/dev/mem: Add bounce buffer for copy-out
authorKees Cook <keescook@chromium.org>
Fri, 1 Dec 2017 21:19:39 +0000 (13:19 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 24 Mar 2018 10:01:24 +0000 (11:01 +0100)
[ Upstream commit 22ec1a2aea73b9dfe340dff7945bd85af4cc6280 ]

As done for /proc/kcore in

  commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data")

this adds a bounce buffer when reading memory via /dev/mem. This
is needed to allow kernel text memory to be read out when built with
CONFIG_HARDENED_USERCOPY (which refuses to read out kernel text) and
without CONFIG_STRICT_DEVMEM (which would have refused to read any RAM
contents at all).

Since this build configuration isn't common (most systems with
CONFIG_HARDENED_USERCOPY also have CONFIG_STRICT_DEVMEM), this also tries
to inform Kconfig about the recommended settings.

This patch is modified from Brad Spengler/PaX Team's changes to /dev/mem
code in the last public patch of grsecurity/PaX based on my understanding
of the code. Changes or omissions from the original code are mine and
don't reflect the original grsecurity/PaX code.

Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/char/mem.c
security/Kconfig

index 970e1242a282a097405cf30d0c87e7518bca67f4..3a70dba2c645ac1b7ab905c3bf4faa571e2e420d 100644 (file)
@@ -107,6 +107,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
        phys_addr_t p = *ppos;
        ssize_t read, sz;
        void *ptr;
+       char *bounce;
+       int err;
 
        if (p != *ppos)
                return 0;
@@ -129,15 +131,22 @@ static ssize_t read_mem(struct file *file, char __user *buf,
        }
 #endif
 
+       bounce = kmalloc(PAGE_SIZE, GFP_KERNEL);
+       if (!bounce)
+               return -ENOMEM;
+
        while (count > 0) {
                unsigned long remaining;
                int allowed;
 
                sz = size_inside_page(p, count);
 
+               err = -EPERM;
                allowed = page_is_allowed(p >> PAGE_SHIFT);
                if (!allowed)
-                       return -EPERM;
+                       goto failed;
+
+               err = -EFAULT;
                if (allowed == 2) {
                        /* Show zeros for restricted memory. */
                        remaining = clear_user(buf, sz);
@@ -149,24 +158,32 @@ static ssize_t read_mem(struct file *file, char __user *buf,
                         */
                        ptr = xlate_dev_mem_ptr(p);
                        if (!ptr)
-                               return -EFAULT;
-
-                       remaining = copy_to_user(buf, ptr, sz);
+                               goto failed;
 
+                       err = probe_kernel_read(bounce, ptr, sz);
                        unxlate_dev_mem_ptr(p, ptr);
+                       if (err)
+                               goto failed;
+
+                       remaining = copy_to_user(buf, bounce, sz);
                }
 
                if (remaining)
-                       return -EFAULT;
+                       goto failed;
 
                buf += sz;
                p += sz;
                count -= sz;
                read += sz;
        }
+       kfree(bounce);
 
        *ppos += read;
        return read;
+
+failed:
+       kfree(bounce);
+       return err;
 }
 
 static ssize_t write_mem(struct file *file, const char __user *buf,
index b5c2b5d0c6c0ebd1523ee3aa34fbf14dce97a448..87f2a6f842fd8bff16d14f34101a70fb264502c4 100644 (file)
@@ -154,6 +154,7 @@ config HARDENED_USERCOPY
        bool "Harden memory copies between kernel and userspace"
        depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
        select BUG
+       imply STRICT_DEVMEM
        help
          This option checks for obviously wrong memory regions when
          copying memory to/from the kernel (via copy_to_user() and