[4.19,007/267] make user_access_begin() do access_ok()

Message ID	20200619141649.210759168@linuxfoundation.org
State	Superseded
Headers	show Return-Path: <SRS0=CyoZ=AA=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Linus Torvalds <torvalds@linux-foundation.org>, Miles Chen <miles.chen@mediatek.com> Subject: [PATCH 4.19 007/267] make user_access_begin() do access_ok() Date: Fri, 19 Jun 2020 16:29:52 +0200 Message-Id: <20200619141649.210759168@linuxfoundation.org> In-Reply-To: <20200619141648.840376470@linuxfoundation.org> References: <20200619141648.840376470@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.19,002/267] net_failover: fixed rollback in net_failover_open() [4.19,004/267] vxlan: Avoid infinite loop when suppressing NS messages with invalid options [4.19,006/267] selftests: bpf: fix use of undeclared RET_IF macro [4.19,007/267] make user_access_begin() do access_ok() [4.19,010/267] x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() [4.19,011/267] lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() [4.19,012/267] btrfs: merge btrfs_find_device and find_device [4.19,015/267] Input: mms114 - fix handling of mms345l [4.19,017/267] sched/fair: Dont NUMA balance for kthreads [4.19,020/267] powerpc/xive: Clear the page tables for the ESB IO mapping [4.19,021/267] ath9k_htc: Silence undersized packet warnings [4.19,023/267] x86/cpu/amd: Make erratum #1054 a legacy erratum [4.19,024/267] perf probe: Accept the instance number of kretprobe event [4.19,027/267] btrfs: tree-checker: Check level for leaves and nodes [4.19,029/267] x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs [4.19,033/267] ALSA: es1688: Add the missed snd_card_free() [4.19,034/267] ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines [4.19,036/267] ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock [4.19,040/267] ACPI: PM: Avoid using power resources if there are none for D0 [4.19,041/267] cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages [4.19,043/267] spi: dw: Fix controller unregister order [4.19,046/267] PM: runtime: clk: Fix clk_pm_runtime_get() error path [4.19,047/267] crypto: cavium/nitrox - Fix nitrox_get_first_device() when ndevlist is fully iterated [4.19,050/267] KVM: x86: Fix APIC page invalidation race [4.19,052/267] KVM: x86/mmu: Consolidate "is MMIO SPTE" code [4.19,053/267] KVM: x86: only do L1TF workaround on affected processors [4.19,055/267] x86/speculation: Add support for STIBP always-on preferred mode [4.19,057/267] x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches. [4.19,059/267] spi: Fix controller unregister order [4.19,060/267] spi: pxa2xx: Fix controller unregister order [4.19,062/267] spi: pxa2xx: Balance runtime PM enable/disable on error [4.19,063/267] spi: pxa2xx: Fix runtime PM ref imbalance on probe error [4.19,067/267] selftests/net: in rxtimestamp getopt_long needs terminating null entry [4.19,068/267] ovl: initialize error in ovl_copy_xattr [4.19,070/267] video: fbdev: w100fb: Fix a potential double free. [4.19,071/267] KVM: nSVM: fix condition for filtering async PF [4.19,073/267] KVM: nVMX: Consult only the "basic" exit reason when routing nested exit [4.19,075/267] KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits [4.19,076/267] KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts [4.19,078/267] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx [4.19,081/267] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb [4.19,083/267] drm/vkms: Hold gem object while still in-use [4.19,085/267] fat: dont allow to mount if the FAT length == 0 [4.19,086/267] perf: Add cond_resched() to task_function_call() [4.19,090/267] mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() [4.19,091/267] xen/pvcalls-back: test for errors when calling backend_connect() [4.19,094/267] drm: bridge: adv7511: Extend list of audio sample rates [4.19,095/267] crypto: ccp -- dont "select" CONFIG_DMADEVICES [4.19,098/267] spi: pxa2xx: Apply CS clk quirk to BXT [4.19,099/267] net: atlantic: make hw_get_regs optional [4.19,101/267] efi/libstub/x86: Work around LLVM ELF quirk build regression [4.19,102/267] arm64: cacheflush: Fix KGDB trap detection [4.19,103/267] spi: dw: Zero DMA Tx and Rx configurations on stack [4.19,105/267] ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K [4.19,106/267] MIPS: Loongson: Build ATI Radeon GPU driver as module [4.19,110/267] spi: dw: Enable interrupts in accordance with DMA xfer mode [4.19,111/267] clocksource: dw_apb_timer: Make CPU-affiliation being optional [4.19,112/267] clocksource: dw_apb_timer_of: Fix missing clockevent timers [4.19,114/267] ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE [4.19,115/267] batman-adv: Revert "disable ethtool link speed detection when auto negotiation off" [4.19,116/267] mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error [4.19,120/267] staging: android: ion: use vmap instead of vm_map_ram [4.19,123/267] e1000: Distribute switch variables for initialization [4.19,126/267] media: dvb: return -EREMOTEIO on i2c transfer failure. [4.19,128/267] MIPS: Make sparse_init() using top-down allocation [4.19,130/267] audit: fix a net reference leak in audit_list_rules_send() [4.19,133/267] net: bcmgenet: set Rx mode before starting netif [4.19,137/267] drivers/perf: hisi: Fix typo in events attribute array [4.19,138/267] net: lpc-enet: fix error return code in lpc_mii_init() [4.19,139/267] media: cec: silence shift wrapping warning in __cec_s_log_addrs() [4.19,141/267] powerpc/spufs: fix copy_to_user while atomic [4.19,143/267] Crypto/chcr: fix for ccm(aes) failed test [4.19,146/267] kgdb: Fix spurious true from in_dbg_master() [4.19,148/267] xfs: fix duplicate verification from xfs_qm_dqflush() [4.19,149/267] platform/x86: intel-vbtn: Use acpi_evaluate_integer() [4.19,150/267] platform/x86: intel-vbtn: Split keymap into buttons and switches parts [4.19,151/267] platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not t... [4.19,152/267] platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Port... [4.19,154/267] ath10k: Remove msdu from idr when management pkt send fails [4.19,155/267] wcn36xx: Fix error handling path in wcn36xx_probe() [4.19,156/267] net: qed*: Reduce RX and TX default ring count when running inside kdump kernel [4.19,159/267] veth: Adjust hard_start offset on redirect XDP frames [4.19,161/267] rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() [4.19,162/267] mwifiex: Fix memory corruption in dump_station [4.19,165/267] mips: Add udelay lpj numbers adjustment [4.19,166/267] crypto: stm32/crc32 - fix ext4 chksum BUG_ON() [4.19,169/267] x86/mm: Stop printing BRK addresses [4.19,170/267] m68k: mac: Dont call via_flush_cache() on Mac IIfx [4.19,174/267] PCI: Dont disable decoding when mmio_always_on is set [4.19,176/267] bcache: fix refcount underflow in bcache_device_free() [4.19,177/267] mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk [4.19,178/267] staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core [4.19,179/267] mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core [4.19,182/267] spi: dw: Return any value retrieved from the dma_transfer callback [4.19,183/267] cpuidle: Fix three reference count leaks [4.19,186/267] platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis... [4.19,187/267] string.h: fix incompatibility between FORTIFY_SOURCE and KASAN [4.19,189/267] btrfs: send: emit file capabilities after chown [4.19,194/267] ima: Directly assign the ima_default_policy pointer to ima_rules [4.19,195/267] evm: Fix possible memory leak in evm_calc_hmac_or_hash() [4.19,196/267] ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max [4.19,198/267] ext4: fix race between ext4_sync_parent() and rename() [4.19,202/267] PCI: Add ACS quirk for iProc PAXB [4.19,203/267] PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints [4.19,205/267] pci:ipmi: Move IPMI PCI class id defines to pci_ids.h [4.19,206/267] hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs [4.19,209/267] PCI: Move Synopsys HAPS platform device IDs [4.19,211/267] misc: pci_endpoint_test: Add the layerscape EP device support [4.19,212/267] misc: pci_endpoint_test: Add support to test PCI EP in AM654x [4.19,213/267] PCI: Add Synopsys endpoint EDDA Device ID [4.19,215/267] PCI: Enable NVIDIA HDA controllers [4.19,217/267] x86/amd_nb: Add PCI device IDs for family 17h, model 70h [4.19,218/267] ALSA: lx6464es - add support for LX6464ESe pci express variant [4.19,221/267] PCI: vmd: Add device id for VMD device 8086:9A0B [4.19,222/267] x86/amd_nb: Add Family 19h PCI IDs [4.19,223/267] PCI: Add Loongson vendor ID [4.19,225/267] PCI: Make ACS quirk implementations more uniform [4.19,227/267] PCI: Generalize multi-function power dependency device links [4.19,229/267] btrfs: fix wrong file range cleanup after an error filling dealloc range [4.19,232/267] e1000e: Disable TSO for buffer overrun workaround [4.19,234/267] carl9170: remove P2P_GO support [4.19,236/267] Bluetooth: hci_bcm: fix freeing not-requested IRQ [4.19,238/267] b43: Fix connection problem with WPA3 [4.19,241/267] igb: Report speed and duplex as unknown when device is runtime suspended [4.19,242/267] power: vexpress: add suppress_bind_attrs to true [4.19,244/267] pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs [4.19,246/267] sparc32: fix register window handling in genregs32_[gs]et() [4.19,247/267] sparc64: fix misuses of access_process_vm() in genregs32_[sg]et() [4.19,251/267] ARM: tegra: Correct PL310 Auxiliary Control Register initialization [4.19,252/267] ARM: dts: exynos: Fix GPIO polarity for thr GalaxyS3 CM36651 sensors bus [4.19,253/267] ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin [4.19,254/267] ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries [4.19,256/267] powerpc/64s: Dont let DT CPU features set FSCR_DSCR [4.19,257/267] powerpc/64s: Save FSCR to init_task.thread.fscr after feature init [4.19,260/267] sunrpc: clean up properly in gss_mech_unregister() [4.19,262/267] mtd: rawnand: pasemi: Fix the probe error path [4.19,263/267] w1: omap-hdq: cleanup to add missing newline for some dev_dbg [4.19,264/267] perf probe: Do not show the skipped events

Message ID

20200619141649.210759168@linuxfoundation.org

State

Superseded

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Miles Chen <miles.chen@mediatek.com>
Subject: [PATCH 4.19 007/267] make user_access_begin() do access_ok()
Date: Fri, 19 Jun 2020 16:29:52 +0200
Message-Id: <20200619141649.210759168@linuxfoundation.org>
In-Reply-To: <20200619141648.840376470@linuxfoundation.org>
References: <20200619141648.840376470@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman June 19, 2020, 2:29 p.m. UTC

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 594cc251fdd0d231d342d88b2fdff4bc42fb0690 upstream.

Originally, the rule used to be that you'd have to do access_ok()
separately, and then user_access_begin() before actually doing the
direct (optimized) user access.

But experience has shown that people then decide not to do access_ok()
at all, and instead rely on it being implied by other operations or
similar.  Which makes it very hard to verify that the access has
actually been range-checked.

If you use the unsafe direct user accesses, hardware features (either
SMAP - Supervisor Mode Access Protection - on x86, or PAN - Privileged
Access Never - on ARM) do force you to use user_access_begin().  But
nothing really forces the range check.

By putting the range check into user_access_begin(), we actually force
people to do the right thing (tm), and the range check vill be visible
near the actual accesses.  We have way too long a history of people
trying to avoid them.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/uaccess.h             |   12 +++++++++++-
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   16 ++++++++++++++--
 include/linux/uaccess.h                    |    2 +-
 kernel/compat.c                            |    6 ++----
 kernel/exit.c                              |    6 ++----
 lib/strncpy_from_user.c                    |    9 +++++----
 lib/strnlen_user.c                         |    9 +++++----
 7 files changed, 40 insertions(+), 20 deletions(-)

--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -711,7 +711,17 @@  extern struct movsl_mask {
  * checking before using them, but you have to surround them with the
  * user_access_begin/end() pair.
  */
-#define user_access_begin()	__uaccess_begin()
+static __must_check inline bool user_access_begin(int type,
+						  const void __user *ptr,
+						  size_t len)
+{
+	if (unlikely(!access_ok(type, ptr, len)))
+		return 0;
+	__uaccess_begin();
+	return 1;
+}
+
+#define user_access_begin(a, b, c)	user_access_begin(a, b, c)
 #define user_access_end()	__uaccess_end()
 
 #define unsafe_put_user(x, ptr, err_label)					\
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1604,7 +1604,9 @@  static int eb_copy_relocations(const str
 		 * happened we would make the mistake of assuming that the
 		 * relocations were valid.
 		 */
-		user_access_begin();
+		if (!user_access_begin(VERIFY_WRITE, urelocs, size))
+			goto end_user;
+
 		for (copied = 0; copied < nreloc; copied++)
 			unsafe_put_user(-1,
 					&urelocs[copied].presumed_offset,
@@ -2649,7 +2651,17 @@  i915_gem_execbuffer2_ioctl(struct drm_de
 		unsigned int i;
 
 		/* Copy the new buffer offsets back to the user's exec list. */
-		user_access_begin();
+		/*
+		 * Note: count * sizeof(*user_exec_list) does not overflow,
+		 * because we checked 'count' in check_buffer_count().
+		 *
+		 * And this range already got effectively checked earlier
+		 * when we did the "copy_from_user()" above.
+		 */
+		if (!user_access_begin(VERIFY_WRITE, user_exec_list,
+				       count * sizeof(*user_exec_list)))
+			goto end_user;
+
 		for (i = 0; i < args->buffer_count; i++) {
 			if (!(exec2_list[i].offset & UPDATE))
 				continue;
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -267,7 +267,7 @@  extern long strncpy_from_unsafe(char *ds
 	probe_kernel_read(&retval, addr, sizeof(retval))
 
 #ifndef user_access_begin
-#define user_access_begin() do { } while (0)
+#define user_access_begin(type, ptr, len) access_ok(type, ptr, len)
 #define user_access_end() do { } while (0)
 #define unsafe_get_user(x, ptr, err) do { if (unlikely(__get_user(x, ptr))) goto err; } while (0)
 #define unsafe_put_user(x, ptr, err) do { if (unlikely(__put_user(x, ptr))) goto err; } while (0)
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -354,10 +354,9 @@  long compat_get_bitmap(unsigned long *ma
 	bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
 	nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-	if (!access_ok(VERIFY_READ, umask, bitmap_size / 8))
+	if (!user_access_begin(VERIFY_READ, umask, bitmap_size / 8))
 		return -EFAULT;
 
-	user_access_begin();
 	while (nr_compat_longs > 1) {
 		compat_ulong_t l1, l2;
 		unsafe_get_user(l1, umask++, Efault);
@@ -384,10 +383,9 @@  long compat_put_bitmap(compat_ulong_t __
 	bitmap_size = ALIGN(bitmap_size, BITS_PER_COMPAT_LONG);
 	nr_compat_longs = BITS_TO_COMPAT_LONGS(bitmap_size);
 
-	if (!access_ok(VERIFY_WRITE, umask, bitmap_size / 8))
+	if (!user_access_begin(VERIFY_WRITE, umask, bitmap_size / 8))
 		return -EFAULT;
 
-	user_access_begin();
 	while (nr_compat_longs > 1) {
 		unsigned long m = *mask++;
 		unsafe_put_user((compat_ulong_t)m, umask++, Efault);
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -1617,10 +1617,9 @@  SYSCALL_DEFINE5(waitid, int, which, pid_
 	if (!infop)
 		return err;
 
-	if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+	if (!user_access_begin(VERIFY_WRITE, infop, sizeof(*infop)))
 		return -EFAULT;
 
-	user_access_begin();
 	unsafe_put_user(signo, &infop->si_signo, Efault);
 	unsafe_put_user(0, &infop->si_errno, Efault);
 	unsafe_put_user(info.cause, &infop->si_code, Efault);
@@ -1745,10 +1744,9 @@  COMPAT_SYSCALL_DEFINE5(waitid,
 	if (!infop)
 		return err;
 
-	if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
+	if (!user_access_begin(VERIFY_WRITE, infop, sizeof(*infop)))
 		return -EFAULT;
 
-	user_access_begin();
 	unsafe_put_user(signo, &infop->si_signo, Efault);
 	unsafe_put_user(0, &infop->si_errno, Efault);
 	unsafe_put_user(info.cause, &infop->si_code, Efault);
--- a/lib/strncpy_from_user.c
+++ b/lib/strncpy_from_user.c
@@ -115,10 +115,11 @@  long strncpy_from_user(char *dst, const
 
 		kasan_check_write(dst, count);
 		check_object_size(dst, count, false);
-		user_access_begin();
-		retval = do_strncpy_from_user(dst, src, count, max);
-		user_access_end();
-		return retval;
+		if (user_access_begin(VERIFY_READ, src, max)) {
+			retval = do_strncpy_from_user(dst, src, count, max);
+			user_access_end();
+			return retval;
+		}
 	}
 	return -EFAULT;
 }
--- a/lib/strnlen_user.c
+++ b/lib/strnlen_user.c
@@ -114,10 +114,11 @@  long strnlen_user(const char __user *str
 		unsigned long max = max_addr - src_addr;
 		long retval;
 
-		user_access_begin();
-		retval = do_strnlen_user(str, count, max);
-		user_access_end();
-		return retval;
+		if (user_access_begin(VERIFY_READ, str, max)) {
+			retval = do_strnlen_user(str, count, max);
+			user_access_end();
+			return retval;
+		}
 	}
 	return 0;
 }

[4.19,007/267] make user_access_begin() do access_ok()

Commit Message

Patch