[{"id":1773230,"web_url":"http://patchwork.ozlabs.org/comment/1773230/","msgid":"<0132ff58-f18b-6d67-8edd-fa6bd1f6927b@oracle.com>","list_archive_url":null,"date":"2017-09-22T02:54:55","subject":"Re: [PATCH v3 09/31] jfs: Define usercopy region in jfs_ip slab\n\tcache","submitter":{"id":12300,"url":"http://patchwork.ozlabs.org/api/people/12300/","name":"Dave Kleikamp","email":"dave.kleikamp@oracle.com"},"content":"Acked-by: Dave Kleikamp \n\nOn 09/20/2017 03:45 PM, Kees Cook wrote:\n> From: David Windsor \n> \n> The jfs symlink pathnames, stored in struct jfs_inode_info.i_inline and\n> therefore contained in the jfs_ip slab cache, need to be copied to/from\n> userspace.\n> \n> cache object allocation:\n> fs/jfs/super.c:\n> jfs_alloc_inode(...):\n> ...\n> jfs_inode = kmem_cache_alloc(jfs_inode_cachep, GFP_NOFS);\n> ...\n> return &jfs_inode->vfs_inode;\n> \n> fs/jfs/jfs_incore.h:\n> JFS_IP(struct inode *inode):\n> return container_of(inode, struct jfs_inode_info, vfs_inode);\n> \n> fs/jfs/inode.c:\n> jfs_iget(...):\n> ...\n> inode->i_link = JFS_IP(inode)->i_inline;\n> \n> example usage trace:\n> readlink_copy+0x43/0x70\n> vfs_readlink+0x62/0x110\n> SyS_readlinkat+0x100/0x130\n> \n> fs/namei.c:\n> readlink_copy(..., link):\n> ...\n> copy_to_user(..., link, len);\n> \n> (inlined in vfs_readlink)\n> generic_readlink(dentry, ...):\n> struct inode *inode = d_inode(dentry);\n> const char *link = inode->i_link;\n> ...\n> readlink_copy(..., link);\n> \n> In support of usercopy hardening, this patch defines a region in the\n> jfs_ip slab cache in which userspace copy operations are allowed.\n> \n> This region is known as the slab cache's usercopy region. Slab caches can\n> now check that each copy operation involving cache-managed memory falls\n> entirely within the slab's usercopy region.\n> \n> This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY\n> whitelisting code in the last public patch of grsecurity/PaX based on my\n> understanding of the code. Changes or omissions from the original code are\n> mine and don't reflect the original grsecurity/PaX code.\n> \n> Signed-off-by: David Windsor \n> [kees: adjust commit log, provide usage trace]\n> Cc: Dave Kleikamp \n> Cc: jfs-discussion@lists.sourceforge.net\n> Signed-off-by: Kees Cook \n> ---\n> fs/jfs/super.c | 8 +++++---\n> 1 file changed, 5 insertions(+), 3 deletions(-)\n> \n> diff --git a/fs/jfs/super.c b/fs/jfs/super.c\n> index 2f14677169c3..e018412608d4 100644\n> --- a/fs/jfs/super.c\n> +++ b/fs/jfs/super.c\n> @@ -966,9 +966,11 @@ static int __init init_jfs_fs(void)\n> \tint rc;\n> \n> \tjfs_inode_cachep =\n> -\t kmem_cache_create(\"jfs_ip\", sizeof(struct jfs_inode_info), 0,\n> -\t\t\t SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,\n> -\t\t\t init_once);\n> +\t kmem_cache_create_usercopy(\"jfs_ip\", sizeof(struct jfs_inode_info),\n> +\t\t\t0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,\n> +\t\t\toffsetof(struct jfs_inode_info, i_inline),\n> +\t\t\tsizeof_field(struct jfs_inode_info, i_inline),\n> +\t\t\tinit_once);\n> \tif (jfs_inode_cachep == NULL)\n> \t\treturn -ENOMEM;\n> \n>","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xyyll3L6mz9sRW\n\tfor ;\n\tFri, 22 Sep 2017 12:55:47 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751809AbdIVCzh (ORCPT );\n\tThu, 21 Sep 2017 22:55:37 -0400","from userp1040.oracle.com ([156.151.31.81]:19694 \"EHLO\n\tuserp1040.oracle.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751653AbdIVCzf (ORCPT\n\t); Thu, 21 Sep 2017 22:55:35 -0400","from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74])\n\tby userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with\n\tESMTP id v8M2t6kK000611\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Fri, 22 Sep 2017 02:55:06 GMT","from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235])\n\tby userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id\n\tv8M2t4wY000704\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Fri, 22 Sep 2017 02:55:04 GMT","from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7])\n\tby aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v8M2t2Yn022306; \n\tFri, 22 Sep 2017 02:55:02 GMT","from [192.168.1.74] (/99.156.91.244)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Thu, 21 Sep 2017 19:55:02 -0700"],"Subject":"Re: [PATCH v3 09/31] jfs: Define usercopy region in jfs_ip slab\n\tcache","To":"Kees Cook , linux-kernel@vger.kernel.org","Cc":"David Windsor , jfs-discussion@lists.sourceforge.net,\n\tlinux-fsdevel@vger.kernel.org, netdev@vger.kernel.org,\n\tlinux-mm@kvack.org, kernel-hardening@lists.openwall.com","References":"<1505940337-79069-1-git-send-email-keescook@chromium.org>\n\t<1505940337-79069-10-git-send-email-keescook@chromium.org>","From":"Dave Kleikamp ","Message-ID":"<0132ff58-f18b-6d67-8edd-fa6bd1f6927b@oracle.com>","Date":"Thu, 21 Sep 2017 21:54:55 -0500","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101\n\tThunderbird/52.3.0","MIME-Version":"1.0","In-Reply-To":"<1505940337-79069-10-git-send-email-keescook@chromium.org>","Content-Type":"text/plain; charset=utf-8","Content-Language":"en-US","Content-Transfer-Encoding":"7bit","X-Source-IP":"userv0022.oracle.com [156.151.31.74]","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}}]