mm: Hardened usercopy
This is the start of porting PAX_USERCOPY into the mainline kernel. This
is the first set of features, controlled by CONFIG_HARDENED_USERCOPY. The
work is based on code by PaX Team and Brad Spengler, and an earlier port
from Casey Schaufler. Additional non-slab page tests are from Rik van Riel.
This patch contains the logic for validating several conditions when
performing copy_to_user() and copy_from_user() on the kernel object
being copied to/from:

- address range doesn't wrap around
- address range isn't NULL or zero-allocated (with a non-zero copy size)
- if on the slab allocator:
  - object size must be less than or equal to copy size (when check is
    implemented in the allocator, which appears in subsequent patches)
  - otherwise, object must not span page allocations (excepting Reserved
    and CMA ranges)
- if on the stack
  - object must not extend before/after the current process stack
  - object must be contained by a valid stack frame (when there is
    arch/build support for identifying stack frames)
- object must not overlap with kernel text
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
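As an added illustration (not code from this patch or from the kernel), the following userspace C model implements the non-slab conditions the commit message lists: wraparound, NULL object, stack bounds and kernel-text overlap. The names check_object_range and struct region and the sample_stack/sample_text ranges are constructed for this example; the stack-frame and slab object-size checks depend on arch and allocator support and are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Verdicts mirror the failure classes listed in the commit message. */
enum usercopy_verdict { UC_OK, UC_WRAP, UC_NULL, UC_STACK_OVERRUN, UC_TEXT_OVERLAP };

/* Half-open address range [start, end). */
struct region { uintptr_t start, end; };

/* Constructed sample layout (hypothetical values, not real kernel addresses):
 * an 8 KiB process stack and a 4 MiB kernel text mapping. */
static const struct region sample_stack = { 0xc0000000u, 0xc0002000u };
static const struct region sample_text  = { 0x80000000u, 0x80400000u };

static bool overlaps(uintptr_t s, uintptr_t e, struct region r)
{
	return s < r.end && e > r.start;
}

/*
 * Validate the kernel object at ptr of n bytes before it is copied to or
 * from userspace. Slab object-size checks are out of scope here because
 * they live in the allocator (later patches in the series).
 */
enum usercopy_verdict check_object_range(uintptr_t ptr, size_t n,
					 struct region stack, struct region text)
{
	uintptr_t end = ptr + n;

	if (n == 0)
		return UC_OK;                 /* nothing is copied, nothing to reject */
	if (end < ptr)
		return UC_WRAP;               /* address range wraps around */
	if (ptr == 0)
		return UC_NULL;               /* NULL object with a non-zero copy size */
	if (overlaps(ptr, end, text))
		return UC_TEXT_OVERLAP;       /* object must not overlap kernel text */
	if (overlaps(ptr, end, stack) && (ptr < stack.start || end > stack.end))
		return UC_STACK_OVERRUN;      /* object must not extend beyond the stack */
	return UC_OK;
}
```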
@@ -118,6 +118,34 @@ config LSM_MMAP_MIN_ADDR
this low address space will need the permission specific to the
systems running LSM.
config HAVE_HARDENED_USERCOPY_ALLOCATOR
bool
help
The heap allocator implements __check_heap_object() for
validating memory ranges against heap object sizes in
support of CONFIG_HARDENED_USERCOPY.
config HAVE_ARCH_HARDENED_USERCOPY
bool
help
The architecture supports CONFIG_HARDENED_USERCOPY by
calling check_object_size() just before performing the
userspace copies in the low level implementation of
copy_to_user() and copy_from_user().
config HARDENED_USERCOPY
bool "Harden memory copies between kernel and userspace"
depends on HAVE_ARCH_HARDENED_USERCOPY
select BUG
help
This option checks for obviously wrong memory regions when
copying memory to/from the kernel (via copy_to_user() and
copy_from_user() functions) by rejecting memory ranges that
are larger than the specified heap object, span multiple
separately allocates pages, are not on the process stack,
or are part of the kernel text. This kills entire classes
of heap overflow exploits and similar kernel memory exposures.
source security/selinux/Kconfig
source security/smack/Kconfig
source security/tomoyo/Kconfig
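Review bot: the help text for HARDENED_USERCOPY contains a typo, "span multiple separately allocates pages" should read "separately allocated pages". The same help text also states that copies "larger than the specified heap object" are rejected, but nothing in this hunk selects HAVE_HARDENED_USERCOPY_ALLOCATOR and HARDENED_USERCOPY does not depend on it, so until an allocator implements __check_heap_object() that check is not active; consider qualifying the sentence (for example "when the heap allocator supports it") so users do not assume heap object-size checks are always in effect.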