From patchwork Mon Jun 19 23:36:16 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9798087
From: Kees Cook
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook, David Windsor, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Date: Mon, 19 Jun 2017 16:36:16 -0700
Message-Id: <1497915397-93805-3-git-send-email-keescook@chromium.org>
In-Reply-To: <1497915397-93805-1-git-send-email-keescook@chromium.org>
References: <1497915397-93805-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 02/23] usercopy: Enforce slab cache usercopy region boundaries

From: David Windsor

This patch adds the enforcement component of usercopy cache whitelisting, and is modified from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code.

The SLAB and SLUB allocators are modified to deny all copy operations in which the kernel heap memory being modified falls outside of the cache's defined usercopy region.

Signed-off-by: David Windsor
[kees: adjust commit log and comments]
Signed-off-by: Kees Cook
---
 mm/slab.c | 16 +++++++++++-----
 mm/slub.c | 18 +++++++++++-------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/mm/slab.c b/mm/slab.c index cf77f1691588..5c78830aeea0 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -4416,7 +4416,9 @@ module_init(slab_proc_init); #ifdef CONFIG_HARDENED_USERCOPY /* - * Rejects objects that are incorrectly sized. + * Rejects incorrectly sized objects and objects that are to be copied + * to/from userspace but do not fall entirely within the containing slab + * cache's usercopy region. * * Returns NULL if check passes, otherwise const char * to name of cache * to indicate an error. @@ -4436,11 +4438,15 @@ const char *__check_heap_object(const void *ptr, unsigned long n, /* Find offset within object. */ offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep); - /* Allow address range falling entirely within object size. */ - if (offset <= cachep->object_size && n <= cachep->object_size - offset) - return NULL; + /* Make sure object falls entirely within cache's usercopy region. */ + if (offset < cachep->useroffset) + return cachep->name; + if (offset - cachep->useroffset > cachep->usersize) + return cachep->name; + if (n > cachep->useroffset - offset + cachep->usersize) + return cachep->name; - return cachep->name; + return NULL; } #endif /* CONFIG_HARDENED_USERCOPY */ diff --git a/mm/slub.c b/mm/slub.c index b8cbbc31b005..e12a2bfbca1e 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3796,7 +3796,9 @@ EXPORT_SYMBOL(__kmalloc_node); #ifdef CONFIG_HARDENED_USERCOPY /* - * Rejects objects that are incorrectly sized. + * Rejects incorrectly sized objects and objects that are to be copied + * to/from userspace but do not fall entirely within the containing slab + * cache's usercopy region. * * Returns NULL if check passes, otherwise const char * to name of cache * to indicate an error. 
@@ -3806,11 +3808,9 @@ const char *__check_heap_object(const void *ptr, unsigned long n, { struct kmem_cache *s; unsigned long offset; - size_t object_size; /* Find object and usable object size. */ s = page->slab_cache; - object_size = slab_ksize(s); /* Reject impossible pointers. */ if (ptr < page_address(page)) @@ -3826,11 +3826,15 @@ const char *__check_heap_object(const void *ptr, unsigned long n, offset -= s->red_left_pad; } - /* Allow address range falling entirely within object size. */ - if (offset <= object_size && n <= object_size - offset) - return NULL; + /* Make sure object falls entirely within cache's usercopy region. */ + if (offset < s->useroffset) + return s->name; + if (offset - s->useroffset > s->usersize) + return s->name; + if (n > s->useroffset - offset + s->usersize) + return s->name; - return s->name; + return NULL; } #endif /* CONFIG_HARDENED_USERCOPY */
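Review bot: in the mm/slab.c @@ -4436 hunk (and the identical three checks in the mm/slub.c @@ -3826 hunk), the old bound `if (offset <= cachep->object_size && n <= cachep->object_size - offset)` is deleted rather than kept next to the new checks, so the copy range is now bounded only by `[useroffset, useroffset + usersize)`; that is only as strong as a guarantee, not visible in this patch, that every cache is created with `useroffset + usersize <= object_size`. Either state that invariant in the commit log and in the comment here, or keep the object_size bound as a second check so a mis-sized region passed by a cache creator cannot widen a copy past the object. Two smaller points on the same lines: the comment `/* Make sure object falls entirely within cache's usercopy region. */` describes the copy range `[offset, offset + n)`, not the object, so "Make sure the copy range falls entirely within ..." is more accurate; and the middle check `if (offset - cachep->useroffset > cachep->usersize)` reads as redundant with the `n > cachep->useroffset - offset + cachep->usersize` check after it, but it is what keeps that unsigned expression from wrapping when offset lies past the end of the region, which deserves a one-line comment so nobody folds it away later.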
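Review bot: in the mm/slub.c @@ -3806 hunk, the comment `/* Find object and usable object size. */` is left above `s = page->slab_cache;` although the `object_size = slab_ksize(s);` assignment and the `size_t object_size;` declaration it described are removed, so it is now stale; shorten it to something like `/* Find the object's cache. */`, and mention in the commit log that slab_ksize() was the only thing bounding a SLUB copy against the object so readers know the bound now comes solely from the cache's usercopy region.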