From patchwork Mon Jul 25 19:16:24 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laura Abbott X-Patchwork-Id: 9246373 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id EF30760869 for ; Mon, 25 Jul 2016 19:19:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DDDA3200E7 for ; Mon, 25 Jul 2016 19:19:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D26F920951; Mon, 25 Jul 2016 19:19:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 71384205A4 for ; Mon, 25 Jul 2016 19:19:34 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.85_2 #1 (Red Hat Linux)) id 1bRlO6-0001XF-LR; Mon, 25 Jul 2016 19:18:02 +0000 Received: from mail-it0-f54.google.com ([209.85.214.54]) by bombadil.infradead.org with esmtps (Exim 4.85_2 #1 (Red Hat Linux)) id 1bRlMx-0000wT-P5 for linux-arm-kernel@lists.infradead.org; Mon, 25 Jul 2016 19:16:54 +0000 Received: by mail-it0-f54.google.com with SMTP id f6so91962034ith.1 for ; Mon, 25 Jul 2016 12:16:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:cc:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=1alCQ/YBsVzJqQWPZrNwmdfhELVQ9bxw+LYCj445z2A=; b=NrMzKlaOydETU+flIU2p/n/nLsUtY5NLA0trAr7kwbLaKluD1py0exSanpKZ5XT5uu y6dFoy770wsHvSamS8hviYP71WcCD5vPY6oVCYoTdkh3Bwj1uohjcSyIGoIUygW5mURO jAFsFfa7M5/XqhoBDh60UpCTABTpmLgC0SOtE5QrswvDNtAxfuj+fXbt9e2wmkxk50Qh eXaSrWP8gjVZSDDillzwsggUykqEyAG4c6v/xcq0nBVu5VlSBiaaUN2qcoSXkvBUpaF5 gyRK9va40vGI/In9rZ+/z5RzsUT0LeH76BuvDLDEQfhmyjMi7bX6XS4crw+Kk0zqdsSb rOAw== X-Gm-Message-State: AEkoouux9mLijiTiCAoHHzyg3Gx0mdHqwcPNe8SF5luWOcTeuL70qX9AoHNmNQIuf7uc/Zm9 X-Received: by 10.36.208.71 with SMTP id m68mr22567397itg.63.1469474190133; Mon, 25 Jul 2016 12:16:30 -0700 (PDT) Received: from ?IPv6:2601:602:9800:177f::337f? ([2601:602:9800:177f::337f]) by smtp.gmail.com with ESMTPSA id z128sm12136642iof.4.2016.07.25.12.16.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Jul 2016 12:16:28 -0700 (PDT) From: Laura Abbott Subject: Re: [PATCH v4 12/12] mm: SLUB hardened usercopy support To: Kees Cook , kernel-hardening@lists.openwall.com References: <1469046427-12696-1-git-send-email-keescook@chromium.org> <1469046427-12696-13-git-send-email-keescook@chromium.org> Message-ID: <0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com> Date: Mon, 25 Jul 2016 12:16:24 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 MIME-Version: 1.0 In-Reply-To: <1469046427-12696-13-git-send-email-keescook@chromium.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160725_121652_101533_EF782AEF X-CRM114-Status: GOOD ( 22.21 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jan Kara , Benjamin Herrenschmidt , Balbir Singh , Will Deacon , linux-mm@kvack.org, sparclinux@vger.kernel.org, linux-ia64@vger.kernel.org, Christoph Lameter , Andrea Arcangeli , linux-arch@vger.kernel.org, Michael Ellerman , x86@kernel.org, Russell King , linux-arm-kernel@lists.infradead.org, Catalin Marinas , PaX Team , Borislav Petkov , Mathias Krause , Fenghua Yu , Rik van Riel , Vitaly Wool , David Rientjes , Tony Luck , Andy Lutomirski , Josh Poimboeuf , Andrew Morton , Dmitry Vyukov , Laura Abbott , Brad Spengler , Ard Biesheuvel , linux-kernel@vger.kernel.org, Pekka Enberg , Daniel Micay , Casey Schaufler , Joonsoo Kim , linuxppc-dev@lists.ozlabs.org, "David S. Miller" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP On 07/20/2016 01:27 PM, Kees Cook wrote: > Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the > SLUB allocator to catch any copies that may span objects. Includes a > redzone handling fix discovered by Michael Ellerman. > > Based on code from PaX and grsecurity. > > Signed-off-by: Kees Cook > Tested-by: Michael Ellerman > --- > init/Kconfig | 1 + > mm/slub.c | 36 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 37 insertions(+) > > diff --git a/init/Kconfig b/init/Kconfig > index 798c2020ee7c..1c4711819dfd 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1765,6 +1765,7 @@ config SLAB > > config SLUB > bool "SLUB (Unqueued Allocator)" > + select HAVE_HARDENED_USERCOPY_ALLOCATOR > help > SLUB is a slab allocator that minimizes cache line usage > instead of managing queues of cached objects (SLAB approach). > diff --git a/mm/slub.c b/mm/slub.c > index 825ff4505336..7dee3d9a5843 100644 > --- a/mm/slub.c > +++ b/mm/slub.c > @@ -3614,6 +3614,42 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) > EXPORT_SYMBOL(__kmalloc_node); > #endif > > +#ifdef CONFIG_HARDENED_USERCOPY > +/* > + * Rejects objects that are incorrectly sized. > + * > + * Returns NULL if check passes, otherwise const char * to name of cache > + * to indicate an error. > + */ > +const char *__check_heap_object(const void *ptr, unsigned long n, > + struct page *page) > +{ > + struct kmem_cache *s; > + unsigned long offset; > + size_t object_size; > + > + /* Find object and usable object size. */ > + s = page->slab_cache; > + object_size = slab_ksize(s); > + > + /* Find offset within object. */ > + offset = (ptr - page_address(page)) % s->size; > + > + /* Adjust for redzone and reject if within the redzone. */ > + if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) { > + if (offset < s->red_left_pad) > + return s->name; > + offset -= s->red_left_pad; > + } > + > + /* Allow address range falling entirely within object size. */ > + if (offset <= object_size && n <= object_size - offset) > + return NULL; > + > + return s->name; > +} > +#endif /* CONFIG_HARDENED_USERCOPY */ > + I compared this against what check_valid_pointer does for SLUB_DEBUG checking. I was hoping we could utilize that function to avoid duplication but a) __check_heap_object needs to allow accesses anywhere in the object, not just the beginning b) accessing page->objects is racy without the addition of locking in SLUB_DEBUG. Still, the ptr < page_address(page) check from __check_heap_object would be good to add to avoid generating garbage large offsets and trying to infer C math. With that, you can add Reviwed-by: Laura Abbott > static size_t __ksize(const void *object) > { > struct page *page; > Thanks, Laura diff --git a/mm/slub.c b/mm/slub.c index 7dee3d9..5370e4f 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3632,6 +3632,9 @@ const char *__check_heap_object(const void *ptr, unsigned long n, s = page->slab_cache; object_size = slab_ksize(s); + if (ptr < page_address(page)) + return s->name; + /* Find offset within object. */ offset = (ptr - page_address(page)) % s->size;