lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 17 Nov 2016 20:51:07 +1100
From:   Michael Ellerman <mpe@...erman.id.au>
To:     akpm@...ux-foundation.org
Cc:     cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
        iamjoonsoo.kim@....com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
        keescook@...omium.org
Subject: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR

POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
to shift poison values so that they don't alias userspace.

We should add it to ZERO_SIZE_PTR so that attackers can't use
ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.

Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
That no longer really works once we add the poison delta, so split it
into two checks. Assign x to a temporary to avoid evaluating it
twice (suggested by Kees Cook).

Signed-off-by: Michael Ellerman <mpe@...erman.id.au>
---
 include/linux/slab.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.

diff --git a/include/linux/slab.h b/include/linux/slab.h
index 084b12bad198..404419d9860f 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
 #define	_LINUX_SLAB_H
 
 #include <linux/gfp.h>
+#include <linux/poison.h>
 #include <linux/types.h>
 #include <linux/workqueue.h>
 
@@ -109,10 +110,13 @@
  * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
  * Both make kfree a no-op.
  */
-#define ZERO_SIZE_PTR ((void *)16)
+#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA))
 
-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
-				(unsigned long)ZERO_SIZE_PTR)
+#define ZERO_OR_NULL_PTR(x)				\
+	({						\
+		void *p = (void *)(x);			\
+		(p == NULL || p == ZERO_SIZE_PTR);	\
+	})
 
 #include <linux/kmemleak.h>
 #include <linux/kasan.h>
-- 
2.7.4

Powered by blists - more mailing lists