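A user-space model of the two checks the thread discusses, added here as an illustration rather than taken from the kernel or from the e-mail: the CONFIG_HARDENED_USERCOPY_PAGESPAN test that produced the warning, and the per-cache usercopy whitelist that kmem_cache_create_usercopy() sets up (the "marking" commit 0afe76e88c57 refers to). PAGE_SIZE, the addresses and the 96-byte object size are assumed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define PAGE_SIZE 4096UL	/* assumed; the real value is per-architecture */

/* Model of a cache created with kmem_cache_create_usercopy(): only bytes
 * [useroffset, useroffset + usersize) of each object may be copied to or
 * from user space. */
struct usercopy_cache {
	size_t object_size;
	size_t useroffset;
	size_t usersize;	/* 0: nothing in the object is whitelisted */
};

/* Whitelist check for a copy of n bytes at offset off within an object;
 * mirrors the intent of the kernel's heap-object check. */
bool heap_object_ok(const struct usercopy_cache *c, size_t off, size_t n)
{
	if (n > c->object_size || off > c->object_size - n)
		return false;	/* copy runs past the end of the object */
	if (c->usersize == 0 || n > c->usersize || off < c->useroffset)
		return false;
	return off - c->useroffset <= c->usersize - n;
}

/* Model of the CONFIG_HARDENED_USERCOPY_PAGESPAN test behind the warning:
 * a copy is flagged when [addr, addr + n) does not sit within one page, so
 * a legitimately allocated cmnd field straddling a boundary is reported. */
bool spans_multiple_pages(uintptr_t addr, size_t n)
{
	if (n == 0)
		return false;
	return (addr & ~(PAGE_SIZE - 1)) != ((addr + n - 1) & ~(PAGE_SIZE - 1));
}

int main(void)
{
	/* Constructed: a 6-byte CDB copied into a cmnd field that begins
	 * 2 bytes before a page boundary, as in the warning above. */
	uintptr_t cmnd = 0x10000000UL + PAGE_SIZE - 2;
	printf("6-byte copy at %#lx spans pages: %d\n",
	       (unsigned long)cmnd, spans_multiple_pages(cmnd, 6));
	/* Assumed scsi_sense_cache-style layout (96-byte object, whole object
	 * whitelisted) beside an unmarked cache of the same size. */
	struct usercopy_cache marked = { 96, 0, 96 }, unmarked = { 96, 0, 0 };
	printf("marked ok: %d, unmarked ok: %d\n",
	       heap_object_ok(&marked, 0, 6), heap_object_ok(&unmarked, 0, 6));
	return 0;
}
```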