subject:"\[PATCH\] socket\: Provide bounce buffer for constant sized put

Re: [PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

2018-02-01 Thread kbuild test robot

Hi Kees,

I love your patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v4.15 next-20180201]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Kees-Cook/socket-Provide-bounce-buffer-for-constant-sized-put_cmsg/20180202-113637
reproduce:
# apt-get install sparse
make ARCH=x86_64 allmodconfig
make C=1 CF=-D__CHECK_ENDIAN__


sparse warnings: (new ones prefixed by >>)

>> net/bluetooth/hci_sock.c:1406:17: sparse: incorrect type in initializer 
>> (invalid types) @@ expected void _val @@ got void _val @@
   net/bluetooth/hci_sock.c:1406:17: expected void _val
   net/bluetooth/hci_sock.c:1406:17: got void 
>> net/bluetooth/hci_sock.c:1406:17: sparse: expression using sizeof(void)
   In file included from include/linux/compat.h:16:0,
from include/linux/ethtool.h:17,
from include/linux/netdevice.h:41,
from include/net/sock.h:51,
from include/net/bluetooth/bluetooth.h:29,
from net/bluetooth/hci_sock.c:32:
   net/bluetooth/hci_sock.c: In function 'hci_sock_cmsg':
   include/linux/socket.h:355:19: error: variable or field '_val' declared void
_val = 14- ^
   net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
^~~~
   include/linux/socket.h:355:26: warning: dereferencing 'void pointer
_val = 20- ^~~
   net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
^~~~
   include/linux/socket.h:355:26: error: void value not ignored as it ought to 
be
_val = 26- ^
   net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
^~~~

vim +1406 net/bluetooth/hci_sock.c

767c5eb5 Marcel Holtmann 2007-09-09  1405  
767c5eb5 Marcel Holtmann 2007-09-09 @1406   put_cmsg(msg, SOL_HCI, 
HCI_CMSG_TSTAMP, len, data);
a61bbcf2 Patrick McHardy 2005-08-14  1407   }
^1da177e Linus Torvalds  2005-04-16  1408  }
^1da177e Linus Torvalds  2005-04-16  1409  

:: The code at line 1406 was first introduced by commit
:: 767c5eb5d35aeb85987143f0a730bc21d3ecfb3d [Bluetooth] Add compat handling 
for timestamp structure

:: TO: Marcel Holtmann 
:: CC: Marcel Holtmann 

---
0-DAY kernel test infrastructureOpen Source Technology Center
https://lists.01.org/pipermail/kbuild-all   Intel Corporation

Re: [PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

2018-02-01 Thread kbuild test robot

Hi Kees,

I love your patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v4.15 next-20180201]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:
https://github.com/0day-ci/linux/commits/Kees-Cook/socket-Provide-bounce-buffer-for-constant-sized-put_cmsg/20180202-113637
config: i386-randconfig-s0-201804 (attached as .config)
compiler: gcc-6 (Debian 6.4.0-9) 6.4.0 20171026
reproduce:
# save the attached .config to linux build tree
make ARCH=i386 

All error/warnings (new ones prefixed by >>):

   In file included from include/linux/skbuff.h:23:0,
from include/linux/if_ether.h:23,
from include/uapi/linux/ethtool.h:19,
from include/linux/ethtool.h:18,
from include/linux/netdevice.h:41,
from include/net/sock.h:51,
from include/net/bluetooth/bluetooth.h:29,
from net/bluetooth/hci_sock.c:32:
   net/bluetooth/hci_sock.c: In function 'hci_sock_cmsg':
>> include/linux/socket.h:355:19: error: variable or field '_val' declared void
  typeof(*(_ptr)) _val = *(_ptr);\
  ^
>> net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
  put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
  ^~~~
>> include/linux/socket.h:355:26: warning: dereferencing 'void *' pointer
  typeof(*(_ptr)) _val = *(_ptr);\
 ^~~
>> net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
  put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
  ^~~~
>> include/linux/socket.h:355:26: error: void value not ignored as it ought to 
>> be
  typeof(*(_ptr)) _val = *(_ptr);\
 ^
>> net/bluetooth/hci_sock.c:1406:3: note: in expansion of macro 'put_cmsg'
  put_cmsg(msg, SOL_HCI, HCI_CMSG_TSTAMP, len, data);
  ^~~~
--
   In file included from include/linux/kernel.h:10:0,
from include/linux/list.h:9,
from include/linux/random.h:10,
from include/linux/net.h:22,
from net/rxrpc/recvmsg.c:14:
   In function 'rxrpc_recvmsg_new_call',
   inlined from 'rxrpc_recvmsg' at net/rxrpc/recvmsg.c:539:7:
>> include/linux/compiler.h:330:38: error: call to '__compiletime_assert_119' 
>> declared with attribute error: BUILD_BUG_ON failed: sizeof(_val) != (0)
 _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
 ^
   include/linux/compiler.h:310:4: note: in definition of macro 
'__compiletime_assert'
   prefix ## suffix();\
   ^~
   include/linux/compiler.h:330:2: note: in expansion of macro 
'_compiletime_assert'
 _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
 ^~~
   include/linux/build_bug.h:47:37: note: in expansion of macro 
'compiletime_assert'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^~
   include/linux/build_bug.h:71:2: note: in expansion of macro 
'BUILD_BUG_ON_MSG'
 BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
 ^~~~
>> include/linux/socket.h:356:3: note: in expansion of macro 'BUILD_BUG_ON'
  BUILD_BUG_ON(sizeof(_val) != (_len));   \
  ^~~~
>> net/rxrpc/recvmsg.c:119:8: note: in expansion of macro 'put_cmsg'
 ret = put_cmsg(msg, SOL_RXRPC, RXRPC_NEW_CALL, 0, );
   ^~~~
   In function 'rxrpc_recvmsg_term',
   inlined from 'rxrpc_recvmsg' at net/rxrpc/recvmsg.c:562:7:
   include/linux/compiler.h:330:38: error: call to '__compiletime_assert_77' 
declared with attribute error: BUILD_BUG_ON failed: sizeof(_val) != (0)
 _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
 ^
   include/linux/compiler.h:310:4: note: in definition of macro 
'__compiletime_assert'
   prefix ## suffix();\
   ^~
   include/linux/compiler.h:330:2: note: in expansion of macro 
'_compiletime_assert'
 _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
 ^~~
   include/linux/build_bug.h:47:37: note: in expansion of macro 
'compiletime_assert'
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
^~
   include/linux/build_bug.h:71:2: note: in expansion of macro 
'BUILD_BUG_ON_MSG'
 BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
 ^~~~
>> include/linux/socket.h:356:3: note: in expansion of macro 'BUILD_BUG_ON'
  BUILD_BUG_ON(sizeof(_val) != (_len));   \
  ^~~~
   net/rxrpc/recvmsg.c:77:10: note: in expansion of macro 'put_cmsg'
   ret = put_cmsg(msg, SOL_RXRPC, RXRPC_ACK,

[PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

2018-02-01 Thread Kees Cook

Most callers of put_cmsg() use a "sizeof(foo)" for the length argument.
Within put_cmsg(), a copy_to_user() call is made with a dynamic size, as a
result of the cmsg header calculations. This means that hardened usercopy
will examine the copy, even though it was technically a fixed size and
should be implicitly whitelisted. Since most whitelists for put_cmsg()
would need to be in skbuff_head_cache on a per-protocol basis, avoid this
complexity by just providing small bounce buffers where the size is fixed.

Original report was:

Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from 
SLAB object 'skbuff_head_cache' (offset 64, size 16)!
WARNING: CPU: 0 PID: 3663 at mm/usercopy.c:81 usercopy_warn+0xdb/0x100 
mm/usercopy.c:76
...
 __check_heap_object+0x89/0xc0 mm/slab.c:4426
 check_heap_object mm/usercopy.c:236 [inline]
 __check_object_size+0x272/0x530 mm/usercopy.c:259
 check_object_size include/linux/thread_info.h:112 [inline]
 check_copy_size include/linux/thread_info.h:143 [inline]
 copy_to_user include/linux/uaccess.h:154 [inline]
 put_cmsg+0x233/0x3f0 net/core/scm.c:242
 sock_recv_errqueue+0x200/0x3e0 net/core/sock.c:2913
 packet_recvmsg+0xb2e/0x17a0 net/packet/af_packet.c:3296
 sock_recvmsg_nosec net/socket.c:803 [inline]
 sock_recvmsg+0xc9/0x110 net/socket.c:810
 ___sys_recvmsg+0x2a4/0x640 net/socket.c:2179
 __sys_recvmmsg+0x2a9/0xaf0 net/socket.c:2287
 SYSC_recvmmsg net/socket.c:2368 [inline]
 SyS_recvmmsg+0xc4/0x160 net/socket.c:2352
 entry_SYSCALL_64_fastpath+0x29/0xa0

Reported-by: syzbot+e2d6cfb305e9f3911...@syzkaller.appspotmail.com
Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
Signed-off-by: Kees Cook 
---
 include/linux/socket.h | 18 +-
 net/core/scm.c |  4 ++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index 9286a5a8c60c..b3c5a075b7b3 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -342,7 +342,23 @@ struct ucred {
 #define IPX_TYPE   1
 
 extern int move_addr_to_kernel(void __user *uaddr, int ulen, struct 
sockaddr_storage *kaddr);
-extern int put_cmsg(struct msghdr*, int level, int type, int len, void *data);
+extern int __put_cmsg(struct msghdr*, int level, int type, int len, void 
*data);
+/*
+ * Provide a bounce buffer for copying cmsg data to userspace when the size
+ * is constant. Without this, hardened usercopy will see the dynamic size
+ * calculation in __put_cmsg and try to block it. Constant sized copies
+ * should not trigger hardened usercopy checks.
+ */
+#define put_cmsg(_msg, _level, _type, _len, _ptr) ({   \
+   int _rc;\
+   if (__builtin_constant_p(_len)) {   \
+   typeof(*(_ptr)) _val = *(_ptr); \
+   BUILD_BUG_ON(sizeof(_val) != (_len));   \
+   _rc = __put_cmsg(_msg, _level, _type, sizeof(_val), &_val); \
+   } else {\
+   _rc = __put_cmsg(_msg, _level, _type, _len, _ptr);  \
+   }   \
+   _rc;})
 
 struct timespec;
 
diff --git a/net/core/scm.c b/net/core/scm.c
index b1ff8a441748..3a3ecf528800 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -213,7 +213,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, 
struct scm_cookie *p)
 }
 EXPORT_SYMBOL(__scm_send);
 
-int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
+int __put_cmsg(struct msghdr *msg, int level, int type, int len, void *data)
 {
struct cmsghdr __user *cm
= (__force struct cmsghdr __user *)msg->msg_control;
@@ -250,7 +250,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int 
len, void *data)
 out:
return err;
 }
-EXPORT_SYMBOL(put_cmsg);
+EXPORT_SYMBOL(__put_cmsg);
 
 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 {
-- 
2.7.4


-- 
Kees Cook
Pixel Security

Re: [PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

Re: [PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

[PATCH] socket: Provide bounce buffer for constant sized put_cmsg()

3 matches

Site Navigation

Mail list logo

Footer information