| Message ID | 1468446964-22213-12-git-send-email-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
Kees Cook <keescook@chromium.org> writes: > Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the > SLUB allocator to catch any copies that may span objects. Includes a > redzone handling fix from Michael Ellerman. Actually I think you wrote the fix, I just pointed you in that direction. But anyway, this works for me, so if you like: Tested-by: Michael Ellerman <mpe@ellerman.id.au> cheers
On Wed, Jul 13, 2016 at 02:56:04PM -0700, Kees Cook wrote: > Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the > SLUB allocator to catch any copies that may span objects. Includes a > redzone handling fix from Michael Ellerman. > > Based on code from PaX and grsecurity. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > init/Kconfig | 1 + > mm/slub.c | 36 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 37 insertions(+) > > diff --git a/init/Kconfig b/init/Kconfig > index 798c2020ee7c..1c4711819dfd 100644 > --- a/init/Kconfig > +++ b/init/Kconfig > @@ -1765,6 +1765,7 @@ config SLAB > > config SLUB > bool "SLUB (Unqueued Allocator)" > + select HAVE_HARDENED_USERCOPY_ALLOCATOR Should this patch come in earlier from a build perspective? I think patch 1 introduces and uses __check_heap_object. Balbir Singh.
On Thu, Jul 14, 2016 at 7:05 PM, Balbir Singh <bsingharora@gmail.com> wrote: > On Wed, Jul 13, 2016 at 02:56:04PM -0700, Kees Cook wrote: >> Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the >> SLUB allocator to catch any copies that may span objects. Includes a >> redzone handling fix from Michael Ellerman. >> >> Based on code from PaX and grsecurity. >> >> Signed-off-by: Kees Cook <keescook@chromium.org> >> --- >> init/Kconfig | 1 + >> mm/slub.c | 36 ++++++++++++++++++++++++++++++++++++ >> 2 files changed, 37 insertions(+) >> >> diff --git a/init/Kconfig b/init/Kconfig >> index 798c2020ee7c..1c4711819dfd 100644 >> --- a/init/Kconfig >> +++ b/init/Kconfig >> @@ -1765,6 +1765,7 @@ config SLAB >> >> config SLUB >> bool "SLUB (Unqueued Allocator)" >> + select HAVE_HARDENED_USERCOPY_ALLOCATOR > > Should this patch come in earlier from a build perspective? I think > patch 1 introduces and uses __check_heap_object. __check_heap_object in patch 1 is protected by a check for CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR. It seemed better to be to do arch enablement first, and then add the per-allocator heap object size check since it was a distinct piece. I'm happy to rearrange things, though, if there's a good reason. -Kees
diff --git a/init/Kconfig b/init/Kconfig index 798c2020ee7c..1c4711819dfd 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1765,6 +1765,7 @@ config SLAB config SLUB bool "SLUB (Unqueued Allocator)" + select HAVE_HARDENED_USERCOPY_ALLOCATOR help SLUB is a slab allocator that minimizes cache line usage instead of managing queues of cached objects (SLAB approach). diff --git a/mm/slub.c b/mm/slub.c index 825ff4505336..7dee3d9a5843 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -3614,6 +3614,42 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node) EXPORT_SYMBOL(__kmalloc_node); #endif +#ifdef CONFIG_HARDENED_USERCOPY +/* + * Rejects objects that are incorrectly sized. + * + * Returns NULL if check passes, otherwise const char * to name of cache + * to indicate an error. + */ +const char *__check_heap_object(const void *ptr, unsigned long n, + struct page *page) +{ + struct kmem_cache *s; + unsigned long offset; + size_t object_size; + + /* Find object and usable object size. */ + s = page->slab_cache; + object_size = slab_ksize(s); + + /* Find offset within object. */ + offset = (ptr - page_address(page)) % s->size; + + /* Adjust for redzone and reject if within the redzone. */ + if (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) { + if (offset < s->red_left_pad) + return s->name; + offset -= s->red_left_pad; + } + + /* Allow address range falling entirely within object size. */ + if (offset <= object_size && n <= object_size - offset) + return NULL; + + return s->name; +} +#endif /* CONFIG_HARDENED_USERCOPY */ + static size_t __ksize(const void *object) { struct page *page;
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLUB allocator to catch any copies that may span objects. Includes a redzone handling fix from Michael Ellerman. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook <keescook@chromium.org> --- init/Kconfig | 1 + mm/slub.c | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+)