From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy
Date: Thu, 07 Jul 2016 12:19:36 -0400 [thread overview]
Message-ID: <1467908376.13253.15.camel@redhat.com> (raw)
In-Reply-To: <1467843928-29351-2-git-send-email-keescook@chromium.org>
[-- Attachment #1: Type: text/plain, Size: 14639 bytes --]
On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
> This is the start of porting PAX_USERCOPY into the mainline kernel.
> This
> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY.
> The
> work is based on code by PaX Team and Brad Spengler, and an earlier
> port
> from Casey Schaufler. Additional non-slab page tests are from Rik van
> Riel.
Feel free to add my S-O-B for the code I wrote. The rest
looks good, too.
There may be some room for optimization later on, by putting
the most likely branches first, annotating with likely/unlikely,
etc, but I suspect the less likely checks are already towards
the ends of the functions.
Signed-off-by: Rik van Riel <riel@redhat.com>
> This patch contains the logic for validating several conditions when
> performing copy_to_user() and copy_from_user() on the kernel object
> being copied to/from:
> - address range doesn't wrap around
> - address range isn't NULL or zero-allocated (with a non-zero copy
> size)
> - if on the slab allocator:
> - object size must be less than or equal to copy size (when check
> is
> implemented in the allocator, which appear in subsequent patches)
> - otherwise, object must not span page allocations
> - if on the stack
> - object must not extend before/after the current process task
> - object must be contained by the current stack frame (when there
> is
> arch/build support for identifying stack frames)
> - object must not overlap with kernel text
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/Kconfig | 7 ++
> include/linux/slab.h | 12 +++
> include/linux/thread_info.h | 15 +++
> mm/Makefile | 4 +
> mm/usercopy.c | 239
> ++++++++++++++++++++++++++++++++++++++++++++
> security/Kconfig | 27 +++++
> 6 files changed, 304 insertions(+)
> create mode 100644 mm/usercopy.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d794384a0404..3ea04d8dcf62 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG
>
> endchoice
>
> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + bool
> + help
> + An architecture should select this if it has a secondary
> linear
> + mapping of the kernel text. This is used to verify that
> kernel
> + text exposures are not visible under
> CONFIG_HARDENED_USERCOPY.
> +
> config HAVE_CONTEXT_TRACKING
> bool
> help
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index aeb3e6d00a66..96a16a3fb7cb 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -155,6 +155,18 @@ void kfree(const void *);
> void kzfree(const void *);
> size_t ksize(const void *);
>
> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
> +const char *__check_heap_object(const void *ptr, unsigned long n,
> + struct page *page);
> +#else
> +static inline const char *__check_heap_object(const void *ptr,
> + unsigned long n,
> + struct page *page)
> +{
> + return NULL;
> +}
> +#endif
> +
> /*
> * Some archs want to perform DMA into kmalloc caches and need a
> guaranteed
> * alignment larger than the alignment of a 64-bit integer.
> diff --git a/include/linux/thread_info.h
> b/include/linux/thread_info.h
> index b4c2a485b28a..a02200db9c33 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -146,6 +146,21 @@ static inline bool
> test_and_clear_restore_sigmask(void)
> #error "no set_restore_sigmask() provided and default one won't
> work"
> #endif
>
> +#ifdef CONFIG_HARDENED_USERCOPY
> +extern void __check_object_size(const void *ptr, unsigned long n,
> + bool to_user);
> +
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{
> + __check_object_size(ptr, n, to_user);
> +}
> +#else
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{ }
> +#endif /* CONFIG_HARDENED_USERCOPY */
> +
> #endif /* __KERNEL__ */
>
> #endif /* _LINUX_THREAD_INFO_H */
> diff --git a/mm/Makefile b/mm/Makefile
> index 78c6f7dedb83..32d37247c7e5 100644
> --- a/mm/Makefile
> +++ b/mm/Makefile
> @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
> KCOV_INSTRUMENT_mmzone.o := n
> KCOV_INSTRUMENT_vmstat.o := n
>
> +# Since __builtin_frame_address does work as used, disable the
> warning.
> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
> +
> mmu-y := nommu.o
> mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
> mlock.o mmap.o mprotect.o mremap.o
> msync.o rmap.o \
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
> obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
> obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
> obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> new file mode 100644
> index 000000000000..ad2765dd6dc4
> --- /dev/null
> +++ b/mm/usercopy.c
> @@ -0,0 +1,239 @@
> +/*
> + * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
> + * which are designed to protect kernel memory from needless
> exposure
> + * and overwrite under many unintended conditions. This code is
> based
> + * on PAX_USERCOPY, which is:
> + *
> + * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
> + * Security Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/mm.h>
> +#include <linux/slab.h>
> +#include <asm/sections.h>
> +
> +/*
> + * Checks if a given pointer and length is contained by the current
> + * stack frame (if possible).
> + *
> + * 0: not at all on the stack
> + * 1: fully on the stack (when can't do frame-checking)
> + * 2: fully inside the current stack frame
> + * -1: error condition (invalid stack position or bad stack
> frame)
> + */
> +static noinline int check_stack_object(const void *obj, unsigned
> long len)
> +{
> + const void * const stack = task_stack_page(current);
> + const void * const stackend = stack + THREAD_SIZE;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + const void *frame = NULL;
> + const void *oldframe;
> +#endif
> +
> + /* Object is not on the stack at all. */
> + if (obj + len <= stack || stackend <= obj)
> + return 0;
> +
> + /*
> + * Reject: object partially overlaps the stack (passing the
> + * the check above means at least one end is within the
> stack,
> + * so if this check fails, the other end is outside the
> stack).
> + */
> + if (obj < stack || stackend < obj + len)
> + return -1;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + oldframe = __builtin_frame_address(1);
> + if (oldframe)
> + frame = __builtin_frame_address(2);
> + /*
> + * low ----------------------------------------------> high
> + * [saved bp][saved ip][args][local vars][saved bp][saved
> ip]
> + * ^----------------^
> + * allow copies only within here
> + */
> + while (stack <= frame && frame < stackend) {
> + /*
> + * If obj + len extends past the last frame, this
> + * check won't pass and the next frame will be 0,
> + * causing us to bail out and correctly report
> + * the copy as invalid.
> + */
> + if (obj + len <= frame)
> + return obj >= oldframe + 2 * sizeof(void *)
> ? 2 : -1;
> + oldframe = frame;
> + frame = *(const void * const *)frame;
> + }
> + return -1;
> +#else
> + return 1;
> +#endif
> +}
> +
> +static void report_usercopy(const void *ptr, unsigned long len,
> + bool to_user, const char *type)
> +{
> + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu
> bytes)\n",
> + to_user ? "exposure" : "overwrite",
> + to_user ? "from" : "to", ptr, type ? : "unknown",
> len);
> + dump_stack();
> + do_group_exit(SIGKILL);
> +}
> +
> +/* Returns true if any portion of [ptr,ptr+n) over laps with
> [low,high). */
> +static bool overlaps(const void *ptr, unsigned long n, unsigned long
> low,
> + unsigned long high)
> +{
> + unsigned long check_low = (uintptr_t)ptr;
> + unsigned long check_high = check_low + n;
> +
> + /* Does not overlap if entirely above or entirely below. */
> + if (check_low >= high || check_high < low)
> + return false;
> +
> + return true;
> +}
> +
> +/* Is this address range in the kernel text area? */
> +static inline const char *check_kernel_text_object(const void *ptr,
> + unsigned long n)
> +{
> + unsigned long textlow = (unsigned long)_stext;
> + unsigned long texthigh = (unsigned long)_etext;
> +
> + if (overlaps(ptr, n, textlow, texthigh))
> + return "<kernel text>";
> +
> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + /* Check against linear mapping as well. */
> + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),
> + (unsigned long)__va(__pa(texthigh))))
> + return "<linear kernel text>";
> +#endif
> +
> + return NULL;
> +}
> +
> +static inline const char *check_bogus_address(const void *ptr,
> unsigned long n)
> +{
> + /* Reject if object wraps past end of memory. */
> + if (ptr + n < ptr)
> + return "<wrapped address>";
> +
> + /* Reject if NULL or ZERO-allocation. */
> + if (ZERO_OR_NULL_PTR(ptr))
> + return "<null>";
> +
> + return NULL;
> +}
> +
> +static inline const char *check_heap_object(const void *ptr,
> unsigned long n)
> +{
> + struct page *page, *endpage;
> + const void *end = ptr + n - 1;
> +
> + if (!virt_addr_valid(ptr))
> + return NULL;
> +
> + page = virt_to_head_page(ptr);
> +
> + /* Check slab allocator for flags and size. */
> + if (PageSlab(page))
> + return __check_heap_object(ptr, n, page);
> +
> + /* Is the object wholly within one base page? */
> + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)
> ==
> + ((unsigned long)end & (unsigned long)PAGE_MASK)))
> + return NULL;
> +
> + /* Allow if start and end are inside the same compound page.
> */
> + endpage = virt_to_head_page(end);
> + if (likely(endpage == page))
> + return NULL;
> +
> + /* Allow special areas, device memory, and sometimes kernel
> data. */
> + if (PageReserved(page) && PageReserved(endpage))
> + return NULL;
> +
> + /*
> + * Sometimes the kernel data regions are not marked
> Reserved. And
> + * sometimes [_sdata,_edata) does not cover rodata and/or
> bss,
> + * so check each range explicitly.
> + */
> +
> + /* Allow kernel data region (if not marked as Reserved). */
> + if (ptr >= (const void *)_sdata && end <= (const void
> *)_edata)
> + return NULL;
> +
> + /* Allow kernel rodata region (if not marked as Reserved).
> */
> + if (ptr >= (const void *)__start_rodata &&
> + end <= (const void *)__end_rodata)
> + return NULL;
> +
> + /* Allow kernel bss region (if not marked as Reserved). */
> + if (ptr >= (const void *)__bss_start &&
> + end <= (const void *)__bss_stop)
> + return NULL;
> +
> + /* Uh oh. The "object" spans several independently allocated
> pages. */
> + return "<spans multiple pages>";
> +}
> +
> +/*
> + * Validates that the given object is one of:
> + * - known safe heap object
> + * - known safe stack object
> + * - not in kernel text
> + */
> +void __check_object_size(const void *ptr, unsigned long n, bool
> to_user)
> +{
> + const char *err;
> +
> + /* Skip all tests if size is zero. */
> + if (!n)
> + return;
> +
> + /* Check for invalid addresses. */
> + err = check_bogus_address(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad heap object. */
> + err = check_heap_object(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad stack object. */
> + switch (check_stack_object(ptr, n)) {
> + case 0:
> + /* Object is not touching the current process stack.
> */
> + break;
> + case 1:
> + case 2:
> + /*
> + * Object is either in the correct frame (when it
> + * is possible to check) or just generally on the
> + * process stack (when frame checking not
> available).
> + */
> + return;
> + default:
> + err = "<process stack>";
> + goto report;
> + }
> +
> + /* Check for object in kernel to avoid text exposure. */
> + err = check_kernel_text_object(ptr, n);
> + if (!err)
> + return;
> +
> +report:
> + report_usercopy(ptr, n, to_user, err);
> +}
> +EXPORT_SYMBOL(__check_object_size);
> diff --git a/security/Kconfig b/security/Kconfig
> index 176758cdfa57..63340ad0b9f9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific
> to the
> systems running LSM.
>
> +config HAVE_HARDENED_USERCOPY_ALLOCATOR
> + bool
> + help
> + The heap allocator implements __check_heap_object() for
> + validating memory ranges against heap object sizes in
> + support of CONFIG_HARDENED_USERCOPY.
> +
> +config HAVE_ARCH_HARDENED_USERCOPY
> + bool
> + help
> + The architecture supports CONFIG_HARDENED_USERCOPY by
> + calling check_object_size() just before performing the
> + userspace copies in the low level implementation of
> + copy_to_user() and copy_from_user().
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + depends on HAVE_ARCH_HARDENED_USERCOPY
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges
> that
> + are larger than the specified heap object, span multiple
> + separately allocates pages, are not on the process stack,
> + or are part of the kernel text. This kills entire classes
> + of heap overflow exploits and similar kernel memory
> exposures.
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
--
All Rights Reversed.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@red>
Subject: Re: [PATCH 1/9] mm: Hardened usercopy
Date: Thu, 07 Jul 2016 12:19:36 -0400 [thread overview]
Message-ID: <1467908376.13253.15.camel@redhat.com> (raw)
In-Reply-To: <1467843928-29351-2-git-send-email-keescook@chromium.org>
[-- Attachment #1: Type: text/plain, Size: 14639 bytes --]
On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
> This is the start of porting PAX_USERCOPY into the mainline kernel.
> This
> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY.
> The
> work is based on code by PaX Team and Brad Spengler, and an earlier
> port
> from Casey Schaufler. Additional non-slab page tests are from Rik van
> Riel.
Feel free to add my S-O-B for the code I wrote. The rest
looks good, too.
There may be some room for optimization later on, by putting
the most likely branches first, annotating with likely/unlikely,
etc, but I suspect the less likely checks are already towards
the ends of the functions.
Signed-off-by: Rik van Riel <riel@redhat.com>
> This patch contains the logic for validating several conditions when
> performing copy_to_user() and copy_from_user() on the kernel object
> being copied to/from:
> - address range doesn't wrap around
> - address range isn't NULL or zero-allocated (with a non-zero copy
> size)
> - if on the slab allocator:
> - object size must be less than or equal to copy size (when check
> is
> implemented in the allocator, which appear in subsequent patches)
> - otherwise, object must not span page allocations
> - if on the stack
> - object must not extend before/after the current process task
> - object must be contained by the current stack frame (when there
> is
> arch/build support for identifying stack frames)
> - object must not overlap with kernel text
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/Kconfig | 7 ++
> include/linux/slab.h | 12 +++
> include/linux/thread_info.h | 15 +++
> mm/Makefile | 4 +
> mm/usercopy.c | 239
> ++++++++++++++++++++++++++++++++++++++++++++
> security/Kconfig | 27 +++++
> 6 files changed, 304 insertions(+)
> create mode 100644 mm/usercopy.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d794384a0404..3ea04d8dcf62 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG
>
> endchoice
>
> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + bool
> + help
> + An architecture should select this if it has a secondary
> linear
> + mapping of the kernel text. This is used to verify that
> kernel
> + text exposures are not visible under
> CONFIG_HARDENED_USERCOPY.
> +
> config HAVE_CONTEXT_TRACKING
> bool
> help
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index aeb3e6d00a66..96a16a3fb7cb 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -155,6 +155,18 @@ void kfree(const void *);
> void kzfree(const void *);
> size_t ksize(const void *);
>
> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
> +const char *__check_heap_object(const void *ptr, unsigned long n,
> + struct page *page);
> +#else
> +static inline const char *__check_heap_object(const void *ptr,
> + unsigned long n,
> + struct page *page)
> +{
> + return NULL;
> +}
> +#endif
> +
> /*
> * Some archs want to perform DMA into kmalloc caches and need a
> guaranteed
> * alignment larger than the alignment of a 64-bit integer.
> diff --git a/include/linux/thread_info.h
> b/include/linux/thread_info.h
> index b4c2a485b28a..a02200db9c33 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -146,6 +146,21 @@ static inline bool
> test_and_clear_restore_sigmask(void)
> #error "no set_restore_sigmask() provided and default one won't
> work"
> #endif
>
> +#ifdef CONFIG_HARDENED_USERCOPY
> +extern void __check_object_size(const void *ptr, unsigned long n,
> + bool to_user);
> +
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{
> + __check_object_size(ptr, n, to_user);
> +}
> +#else
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{ }
> +#endif /* CONFIG_HARDENED_USERCOPY */
> +
> #endif /* __KERNEL__ */
>
> #endif /* _LINUX_THREAD_INFO_H */
> diff --git a/mm/Makefile b/mm/Makefile
> index 78c6f7dedb83..32d37247c7e5 100644
> --- a/mm/Makefile
> +++ b/mm/Makefile
> @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
> KCOV_INSTRUMENT_mmzone.o := n
> KCOV_INSTRUMENT_vmstat.o := n
>
> +# Since __builtin_frame_address does work as used, disable the
> warning.
> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
> +
> mmu-y := nommu.o
> mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
> mlock.o mmap.o mprotect.o mremap.o
> msync.o rmap.o \
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
> obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
> obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
> obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> new file mode 100644
> index 000000000000..ad2765dd6dc4
> --- /dev/null
> +++ b/mm/usercopy.c
> @@ -0,0 +1,239 @@
> +/*
> + * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
> + * which are designed to protect kernel memory from needless
> exposure
> + * and overwrite under many unintended conditions. This code is
> based
> + * on PAX_USERCOPY, which is:
> + *
> + * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
> + * Security Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/mm.h>
> +#include <linux/slab.h>
> +#include <asm/sections.h>
> +
> +/*
> + * Checks if a given pointer and length is contained by the current
> + * stack frame (if possible).
> + *
> + * 0: not at all on the stack
> + * 1: fully on the stack (when can't do frame-checking)
> + * 2: fully inside the current stack frame
> + * -1: error condition (invalid stack position or bad stack
> frame)
> + */
> +static noinline int check_stack_object(const void *obj, unsigned
> long len)
> +{
> + const void * const stack = task_stack_page(current);
> + const void * const stackend = stack + THREAD_SIZE;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + const void *frame = NULL;
> + const void *oldframe;
> +#endif
> +
> + /* Object is not on the stack at all. */
> + if (obj + len <= stack || stackend <= obj)
> + return 0;
> +
> + /*
> + * Reject: object partially overlaps the stack (passing the
> + * the check above means at least one end is within the
> stack,
> + * so if this check fails, the other end is outside the
> stack).
> + */
> + if (obj < stack || stackend < obj + len)
> + return -1;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + oldframe = __builtin_frame_address(1);
> + if (oldframe)
> + frame = __builtin_frame_address(2);
> + /*
> + * low ----------------------------------------------> high
> + * [saved bp][saved ip][args][local vars][saved bp][saved
> ip]
> + * ^----------------^
> + * allow copies only within here
> + */
> + while (stack <= frame && frame < stackend) {
> + /*
> + * If obj + len extends past the last frame, this
> + * check won't pass and the next frame will be 0,
> + * causing us to bail out and correctly report
> + * the copy as invalid.
> + */
> + if (obj + len <= frame)
> + return obj >= oldframe + 2 * sizeof(void *)
> ? 2 : -1;
> + oldframe = frame;
> + frame = *(const void * const *)frame;
> + }
> + return -1;
> +#else
> + return 1;
> +#endif
> +}
> +
> +static void report_usercopy(const void *ptr, unsigned long len,
> + bool to_user, const char *type)
> +{
> + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu
> bytes)\n",
> + to_user ? "exposure" : "overwrite",
> + to_user ? "from" : "to", ptr, type ? : "unknown",
> len);
> + dump_stack();
> + do_group_exit(SIGKILL);
> +}
> +
> +/* Returns true if any portion of [ptr,ptr+n) over laps with
> [low,high). */
> +static bool overlaps(const void *ptr, unsigned long n, unsigned long
> low,
> + unsigned long high)
> +{
> + unsigned long check_low = (uintptr_t)ptr;
> + unsigned long check_high = check_low + n;
> +
> + /* Does not overlap if entirely above or entirely below. */
> + if (check_low >= high || check_high < low)
> + return false;
> +
> + return true;
> +}
> +
> +/* Is this address range in the kernel text area? */
> +static inline const char *check_kernel_text_object(const void *ptr,
> + unsigned long n)
> +{
> + unsigned long textlow = (unsigned long)_stext;
> + unsigned long texthigh = (unsigned long)_etext;
> +
> + if (overlaps(ptr, n, textlow, texthigh))
> + return "<kernel text>";
> +
> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + /* Check against linear mapping as well. */
> + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),
> + (unsigned long)__va(__pa(texthigh))))
> + return "<linear kernel text>";
> +#endif
> +
> + return NULL;
> +}
> +
> +static inline const char *check_bogus_address(const void *ptr,
> unsigned long n)
> +{
> + /* Reject if object wraps past end of memory. */
> + if (ptr + n < ptr)
> + return "<wrapped address>";
> +
> + /* Reject if NULL or ZERO-allocation. */
> + if (ZERO_OR_NULL_PTR(ptr))
> + return "<null>";
> +
> + return NULL;
> +}
> +
> +static inline const char *check_heap_object(const void *ptr,
> unsigned long n)
> +{
> + struct page *page, *endpage;
> + const void *end = ptr + n - 1;
> +
> + if (!virt_addr_valid(ptr))
> + return NULL;
> +
> + page = virt_to_head_page(ptr);
> +
> + /* Check slab allocator for flags and size. */
> + if (PageSlab(page))
> + return __check_heap_object(ptr, n, page);
> +
> + /* Is the object wholly within one base page? */
> + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)
> ==
> + ((unsigned long)end & (unsigned long)PAGE_MASK)))
> + return NULL;
> +
> + /* Allow if start and end are inside the same compound page.
> */
> + endpage = virt_to_head_page(end);
> + if (likely(endpage == page))
> + return NULL;
> +
> + /* Allow special areas, device memory, and sometimes kernel
> data. */
> + if (PageReserved(page) && PageReserved(endpage))
> + return NULL;
> +
> + /*
> + * Sometimes the kernel data regions are not marked
> Reserved. And
> + * sometimes [_sdata,_edata) does not cover rodata and/or
> bss,
> + * so check each range explicitly.
> + */
> +
> + /* Allow kernel data region (if not marked as Reserved). */
> + if (ptr >= (const void *)_sdata && end <= (const void
> *)_edata)
> + return NULL;
> +
> + /* Allow kernel rodata region (if not marked as Reserved).
> */
> + if (ptr >= (const void *)__start_rodata &&
> + end <= (const void *)__end_rodata)
> + return NULL;
> +
> + /* Allow kernel bss region (if not marked as Reserved). */
> + if (ptr >= (const void *)__bss_start &&
> + end <= (const void *)__bss_stop)
> + return NULL;
> +
> + /* Uh oh. The "object" spans several independently allocated
> pages. */
> + return "<spans multiple pages>";
> +}
> +
> +/*
> + * Validates that the given object is one of:
> + * - known safe heap object
> + * - known safe stack object
> + * - not in kernel text
> + */
> +void __check_object_size(const void *ptr, unsigned long n, bool
> to_user)
> +{
> + const char *err;
> +
> + /* Skip all tests if size is zero. */
> + if (!n)
> + return;
> +
> + /* Check for invalid addresses. */
> + err = check_bogus_address(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad heap object. */
> + err = check_heap_object(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad stack object. */
> + switch (check_stack_object(ptr, n)) {
> + case 0:
> + /* Object is not touching the current process stack.
> */
> + break;
> + case 1:
> + case 2:
> + /*
> + * Object is either in the correct frame (when it
> + * is possible to check) or just generally on the
> + * process stack (when frame checking not
> available).
> + */
> + return;
> + default:
> + err = "<process stack>";
> + goto report;
> + }
> +
> + /* Check for object in kernel to avoid text exposure. */
> + err = check_kernel_text_object(ptr, n);
> + if (!err)
> + return;
> +
> +report:
> + report_usercopy(ptr, n, to_user, err);
> +}
> +EXPORT_SYMBOL(__check_object_size);
> diff --git a/security/Kconfig b/security/Kconfig
> index 176758cdfa57..63340ad0b9f9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific
> to the
> systems running LSM.
>
> +config HAVE_HARDENED_USERCOPY_ALLOCATOR
> + bool
> + help
> + The heap allocator implements __check_heap_object() for
> + validating memory ranges against heap object sizes in
> + support of CONFIG_HARDENED_USERCOPY.
> +
> +config HAVE_ARCH_HARDENED_USERCOPY
> + bool
> + help
> + The architecture supports CONFIG_HARDENED_USERCOPY by
> + calling check_object_size() just before performing the
> + userspace copies in the low level implementation of
> + copy_to_user() and copy_from_user().
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + depends on HAVE_ARCH_HARDENED_USERCOPY
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges
> that
> + are larger than the specified heap object, span multiple
> + separately allocates pages, are not on the process stack,
> + or are part of the kernel text. This kills entire classes
> + of heap overflow exploits and similar kernel memory
> exposures.
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
--
All Rights Reversed.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/9] mm: Hardened usercopy
Date: Thu, 07 Jul 2016 12:19:36 -0400 [thread overview]
Message-ID: <1467908376.13253.15.camel@redhat.com> (raw)
Message-ID: <20160707161936.gNgaytng5TDOdfK64SMCDdGBw3x6BN0YSVmJj2RpLzw@z> (raw)
In-Reply-To: <1467843928-29351-2-git-send-email-keescook@chromium.org>
[-- Attachment #1: Type: text/plain, Size: 14639 bytes --]
On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
> This is the start of porting PAX_USERCOPY into the mainline kernel.
> This
> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY.
> The
> work is based on code by PaX Team and Brad Spengler, and an earlier
> port
> from Casey Schaufler. Additional non-slab page tests are from Rik van
> Riel.
Feel free to add my S-O-B for the code I wrote. The rest
looks good, too.
There may be some room for optimization later on, by putting
the most likely branches first, annotating with likely/unlikely,
etc, but I suspect the less likely checks are already towards
the ends of the functions.
Signed-off-by: Rik van Riel <riel@redhat.com>
> This patch contains the logic for validating several conditions when
> performing copy_to_user() and copy_from_user() on the kernel object
> being copied to/from:
> - address range doesn't wrap around
> - address range isn't NULL or zero-allocated (with a non-zero copy
> size)
> - if on the slab allocator:
> - object size must be less than or equal to copy size (when check
> is
> implemented in the allocator, which appear in subsequent patches)
> - otherwise, object must not span page allocations
> - if on the stack
> - object must not extend before/after the current process task
> - object must be contained by the current stack frame (when there
> is
> arch/build support for identifying stack frames)
> - object must not overlap with kernel text
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/Kconfig | 7 ++
> include/linux/slab.h | 12 +++
> include/linux/thread_info.h | 15 +++
> mm/Makefile | 4 +
> mm/usercopy.c | 239
> ++++++++++++++++++++++++++++++++++++++++++++
> security/Kconfig | 27 +++++
> 6 files changed, 304 insertions(+)
> create mode 100644 mm/usercopy.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d794384a0404..3ea04d8dcf62 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG
>
> endchoice
>
> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + bool
> + help
> + An architecture should select this if it has a secondary
> linear
> + mapping of the kernel text. This is used to verify that
> kernel
> + text exposures are not visible under
> CONFIG_HARDENED_USERCOPY.
> +
> config HAVE_CONTEXT_TRACKING
> bool
> help
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index aeb3e6d00a66..96a16a3fb7cb 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -155,6 +155,18 @@ void kfree(const void *);
> void kzfree(const void *);
> size_t ksize(const void *);
>
> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
> +const char *__check_heap_object(const void *ptr, unsigned long n,
> + struct page *page);
> +#else
> +static inline const char *__check_heap_object(const void *ptr,
> + unsigned long n,
> + struct page *page)
> +{
> + return NULL;
> +}
> +#endif
> +
> /*
> * Some archs want to perform DMA into kmalloc caches and need a
> guaranteed
> * alignment larger than the alignment of a 64-bit integer.
> diff --git a/include/linux/thread_info.h
> b/include/linux/thread_info.h
> index b4c2a485b28a..a02200db9c33 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -146,6 +146,21 @@ static inline bool
> test_and_clear_restore_sigmask(void)
> #error "no set_restore_sigmask() provided and default one won't
> work"
> #endif
>
> +#ifdef CONFIG_HARDENED_USERCOPY
> +extern void __check_object_size(const void *ptr, unsigned long n,
> + bool to_user);
> +
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{
> + __check_object_size(ptr, n, to_user);
> +}
> +#else
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{ }
> +#endif /* CONFIG_HARDENED_USERCOPY */
> +
> #endif /* __KERNEL__ */
>
> #endif /* _LINUX_THREAD_INFO_H */
> diff --git a/mm/Makefile b/mm/Makefile
> index 78c6f7dedb83..32d37247c7e5 100644
> --- a/mm/Makefile
> +++ b/mm/Makefile
> @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
> KCOV_INSTRUMENT_mmzone.o := n
> KCOV_INSTRUMENT_vmstat.o := n
>
> +# Since __builtin_frame_address does work as used, disable the
> warning.
> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
> +
> mmu-y := nommu.o
> mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
> mlock.o mmap.o mprotect.o mremap.o
> msync.o rmap.o \
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
> obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
> obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
> obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> new file mode 100644
> index 000000000000..ad2765dd6dc4
> --- /dev/null
> +++ b/mm/usercopy.c
> @@ -0,0 +1,239 @@
> +/*
> + * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
> + * which are designed to protect kernel memory from needless
> exposure
> + * and overwrite under many unintended conditions. This code is
> based
> + * on PAX_USERCOPY, which is:
> + *
> + * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
> + * Security Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/mm.h>
> +#include <linux/slab.h>
> +#include <asm/sections.h>
> +
> +/*
> + * Checks if a given pointer and length is contained by the current
> + * stack frame (if possible).
> + *
> + * 0: not at all on the stack
> + * 1: fully on the stack (when can't do frame-checking)
> + * 2: fully inside the current stack frame
> + * -1: error condition (invalid stack position or bad stack
> frame)
> + */
> +static noinline int check_stack_object(const void *obj, unsigned
> long len)
> +{
> + const void * const stack = task_stack_page(current);
> + const void * const stackend = stack + THREAD_SIZE;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + const void *frame = NULL;
> + const void *oldframe;
> +#endif
> +
> + /* Object is not on the stack at all. */
> + if (obj + len <= stack || stackend <= obj)
> + return 0;
> +
> + /*
> + * Reject: object partially overlaps the stack (passing the
> + * the check above means at least one end is within the
> stack,
> + * so if this check fails, the other end is outside the
> stack).
> + */
> + if (obj < stack || stackend < obj + len)
> + return -1;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + oldframe = __builtin_frame_address(1);
> + if (oldframe)
> + frame = __builtin_frame_address(2);
> + /*
> + * low ----------------------------------------------> high
> + * [saved bp][saved ip][args][local vars][saved bp][saved
> ip]
> + * ^----------------^
> + * allow copies only within here
> + */
> + while (stack <= frame && frame < stackend) {
> + /*
> + * If obj + len extends past the last frame, this
> + * check won't pass and the next frame will be 0,
> + * causing us to bail out and correctly report
> + * the copy as invalid.
> + */
> + if (obj + len <= frame)
> + return obj >= oldframe + 2 * sizeof(void *)
> ? 2 : -1;
> + oldframe = frame;
> + frame = *(const void * const *)frame;
> + }
> + return -1;
> +#else
> + return 1;
> +#endif
> +}
> +
> +static void report_usercopy(const void *ptr, unsigned long len,
> + bool to_user, const char *type)
> +{
> + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu
> bytes)\n",
> + to_user ? "exposure" : "overwrite",
> + to_user ? "from" : "to", ptr, type ? : "unknown",
> len);
> + dump_stack();
> + do_group_exit(SIGKILL);
> +}
> +
> +/* Returns true if any portion of [ptr,ptr+n) over laps with
> [low,high). */
> +static bool overlaps(const void *ptr, unsigned long n, unsigned long
> low,
> + unsigned long high)
> +{
> + unsigned long check_low = (uintptr_t)ptr;
> + unsigned long check_high = check_low + n;
> +
> + /* Does not overlap if entirely above or entirely below. */
> + if (check_low >= high || check_high < low)
> + return false;
> +
> + return true;
> +}
> +
> +/* Is this address range in the kernel text area? */
> +static inline const char *check_kernel_text_object(const void *ptr,
> + unsigned long n)
> +{
> + unsigned long textlow = (unsigned long)_stext;
> + unsigned long texthigh = (unsigned long)_etext;
> +
> + if (overlaps(ptr, n, textlow, texthigh))
> + return "<kernel text>";
> +
> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + /* Check against linear mapping as well. */
> + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),
> + (unsigned long)__va(__pa(texthigh))))
> + return "<linear kernel text>";
> +#endif
> +
> + return NULL;
> +}
> +
> +static inline const char *check_bogus_address(const void *ptr,
> unsigned long n)
> +{
> + /* Reject if object wraps past end of memory. */
> + if (ptr + n < ptr)
> + return "<wrapped address>";
> +
> + /* Reject if NULL or ZERO-allocation. */
> + if (ZERO_OR_NULL_PTR(ptr))
> + return "<null>";
> +
> + return NULL;
> +}
> +
> +static inline const char *check_heap_object(const void *ptr,
> unsigned long n)
> +{
> + struct page *page, *endpage;
> + const void *end = ptr + n - 1;
> +
> + if (!virt_addr_valid(ptr))
> + return NULL;
> +
> + page = virt_to_head_page(ptr);
> +
> + /* Check slab allocator for flags and size. */
> + if (PageSlab(page))
> + return __check_heap_object(ptr, n, page);
> +
> + /* Is the object wholly within one base page? */
> + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)
> ==
> + ((unsigned long)end & (unsigned long)PAGE_MASK)))
> + return NULL;
> +
> + /* Allow if start and end are inside the same compound page.
> */
> + endpage = virt_to_head_page(end);
> + if (likely(endpage == page))
> + return NULL;
> +
> + /* Allow special areas, device memory, and sometimes kernel
> data. */
> + if (PageReserved(page) && PageReserved(endpage))
> + return NULL;
> +
> + /*
> + * Sometimes the kernel data regions are not marked
> Reserved. And
> + * sometimes [_sdata,_edata) does not cover rodata and/or
> bss,
> + * so check each range explicitly.
> + */
> +
> + /* Allow kernel data region (if not marked as Reserved). */
> + if (ptr >= (const void *)_sdata && end <= (const void
> *)_edata)
> + return NULL;
> +
> + /* Allow kernel rodata region (if not marked as Reserved).
> */
> + if (ptr >= (const void *)__start_rodata &&
> + end <= (const void *)__end_rodata)
> + return NULL;
> +
> + /* Allow kernel bss region (if not marked as Reserved). */
> + if (ptr >= (const void *)__bss_start &&
> + end <= (const void *)__bss_stop)
> + return NULL;
> +
> + /* Uh oh. The "object" spans several independently allocated
> pages. */
> + return "<spans multiple pages>";
> +}
> +
> +/*
> + * Validates that the given object is one of:
> + * - known safe heap object
> + * - known safe stack object
> + * - not in kernel text
> + */
> +void __check_object_size(const void *ptr, unsigned long n, bool
> to_user)
> +{
> + const char *err;
> +
> + /* Skip all tests if size is zero. */
> + if (!n)
> + return;
> +
> + /* Check for invalid addresses. */
> + err = check_bogus_address(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad heap object. */
> + err = check_heap_object(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad stack object. */
> + switch (check_stack_object(ptr, n)) {
> + case 0:
> + /* Object is not touching the current process stack.
> */
> + break;
> + case 1:
> + case 2:
> + /*
> + * Object is either in the correct frame (when it
> + * is possible to check) or just generally on the
> + * process stack (when frame checking not
> available).
> + */
> + return;
> + default:
> + err = "<process stack>";
> + goto report;
> + }
> +
> + /* Check for object in kernel to avoid text exposure. */
> + err = check_kernel_text_object(ptr, n);
> + if (!err)
> + return;
> +
> +report:
> + report_usercopy(ptr, n, to_user, err);
> +}
> +EXPORT_SYMBOL(__check_object_size);
> diff --git a/security/Kconfig b/security/Kconfig
> index 176758cdfa57..63340ad0b9f9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific
> to the
> systems running LSM.
>
> +config HAVE_HARDENED_USERCOPY_ALLOCATOR
> + bool
> + help
> + The heap allocator implements __check_heap_object() for
> + validating memory ranges against heap object sizes in
> + support of CONFIG_HARDENED_USERCOPY.
> +
> +config HAVE_ARCH_HARDENED_USERCOPY
> + bool
> + help
> + The architecture supports CONFIG_HARDENED_USERCOPY by
> + calling check_object_size() just before performing the
> + userspace copies in the low level implementation of
> + copy_to_user() and copy_from_user().
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + depends on HAVE_ARCH_HARDENED_USERCOPY
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges
> that
> + are larger than the specified heap object, span multiple
> + separately allocates pages, are not on the process stack,
> + or are part of the kernel text. This kills entire classes
> + of heap overflow exploits and similar kernel memory
> exposures.
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
--
All Rights Reversed.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Rik van Riel <riel@redhat.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/9] mm: Hardened usercopy
Date: Thu, 07 Jul 2016 16:19:36 +0000 [thread overview]
Message-ID: <1467908376.13253.15.camel@redhat.com> (raw)
In-Reply-To: <1467843928-29351-2-git-send-email-keescook@chromium.org>
[-- Attachment #1: Type: text/plain, Size: 14639 bytes --]
On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
> This is the start of porting PAX_USERCOPY into the mainline kernel.
> This
> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY.
> The
> work is based on code by PaX Team and Brad Spengler, and an earlier
> port
> from Casey Schaufler. Additional non-slab page tests are from Rik van
> Riel.
Feel free to add my S-O-B for the code I wrote. The rest
looks good, too.
There may be some room for optimization later on, by putting
the most likely branches first, annotating with likely/unlikely,
etc, but I suspect the less likely checks are already towards
the ends of the functions.
Signed-off-by: Rik van Riel <riel@redhat.com>
> This patch contains the logic for validating several conditions when
> performing copy_to_user() and copy_from_user() on the kernel object
> being copied to/from:
> - address range doesn't wrap around
> - address range isn't NULL or zero-allocated (with a non-zero copy
> size)
> - if on the slab allocator:
> - object size must be less than or equal to copy size (when check
> is
> implemented in the allocator, which appear in subsequent patches)
> - otherwise, object must not span page allocations
> - if on the stack
> - object must not extend before/after the current process task
> - object must be contained by the current stack frame (when there
> is
> arch/build support for identifying stack frames)
> - object must not overlap with kernel text
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/Kconfig | 7 ++
> include/linux/slab.h | 12 +++
> include/linux/thread_info.h | 15 +++
> mm/Makefile | 4 +
> mm/usercopy.c | 239
> ++++++++++++++++++++++++++++++++++++++++++++
> security/Kconfig | 27 +++++
> 6 files changed, 304 insertions(+)
> create mode 100644 mm/usercopy.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d794384a0404..3ea04d8dcf62 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG
>
> endchoice
>
> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + bool
> + help
> + An architecture should select this if it has a secondary
> linear
> + mapping of the kernel text. This is used to verify that
> kernel
> + text exposures are not visible under
> CONFIG_HARDENED_USERCOPY.
> +
> config HAVE_CONTEXT_TRACKING
> bool
> help
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index aeb3e6d00a66..96a16a3fb7cb 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -155,6 +155,18 @@ void kfree(const void *);
> void kzfree(const void *);
> size_t ksize(const void *);
>
> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
> +const char *__check_heap_object(const void *ptr, unsigned long n,
> + struct page *page);
> +#else
> +static inline const char *__check_heap_object(const void *ptr,
> + unsigned long n,
> + struct page *page)
> +{
> + return NULL;
> +}
> +#endif
> +
> /*
> * Some archs want to perform DMA into kmalloc caches and need a
> guaranteed
> * alignment larger than the alignment of a 64-bit integer.
> diff --git a/include/linux/thread_info.h
> b/include/linux/thread_info.h
> index b4c2a485b28a..a02200db9c33 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -146,6 +146,21 @@ static inline bool
> test_and_clear_restore_sigmask(void)
> #error "no set_restore_sigmask() provided and default one won't
> work"
> #endif
>
> +#ifdef CONFIG_HARDENED_USERCOPY
> +extern void __check_object_size(const void *ptr, unsigned long n,
> + bool to_user);
> +
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{
> + __check_object_size(ptr, n, to_user);
> +}
> +#else
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + bool to_user)
> +{ }
> +#endif /* CONFIG_HARDENED_USERCOPY */
> +
> #endif /* __KERNEL__ */
>
> #endif /* _LINUX_THREAD_INFO_H */
> diff --git a/mm/Makefile b/mm/Makefile
> index 78c6f7dedb83..32d37247c7e5 100644
> --- a/mm/Makefile
> +++ b/mm/Makefile
> @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
> KCOV_INSTRUMENT_mmzone.o := n
> KCOV_INSTRUMENT_vmstat.o := n
>
> +# Since __builtin_frame_address does work as used, disable the
> warning.
> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
> +
> mmu-y := nommu.o
> mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
> mlock.o mmap.o mprotect.o mremap.o
> msync.o rmap.o \
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
> obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
> obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
> obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> new file mode 100644
> index 000000000000..ad2765dd6dc4
> --- /dev/null
> +++ b/mm/usercopy.c
> @@ -0,0 +1,239 @@
> +/*
> + * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
> + * which are designed to protect kernel memory from needless
> exposure
> + * and overwrite under many unintended conditions. This code is
> based
> + * on PAX_USERCOPY, which is:
> + *
> + * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
> + * Security Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/mm.h>
> +#include <linux/slab.h>
> +#include <asm/sections.h>
> +
> +/*
> + * Checks if a given pointer and length is contained by the current
> + * stack frame (if possible).
> + *
> + * 0: not at all on the stack
> + * 1: fully on the stack (when can't do frame-checking)
> + * 2: fully inside the current stack frame
> + * -1: error condition (invalid stack position or bad stack
> frame)
> + */
> +static noinline int check_stack_object(const void *obj, unsigned
> long len)
> +{
> + const void * const stack = task_stack_page(current);
> + const void * const stackend = stack + THREAD_SIZE;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + const void *frame = NULL;
> + const void *oldframe;
> +#endif
> +
> + /* Object is not on the stack at all. */
> + if (obj + len <= stack || stackend <= obj)
> + return 0;
> +
> + /*
> + * Reject: object partially overlaps the stack (passing the
> + * the check above means at least one end is within the
> stack,
> + * so if this check fails, the other end is outside the
> stack).
> + */
> + if (obj < stack || stackend < obj + len)
> + return -1;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + oldframe = __builtin_frame_address(1);
> + if (oldframe)
> + frame = __builtin_frame_address(2);
> + /*
> + * low ----------------------------------------------> high
> + * [saved bp][saved ip][args][local vars][saved bp][saved
> ip]
> + * ^----------------^
> + * allow copies only within here
> + */
> + while (stack <= frame && frame < stackend) {
> + /*
> + * If obj + len extends past the last frame, this
> + * check won't pass and the next frame will be 0,
> + * causing us to bail out and correctly report
> + * the copy as invalid.
> + */
> + if (obj + len <= frame)
> + return obj >= oldframe + 2 * sizeof(void *)
> ? 2 : -1;
> + oldframe = frame;
> + frame = *(const void * const *)frame;
> + }
> + return -1;
> +#else
> + return 1;
> +#endif
> +}
> +
> +static void report_usercopy(const void *ptr, unsigned long len,
> + bool to_user, const char *type)
> +{
> + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu
> bytes)\n",
> + to_user ? "exposure" : "overwrite",
> + to_user ? "from" : "to", ptr, type ? : "unknown",
> len);
> + dump_stack();
> + do_group_exit(SIGKILL);
> +}
> +
> +/* Returns true if any portion of [ptr,ptr+n) over laps with
> [low,high). */
> +static bool overlaps(const void *ptr, unsigned long n, unsigned long
> low,
> + unsigned long high)
> +{
> + unsigned long check_low = (uintptr_t)ptr;
> + unsigned long check_high = check_low + n;
> +
> + /* Does not overlap if entirely above or entirely below. */
> + if (check_low >= high || check_high < low)
> + return false;
> +
> + return true;
> +}
> +
> +/* Is this address range in the kernel text area? */
> +static inline const char *check_kernel_text_object(const void *ptr,
> + unsigned long n)
> +{
> + unsigned long textlow = (unsigned long)_stext;
> + unsigned long texthigh = (unsigned long)_etext;
> +
> + if (overlaps(ptr, n, textlow, texthigh))
> + return "<kernel text>";
> +
> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + /* Check against linear mapping as well. */
> + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),
> + (unsigned long)__va(__pa(texthigh))))
> + return "<linear kernel text>";
> +#endif
> +
> + return NULL;
> +}
> +
> +static inline const char *check_bogus_address(const void *ptr,
> unsigned long n)
> +{
> + /* Reject if object wraps past end of memory. */
> + if (ptr + n < ptr)
> + return "<wrapped address>";
> +
> + /* Reject if NULL or ZERO-allocation. */
> + if (ZERO_OR_NULL_PTR(ptr))
> + return "<null>";
> +
> + return NULL;
> +}
> +
> +static inline const char *check_heap_object(const void *ptr,
> unsigned long n)
> +{
> + struct page *page, *endpage;
> + const void *end = ptr + n - 1;
> +
> + if (!virt_addr_valid(ptr))
> + return NULL;
> +
> + page = virt_to_head_page(ptr);
> +
> + /* Check slab allocator for flags and size. */
> + if (PageSlab(page))
> + return __check_heap_object(ptr, n, page);
> +
> + /* Is the object wholly within one base page? */
> + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)
> ==
> + ((unsigned long)end & (unsigned long)PAGE_MASK)))
> + return NULL;
> +
> + /* Allow if start and end are inside the same compound page.
> */
> + endpage = virt_to_head_page(end);
> + if (likely(endpage == page))
> + return NULL;
> +
> + /* Allow special areas, device memory, and sometimes kernel
> data. */
> + if (PageReserved(page) && PageReserved(endpage))
> + return NULL;
> +
> + /*
> + * Sometimes the kernel data regions are not marked
> Reserved. And
> + * sometimes [_sdata,_edata) does not cover rodata and/or
> bss,
> + * so check each range explicitly.
> + */
> +
> + /* Allow kernel data region (if not marked as Reserved). */
> + if (ptr >= (const void *)_sdata && end <= (const void
> *)_edata)
> + return NULL;
> +
> + /* Allow kernel rodata region (if not marked as Reserved).
> */
> + if (ptr >= (const void *)__start_rodata &&
> + end <= (const void *)__end_rodata)
> + return NULL;
> +
> + /* Allow kernel bss region (if not marked as Reserved). */
> + if (ptr >= (const void *)__bss_start &&
> + end <= (const void *)__bss_stop)
> + return NULL;
> +
> + /* Uh oh. The "object" spans several independently allocated
> pages. */
> + return "<spans multiple pages>";
> +}
> +
> +/*
> + * Validates that the given object is one of:
> + * - known safe heap object
> + * - known safe stack object
> + * - not in kernel text
> + */
> +void __check_object_size(const void *ptr, unsigned long n, bool
> to_user)
> +{
> + const char *err;
> +
> + /* Skip all tests if size is zero. */
> + if (!n)
> + return;
> +
> + /* Check for invalid addresses. */
> + err = check_bogus_address(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad heap object. */
> + err = check_heap_object(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad stack object. */
> + switch (check_stack_object(ptr, n)) {
> + case 0:
> + /* Object is not touching the current process stack.
> */
> + break;
> + case 1:
> + case 2:
> + /*
> + * Object is either in the correct frame (when it
> + * is possible to check) or just generally on the
> + * process stack (when frame checking not
> available).
> + */
> + return;
> + default:
> + err = "<process stack>";
> + goto report;
> + }
> +
> + /* Check for object in kernel to avoid text exposure. */
> + err = check_kernel_text_object(ptr, n);
> + if (!err)
> + return;
> +
> +report:
> + report_usercopy(ptr, n, to_user, err);
> +}
> +EXPORT_SYMBOL(__check_object_size);
> diff --git a/security/Kconfig b/security/Kconfig
> index 176758cdfa57..63340ad0b9f9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific
> to the
> systems running LSM.
>
> +config HAVE_HARDENED_USERCOPY_ALLOCATOR
> + bool
> + help
> + The heap allocator implements __check_heap_object() for
> + validating memory ranges against heap object sizes in
> + support of CONFIG_HARDENED_USERCOPY.
> +
> +config HAVE_ARCH_HARDENED_USERCOPY
> + bool
> + help
> + The architecture supports CONFIG_HARDENED_USERCOPY by
> + calling check_object_size() just before performing the
> + userspace copies in the low level implementation of
> + copy_to_user() and copy_from_user().
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + depends on HAVE_ARCH_HARDENED_USERCOPY
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges
> that
> + are larger than the specified heap object, span multiple
> + separately allocates pages, are not on the process stack,
> + or are part of the kernel text. This kills entire classes
> + of heap overflow exploits and similar kernel memory
> exposures.
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
--
All Rights Reversed.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: riel@redhat.com (Rik van Riel)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 1/9] mm: Hardened usercopy
Date: Thu, 07 Jul 2016 12:19:36 -0400 [thread overview]
Message-ID: <1467908376.13253.15.camel@redhat.com> (raw)
In-Reply-To: <1467843928-29351-2-git-send-email-keescook@chromium.org>
On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:
> This is the start of porting PAX_USERCOPY into the mainline kernel.
> This
> is the first set of features, controlled by CONFIG_HARDENED_USERCOPY.
> The
> work is based on code by PaX Team and Brad Spengler, and an earlier
> port
> from Casey Schaufler. Additional non-slab page tests are from Rik van
> Riel.
Feel free to add my S-O-B for the code I wrote. The rest
looks good, too.
There may be some room for optimization later on, by putting
the most likely branches first, annotating with likely/unlikely,
etc, but I suspect the less likely checks are already towards
the ends of the functions.
Signed-off-by: Rik van Riel <riel@redhat.com>
> This patch contains the logic for validating several conditions when
> performing copy_to_user() and copy_from_user() on the kernel object
> being copied to/from:
> - address range doesn't wrap around
> - address range isn't NULL or zero-allocated (with a non-zero copy
> size)
> - if on the slab allocator:
> ? - object size must be less than or equal to copy size (when check
> is
> ????implemented in the allocator, which appear in subsequent patches)
> - otherwise, object must not span page allocations
> - if on the stack
> ? - object must not extend before/after the current process task
> ? - object must be contained by the current stack frame (when there
> is
> ????arch/build support for identifying stack frames)
> - object must not overlap with kernel text
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> ?arch/Kconfig????????????????|???7 ++
> ?include/linux/slab.h????????|??12 +++
> ?include/linux/thread_info.h |??15 +++
> ?mm/Makefile?????????????????|???4 +
> ?mm/usercopy.c???????????????| 239
> ++++++++++++++++++++++++++++++++++++++++++++
> ?security/Kconfig????????????|??27 +++++
> ?6 files changed, 304 insertions(+)
> ?create mode 100644 mm/usercopy.c
>
> diff --git a/arch/Kconfig b/arch/Kconfig
> index d794384a0404..3ea04d8dcf62 100644
> --- a/arch/Kconfig
> +++ b/arch/Kconfig
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG
> ?
> ?endchoice
> ?
> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + bool
> + help
> + ??An architecture should select this if it has a secondary
> linear
> + ??mapping of the kernel text. This is used to verify that
> kernel
> + ??text exposures are not visible under
> CONFIG_HARDENED_USERCOPY.
> +
> ?config HAVE_CONTEXT_TRACKING
> ? bool
> ? help
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index aeb3e6d00a66..96a16a3fb7cb 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -155,6 +155,18 @@ void kfree(const void *);
> ?void kzfree(const void *);
> ?size_t ksize(const void *);
> ?
> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR
> +const char *__check_heap_object(const void *ptr, unsigned long n,
> + struct page *page);
> +#else
> +static inline const char *__check_heap_object(const void *ptr,
> + ??????unsigned long n,
> + ??????struct page *page)
> +{
> + return NULL;
> +}
> +#endif
> +
> ?/*
> ? * Some archs want to perform DMA into kmalloc caches and need a
> guaranteed
> ? * alignment larger than the alignment of a 64-bit integer.
> diff --git a/include/linux/thread_info.h
> b/include/linux/thread_info.h
> index b4c2a485b28a..a02200db9c33 100644
> --- a/include/linux/thread_info.h
> +++ b/include/linux/thread_info.h
> @@ -146,6 +146,21 @@ static inline bool
> test_and_clear_restore_sigmask(void)
> ?#error "no set_restore_sigmask() provided and default one won't
> work"
> ?#endif
> ?
> +#ifdef CONFIG_HARDENED_USERCOPY
> +extern void __check_object_size(const void *ptr, unsigned long n,
> + bool to_user);
> +
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + ?????bool to_user)
> +{
> + __check_object_size(ptr, n, to_user);
> +}
> +#else
> +static inline void check_object_size(const void *ptr, unsigned long
> n,
> + ?????bool to_user)
> +{ }
> +#endif /* CONFIG_HARDENED_USERCOPY */
> +
> ?#endif /* __KERNEL__ */
> ?
> ?#endif /* _LINUX_THREAD_INFO_H */
> diff --git a/mm/Makefile b/mm/Makefile
> index 78c6f7dedb83..32d37247c7e5 100644
> --- a/mm/Makefile
> +++ b/mm/Makefile
> @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n
> ?KCOV_INSTRUMENT_mmzone.o := n
> ?KCOV_INSTRUMENT_vmstat.o := n
> ?
> +# Since __builtin_frame_address does work as used, disable the
> warning.
> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)
> +
> ?mmu-y := nommu.o
> ?mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \
> ? ???mlock.o mmap.o mprotect.o mremap.o
> msync.o rmap.o \
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o
> ?obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o
> ?obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o
> ?obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o
> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> new file mode 100644
> index 000000000000..ad2765dd6dc4
> --- /dev/null
> +++ b/mm/usercopy.c
> @@ -0,0 +1,239 @@
> +/*
> + * This implements the various checks for CONFIG_HARDENED_USERCOPY*,
> + * which are designed to protect kernel memory from needless
> exposure
> + * and overwrite under many unintended conditions. This code is
> based
> + * on PAX_USERCOPY, which is:
> + *
> + * Copyright (C) 2001-2016 PaX Team, Bradley Spengler, Open Source
> + * Security Inc.
> + *
> + * This program is free software; you can redistribute it and/or
> modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
> +
> +#include <linux/mm.h>
> +#include <linux/slab.h>
> +#include <asm/sections.h>
> +
> +/*
> + * Checks if a given pointer and length is contained by the current
> + * stack frame (if possible).
> + *
> + * 0: not at all on the stack
> + * 1: fully on the stack (when can't do frame-checking)
> + * 2: fully inside the current stack frame
> + * -1: error condition (invalid stack position or bad stack
> frame)
> + */
> +static noinline int check_stack_object(const void *obj, unsigned
> long len)
> +{
> + const void * const stack = task_stack_page(current);
> + const void * const stackend = stack + THREAD_SIZE;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + const void *frame = NULL;
> + const void *oldframe;
> +#endif
> +
> + /* Object is not on the stack at all. */
> + if (obj + len <= stack || stackend <= obj)
> + return 0;
> +
> + /*
> + ?* Reject: object partially overlaps the stack (passing the
> + ?* the check above means at least one end is within the
> stack,
> + ?* so if this check fails, the other end is outside the
> stack).
> + ?*/
> + if (obj < stack || stackend < obj + len)
> + return -1;
> +
> +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
> + oldframe = __builtin_frame_address(1);
> + if (oldframe)
> + frame = __builtin_frame_address(2);
> + /*
> + ?* low ----------------------------------------------> high
> + ?* [saved bp][saved ip][args][local vars][saved bp][saved
> ip]
> + ?* ?????^----------------^
> + ?*?????????????allow copies only within here
> + ?*/
> + while (stack <= frame && frame < stackend) {
> + /*
> + ?* If obj + len extends past the last frame, this
> + ?* check won't pass and the next frame will be 0,
> + ?* causing us to bail out and correctly report
> + ?* the copy as invalid.
> + ?*/
> + if (obj + len <= frame)
> + return obj >= oldframe + 2 * sizeof(void *)
> ? 2 : -1;
> + oldframe = frame;
> + frame = *(const void * const *)frame;
> + }
> + return -1;
> +#else
> + return 1;
> +#endif
> +}
> +
> +static void report_usercopy(const void *ptr, unsigned long len,
> + ????bool to_user, const char *type)
> +{
> + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu
> bytes)\n",
> + to_user ? "exposure" : "overwrite",
> + to_user ? "from" : "to", ptr, type ? : "unknown",
> len);
> + dump_stack();
> + do_group_exit(SIGKILL);
> +}
> +
> +/* Returns true if any portion of [ptr,ptr+n) over laps with
> [low,high). */
> +static bool overlaps(const void *ptr, unsigned long n, unsigned long
> low,
> + ?????unsigned long high)
> +{
> + unsigned long check_low = (uintptr_t)ptr;
> + unsigned long check_high = check_low + n;
> +
> + /* Does not overlap if entirely above or entirely below. */
> + if (check_low >= high || check_high < low)
> + return false;
> +
> + return true;
> +}
> +
> +/* Is this address range in the kernel text area? */
> +static inline const char *check_kernel_text_object(const void *ptr,
> + ???unsigned long n)
> +{
> + unsigned long textlow = (unsigned long)_stext;
> + unsigned long texthigh = (unsigned long)_etext;
> +
> + if (overlaps(ptr, n, textlow, texthigh))
> + return "<kernel text>";
> +
> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING
> + /* Check against linear mapping as well. */
> + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),
> + ?????(unsigned long)__va(__pa(texthigh))))
> + return "<linear kernel text>";
> +#endif
> +
> + return NULL;
> +}
> +
> +static inline const char *check_bogus_address(const void *ptr,
> unsigned long n)
> +{
> + /* Reject if object wraps past end of memory. */
> + if (ptr + n < ptr)
> + return "<wrapped address>";
> +
> + /* Reject if NULL or ZERO-allocation. */
> + if (ZERO_OR_NULL_PTR(ptr))
> + return "<null>";
> +
> + return NULL;
> +}
> +
> +static inline const char *check_heap_object(const void *ptr,
> unsigned long n)
> +{
> + struct page *page, *endpage;
> + const void *end = ptr + n - 1;
> +
> + if (!virt_addr_valid(ptr))
> + return NULL;
> +
> + page = virt_to_head_page(ptr);
> +
> + /* Check slab allocator for flags and size. */
> + if (PageSlab(page))
> + return __check_heap_object(ptr, n, page);
> +
> + /* Is the object wholly within one base page? */
> + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)
> ==
> + ???((unsigned long)end & (unsigned long)PAGE_MASK)))
> + return NULL;
> +
> + /* Allow if start and end are inside the same compound page.
> */
> + endpage = virt_to_head_page(end);
> + if (likely(endpage == page))
> + return NULL;
> +
> + /* Allow special areas, device memory, and sometimes kernel
> data. */
> + if (PageReserved(page) && PageReserved(endpage))
> + return NULL;
> +
> + /*
> + ?* Sometimes the kernel data regions are not marked
> Reserved. And
> + ?* sometimes [_sdata,_edata) does not cover rodata and/or
> bss,
> + ?* so check each range explicitly.
> + ?*/
> +
> + /* Allow kernel data region (if not marked as Reserved). */
> + if (ptr >= (const void *)_sdata && end <= (const void
> *)_edata)
> + return NULL;
> +
> + /* Allow kernel rodata region (if not marked as Reserved).
> */
> + if (ptr >= (const void *)__start_rodata &&
> + ????end <= (const void *)__end_rodata)
> + return NULL;
> +
> + /* Allow kernel bss region (if not marked as Reserved). */
> + if (ptr >= (const void *)__bss_start &&
> + ????end <= (const void *)__bss_stop)
> + return NULL;
> +
> + /* Uh oh. The "object" spans several independently allocated
> pages. */
> + return "<spans multiple pages>";
> +}
> +
> +/*
> + * Validates that the given object is one of:
> + * - known safe heap object
> + * - known safe stack object
> + * - not in kernel text
> + */
> +void __check_object_size(const void *ptr, unsigned long n, bool
> to_user)
> +{
> + const char *err;
> +
> + /* Skip all tests if size is zero. */
> + if (!n)
> + return;
> +
> + /* Check for invalid addresses. */
> + err = check_bogus_address(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad heap object. */
> + err = check_heap_object(ptr, n);
> + if (err)
> + goto report;
> +
> + /* Check for bad stack object. */
> + switch (check_stack_object(ptr, n)) {
> + case 0:
> + /* Object is not touching the current process stack.
> */
> + break;
> + case 1:
> + case 2:
> + /*
> + ?* Object is either in the correct frame (when it
> + ?* is possible to check) or just generally on the
> + ?* process stack (when frame checking not
> available).
> + ?*/
> + return;
> + default:
> + err = "<process stack>";
> + goto report;
> + }
> +
> + /* Check for object in kernel to avoid text exposure. */
> + err = check_kernel_text_object(ptr, n);
> + if (!err)
> + return;
> +
> +report:
> + report_usercopy(ptr, n, to_user, err);
> +}
> +EXPORT_SYMBOL(__check_object_size);
> diff --git a/security/Kconfig b/security/Kconfig
> index 176758cdfa57..63340ad0b9f9 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR
> ? ??this low address space will need the permission specific
> to the
> ? ??systems running LSM.
> ?
> +config HAVE_HARDENED_USERCOPY_ALLOCATOR
> + bool
> + help
> + ??The heap allocator implements __check_heap_object() for
> + ??validating memory ranges against heap object sizes in
> + ??support of CONFIG_HARDENED_USERCOPY.
> +
> +config HAVE_ARCH_HARDENED_USERCOPY
> + bool
> + help
> + ??The architecture supports CONFIG_HARDENED_USERCOPY by
> + ??calling check_object_size() just before performing the
> + ??userspace copies in the low level implementation of
> + ??copy_to_user() and copy_from_user().
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + depends on HAVE_ARCH_HARDENED_USERCOPY
> + help
> + ??This option checks for obviously wrong memory regions when
> + ??copying memory to/from the kernel (via copy_to_user() and
> + ??copy_from_user() functions) by rejecting memory ranges
> that
> + ??are larger than the specified heap object, span multiple
> + ??separately allocates pages, are not on the process stack,
> + ??or are part of the kernel text. This kills entire classes
> + ??of heap overflow exploits and similar kernel memory
> exposures.
> +
> ?source security/selinux/Kconfig
> ?source security/smack/Kconfig
> ?source security/tomoyo/Kconfig
--
All Rights Reversed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20160707/29b69556/attachment-0001.sig>
next prev parent reply other threads:[~2016-07-07 16:19 UTC|newest]
Thread overview: 336+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 22:25 [kernel-hardening] [PATCH 0/9] mm: Hardened usercopy Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 1/9] " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-07 5:37 ` [kernel-hardening] " Baruch Siach
2016-07-07 5:37 ` Baruch Siach
2016-07-07 5:37 ` Baruch Siach
2016-07-07 5:37 ` Baruch Siach
2016-07-07 5:37 ` Baruch Siach
2016-07-07 5:37 ` Baruch Siach
2016-07-07 17:25 ` [kernel-hardening] " Kees Cook
2016-07-07 17:25 ` Kees Cook
2016-07-07 17:25 ` Kees Cook
2016-07-07 17:25 ` Kees Cook
2016-07-07 17:25 ` Kees Cook
2016-07-07 17:25 ` Kees Cook
2016-07-07 18:35 ` [kernel-hardening] " Baruch Siach
2016-07-07 18:35 ` Baruch Siach
2016-07-07 18:35 ` Baruch Siach
2016-07-07 18:35 ` Baruch Siach
2016-07-07 18:35 ` Baruch Siach
2016-07-07 18:35 ` Baruch Siach
2016-07-07 7:42 ` [kernel-hardening] " Thomas Gleixner
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 7:42 ` Thomas Gleixner
2016-07-07 17:29 ` [kernel-hardening] " Kees Cook
2016-07-07 17:29 ` Kees Cook
2016-07-07 17:29 ` Kees Cook
2016-07-07 17:29 ` Kees Cook
2016-07-07 17:29 ` Kees Cook
2016-07-07 17:29 ` Kees Cook
2016-07-07 19:34 ` [kernel-hardening] " Thomas Gleixner
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 19:34 ` Thomas Gleixner
2016-07-07 8:01 ` [kernel-hardening] " Arnd Bergmann
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 8:01 ` Arnd Bergmann
2016-07-07 17:37 ` [kernel-hardening] " Kees Cook
2016-07-07 17:37 ` Kees Cook
2016-07-07 17:37 ` Kees Cook
2016-07-07 17:37 ` Kees Cook
2016-07-07 17:37 ` Kees Cook
2016-07-07 17:37 ` Kees Cook
2016-07-08 5:34 ` [kernel-hardening] " Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 5:34 ` Michael Ellerman
2016-07-08 9:22 ` [kernel-hardening] " Arnd Bergmann
2016-07-08 9:22 ` Arnd Bergmann
2016-07-08 9:22 ` Arnd Bergmann
2016-07-08 9:22 ` Arnd Bergmann
2016-07-08 9:22 ` Arnd Bergmann
2016-07-08 9:22 ` Arnd Bergmann
2016-07-07 16:19 ` Rik van Riel [this message]
2016-07-07 16:19 ` Rik van Riel
2016-07-07 16:19 ` Rik van Riel
2016-07-07 16:19 ` Rik van Riel
2016-07-07 16:19 ` Rik van Riel
2016-07-07 16:35 ` [kernel-hardening] " Rik van Riel
2016-07-07 16:35 ` Rik van Riel
2016-07-07 16:35 ` Rik van Riel
2016-07-07 16:35 ` Rik van Riel
2016-07-07 16:35 ` Rik van Riel
2016-07-07 17:41 ` [kernel-hardening] " Kees Cook
2016-07-07 17:41 ` Kees Cook
2016-07-07 17:41 ` Kees Cook
2016-07-07 17:41 ` Kees Cook
2016-07-07 17:41 ` Kees Cook
2016-07-07 17:41 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 2/9] x86/uaccess: Enable hardened usercopy Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 3/9] ARM: uaccess: " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 4/9] arm64/uaccess: " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-07 10:07 ` [kernel-hardening] " Mark Rutland
2016-07-07 10:07 ` Mark Rutland
2016-07-07 10:07 ` Mark Rutland
2016-07-07 10:07 ` Mark Rutland
2016-07-07 10:07 ` Mark Rutland
2016-07-07 10:07 ` Mark Rutland
2016-07-07 17:19 ` [kernel-hardening] " Kees Cook
2016-07-07 17:19 ` Kees Cook
2016-07-07 17:19 ` Kees Cook
2016-07-07 17:19 ` Kees Cook
2016-07-07 17:19 ` Kees Cook
2016-07-07 17:19 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 5/9] ia64/uaccess: " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 6/9] powerpc/uaccess: " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 7/9] sparc/uaccess: " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 8/9] mm: SLAB hardened usercopy support Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` [kernel-hardening] [PATCH 9/9] mm: SLUB " Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-06 22:25 ` Kees Cook
2016-07-07 4:35 ` Michael Ellerman
2016-07-07 4:35 ` Michael Ellerman
2016-07-07 4:35 ` Michael Ellerman
2016-07-07 4:35 ` [kernel-hardening] " Michael Ellerman
2016-07-07 4:35 ` Michael Ellerman
2016-07-07 4:35 ` Michael Ellerman
2016-07-07 4:35 ` Michael Ellerman
[not found] ` <577ddc18.d351190a.1fa54.ffffbe79SMTPIN_ADDED_BROKEN@mx.google.com>
2016-07-07 18:56 ` [kernel-hardening] " Kees Cook
2016-07-07 18:56 ` Kees Cook
2016-07-07 18:56 ` Kees Cook
2016-07-07 18:56 ` Kees Cook
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 13:45 ` Christoph Lameter
2016-07-08 13:45 ` Christoph Lameter
2016-07-08 13:45 ` Christoph Lameter
2016-07-08 13:45 ` Christoph Lameter
2016-07-08 16:07 ` Kees Cook
2016-07-08 16:07 ` Kees Cook
2016-07-08 16:07 ` Kees Cook
2016-07-08 16:07 ` Kees Cook
2016-07-08 16:20 ` Christoph Lameter
2016-07-08 16:20 ` Christoph Lameter
2016-07-08 16:20 ` Christoph Lameter
2016-07-08 16:20 ` Christoph Lameter
2016-07-08 17:41 ` [kernel-hardening] " Kees Cook
2016-07-08 17:41 ` Kees Cook
2016-07-08 17:41 ` Kees Cook
2016-07-08 17:41 ` Kees Cook
2016-07-08 17:41 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-08 20:48 ` Kees Cook
2016-07-09 5:58 ` [kernel-hardening] " Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 6:07 ` [kernel-hardening] " Michael Ellerman
2016-07-09 6:07 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
2016-07-09 5:58 ` Michael Ellerman
[not found] ` <57809299.84b3370a.5390c.ffff9e58SMTPIN_ADDED_BROKEN@mx.google.com>
2016-07-09 6:17 ` [kernel-hardening] " Valdis.Kletnieks
2016-07-09 6:17 ` Valdis.Kletnieks at vt.edu
2016-07-09 6:17 ` Valdis.Kletnieks
2016-07-09 6:17 ` Valdis.Kletnieks
2016-07-09 6:17 ` Valdis.Kletnieks
2016-07-09 17:07 ` Kees Cook
2016-07-09 17:07 ` Kees Cook
2016-07-09 17:07 ` Kees Cook
2016-07-09 17:07 ` Kees Cook
2016-07-09 17:07 ` Kees Cook
2016-07-11 6:08 ` Joonsoo Kim
2016-07-11 6:08 ` Joonsoo Kim
2016-07-11 6:08 ` Joonsoo Kim
2016-07-11 6:08 ` Joonsoo Kim
2016-07-11 6:08 ` Joonsoo Kim
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 10:19 ` [kernel-hardening] " Michael Ellerman
2016-07-08 10:19 ` Michael Ellerman
2016-07-08 10:19 ` Michael Ellerman
2016-07-07 7:30 ` [kernel-hardening] Re: [PATCH 0/9] mm: Hardened usercopy Christian Borntraeger
2016-07-07 7:30 ` Christian Borntraeger
2016-07-07 7:30 ` Christian Borntraeger
2016-07-07 7:30 ` Christian Borntraeger
2016-07-07 7:30 ` Christian Borntraeger
2016-07-07 7:30 ` Christian Borntraeger
2016-07-07 17:27 ` [kernel-hardening] " Kees Cook
2016-07-07 17:27 ` Kees Cook
2016-07-07 17:27 ` Kees Cook
2016-07-07 17:27 ` Kees Cook
2016-07-07 17:27 ` Kees Cook
2016-07-07 17:27 ` Kees Cook
2016-07-08 8:46 ` [kernel-hardening] " Ingo Molnar
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 8:46 ` Ingo Molnar
2016-07-08 16:19 ` [kernel-hardening] " Linus Torvalds
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 16:19 ` Linus Torvalds
2016-07-08 18:23 ` [kernel-hardening] " Ingo Molnar
2016-07-08 18:23 ` Ingo Molnar
2016-07-08 18:23 ` Ingo Molnar
2016-07-08 18:23 ` Ingo Molnar
2016-07-08 18:23 ` Ingo Molnar
2016-07-08 18:23 ` Ingo Molnar
2016-07-09 2:22 ` [kernel-hardening] " Laura Abbott
2016-07-09 2:22 ` Laura Abbott
2016-07-09 2:22 ` Laura Abbott
2016-07-09 2:22 ` Laura Abbott
2016-07-09 2:44 ` [kernel-hardening] " Rik van Riel
2016-07-09 2:44 ` Rik van Riel
2016-07-09 2:44 ` Rik van Riel
2016-07-09 2:44 ` Rik van Riel
2016-07-09 2:44 ` Rik van Riel
2016-07-09 7:55 ` [kernel-hardening] " Ingo Molnar
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 7:55 ` Ingo Molnar
2016-07-09 8:25 ` [kernel-hardening] " Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 8:25 ` Ard Biesheuvel
2016-07-09 12:58 ` [kernel-hardening] " Laura Abbott
2016-07-09 12:58 ` Laura Abbott
2016-07-09 12:58 ` Laura Abbott
2016-07-09 17:03 ` [kernel-hardening] " Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:03 ` Kees Cook
2016-07-09 17:01 ` [kernel-hardening] " Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 17:01 ` Kees Cook
2016-07-09 21:27 ` [kernel-hardening] " Andy Lutomirski
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 21:27 ` Andy Lutomirski
2016-07-09 23:16 ` [kernel-hardening] " PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-09 23:16 ` PaX Team
2016-07-10 9:16 ` [kernel-hardening] " Ingo Molnar
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 9:16 ` Ingo Molnar
2016-07-10 12:03 ` [kernel-hardening] " PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:03 ` PaX Team
2016-07-10 12:38 ` [kernel-hardening] " Andy Lutomirski
2016-07-10 12:38 ` Andy Lutomirski
2016-07-10 12:38 ` Andy Lutomirski
2016-07-10 12:38 ` Andy Lutomirski
2016-07-10 12:38 ` Andy Lutomirski
2016-07-10 12:38 ` Andy Lutomirski
2016-07-11 18:40 ` [kernel-hardening] " Kees Cook
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:40 ` Kees Cook
2016-07-11 18:34 ` [kernel-hardening] " Kees Cook
2016-07-11 18:34 ` Kees Cook
2016-07-11 18:34 ` Kees Cook
2016-07-11 18:34 ` Kees Cook
2016-07-11 18:34 ` Kees Cook
2016-07-11 18:34 ` Kees Cook
2016-07-12 18:26 ` [kernel-hardening] " Valdis.Kletnieks
2016-07-12 18:44 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1467908376.13253.15.camel@redhat.com \
--to=riel@redhat.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=bp@suse.de \
--cc=casey@schaufler-ca.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=fenghua.yu@intel.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jack@suse.cz \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@fedoraproject.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@kernel.org \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=sparclinux@vger.kernel.org \
--cc=spender@grsecurity.net \
--cc=tony.luck@intel.com \
--cc=vitalywool@gmail.com \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.