Due to a check recently added to copy_to_user(), it's now not permitted to
copy from slab-held data to userspace unless the slab is whitelisted.  This
affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID
control message in the userspace control message buffer.  A warning is
generated by usercopy_warn() because the source is the copy of the
user_call_ID retained in the rxrpc_call struct.

Work around the issue by copying the user_call_ID to a variable on the
stack and passing that to put_cmsg().

The warning generated looks like:

        Bad or missing usercopy whitelist? Kernel memory exposure attempt 
detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)!
        WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
        ...
        RIP: 0010:usercopy_warn+0x7e/0xa0
        ...
        Call Trace:
         __check_object_size+0x9c/0x1a0
         put_cmsg+0x98/0x120
         rxrpc_recvmsg+0x6fc/0x1010 [rxrpc]
         ? finish_wait+0x80/0x80
         ___sys_recvmsg+0xf8/0x240
         ? __clear_rsb+0x25/0x3d
         ? __clear_rsb+0x15/0x3d
         ? __clear_rsb+0x25/0x3d
         ? __clear_rsb+0x15/0x3d
         ? __clear_rsb+0x25/0x3d
         ? __clear_rsb+0x15/0x3d
         ? __clear_rsb+0x25/0x3d
         ? __clear_rsb+0x15/0x3d
         ? finish_task_switch+0xa6/0x2b0
         ? trace_hardirqs_on_caller+0xed/0x180
         ? _raw_spin_unlock_irq+0x29/0x40
         ? __sys_recvmsg+0x4e/0x90
         __sys_recvmsg+0x4e/0x90
         do_syscall_64+0x7a/0x220
         entry_SYSCALL_64_after_hwframe+0x26/0x9b

Reported-by: Jonathan Billings <jsbilli...@jsbillings.org>
Signed-off-by: David Howells <dhowe...@redhat.com>
Acked-by: Kees Cook <keesc...@chromium.org>
Tested-by: Jonathan Billings <jsbilli...@jsbillings.org>
---

 net/rxrpc/recvmsg.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index cc21e8db25b0..9d45d8b56744 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -517,9 +517,10 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, 
size_t len,
                        ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
                                       sizeof(unsigned int), &id32);
                } else {
+                       unsigned long idl = call->user_call_ID;
+
                        ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
-                                      sizeof(unsigned long),
-                                      &call->user_call_ID);
+                                      sizeof(unsigned long), &idl);
                }
                if (ret < 0)
                        goto error_unlock_call;

Reply via email to