    rxrpc: Work around usercopy check · a16b8d0c
    David Howells authored
    Due to a check recently added to copy_to_user(), it's now not permitted to
    copy from slab-held data to userspace unless the slab is whitelisted.  This
    affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
    control message in the userspace control message buffer.  A warning is
    generated by usercopy_warn() because the source is the copy of the
    user_call_ID retained in the rxrpc_call struct.
    
    Work around the issue by copying the user_call_ID to a variable on the
    stack and passing that to put_cmsg().
    
    The warning generated looks like:
    
    	Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
    	WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
    	...
    	RIP: 0010:usercopy_warn+0x7e/0xa0
    	...
    	Call Trace:
    	 __check_object_size+0x9c/0x1a0
    	 put_cmsg+0x98/0x120
    	 rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
    	 ? finish_wait+0x80/0x80
    	 ___sys_recvmsg+0xf8/0x240
    	 ? __clear_rsb+0x25/0x3d
    	 ? __clear_rsb+0x15/0x3d
    	 ? __clear_rsb+0x25/0x3d
    	 ? __clear_rsb+0x15/0x3d
    	 ? __clear_rsb+0x25/0x3d
    	 ? __clear_rsb+0x15/0x3d
    	 ? __clear_rsb+0x25/0x3d
    	 ? __clear_rsb+0x15/0x3d
    	 ? finish_task_switch+0xa6/0x2b0
    	 ? trace_hardirqs_on_caller+0xed/0x180
    	 ? _raw_spin_unlock_irq+0x29/0x40
    	 ? __sys_recvmsg+0x4e/0x90
    	 __sys_recvmsg+0x4e/0x90
    	 do_syscall_64+0x7a/0x220
    	 entry_SYSCALL_64_after_hwframe+0x26/0x9b
    
    Reported-by: Jonathan Billings <jsbillings@jsbillings.org>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Tested-by: Jonathan Billings <jsbillings@jsbillings.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
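The commit message above describes the hardened-usercopy whitelist rule and the stack-copy workaround in a few sentences. The following is an added user-space model of that rule, written for this page; it is not code from the rxrpc patch or from the kernel. It assumes a simplified slab cache with a single whitelisted region per object (the kernel sets that region with kmem_cache_create_usercopy()'s useroffset/usersize), and all function and type names (slab_cache, call_model, check_object_size_model, put_cmsg_model, recvmsg_before, recvmsg_after, scenario_result, scenario_id) are hypothetical stand-ins. It shows three cases: the pre-patch call with a pointer into the slab object (refused), the patched call with a stack copy (passes, because the stack is not slab memory), and the alternative fix of whitelisting the user_call_ID field in the cache itself (also passes). The "constructed" values are sample data for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel or rxrpc code: a user-space model of the
 * hardened-usercopy whitelist check that produced the warning above.
 * All names below are hypothetical stand-ins for the kernel's functions. */

/* A slab cache may whitelist one region of each object for copies to/from
 * user space (useroffset/usersize, fixed when the cache is created). Any
 * other byte of the object is refused by the usercopy check. */
struct slab_cache {
    const char *name;
    unsigned char *base;    /* the single object this model holds */
    size_t obj_size;
    size_t useroffset;      /* whitelist: [useroffset, useroffset + usersize) */
    size_t usersize;
};

/* Stand-in for rxrpc_call: the user_call_ID is retained inside the object. */
struct call_model {
    uint32_t state;
    unsigned long user_call_ID;
    unsigned char other[24];
};

enum copy_result { COPY_OK = 0, COPY_DENIED = 1 };

/* Model of __check_object_size(): a source inside a slab object must lie
 * entirely within the cache's whitelist; memory that is not part of the
 * slab object (e.g. a stack variable) is not subject to the whitelist. */
static enum copy_result check_object_size_model(const struct slab_cache *c,
                                                const void *src, size_t n)
{
    uintptr_t p = (uintptr_t)src, lo = (uintptr_t)c->base;
    if (p < lo || p + n > lo + c->obj_size)
        return COPY_OK;                       /* not from this slab object */
    size_t off = (size_t)(p - lo);
    if (off < c->useroffset || off + n > c->useroffset + c->usersize) {
        fprintf(stderr, "usercopy: SLUB object '%s' (offset %zu, size %zu)"
                        " is not whitelisted\n", c->name, off, n);
        return COPY_DENIED;
    }
    return COPY_OK;
}

/* Model of put_cmsg(): the check runs before the data reaches the
 * (simulated) user control-message buffer. */
static enum copy_result put_cmsg_model(const struct slab_cache *c, void *ubuf,
                                       const void *src, size_t n)
{
    enum copy_result r = check_object_size_model(c, src, n);
    if (r == COPY_OK)
        memcpy(ubuf, src, n);
    return r;
}

/* Before the patch: put_cmsg() is handed a pointer into the slab object. */
static enum copy_result recvmsg_before(const struct slab_cache *c,
                                       const struct call_model *call,
                                       unsigned long *ubuf)
{
    return put_cmsg_model(c, ubuf, &call->user_call_ID,
                          sizeof(call->user_call_ID));
}

/* After the patch: copy the ID to the stack and pass that copy instead. */
static enum copy_result recvmsg_after(const struct slab_cache *c,
                                      const struct call_model *call,
                                      unsigned long *ubuf)
{
    unsigned long id = call->user_call_ID;
    return put_cmsg_model(c, ubuf, &id, sizeof(id));
}

/* whitelist_id != 0 models the alternative fix of declaring user_call_ID as
 * the cache's usercopy region; patched selects recvmsg_after(). *out gets
 * the delivered ID (0 if the copy was refused). */
static enum copy_result run_scenario(int whitelist_id, int patched,
                                     unsigned long *out)
{
    static struct call_model obj;             /* constructed slab object */
    struct slab_cache cache = {
        .name = "rxrpc_call_model",
        .base = (unsigned char *)&obj,
        .obj_size = sizeof(obj),
        .useroffset = whitelist_id ? offsetof(struct call_model, user_call_ID) : 0,
        .usersize = whitelist_id ? sizeof(obj.user_call_ID) : 0,
    };
    obj.user_call_ID = 0x1234;                /* constructed ID */
    *out = 0;
    return patched ? recvmsg_after(&cache, &obj, out)
                   : recvmsg_before(&cache, &obj, out);
}

static enum copy_result scenario_result(int whitelist_id, int patched)
{
    unsigned long id;
    return run_scenario(whitelist_id, patched, &id);
}

static unsigned long scenario_id(int whitelist_id, int patched)
{
    unsigned long id;
    run_scenario(whitelist_id, patched, &id);
    return id;
}

int main(void)
{
    printf("unpatched, no whitelist : %s\n",
           scenario_result(0, 0) == COPY_OK ? "ok" : "denied");
    printf("patched, no whitelist   : %s (id 0x%lx)\n",
           scenario_result(0, 1) == COPY_OK ? "ok" : "denied", scenario_id(0, 1));
    printf("unpatched, field whitelisted: %s (id 0x%lx)\n",
           scenario_result(1, 0) == COPY_OK ? "ok" : "denied", scenario_id(1, 0));
    return 0;
}
```

The model makes the trade-off visible: the stack copy sidesteps the check for this one field without touching the cache definition, whereas whitelisting the field moves the decision into the cache and would also cover any other copy of that field. Either way the check only constrains slab-backed sources; it is no substitute for bounds on the copy itself.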