| From foo@baz Sun May 27 17:33:38 CEST 2018 |
| From: David Howells <dhowells@redhat.com> |
| Date: Thu, 15 Feb 2018 22:59:00 +0000 |
| Subject: rxrpc: Work around usercopy check |
| |
| From: David Howells <dhowells@redhat.com> |
| |
| [ Upstream commit a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d ] |
| |
| Due to a check recently added to copy_to_user(), it's now not permitted to |
| copy from slab-held data to userspace unless the slab is whitelisted. This |
| affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID |
| control message in the userspace control message buffer. A warning is |
| generated by usercopy_warn() because the source is the copy of the |
| user_call_ID retained in the rxrpc_call struct. |
| |
| Work around the issue by copying the user_call_ID to a variable on the |
| stack and passing that to put_cmsg(). |
| |
| The warning generated looks like: |
| |
| Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)! |
| WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0 |
| ... |
| RIP: 0010:usercopy_warn+0x7e/0xa0 |
| ... |
| Call Trace: |
| __check_object_size+0x9c/0x1a0 |
| put_cmsg+0x98/0x120 |
| rxrpc_recvmsg+0x6fc/0x1010 [rxrpc] |
| ? finish_wait+0x80/0x80 |
| ___sys_recvmsg+0xf8/0x240 |
| ? __clear_rsb+0x25/0x3d |
| ? __clear_rsb+0x15/0x3d |
| ? __clear_rsb+0x25/0x3d |
| ? __clear_rsb+0x15/0x3d |
| ? __clear_rsb+0x25/0x3d |
| ? __clear_rsb+0x15/0x3d |
| ? __clear_rsb+0x25/0x3d |
| ? __clear_rsb+0x15/0x3d |
| ? finish_task_switch+0xa6/0x2b0 |
| ? trace_hardirqs_on_caller+0xed/0x180 |
| ? _raw_spin_unlock_irq+0x29/0x40 |
| ? __sys_recvmsg+0x4e/0x90 |
| __sys_recvmsg+0x4e/0x90 |
| do_syscall_64+0x7a/0x220 |
| entry_SYSCALL_64_after_hwframe+0x26/0x9b |
| |
| Reported-by: Jonathan Billings <jsbillings@jsbillings.org> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Acked-by: Kees Cook <keescook@chromium.org> |
| Tested-by: Jonathan Billings <jsbillings@jsbillings.org> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/rxrpc/recvmsg.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| --- a/net/rxrpc/recvmsg.c |
| +++ b/net/rxrpc/recvmsg.c |
| @@ -493,9 +493,10 @@ try_again: |
| ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, |
| sizeof(unsigned int), &id32); |
| } else { |
| + unsigned long idl = call->user_call_ID; |
| + |
| ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, |
| - sizeof(unsigned long), |
| - &call->user_call_ID); |
| + sizeof(unsigned long), &idl); |
| } |
| if (ret < 0) |
| goto error; |
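| Review bot: the new `unsigned long idl = call->user_call_ID;` in the else branch carries no comment explaining why the value is copied to the stack, so a later cleanup could fold it back into `&call->user_call_ID` and reintroduce the usercopy_warn() hit the commit message describes; suggest a one-line comment on the declaration, e.g. `/* copy to stack: call is slab-allocated and not usercopy-whitelisted */`. It is worth noting that this also makes the branch consistent with the 32-bit path just above it, which already passes a stack variable (`&id32`) to put_cmsg() rather than a pointer into the call struct. |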