From: Kees Cook <keescook@chromium.org>
To: Laura Abbott <labbott@redhat.com>
Cc: Anton Eidelman <anton@lightbitslabs.com>,
Linux-MM <linux-mm@kvack.org>,
linux-hardened@lists.openwall.com
Subject: Re: HARDENED_USERCOPY will BUG on multiple slub objects coalesced into an sk_buff fragment
Date: Fri, 1 Jun 2018 13:49:38 -0700 [thread overview]
Message-ID: <CAGXu5jKYsS2jnRcb9RhFwvB-FLdDhVyAf+=CZ0WFB9UwPdefpw@mail.gmail.com> (raw)
In-Reply-To: <55be03eb-3d0d-d43d-b0a4-669341e6d9ab@redhat.com>
On Fri, Jun 1, 2018 at 12:02 PM, Laura Abbott <labbott@redhat.com> wrote:
> (cc-ing some interested people)
>
>
>
> On 05/31/2018 05:03 PM, Anton Eidelman wrote:
>> Here's a rare issue I reproduce on 4.12.10 (centos config): full log
>> sample below.
Thanks for digging into this! Do you have any specific reproducer for
this? If so, I'd love to try a bisection, as I'm surprised this has
only now surfaced: hardened usercopy was introduced in 4.8 ...
>> An innocent process (dhcpclient) is about to receive a datagram, but
>> during skb_copy_datagram_iter() usercopy triggers a BUG in:
>> usercopy.c:check_heap_object() -> slub.c:__check_heap_object(), because
>> the sk_buff fragment being copied crosses the 64-byte slub object boundary.
>>
>> Example __check_heap_object() context:
>> n=128 << usually 128, sometimes 192.
>> object_size=64
>> s->size=64
>> page_address(page)=0xffff880233f7c000
>> ptr=0xffff880233f7c540
>>
>> My take on the root cause:
>> When adding data to an skb, new data is appended to the current
>> fragment if the new chunk immediately follows the last one: by simply
>> increasing the frag->size, skb_frag_size_add().
>> See include/linux/skbuff.h:skb_can_coalesce() callers.
Oooh, sneaky:
return page == skb_frag_page(frag) &&
off == frag->page_offset + skb_frag_size(frag);
Originally I was thinking that slab red-zoning would get triggered
too, but I see the above is checking to see if these are precisely
neighboring allocations, I think.
But then ... how does freeing actually work? I'm really not sure how
this seeming layering violation could be safe in other areas?
> The analysis makes sense. Kees, any thoughts about what
> we might do? It seems unlikely we can fix the networking
> code so do we need some kind of override in usercopy?
If this really is safe against kfree(), then I'd like to find the
logic that makes it safe and either teach skb_can_coalesce() different
rules (i.e. do not cross slab objects) or teach __check_heap_object()
about skb... which seems worse. Wheee.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2018-06-01 20:49 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-01 0:03 Anton Eidelman
2018-06-01 19:02 ` Laura Abbott
2018-06-01 20:49 ` Kees Cook [this message]
2018-06-01 20:58 ` Matthew Wilcox
2018-06-01 21:55 ` Kees Cook
2018-06-01 23:34 ` Anton Eidelman
2018-06-05 15:27 ` Christopher Lameter
2018-06-05 20:45 ` Anton Eidelman
2018-06-05 21:43 ` Christopher Lameter
2018-06-05 14:51 ` Christopher Lameter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jKYsS2jnRcb9RhFwvB-FLdDhVyAf+=CZ0WFB9UwPdefpw@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=anton@lightbitslabs.com \
--cc=labbott@redhat.com \
--cc=linux-hardened@lists.openwall.com \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox