• Kees Cook's avatar
    net: Whitelist the skbuff_head_cache "cb" field · 79a8a642
    Kees Cook authored
    Most callers of put_cmsg() use a "sizeof(foo)" for the length argument.
    Within put_cmsg(), a copy_to_user() call is made with a dynamic size, as a
    result of the cmsg header calculations. This means that hardened usercopy
    will examine the copy, even though it was technically a fixed size and
    should be implicitly whitelisted. All the put_cmsg() calls being built
    from values in skbuff_head_cache are coming out of the protocol-defined
    "cb" field, so whitelist this field entirely instead of creating per-use
    bounce buffers, for which there are concerns about performance.
    
    Original report was:
    
    Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLAB object 'skbuff_head_cache' (offset 64, size 16)!
    WARNING: CPU: 0 PID: 3663 at mm/usercopy.c:81 usercopy_warn+0xdb/0x100 mm/usercopy.c:76
    ...
     __check_heap_object+0x89/0xc0 mm/slab.c:4426
     check_heap_object mm/usercopy.c:236 [inline]
     __check_object_size+0x272/0x530 mm/usercopy.c:259
     check_object_size include/linux/thread_info.h:112 [inline]
     check_copy_size include/linux/thread_info.h:143 [inline]
     copy_to_user include/linux/uaccess.h:154 [inline]
     put_cmsg+0x233/0x3f0 net/core/scm.c:242
     sock_recv_errqueue+0x200/0x3e0 net/core/sock.c:2913
     packet_recvmsg+0xb2e/0x17a0 net/packet/af_packet.c:3296
     sock_recvmsg_nosec net/socket.c:803 [inline]
     sock_recvmsg+0xc9/0x110 net/socket.c:810
     ___sys_recvmsg+0x2a4/0x640 net/socket.c:2179
     __sys_recvmmsg+0x2a9/0xaf0 net/socket.c:2287
     SYSC_recvmmsg net/socket.c:2368 [inline]
     SyS_recvmmsg+0xc4/0x160 net/socket.c:2352
     entry_SYSCALL_64_fastpath+0x29/0xa0
    
    Reported-by: syzbot+e2d6cfb305e9f3911dea@syzkaller.appspotmail.com
    Fixes: 6d07d1cd ("usercopy: Restrict non-usercopy caches to size 0")
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    79a8a642
skbuff.c 135 KB