| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Aug 2016 15:29:22 -0700 From: Kees Cook <keescook@...omium.org> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Rik van Riel <riel@...hat.com>, Laura Abbott <labbott@...oraproject.org>, linux-kernel@...r.kernel.org, linux-mm@...ck.org, xiaolong.ye@...el.com Subject: [PATCH] usercopy: Skip multi-page bounds checking on SLOB When an allocator does not mark all allocations as PageSlab, or does not mark multipage allocations with __GFP_COMP, hardened usercopy cannot correctly validate the allocation. SLOB lacks this, so short-circuit the checking for the allocators that aren't marked with CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR. This also updates the config help and corrects a typo in the usercopy comments. Reported-by: xiaolong.ye@...el.com Signed-off-by: Kees Cook <keescook@...omium.org> --- mm/usercopy.c | 11 ++++++++++- security/Kconfig | 5 +++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/mm/usercopy.c b/mm/usercopy.c index 8ebae91a6b55..855944b05cc7 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -172,6 +172,15 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n, return NULL; } +#ifndef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR + /* + * If the allocator isn't marking multi-page allocations as + * either __GFP_COMP or PageSlab, we cannot correctly perform + * bounds checking of multi-page allocations, so we stop here. + */ + return NULL; +#endif + /* Allow kernel data region (if not marked as Reserved). */ if (ptr >= (const void *)_sdata && end <= (const void *)_edata) return NULL; @@ -192,7 +201,7 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n, return NULL; /* - * Reject if range is entirely either Reserved (i.e. special or + * Allow if range is entirely either Reserved (i.e. special or * device memory), or CMA. Otherwise, reject since the object spans * several independently allocated pages. */ diff --git a/security/Kconfig b/security/Kconfig index df28f2b6f3e1..08dce0327d5b 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -122,8 +122,9 @@ config HAVE_HARDENED_USERCOPY_ALLOCATOR bool help The heap allocator implements __check_heap_object() for - validating memory ranges against heap object sizes in - support of CONFIG_HARDENED_USERCOPY. + validating memory ranges against heap object sizes in support + of CONFIG_HARDENED_USERCOPY. It must mark all managed pages as + PageSlab(), or set __GFP_COMP for multi-page allocations. config HAVE_ARCH_HARDENED_USERCOPY bool -- 2.7.4 -- Kees Cook Nexus Security
Powered by blists - more mailing lists