Skip to content
Snippets Groups Projects
Select Git revision
  • a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d
  • master default
  • android-container
  • nanopc-t4
  • for-kernelci
  • WIP-syscall
  • v4.16-rc5
  • v4.16-rc4
  • v4.16-rc3
  • v4.16-rc2
  • v4.16-rc1
  • v4.15
  • v4.15-rc9
  • v4.15-rc8
  • v4.15-rc7
  • v4.15-rc6
  • v4.15-rc5
  • v4.15-rc4
  • v4.15-rc3
  • v4.15-rc2
  • v4.15-rc1
  • v4.14
  • v4.14-rc8
  • v4.14-rc7
  • v4.14-rc6
  • v4.14-rc5
26 results

recvmsg.c

Blame
    • David Howells's avatar
      a16b8d0c
      rxrpc: Work around usercopy check · a16b8d0c
      David Howells authored
      
      Due to a check recently added to copy_to_user(), it's now not permitted to
      copy from slab-held data to userspace unless the slab is whitelisted.  This
      affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
      control message in the userspace control message buffer.  A warning is
      generated by usercopy_warn() because the source is the copy of the
      user_call_ID retained in the rxrpc_call struct.
      
      Work around the issue by copying the user_call_ID to a variable on the
      stack and passing that to put_cmsg().
      
      The warning generated looks like:
      
      	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
      	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      	...
      	RIP: 0010:usercopy_warn+0x7e/0xa0
      	...
      	Call Trace:
      	 __check_object_size+0x9c/0x1a0
      	 put_cmsg+0x98/0x120
      	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
      	 ? finish_wait+0x80/0x80
      	 ___sys_recvmsg+0xf8/0x240
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? finish_task_switch+0xa6/0x2b0
      	 ? trace_hardirqs_on_caller+0xed/0x180
      	 ? _raw_spin_unlock_irq+0x29/0x40
      	 ? __sys_recvmsg+0x4e/0x90
      	 __sys_recvmsg+0x4e/0x90
      	 do_syscall_64+0x7a/0x220
      	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
      
      Reported-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a16b8d0c
      History
      rxrpc: Work around usercopy check
      David Howells authored
      
      Due to a check recently added to copy_to_user(), it's now not permitted to
      copy from slab-held data to userspace unless the slab is whitelisted.  This
      affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
      control message in the userspace control message buffer.  A warning is
      generated by usercopy_warn() because the source is the copy of the
      user_call_ID retained in the rxrpc_call struct.
      
      Work around the issue by copying the user_call_ID to a variable on the
      stack and passing that to put_cmsg().
      
      The warning generated looks like:
      
      	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
      	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      	...
      	RIP: 0010:usercopy_warn+0x7e/0xa0
      	...
      	Call Trace:
      	 __check_object_size+0x9c/0x1a0
      	 put_cmsg+0x98/0x120
      	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
      	 ? finish_wait+0x80/0x80
      	 ___sys_recvmsg+0xf8/0x240
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? __clear_rsb+0x25/0x3d
      	 ? __clear_rsb+0x15/0x3d
      	 ? finish_task_switch+0xa6/0x2b0
      	 ? trace_hardirqs_on_caller+0xed/0x180
      	 ? _raw_spin_unlock_irq+0x29/0x40
      	 ? __sys_recvmsg+0x4e/0x90
      	 __sys_recvmsg+0x4e/0x90
      	 do_syscall_64+0x7a/0x220
      	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
      
      Reported-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarJonathan Billings <jsbillings@jsbillings.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    test_cgrp2_array_pin.c 2.24 KiB
    /* Copyright (c) 2016 Facebook
     *
     * This program is free software; you can redistribute it and/or
     * modify it under the terms of version 2 of the GNU General Public
     * License as published by the Free Software Foundation.
     */
    #include <linux/unistd.h>
    #include <linux/bpf.h>
    
    #include <stdio.h>
    #include <stdint.h>
    #include <unistd.h>
    #include <string.h>
    #include <errno.h>
    #include <fcntl.h>
    
    #include "libbpf.h"
    
    static void usage(void)
    {
    	printf("Usage: test_cgrp2_array_pin [...]\n");
    	printf("       -F <file>   File to pin an BPF cgroup array\n");
    	printf("       -U <file>   Update an already pinned BPF cgroup array\n");
    	printf("       -v <value>  Full path of the cgroup2\n");
    	printf("       -h          Display this help\n");
    }
    
    int main(int argc, char **argv)
    {
    	const char *pinned_file = NULL, *cg2 = NULL;
    	int create_array = 1;
    	int array_key = 0;
    	int array_fd = -1;
    	int cg2_fd = -1;
    	int ret = -1;
    	int opt;
    
    	while ((opt = getopt(argc, argv, "F:U:v:")) != -1) {
    		switch (opt) {
    		/* General args */
    		case 'F':
    			pinned_file = optarg;
    			break;
    		case 'U':
    			pinned_file = optarg;
    			create_array = 0;
    			break;
    		case 'v':
    			cg2 = optarg;
    			break;
    		default:
    			usage();
    			goto out;
    		}
    	}
    
    	if (!cg2 || !pinned_file) {
    		usage();
    		goto out;
    	}
    
    	cg2_fd = open(cg2, O_RDONLY);
    	if (cg2_fd < 0) {
    		fprintf(stderr, "open(%s,...): %s(%d)\n",
    			cg2, strerror(errno), errno);
    		goto out;
    	}
    
    	if (create_array) {
    		array_fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_ARRAY,
    					  sizeof(uint32_t), sizeof(uint32_t),
    					  1, 0);
    		if (array_fd < 0) {
    			fprintf(stderr,
    				"bpf_create_map(BPF_MAP_TYPE_CGROUP_ARRAY,...): %s(%d)\n",
    				strerror(errno), errno);
    			goto out;
    		}
    	} else {
    		array_fd = bpf_obj_get(pinned_file);
    		if (array_fd < 0) {
    			fprintf(stderr, "bpf_obj_get(%s): %s(%d)\n",
    				pinned_file, strerror(errno), errno);
    			goto out;
    		}
    	}
    
    	ret = bpf_update_elem(array_fd, &array_key, &cg2_fd, 0);
    	if (ret) {
    		perror("bpf_update_elem");
    		goto out;
    	}
    
    	if (create_array) {
    		ret = bpf_obj_pin(array_fd, pinned_file);
    		if (ret) {
    			fprintf(stderr, "bpf_obj_pin(..., %s): %s(%d)\n",
    				pinned_file, strerror(errno), errno);
    			goto out;
    		}
    	}
    
    out:
    	if (array_fd != -1)
    		close(array_fd);
    	if (cg2_fd != -1)
    		close(cg2_fd);
    	return ret;
    }