| Message ID | 1479376267-18486-1-git-send-email-mpe@ellerman.id.au (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, Nov 17, 2016 at 1:51 AM, Michael Ellerman <mpe@ellerman.id.au> wrote: > POISON_POINTER_DELTA is defined in poison.h, and is intended to be used > to shift poison values so that they don't alias userspace. > > We should add it to ZERO_SIZE_PTR so that attackers can't use > ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace. > > Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that > x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15. > That no longer really works once we add the poison delta, so split it > into two checks. Assign x to a temporary to avoid evaluating it > twice (suggested by Kees Cook). > > Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> I continue to like this idea. If we want to avoid the loss of the 1-15 check, we could just explicitly retain it, see craziness below... > --- > include/linux/slab.h | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately. > > diff --git a/include/linux/slab.h b/include/linux/slab.h > index 084b12bad198..404419d9860f 100644 > --- a/include/linux/slab.h > +++ b/include/linux/slab.h > @@ -12,6 +12,7 @@ > #define _LINUX_SLAB_H > > #include <linux/gfp.h> > +#include <linux/poison.h> > #include <linux/types.h> > #include <linux/workqueue.h> > > @@ -109,10 +110,13 @@ > * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can. > * Both make kfree a no-op. > */ > -#define ZERO_SIZE_PTR ((void *)16) #define __ZERO_SIZE_PTR((void *)16) #define ZERO_SIZE_PTR ((void *)(__ZERO_SIZE_PTR + POISON_POINTER_DELTA)) > > -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \ > - (unsigned long)ZERO_SIZE_PTR) > +#define ZERO_OR_NULL_PTR(x) \ > + ({ \ > + void *p = (void *)(x); \ (p < __ZERO_SIZE_PTR || p == ZERO_SIZE_PTR); \ > + }) #undef __ZERO_SIZE_PTR ? Anyone else have thoughts on this? -Kees
On Thu, 17 Nov 2016, Michael Ellerman wrote: > Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that > x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15. Well yes that was done so we do not add too many branches all over the kernel..... > That no longer really works once we add the poison delta, so split it > into two checks. Assign x to a temporary to avoid evaluating it > twice (suggested by Kees Cook). And now you are doing just that.
On Fri, Nov 18, 2016 at 9:47 AM, Christoph Lameter <cl@linux.com> wrote: > On Thu, 17 Nov 2016, Michael Ellerman wrote: > >> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that >> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15. > > Well yes that was done so we do not add too many branches all over the > kernel..... There are actually very few callers of this macro. (Though it's possible they're executed frequently.) >> That no longer really works once we add the poison delta, so split it >> into two checks. Assign x to a temporary to avoid evaluating it >> twice (suggested by Kees Cook). > > And now you are doing just that. In this case, what about the original < ZERO_SIZE_PTR check Michael suggested? At least the one use in usercopy.c needs to be fixed, but otherwise, it should be fine? -Kees
On Fri, 18 Nov 2016, Kees Cook wrote: > In this case, what about the original < ZERO_SIZE_PTR check Michael > suggested? At least the one use in usercopy.c needs to be fixed, but > otherwise, it should be fine? Looks like it.
diff --git a/include/linux/slab.h b/include/linux/slab.h index 084b12bad198..404419d9860f 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -12,6 +12,7 @@ #define _LINUX_SLAB_H #include <linux/gfp.h> +#include <linux/poison.h> #include <linux/types.h> #include <linux/workqueue.h> @@ -109,10 +110,13 @@ * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can. * Both make kfree a no-op. */ -#define ZERO_SIZE_PTR ((void *)16) +#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA)) -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \ - (unsigned long)ZERO_SIZE_PTR) +#define ZERO_OR_NULL_PTR(x) \ + ({ \ + void *p = (void *)(x); \ + (p == NULL || p == ZERO_SIZE_PTR); \ + }) #include <linux/kmemleak.h> #include <linux/kasan.h>
POISON_POINTER_DELTA is defined in poison.h, and is intended to be used to shift poison values so that they don't alias userspace. We should add it to ZERO_SIZE_PTR so that attackers can't use ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace. Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15. That no longer really works once we add the poison delta, so split it into two checks. Assign x to a temporary to avoid evaluating it twice (suggested by Kees Cook). Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> --- include/linux/slab.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.