| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0132ff58-f18b-6d67-8edd-fa6bd1f6927b@oracle.com>
Date: Thu, 21 Sep 2017 21:54:55 -0500
From: Dave Kleikamp <dave.kleikamp@...cle.com>
To: Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org
Cc: David Windsor <dave@...lcore.net>,
jfs-discussion@...ts.sourceforge.net,
linux-fsdevel@...r.kernel.org, netdev@...r.kernel.org,
linux-mm@...ck.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v3 09/31] jfs: Define usercopy region in jfs_ip slab cache
Acked-by: Dave Kleikamp <dave.kleikamp@...cle.com>
On 09/20/2017 03:45 PM, Kees Cook wrote:
> From: David Windsor <dave@...lcore.net>
>
> The jfs symlink pathnames, stored in struct jfs_inode_info.i_inline and
> therefore contained in the jfs_ip slab cache, need to be copied to/from
> userspace.
>
> cache object allocation:
> fs/jfs/super.c:
> jfs_alloc_inode(...):
> ...
> jfs_inode = kmem_cache_alloc(jfs_inode_cachep, GFP_NOFS);
> ...
> return &jfs_inode->vfs_inode;
>
> fs/jfs/jfs_incore.h:
> JFS_IP(struct inode *inode):
> return container_of(inode, struct jfs_inode_info, vfs_inode);
>
> fs/jfs/inode.c:
> jfs_iget(...):
> ...
> inode->i_link = JFS_IP(inode)->i_inline;
>
> example usage trace:
> readlink_copy+0x43/0x70
> vfs_readlink+0x62/0x110
> SyS_readlinkat+0x100/0x130
>
> fs/namei.c:
> readlink_copy(..., link):
> ...
> copy_to_user(..., link, len);
>
> (inlined in vfs_readlink)
> generic_readlink(dentry, ...):
> struct inode *inode = d_inode(dentry);
> const char *link = inode->i_link;
> ...
> readlink_copy(..., link);
>
> In support of usercopy hardening, this patch defines a region in the
> jfs_ip slab cache in which userspace copy operations are allowed.
>
> This region is known as the slab cache's usercopy region. Slab caches can
> now check that each copy operation involving cache-managed memory falls
> entirely within the slab's usercopy region.
>
> This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
> whitelisting code in the last public patch of grsecurity/PaX based on my
> understanding of the code. Changes or omissions from the original code are
> mine and don't reflect the original grsecurity/PaX code.
>
> Signed-off-by: David Windsor <dave@...lcore.net>
> [kees: adjust commit log, provide usage trace]
> Cc: Dave Kleikamp <shaggy@...nel.org>
> Cc: jfs-discussion@...ts.sourceforge.net
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> fs/jfs/super.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> index 2f14677169c3..e018412608d4 100644
> --- a/fs/jfs/super.c
> +++ b/fs/jfs/super.c
> @@ -966,9 +966,11 @@ static int __init init_jfs_fs(void)
> int rc;
>
> jfs_inode_cachep =
> - kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
> - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,
> - init_once);
> + kmem_cache_create_usercopy("jfs_ip", sizeof(struct jfs_inode_info),
> + 0, SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_ACCOUNT,
> + offsetof(struct jfs_inode_info, i_inline),
> + sizeof_field(struct jfs_inode_info, i_inline),
> + init_once);
> if (jfs_inode_cachep == NULL)
> return -ENOMEM;
>
>
Powered by blists - more mailing lists