{ "id": 816509, "url": "http://patchwork.ozlabs.org/api/patches/816509/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/1505940337-79069-27-git-send-email-keescook@chromium.org/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<1505940337-79069-27-git-send-email-keescook@chromium.org>", "list_archive_url": null, "date": "2017-09-20T20:45:32", "name": "[v3,26/31] fork: Provide usercopy whitelisting for task_struct", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": true, "hash": "b8956014e50717ec8614c8a82b9c0a20dbaabf79", "submitter": { "id": 10641, "url": "http://patchwork.ozlabs.org/api/people/10641/?format=api", "name": "Kees Cook", "email": "keescook@chromium.org" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/1505940337-79069-27-git-send-email-keescook@chromium.org/mbox/", "series": [ { "id": 4231, "url": "http://patchwork.ozlabs.org/api/series/4231/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=4231", "date": "2017-09-20T20:45:22", "name": "Hardened usercopy whitelisting", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/4231/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/816509/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/816509/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": 
"patchwork-incoming@ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (1024-bit key;\n\tunprotected) header.d=chromium.org header.i=@chromium.org\n\theader.b=\"oGHnA4bl\"; dkim-atps=neutral" ], "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xyBtj5xdvz9sBZ\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 21 Sep 2017 06:59:09 +1000 (AEST)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752155AbdITU7I (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 20 Sep 2017 16:59:08 -0400", "from mail-pf0-f174.google.com ([209.85.192.174]:43390 \"EHLO\n\tmail-pf0-f174.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751928AbdITUwx (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 20 Sep 2017 16:52:53 -0400", "by mail-pf0-f174.google.com with SMTP id y29so2127059pff.0\n\tfor <netdev@vger.kernel.org>; Wed, 20 Sep 2017 13:52:53 -0700 (PDT)", "from www.outflux.net\n\t(173-164-112-133-Oregon.hfc.comcastbusiness.net. 
[173.164.112.133])\n\tby smtp.gmail.com with ESMTPSA id\n\te69sm8968081pfc.79.2017.09.20.13.52.45\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tWed, 20 Sep 2017 13:52:46 -0700 (PDT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=chromium.org; s=google;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references\n\t:mime-version:content-transfer-encoding;\n\tbh=+pRBL2cqMl4JJW+wjTw82xOcOAuJzz0A6deB5UclAH4=;\n\tb=oGHnA4blLrtebM6Eo6orX755urqLqlBxETzQ88faCf4SRaHPVKXUX5R+L+j01A8/cO\n\tO0eVBIeLY8fod71yMSbDSLzGd8wd3ca72TAgv/C/15iWHPsoE2TCFvVI1Pg9Gi9C8oo9\n\tb7k/JiSJas+VpPSTyNbz4Xz3UO7e5TfzlGiuM=", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references:mime-version:content-transfer-encoding;\n\tbh=+pRBL2cqMl4JJW+wjTw82xOcOAuJzz0A6deB5UclAH4=;\n\tb=Bmc13db4193+EPZLtbV3P1oisNVeDEWjqM1/K2p29gJid8oFpOz1TuMy5A/fM5S0UT\n\tNBZtzBy5OstgO0zqUavKXgHKqmbCpLcfk5g6VEW1TiHrPVdiWoylbk2vRp/fH3Qqk1ud\n\t+AitYOOXzhehb1wRGftOyktvXiOD1tTiiueKYmu1azXDP5469LBqWCdHKIQqw2J86hsD\n\tNW8XsAvZDMgIeL31//OJv2wf/4t7K2IVK7lxw8zOoMfx+2AIgPdeacuUaYmKTM3sj7Tt\n\tzHKizgKVuSW68cUjvArYcei+BIh6G9yyBLYZ3wkvFRlr1XXM7KmMSOEVTBqgxjGrbw8S\n\t7hKQ==", "X-Gm-Message-State": "AHPjjUgK9fhy+t6+0ieby30NPkVLYvBWPS+WDfxxnmvK+KabrW/hZTfo\n\t3Gp7zdYqOrg4N0NBLgsbjnDECw==", "X-Google-Smtp-Source": "AOwi7QBfDQ8PJ7uQWWXFG8OhhWmaWIN5yES/tIlmkMqeVInu2R0OhyxjhTLgxFDMRlZQWY4tgPst0g==", "X-Received": "by 10.99.112.94 with SMTP id a30mr3432985pgn.304.1505940772809; \n\tWed, 20 Sep 2017 13:52:52 -0700 (PDT)", "From": "Kees Cook <keescook@chromium.org>", "To": "linux-kernel@vger.kernel.org", "Cc": "Kees Cook <keescook@chromium.org>, Andrew Morton\n\t<akpm@linux-foundation.org>, Nicholas Piggin <npiggin@gmail.com>,\n\tLaura Abbott <labbott@redhat.com>, =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?=\n\t<mic@digikod.net>, Ingo Molnar <mingo@kernel.org>,\n\tThomas Gleixner 
<tglx@linutronix.de>, \n\tAndy Lutomirski <luto@kernel.org>, linux-fsdevel@vger.kernel.org,\n\tnetdev@vger.kernel.org, linux-mm@kvack.org,\n\tkernel-hardening@lists.openwall.com, David Windsor <dave@nullcore.net>", "Subject": "[PATCH v3 26/31] fork: Provide usercopy whitelisting for task_struct", "Date": "Wed, 20 Sep 2017 13:45:32 -0700", "Message-Id": "<1505940337-79069-27-git-send-email-keescook@chromium.org>", "X-Mailer": "git-send-email 2.7.4", "In-Reply-To": "<1505940337-79069-1-git-send-email-keescook@chromium.org>", "References": "<1505940337-79069-1-git-send-email-keescook@chromium.org>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "While the blocked and saved_sigmask fields of task_struct are copied to\nuserspace (via sigmask_to_save() and setup_rt_frame()), it is always\ncopied with a static length (i.e. 
sizeof(sigset_t)), so they are implictly\nwhitelisted.\n\nThe only portion of task_struct that is potentially dynamically sized and\nmay be copied to userspace is in the architecture-specific thread_struct\nat the end of task_struct.\n\ncache object allocation:\n kernel/fork.c:\n alloc_task_struct_node(...):\n return kmem_cache_alloc_node(task_struct_cachep, ...);\n\n dup_task_struct(...):\n ...\n tsk = alloc_task_struct_node(node);\n\n copy_process(...):\n ...\n dup_task_struct(...)\n\n _do_fork(...):\n ...\n copy_process(...)\n\nexample usage trace:\n\n arch/x86/kernel/fpu/signal.c:\n __fpu__restore_sig(...):\n ...\n struct task_struct *tsk = current;\n struct fpu *fpu = &tsk->thread.fpu;\n ...\n __copy_from_user(&fpu->state.xsave, ..., state_size);\n\n fpu__restore_sig(...):\n ...\n return __fpu__restore_sig(...);\n\n arch/x86/kernel/signal.c:\n restore_sigcontext(...):\n ...\n fpu__restore_sig(...)\n\nThis introduces arch_thread_struct_whitelist() to let an architecture\ndeclare specifically where the whitelist should be within thread_struct.\nIf undefined, the entire thread_struct field is left whitelisted.\n\nCc: Andrew Morton <akpm@linux-foundation.org>\nCc: Nicholas Piggin <npiggin@gmail.com>\nCc: Laura Abbott <labbott@redhat.com>\nCc: \"Mickaël Salaün\" <mic@digikod.net>\nCc: Ingo Molnar <mingo@kernel.org>\nCc: Thomas Gleixner <tglx@linutronix.de>\nCc: Andy Lutomirski <luto@kernel.org>\nSigned-off-by: Kees Cook <keescook@chromium.org>\nAcked-by: Rik van Riel <riel@redhat.com>\n---\n arch/Kconfig | 11 +++++++++++\n include/linux/sched/task.h | 14 ++++++++++++++\n kernel/fork.c | 22 ++++++++++++++++++++--\n 3 files changed, 45 insertions(+), 2 deletions(-)", "diff": "diff --git a/arch/Kconfig b/arch/Kconfig\nindex 1aafb4efbb51..43f2e7b033ca 100644\n--- a/arch/Kconfig\n+++ b/arch/Kconfig\n@@ -241,6 +241,17 @@ config ARCH_INIT_TASK\n config ARCH_TASK_STRUCT_ALLOCATOR\n \tbool\n \n+config HAVE_ARCH_THREAD_STRUCT_WHITELIST\n+\tbool\n+\tdepends on 
!ARCH_TASK_STRUCT_ALLOCATOR\n+\thelp\n+\t An architecture should select this to provide hardened usercopy\n+\t knowledge about what region of the thread_struct should be\n+\t whitelisted for copying to userspace. Normally this is only the\n+\t FPU registers. Specifically, arch_thread_struct_whitelist()\n+\t should be implemented. Without this, the entire thread_struct\n+\t field in task_struct will be left whitelisted.\n+\n # Select if arch has its private alloc_thread_stack() function\n config ARCH_THREAD_STACK_ALLOCATOR\n \tbool\ndiff --git a/include/linux/sched/task.h b/include/linux/sched/task.h\nindex 79a2a744648d..a5e6f0913f74 100644\n--- a/include/linux/sched/task.h\n+++ b/include/linux/sched/task.h\n@@ -103,6 +103,20 @@ extern int arch_task_struct_size __read_mostly;\n # define arch_task_struct_size (sizeof(struct task_struct))\n #endif\n \n+#ifndef CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST\n+/*\n+ * If an architecture has not declared a thread_struct whitelist we\n+ * must assume something there may need to be copied to userspace.\n+ */\n+static inline void arch_thread_struct_whitelist(unsigned long *offset,\n+\t\t\t\t\t\tunsigned long *size)\n+{\n+\t*offset = 0;\n+\t/* Handle dynamically sized thread_struct. */\n+\t*size = arch_task_struct_size - offsetof(struct task_struct, thread);\n+}\n+#endif\n+\n #ifdef CONFIG_VMAP_STACK\n static inline struct vm_struct *task_stack_vm_area(const struct task_struct *t)\n {\ndiff --git a/kernel/fork.c b/kernel/fork.c\nindex 720109dc723a..d8dcd8f8e82f 100644\n--- a/kernel/fork.c\n+++ b/kernel/fork.c\n@@ -454,6 +454,21 @@ static void set_max_threads(unsigned int max_threads_suggested)\n int arch_task_struct_size __read_mostly;\n #endif\n \n+static void task_struct_whitelist(unsigned long *offset, unsigned long *size)\n+{\n+\t/* Fetch thread_struct whitelist for the architecture. 
*/\n+\tarch_thread_struct_whitelist(offset, size);\n+\n+\t/*\n+\t * Handle zero-sized whitelist or empty thread_struct, otherwise\n+\t * adjust offset to position of thread_struct in task_struct.\n+\t */\n+\tif (unlikely(*size == 0))\n+\t\t*offset = 0;\n+\telse\n+\t\t*offset += offsetof(struct task_struct, thread);\n+}\n+\n void __init fork_init(void)\n {\n \tint i;\n@@ -462,11 +477,14 @@ void __init fork_init(void)\n #define ARCH_MIN_TASKALIGN\t0\n #endif\n \tint align = max_t(int, L1_CACHE_BYTES, ARCH_MIN_TASKALIGN);\n+\tunsigned long useroffset, usersize;\n \n \t/* create a slab on which task_structs can be allocated */\n-\ttask_struct_cachep = kmem_cache_create(\"task_struct\",\n+\ttask_struct_whitelist(&useroffset, &usersize);\n+\ttask_struct_cachep = kmem_cache_create_usercopy(\"task_struct\",\n \t\t\tarch_task_struct_size, align,\n-\t\t\tSLAB_PANIC|SLAB_NOTRACK|SLAB_ACCOUNT, NULL);\n+\t\t\tSLAB_PANIC|SLAB_NOTRACK|SLAB_ACCOUNT,\n+\t\t\tuseroffset, usersize, NULL);\n #endif\n \n \t/* do the arch specific task caches init */\n", "prefixes": [ "v3", "26/31" ] }
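Review bot: task_struct_whitelist() in the kernel/fork.c hunk is defined unconditionally, but its only caller shown, in fork_init(), sits inside the block that closes with `#endif` right after the kmem_cache_create_usercopy() call; if that block is the `CONFIG_ARCH_TASK_STRUCT_ALLOCATOR` guard (the hunk header shows only the nested ARCH_MIN_TASKALIGN one), builds with that option set would carry an unused static function and the matching warning. Wrapping the helper in `#ifndef CONFIG_ARCH_TASK_STRUCT_ALLOCATOR` / `#endif /* CONFIG_ARCH_TASK_STRUCT_ALLOCATOR */` keeps it paired with its caller and matches the `depends on !ARCH_TASK_STRUCT_ALLOCATOR` line added in the arch/Kconfig hunk. Separately, the helper hands the architecture-supplied offset and size to the slab layer without checking that the range lies inside thread_struct, so an arch_thread_struct_whitelist() implementation returning too large a size would silently widen the usercopy whitelist past thread_struct; a `WARN_ON(*offset + *size > arch_task_struct_size - offsetof(struct task_struct, thread));` placed before the offset adjustment would make such a misconfiguration visible at boot. The body of fork_init() continues outside the hunk.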