Message ID | 20250117130337.4716-2-mgorman@techsingularity.net |
---|---|
State | Superseded |
Series | Allow default HARDENED_USERCOPY to be set at compile time |
On Fri, Jan 17, 2025 at 01:03:35PM +0000, Mel Gorman wrote: > There is a submenu for 'Kernel hardening options' under "Security". > Move HARDENED_USERCOPY under the hardening options as it is clearly > related. > > Signed-off-by: Mel Gorman <mgorman@techsingularity.net> > --- > security/Kconfig | 12 ------------ > security/Kconfig.hardening | 16 ++++++++++++++++ > 2 files changed, 16 insertions(+), 12 deletions(-) > > diff --git a/security/Kconfig b/security/Kconfig > index 28e685f53bd1..fe7346dc4bc3 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR > this low address space will need the permission specific to the > systems running LSM. > > -config HARDENED_USERCOPY > - bool "Harden memory copies between kernel and userspace" > - imply STRICT_DEVMEM > - help > - This option checks for obviously wrong memory regions when > - copying memory to/from the kernel (via copy_to_user() and > - copy_from_user() functions) by rejecting memory ranges that > - are larger than the specified heap object, span multiple > - separately allocated pages, are not on the process stack, > - or are part of the kernel text. This prevents entire classes > - of heap overflow exploits and similar kernel memory exposures. > - > config FORTIFY_SOURCE > bool "Harden common str/mem functions against buffer overflows" > depends on ARCH_HAS_FORTIFY_SOURCE > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > index c9d5ca3d8d08..00e6e2ed0c43 100644 > --- a/security/Kconfig.hardening > +++ b/security/Kconfig.hardening 
> @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS > > endmenu > > +menu "String manipulation" I think "string" means different things to different people. I'd prefer "Bounds checking" or "Spatial safety" if it's going to be a separate menu section. > + > +config HARDENED_USERCOPY > + bool "Harden memory copies between kernel and userspace" > + imply STRICT_DEVMEM > + help > + This option checks for obviously wrong memory regions when > + copying memory to/from the kernel (via copy_to_user() and > + copy_from_user() functions) by rejecting memory ranges that > + are larger than the specified heap object, span multiple > + separately allocated pages, are not on the process stack, > + or are part of the kernel text. This prevents entire classes > + of heap overflow exploits and similar kernel memory exposures. > + > +endmenu > + > menu "Hardening of kernel data structures" Otherwise, looks good.
On Fri, Jan 17, 2025 at 8:39 AM Mel Gorman <mgorman@techsingularity.net> wrote: > > There is a submenu for 'Kernel hardening options' under "Security". > Move HARDENED_USERCOPY under the hardening options as it is clearly > related. > > Signed-off-by: Mel Gorman <mgorman@techsingularity.net> > --- > security/Kconfig | 12 ------------ > security/Kconfig.hardening | 16 ++++++++++++++++ > 2 files changed, 16 insertions(+), 12 deletions(-) Agree with Kees' comment regarding "Bounds checking" instead of "String manipulation", but beyond that this is fine with me. Acked-by: Paul Moore <paul@paul-moore.com> > diff --git a/security/Kconfig b/security/Kconfig > index 28e685f53bd1..fe7346dc4bc3 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR > this low address space will need the permission specific to the > systems running LSM. > > -config HARDENED_USERCOPY > - bool "Harden memory copies between kernel and userspace" > - imply STRICT_DEVMEM > - help > - This option checks for obviously wrong memory regions when > - copying memory to/from the kernel (via copy_to_user() and > - copy_from_user() functions) by rejecting memory ranges that > - are larger than the specified heap object, span multiple > - separately allocated pages, are not on the process stack, > - or are part of the kernel text. This prevents entire classes > - of heap overflow exploits and similar kernel memory exposures. > - > config FORTIFY_SOURCE > bool "Harden common str/mem functions against buffer overflows" > depends on ARCH_HAS_FORTIFY_SOURCE > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > index c9d5ca3d8d08..00e6e2ed0c43 100644 > --- a/security/Kconfig.hardening > +++ b/security/Kconfig.hardening 
> @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS > > endmenu > > +menu "String manipulation" > + > +config HARDENED_USERCOPY > + bool "Harden memory copies between kernel and userspace" > + imply STRICT_DEVMEM > + help > + This option checks for obviously wrong memory regions when > + copying memory to/from the kernel (via copy_to_user() and > + copy_from_user() functions) by rejecting memory ranges that > + are larger than the specified heap object, span multiple > + separately allocated pages, are not on the process stack, > + or are part of the kernel text. This prevents entire classes > + of heap overflow exploits and similar kernel memory exposures. > + > +endmenu > + > menu "Hardening of kernel data structures" > > config LIST_HARDENED > -- > 2.43.0 > >
On Mon, Jan 20, 2025 at 01:10:44PM -0800, Kees Cook wrote: > On Fri, Jan 17, 2025 at 01:03:35PM +0000, Mel Gorman wrote: > > There is a submenu for 'Kernel hardening options' under "Security". > > Move HARDENED_USERCOPY under the hardening options as it is clearly > > related. > > > > Signed-off-by: Mel Gorman <mgorman@techsingularity.net> > > --- > > security/Kconfig | 12 ------------ > > security/Kconfig.hardening | 16 ++++++++++++++++ > > 2 files changed, 16 insertions(+), 12 deletions(-) > > > > diff --git a/security/Kconfig b/security/Kconfig > > index 28e685f53bd1..fe7346dc4bc3 100644 > > --- a/security/Kconfig > > +++ b/security/Kconfig > > @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR > > this low address space will need the permission specific to the > > systems running LSM. > > > > -config HARDENED_USERCOPY > > - bool "Harden memory copies between kernel and userspace" > > - imply STRICT_DEVMEM > > - help > > - This option checks for obviously wrong memory regions when > > - copying memory to/from the kernel (via copy_to_user() and > > - copy_from_user() functions) by rejecting memory ranges that > > - are larger than the specified heap object, span multiple > > - separately allocated pages, are not on the process stack, > > - or are part of the kernel text. This prevents entire classes > > - of heap overflow exploits and similar kernel memory exposures. > > - > > config FORTIFY_SOURCE > > bool "Harden common str/mem functions against buffer overflows" > > depends on ARCH_HAS_FORTIFY_SOURCE > > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > > index c9d5ca3d8d08..00e6e2ed0c43 100644 > > --- a/security/Kconfig.hardening > > +++ b/security/Kconfig.hardening 
> > @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS > > > > endmenu > > > > +menu "String manipulation" > > I think "string" means different things to different people. I'd prefer > "Bounds checking" or "Spatial safety" if it's going to be a separate > menu section. > I will change it to "Bounds checking" in v2. Thanks.
diff --git a/security/Kconfig b/security/Kconfig index 28e685f53bd1..fe7346dc4bc3 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR this low address space will need the permission specific to the systems running LSM. -config HARDENED_USERCOPY - bool "Harden memory copies between kernel and userspace" - imply STRICT_DEVMEM - help - This option checks for obviously wrong memory regions when - copying memory to/from the kernel (via copy_to_user() and - copy_from_user() functions) by rejecting memory ranges that - are larger than the specified heap object, span multiple - separately allocated pages, are not on the process stack, - or are part of the kernel text. This prevents entire classes - of heap overflow exploits and similar kernel memory exposures. - config FORTIFY_SOURCE bool "Harden common str/mem functions against buffer overflows" depends on ARCH_HAS_FORTIFY_SOURCE diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index c9d5ca3d8d08..00e6e2ed0c43 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS endmenu +menu "String manipulation" + +config HARDENED_USERCOPY + bool "Harden memory copies between kernel and userspace" + imply STRICT_DEVMEM + help + This option checks for obviously wrong memory regions when + copying memory to/from the kernel (via copy_to_user() and + copy_from_user() functions) by rejecting memory ranges that + are larger than the specified heap object, span multiple + separately allocated pages, are not on the process stack, + or are part of the kernel text. This prevents entire classes + of heap overflow exploits and similar kernel memory exposures. + +endmenu + menu "Hardening of kernel data structures" config LIST_HARDENED
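Review bot: in the security/Kconfig hunk, FORTIFY_SOURCE ("Harden common str/mem functions against buffer overflows") is left in place directly below the removed HARDENED_USERCOPY block even though it guards the same class of out-of-bounds memory copies; if HARDENED_USERCOPY belongs under Kconfig.hardening, FORTIFY_SOURCE should either move with it in this series or the commit message should say why it stays behind.

Review bot: in the security/Kconfig.hardening hunk, the new menu "String manipulation" contains a single option and its title does not match what the option does: the help text describes rejecting copy_to_user()/copy_from_user() ranges that exceed the heap object, span separately allocated pages, fall outside the process stack or overlap kernel text, none of which is specific to strings. The "Bounds checking" title suggested in the thread fits that help text better, and a one-entry menu is only worth its own section if related options such as FORTIFY_SOURCE are expected to join it; otherwise HARDENED_USERCOPY could sit directly under the existing hardening options.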
There is a submenu for 'Kernel hardening options' under "Security".
Move HARDENED_USERCOPY under the hardening options as it is clearly
related.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
---
 security/Kconfig           | 12 ------------
 security/Kconfig.hardening | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 12 deletions(-)