diff for duplicates of <1467908376.13253.15.camel@redhat.com> diff --git a/a/content_digest b/N1/content_digest index 9ddd55e..25076b4 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,7 +1,7 @@ "ref\01467843928-29351-1-git-send-email-keescook@chromium.org\0" "ref\01467843928-29351-2-git-send-email-keescook@chromium.org\0" "From\0Rik van Riel <riel@redhat.com>\0" - "Subject\0[kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy\0" + "Subject\0Re: [PATCH 1/9] mm: Hardened usercopy\0" "Date\0Thu, 07 Jul 2016 12:19:36 -0400\0" "To\0Kees Cook <keescook@chromium.org>" " linux-kernel@vger.kernel.org\0" @@ -28,16 +28,7 @@ Mathias Krause <minipli@googlemail.com> Jan Kara <jack@suse.cz> Vitaly Wool <vitalywool@gmail.com> - Andrea Arcangeli <aarcange@redhat.com> - Dmitry Vyukov <dvyukov@google.com> - Laura Abbott <labbott@fedoraproject.org> - linux-arm-kernel@lists.infradead.org - linux-ia64@vger.kernel.org - linuxppc-dev@lists.ozlabs.org - sparclinux@vger.kernel.org - linux-arch@vger.kernel.org - linux-mm@kvack.org - " kernel-hardening@lists.openwall.com\0" + " Andrea Arcangeli <aarcange@red>\0" "\01:1\0" "b\0" "On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:\n" @@ -518,4 +509,4 @@ "=HFgp\n" "-----END PGP SIGNATURE-----\n" -33c366769ffd971f285a8e8bdbb3ff51f3efe77a84fa856286c2b4ee6d49f7a2 +9083eec5c49628bec15c1be52fb8b2f7697424672ce483a2ea2c0f96d25ef468
diff --git a/a/content_digest b/N2/content_digest index 9ddd55e..0776fc8 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -1,7 +1,7 @@ "ref\01467843928-29351-1-git-send-email-keescook@chromium.org\0" "ref\01467843928-29351-2-git-send-email-keescook@chromium.org\0" "From\0Rik van Riel <riel@redhat.com>\0" - "Subject\0[kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy\0" + "Subject\0Re: [PATCH 1/9] mm: Hardened usercopy\0" "Date\0Thu, 07 Jul 2016 12:19:36 -0400\0" "To\0Kees Cook <keescook@chromium.org>" " linux-kernel@vger.kernel.org\0" @@ -518,4 +518,4 @@ "=HFgp\n" "-----END PGP SIGNATURE-----\n" -33c366769ffd971f285a8e8bdbb3ff51f3efe77a84fa856286c2b4ee6d49f7a2 +0c1d8c12c7d383c186fc54fc3a70a4a683ff0ed725425b444780f381b2eb9503
diff --git a/a/content_digest b/N3/content_digest index 9ddd55e..5de6bd4 100644 --- a/a/content_digest +++ b/N3/content_digest @@ -1,8 +1,8 @@ "ref\01467843928-29351-1-git-send-email-keescook@chromium.org\0" "ref\01467843928-29351-2-git-send-email-keescook@chromium.org\0" "From\0Rik van Riel <riel@redhat.com>\0" - "Subject\0[kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy\0" - "Date\0Thu, 07 Jul 2016 12:19:36 -0400\0" + "Subject\0Re: [PATCH 1/9] mm: Hardened usercopy\0" + "Date\0Thu, 07 Jul 2016 16:19:36 +0000\0" "To\0Kees Cook <keescook@chromium.org>" " linux-kernel@vger.kernel.org\0" "Cc\0Casey Schaufler <casey@schaufler-ca.com>" @@ -518,4 +518,4 @@ "=HFgp\n" "-----END PGP SIGNATURE-----\n" -33c366769ffd971f285a8e8bdbb3ff51f3efe77a84fa856286c2b4ee6d49f7a2 +eff3c12477d23560be7d305b96a04f91182718f5ccd79fa19fb1e896112b328b
diff --git a/a/1.txt b/N4/1.txt index 59141b7..a3caa37 100644 --- a/a/1.txt +++ b/N4/1.txt @@ -25,74 +25,74 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > - address range isn't NULL or zero-allocated (with a non-zero copy > size) > - if on the slab allocator: -> - object size must be less than or equal to copy size (when check +> ? - object size must be less than or equal to copy size (when check > is -> implemented in the allocator, which appear in subsequent patches) +> ????implemented in the allocator, which appear in subsequent patches) > - otherwise, object must not span page allocations > - if on the stack -> - object must not extend before/after the current process task -> - object must be contained by the current stack frame (when there +> ? - object must not extend before/after the current process task +> ? - object must be contained by the current stack frame (when there > is -> arch/build support for identifying stack frames) +> ????arch/build support for identifying stack frames) > - object must not overlap with kernel text > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- -> arch/Kconfig | 7 ++ -> include/linux/slab.h | 12 +++ -> include/linux/thread_info.h | 15 +++ -> mm/Makefile | 4 + -> mm/usercopy.c | 239 +> ?arch/Kconfig????????????????|???7 ++ +> ?include/linux/slab.h????????|??12 +++ +> ?include/linux/thread_info.h |??15 +++ +> ?mm/Makefile?????????????????|???4 + +> ?mm/usercopy.c???????????????| 239 > ++++++++++++++++++++++++++++++++++++++++++++ -> security/Kconfig | 27 +++++ -> 6 files changed, 304 insertions(+) -> create mode 100644 mm/usercopy.c +> ?security/Kconfig????????????|??27 +++++ +> ?6 files changed, 304 insertions(+) +> ?create mode 100644 mm/usercopy.c > > diff --git a/arch/Kconfig b/arch/Kconfig > index d794384a0404..3ea04d8dcf62 100644 > --- a/arch/Kconfig > +++ b/arch/Kconfig 
> @@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG -> -> endchoice -> +> ? +> ?endchoice +> ? > +config HAVE_ARCH_LINEAR_KERNEL_MAPPING > + bool > + help -> + An architecture should select this if it has a secondary +> + ??An architecture should select this if it has a secondary > linear -> + mapping of the kernel text. This is used to verify that +> + ??mapping of the kernel text. This is used to verify that > kernel -> + text exposures are not visible under +> + ??text exposures are not visible under > CONFIG_HARDENED_USERCOPY. > + -> config HAVE_CONTEXT_TRACKING -> bool -> help +> ?config HAVE_CONTEXT_TRACKING +> ? bool +> ? help > diff --git a/include/linux/slab.h b/include/linux/slab.h > index aeb3e6d00a66..96a16a3fb7cb 100644 > --- a/include/linux/slab.h > +++ b/include/linux/slab.h > @@ -155,6 +155,18 @@ void kfree(const void *); -> void kzfree(const void *); -> size_t ksize(const void *); -> +> ?void kzfree(const void *); +> ?size_t ksize(const void *); +> ? > +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR > +const char *__check_heap_object(const void *ptr, unsigned long n, > + struct page *page); > +#else > +static inline const char *__check_heap_object(const void *ptr, -> + unsigned long n, -> + struct page *page) +> + ??????unsigned long n, +> + ??????struct page *page) > +{ > + return NULL; > +} > +#endif > + -> /* -> * Some archs want to perform DMA into kmalloc caches and need a +> ?/* +> ? * Some archs want to perform DMA into kmalloc caches and need a > guaranteed -> * alignment larger than the alignment of a 64-bit integer. +> ? * alignment larger than the alignment of a 64-bit integer. > diff --git a/include/linux/thread_info.h > b/include/linux/thread_info.h > index b4c2a485b28a..a02200db9c33 100644 @@ -100,50 +100,50 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > +++ b/include/linux/thread_info.h 
> @@ -146,6 +146,21 @@ static inline bool > test_and_clear_restore_sigmask(void) -> #error "no set_restore_sigmask() provided and default one won't +> ?#error "no set_restore_sigmask() provided and default one won't > work" -> #endif -> +> ?#endif +> ? > +#ifdef CONFIG_HARDENED_USERCOPY > +extern void __check_object_size(const void *ptr, unsigned long n, > + bool to_user); > + > +static inline void check_object_size(const void *ptr, unsigned long > n, -> + bool to_user) +> + ?????bool to_user) > +{ > + __check_object_size(ptr, n, to_user); > +} > +#else > +static inline void check_object_size(const void *ptr, unsigned long > n, -> + bool to_user) +> + ?????bool to_user) > +{ } > +#endif /* CONFIG_HARDENED_USERCOPY */ > + -> #endif /* __KERNEL__ */ -> -> #endif /* _LINUX_THREAD_INFO_H */ +> ?#endif /* __KERNEL__ */ +> ? +> ?#endif /* _LINUX_THREAD_INFO_H */ > diff --git a/mm/Makefile b/mm/Makefile > index 78c6f7dedb83..32d37247c7e5 100644 > --- a/mm/Makefile > +++ b/mm/Makefile > @@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n -> KCOV_INSTRUMENT_mmzone.o := n -> KCOV_INSTRUMENT_vmstat.o := n -> +> ?KCOV_INSTRUMENT_mmzone.o := n +> ?KCOV_INSTRUMENT_vmstat.o := n +> ? > +# Since __builtin_frame_address does work as used, disable the > warning. > +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address) > + -> mmu-y := nommu.o -> mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \ -> mlock.o mmap.o mprotect.o mremap.o +> ?mmu-y := nommu.o +> ?mmu-$(CONFIG_MMU) := gup.o highmem.o memory.o mincore.o \ +> ? ???mlock.o mmap.o mprotect.o mremap.o > msync.o rmap.o \ 
> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o -> obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o -> obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o -> obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o +> ?obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o +> ?obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o +> ?obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o > +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o > diff --git a/mm/usercopy.c b/mm/usercopy.c > new file mode 100644 @@ -200,12 +200,12 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > + return 0; > + > + /* -> + * Reject: object partially overlaps the stack (passing the -> + * the check above means at least one end is within the +> + ?* Reject: object partially overlaps the stack (passing the +> + ?* the check above means at least one end is within the > stack, -> + * so if this check fails, the other end is outside the +> + ?* so if this check fails, the other end is outside the > stack). -> + */ +> + ?*/ > + if (obj < stack || stackend < obj + len) > + return -1; > + @@ -214,19 +214,19 @@ 
Signed-off-by: Rik van Riel <riel@redhat.com> > + if (oldframe) > + frame = __builtin_frame_address(2); > + /* -> + * low ----------------------------------------------> high -> + * [saved bp][saved ip][args][local vars][saved bp][saved +> + ?* low ----------------------------------------------> high +> + ?* [saved bp][saved ip][args][local vars][saved bp][saved > ip] -> + * ^----------------^ -> + * allow copies only within here -> + */ +> + ?* ?????^----------------^ +> + ?*?????????????allow copies only within here +> + ?*/ > + while (stack <= frame && frame < stackend) { > + /* -> + * If obj + len extends past the last frame, this -> + * check won't pass and the next frame will be 0, -> + * causing us to bail out and correctly report -> + * the copy as invalid. -> + */ +> + ?* If obj + len extends past the last frame, this +> + ?* check won't pass and the next frame will be 0, +> + ?* causing us to bail out and correctly report +> + ?* the copy as invalid. +> + ?*/ > + if (obj + len <= frame) > + return obj >= oldframe + 2 * sizeof(void *) > ? 2 : -1; @@ -240,7 +240,7 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > +} > + > +static void report_usercopy(const void *ptr, unsigned long len, -> + bool to_user, const char *type) +> + ????bool to_user, const char *type) > +{ > + pr_emerg("kernel memory %s attempt detected %s %p (%s) (%lu > bytes)\n", @@ -255,7 +255,7 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > [low,high). */ > +static bool overlaps(const void *ptr, unsigned long n, unsigned long > low, -> + unsigned long high) +> + ?????unsigned long high) > +{ > + unsigned long check_low = (uintptr_t)ptr; > + unsigned long check_high = check_low + n; @@ -269,7 +269,7 @@ 
Signed-off-by: Rik van Riel <riel@redhat.com> > + > +/* Is this address range in the kernel text area? */ > +static inline const char *check_kernel_text_object(const void *ptr, -> + unsigned long n) +> + ???unsigned long n) > +{ > + unsigned long textlow = (unsigned long)_stext; > + unsigned long texthigh = (unsigned long)_etext; @@ -280,7 +280,7 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING > + /* Check against linear mapping as well. */ > + if (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)), -> + (unsigned long)__va(__pa(texthigh)))) +> + ?????(unsigned long)__va(__pa(texthigh)))) > + return "<linear kernel text>"; > +#endif > + @@ -319,7 +319,7 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > + /* Is the object wholly within one base page? */ > + if (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK) > == -> + ((unsigned long)end & (unsigned long)PAGE_MASK))) +> + ???((unsigned long)end & (unsigned long)PAGE_MASK))) > + return NULL; > + > + /* Allow if start and end are inside the same compound page. @@ -334,12 +334,12 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > + return NULL; > + > + /* -> + * Sometimes the kernel data regions are not marked +> + ?* Sometimes the kernel data regions are not marked > Reserved. And -> + * sometimes [_sdata,_edata) does not cover rodata and/or +> + ?* sometimes [_sdata,_edata) does not cover rodata and/or > bss, -> + * so check each range explicitly. -> + */ +> + ?* so check each range explicitly. +> + ?*/ > + > + /* Allow kernel data region (if not marked as Reserved). */ > + if (ptr >= (const void *)_sdata && end <= (const void @@ -349,12 +349,12 @@ 
Signed-off-by: Rik van Riel <riel@redhat.com> > + /* Allow kernel rodata region (if not marked as Reserved). > */ > + if (ptr >= (const void *)__start_rodata && -> + end <= (const void *)__end_rodata) +> + ????end <= (const void *)__end_rodata) > + return NULL; > + > + /* Allow kernel bss region (if not marked as Reserved). */ > + if (ptr >= (const void *)__bss_start && -> + end <= (const void *)__bss_stop) +> + ????end <= (const void *)__bss_stop) > + return NULL; > + > + /* Uh oh. The "object" spans several independently allocated @@ -396,11 +396,11 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > + case 1: > + case 2: > + /* -> + * Object is either in the correct frame (when it -> + * is possible to check) or just generally on the -> + * process stack (when frame checking not +> + ?* Object is either in the correct frame (when it +> + ?* is possible to check) or just generally on the +> + ?* process stack (when frame checking not > available). -> + */ +> + ?*/ > + return; > + default: > + err = "<process stack>"; @@ -421,42 +421,49 @@ Signed-off-by: Rik van Riel <riel@redhat.com> > --- a/security/Kconfig > +++ b/security/Kconfig 
> @@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR -> this low address space will need the permission specific +> ? ??this low address space will need the permission specific > to the -> systems running LSM. -> +> ? ??systems running LSM. +> ? > +config HAVE_HARDENED_USERCOPY_ALLOCATOR > + bool > + help -> + The heap allocator implements __check_heap_object() for -> + validating memory ranges against heap object sizes in -> + support of CONFIG_HARDENED_USERCOPY. +> + ??The heap allocator implements __check_heap_object() for +> + ??validating memory ranges against heap object sizes in +> + ??support of CONFIG_HARDENED_USERCOPY. > + > +config HAVE_ARCH_HARDENED_USERCOPY > + bool > + help -> + The architecture supports CONFIG_HARDENED_USERCOPY by -> + calling check_object_size() just before performing the -> + userspace copies in the low level implementation of -> + copy_to_user() and copy_from_user(). +> + ??The architecture supports CONFIG_HARDENED_USERCOPY by +> + ??calling check_object_size() just before performing the +> + ??userspace copies in the low level implementation of +> + ??copy_to_user() and copy_from_user(). > + > +config HARDENED_USERCOPY > + bool "Harden memory copies between kernel and userspace" > + depends on HAVE_ARCH_HARDENED_USERCOPY > + help -> + This option checks for obviously wrong memory regions when -> + copying memory to/from the kernel (via copy_to_user() and -> + copy_from_user() functions) by rejecting memory ranges +> + ??This option checks for obviously wrong memory regions when +> + ??copying memory to/from the kernel (via copy_to_user() and +> + ??copy_from_user() functions) by rejecting memory ranges > that -> + are larger than the specified heap object, span multiple -> + separately allocates pages, are not on the process stack, -> + or are part of the kernel text. 
This kills entire classes -> + of heap overflow exploits and similar kernel memory +> + ??are larger than the specified heap object, span multiple +> + ??separately allocates pages, are not on the process stack, +> + ??or are part of the kernel text. This kills entire classes +> + ??of heap overflow exploits and similar kernel memory > exposures. > + -> source security/selinux/Kconfig -> source security/smack/Kconfig -> source security/tomoyo/Kconfig +> ?source security/selinux/Kconfig +> ?source security/smack/Kconfig +> ?source security/tomoyo/Kconfig -- All Rights Reversed. +-------------- next part -------------- +A non-text attachment was scrubbed... +Name: signature.asc +Type: application/pgp-signature +Size: 473 bytes +Desc: This is a digitally signed message part +URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20160707/29b69556/attachment-0001.sig> diff --git a/a/2.bin b/a/2.bin deleted file mode 100644 index 24c85c0..0000000 --- a/a/2.bin +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iQEcBAABCAAGBQJXfoEZAAoJEM553pKExN6Dr+EIALflTongRlhnq+Uq2vLqU4qM -8KmROQTqriS0tuXYv4qZQJlTe0GpHf2Yn5YOjWU4KvgHUYiUdJlxHourizapawEV -spS1wh3QwgtQYeISeMAMxvMivQde1jXpHMjRw2gmGdTbFHHWEMpJKcwmeugpQd/V -/92wjmFSUbHy7FRZtlbj2td9sY8xaKc4xyzGxw2/0r476lJsWy68rv8dlLRbSa6A -1ChoWD/n1mGuYfUPL0bUztM2NZ0HTyHHsc8oKYveUMd13Pabh/KX8nkcJyUooKCa -2qWHY4I28aTng5pAZzhKIGxXCnWmcCcmZDM3S0UOUHIF6m7sh/EGy9slCAZOZFI= -=HFgp ------END PGP SIGNATURE----- diff --git a/a/2.hdr b/a/2.hdr deleted file mode 100644 index da6d245..0000000 --- a/a/2.hdr +++ /dev/null @@ -1,3 +0,0 @@ -Content-Type: application/pgp-signature; name="signature.asc" -Content-Description: This is a digitally signed message part -Content-Transfer-Encoding: 7bit diff --git a/a/content_digest b/N4/content_digest index 9ddd55e..eac92d9 100644 --- a/a/content_digest +++ b/N4/content_digest 
@@ -1,44 +1,10 @@ "ref\01467843928-29351-1-git-send-email-keescook@chromium.org\0" "ref\01467843928-29351-2-git-send-email-keescook@chromium.org\0" - "From\0Rik van Riel <riel@redhat.com>\0" - "Subject\0[kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy\0" + "From\0riel@redhat.com (Rik van Riel)\0" + "Subject\0[PATCH 1/9] mm: Hardened usercopy\0" "Date\0Thu, 07 Jul 2016 12:19:36 -0400\0" - "To\0Kees Cook <keescook@chromium.org>" - " linux-kernel@vger.kernel.org\0" - "Cc\0Casey Schaufler <casey@schaufler-ca.com>" - PaX Team <pageexec@freemail.hu> - Brad Spengler <spender@grsecurity.net> - Russell King <linux@armlinux.org.uk> - Catalin Marinas <catalin.marinas@arm.com> - Will Deacon <will.deacon@arm.com> - Ard Biesheuvel <ard.biesheuvel@linaro.org> - Benjamin Herrenschmidt <benh@kernel.crashing.org> - Michael Ellerman <mpe@ellerman.id.au> - Tony Luck <tony.luck@intel.com> - Fenghua Yu <fenghua.yu@intel.com> - David S. Miller <davem@davemloft.net> - x86@kernel.org - Christoph Lameter <cl@linux.com> - Pekka Enberg <penberg@kernel.org> - David Rientjes <rientjes@google.com> - Joonsoo Kim <iamjoonsoo.kim@lge.com> - Andrew Morton <akpm@linux-foundation.org> - Andy Lutomirski <luto@kernel.org> - Borislav Petkov <bp@suse.de> - Mathias Krause <minipli@googlemail.com> - Jan Kara <jack@suse.cz> - Vitaly Wool <vitalywool@gmail.com> - Andrea Arcangeli <aarcange@redhat.com> - Dmitry Vyukov <dvyukov@google.com> - Laura Abbott <labbott@fedoraproject.org> - linux-arm-kernel@lists.infradead.org - linux-ia64@vger.kernel.org - linuxppc-dev@lists.ozlabs.org - sparclinux@vger.kernel.org - linux-arch@vger.kernel.org - linux-mm@kvack.org - " kernel-hardening@lists.openwall.com\0" - "\01:1\0" + "To\0linux-arm-kernel@lists.infradead.org\0" + "\00:1\0" "b\0" "On Wed, 2016-07-06 at 15:25 -0700, Kees Cook wrote:\n" "> This is the start of porting PAX_USERCOPY into the mainline kernel.\n" 
@@ -67,74 +33,74 @@ "> - address range isn't NULL or zero-allocated (with a non-zero copy\n" "> size)\n" "> - if on the slab allocator:\n" - "> \302\240 - object size must be less than or equal to copy size (when check\n" + "> ? - object size must be less than or equal to copy size (when check\n" "> is\n" - "> \302\240\302\240\302\240\302\240implemented in the allocator, which appear in subsequent patches)\n" + "> ????implemented in the allocator, which appear in subsequent patches)\n" "> - otherwise, object must not span page allocations\n" "> - if on the stack\n" - "> \302\240 - object must not extend before/after the current process task\n" - "> \302\240 - object must be contained by the current stack frame (when there\n" + "> ? - object must not extend before/after the current process task\n" + "> ? - object must be contained by the current stack frame (when there\n" "> is\n" - "> \302\240\302\240\302\240\302\240arch/build support for identifying stack frames)\n" + "> ????arch/build support for identifying stack frames)\n" "> - object must not overlap with kernel text\n" "> \n" "> 
Signed-off-by: Kees Cook <keescook@chromium.org>\n" "> ---\n" - "> \302\240arch/Kconfig\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240|\302\240\302\240\302\2407 ++\n" - "> \302\240include/linux/slab.h\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240|\302\240\302\24012 +++\n" - "> \302\240include/linux/thread_info.h |\302\240\302\24015 +++\n" - "> \302\240mm/Makefile\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240|\302\240\302\240\302\2404 +\n" - "> \302\240mm/usercopy.c\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240| 239\n" + "> ?arch/Kconfig????????????????|???7 ++\n" + "> ?include/linux/slab.h????????|??12 +++\n" + "> ?include/linux/thread_info.h |??15 +++\n" + "> ?mm/Makefile?????????????????|???4 +\n" + "> ?mm/usercopy.c???????????????| 239\n" "> ++++++++++++++++++++++++++++++++++++++++++++\n" - "> \302\240security/Kconfig\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240|\302\240\302\24027 +++++\n" - "> \302\2406 files changed, 304 insertions(+)\n" - "> \302\240create mode 100644 mm/usercopy.c\n" + "> ?security/Kconfig????????????|??27 +++++\n" + "> ?6 files changed, 304 insertions(+)\n" + "> ?create mode 100644 mm/usercopy.c\n" "> \n" "> diff --git a/arch/Kconfig b/arch/Kconfig\n" "> index d794384a0404..3ea04d8dcf62 100644\n" "> --- a/arch/Kconfig\n" "> +++ b/arch/Kconfig\n" "> 
@@ -424,6 +424,13 @@ config CC_STACKPROTECTOR_STRONG\n" - "> \302\240\n" - "> \302\240endchoice\n" - "> \302\240\n" + "> ?\n" + "> ?endchoice\n" + "> ?\n" "> +config HAVE_ARCH_LINEAR_KERNEL_MAPPING\n" "> +\tbool\n" "> +\thelp\n" - "> +\t\302\240\302\240An architecture should select this if it has a secondary\n" + "> +\t??An architecture should select this if it has a secondary\n" "> linear\n" - "> +\t\302\240\302\240mapping of the kernel text. This is used to verify that\n" + "> +\t??mapping of the kernel text. This is used to verify that\n" "> kernel\n" - "> +\t\302\240\302\240text exposures are not visible under\n" + "> +\t??text exposures are not visible under\n" "> CONFIG_HARDENED_USERCOPY.\n" "> +\n" - "> \302\240config HAVE_CONTEXT_TRACKING\n" - "> \302\240\tbool\n" - "> \302\240\thelp\n" + "> ?config HAVE_CONTEXT_TRACKING\n" + "> ?\tbool\n" + "> ?\thelp\n" "> diff --git a/include/linux/slab.h b/include/linux/slab.h\n" "> index aeb3e6d00a66..96a16a3fb7cb 100644\n" "> --- a/include/linux/slab.h\n" "> +++ b/include/linux/slab.h\n" "> 
@@ -155,6 +155,18 @@ void kfree(const void *);\n" - "> \302\240void kzfree(const void *);\n" - "> \302\240size_t ksize(const void *);\n" - "> \302\240\n" + "> ?void kzfree(const void *);\n" + "> ?size_t ksize(const void *);\n" + "> ?\n" "> +#ifdef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR\n" "> +const char *__check_heap_object(const void *ptr, unsigned long n,\n" "> +\t\t\t\tstruct page *page);\n" "> +#else\n" "> +static inline const char *__check_heap_object(const void *ptr,\n" - "> +\t\t\t\t\t\302\240\302\240\302\240\302\240\302\240\302\240unsigned long n,\n" - "> +\t\t\t\t\t\302\240\302\240\302\240\302\240\302\240\302\240struct page *page)\n" + "> +\t\t\t\t\t??????unsigned long n,\n" + "> +\t\t\t\t\t??????struct page *page)\n" "> +{\n" "> +\treturn NULL;\n" "> +}\n" "> +#endif\n" "> +\n" - "> \302\240/*\n" - "> \302\240 * Some archs want to perform DMA into kmalloc caches and need a\n" + "> ?/*\n" + "> ? * Some archs want to perform DMA into kmalloc caches and need a\n" "> guaranteed\n" - "> \302\240 * alignment larger than the alignment of a 64-bit integer.\n" + "> ? * alignment larger than the alignment of a 64-bit integer.\n" "> diff --git a/include/linux/thread_info.h\n" "> b/include/linux/thread_info.h\n" "> index b4c2a485b28a..a02200db9c33 100644\n" @@ -142,50 +108,50 @@ "> +++ b/include/linux/thread_info.h\n" "> 
@@ -146,6 +146,21 @@ static inline bool\n" "> test_and_clear_restore_sigmask(void)\n" - "> \302\240#error \"no set_restore_sigmask() provided and default one won't\n" + "> ?#error \"no set_restore_sigmask() provided and default one won't\n" "> work\"\n" - "> \302\240#endif\n" - "> \302\240\n" + "> ?#endif\n" + "> ?\n" "> +#ifdef CONFIG_HARDENED_USERCOPY\n" "> +extern void __check_object_size(const void *ptr, unsigned long n,\n" "> +\t\t\t\t\tbool to_user);\n" "> +\n" "> +static inline void check_object_size(const void *ptr, unsigned long\n" "> n,\n" - "> +\t\t\t\t\302\240\302\240\302\240\302\240\302\240bool to_user)\n" + "> +\t\t\t\t?????bool to_user)\n" "> +{\n" "> +\t__check_object_size(ptr, n, to_user);\n" "> +}\n" "> +#else\n" "> +static inline void check_object_size(const void *ptr, unsigned long\n" "> n,\n" - "> +\t\t\t\t\302\240\302\240\302\240\302\240\302\240bool to_user)\n" + "> +\t\t\t\t?????bool to_user)\n" "> +{ }\n" "> +#endif /* CONFIG_HARDENED_USERCOPY */\n" "> +\n" - "> \302\240#endif\t/* __KERNEL__ */\n" - "> \302\240\n" - "> \302\240#endif /* _LINUX_THREAD_INFO_H */\n" + "> ?#endif\t/* __KERNEL__ */\n" + "> ?\n" + "> ?#endif /* _LINUX_THREAD_INFO_H */\n" "> diff --git a/mm/Makefile b/mm/Makefile\n" "> index 78c6f7dedb83..32d37247c7e5 100644\n" "> --- a/mm/Makefile\n" "> +++ b/mm/Makefile\n" "> 
@@ -21,6 +21,9 @@ KCOV_INSTRUMENT_memcontrol.o := n\n" - "> \302\240KCOV_INSTRUMENT_mmzone.o := n\n" - "> \302\240KCOV_INSTRUMENT_vmstat.o := n\n" - "> \302\240\n" + "> ?KCOV_INSTRUMENT_mmzone.o := n\n" + "> ?KCOV_INSTRUMENT_vmstat.o := n\n" + "> ?\n" "> +# Since __builtin_frame_address does work as used, disable the\n" "> warning.\n" "> +CFLAGS_usercopy.o += $(call cc-disable-warning, frame-address)\n" "> +\n" - "> \302\240mmu-y\t\t\t:= nommu.o\n" - "> \302\240mmu-$(CONFIG_MMU)\t:= gup.o highmem.o memory.o mincore.o \\\n" - "> \302\240\t\t\t\302\240\302\240\302\240mlock.o mmap.o mprotect.o mremap.o\n" + "> ?mmu-y\t\t\t:= nommu.o\n" + "> ?mmu-$(CONFIG_MMU)\t:= gup.o highmem.o memory.o mincore.o \\\n" + "> ?\t\t\t???mlock.o mmap.o mprotect.o mremap.o\n" "> msync.o rmap.o \\\n" "> @@ -99,3 +102,4 @@ obj-$(CONFIG_USERFAULTFD) += userfaultfd.o\n" - "> \302\240obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o\n" - "> \302\240obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o\n" - "> \302\240obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o\n" + "> ?obj-$(CONFIG_IDLE_PAGE_TRACKING) += page_idle.o\n" + "> ?obj-$(CONFIG_FRAME_VECTOR) += frame_vector.o\n" + "> ?obj-$(CONFIG_DEBUG_PAGE_REF) += debug_page_ref.o\n" "> +obj-$(CONFIG_HARDENED_USERCOPY) += usercopy.o\n" "> diff --git a/mm/usercopy.c b/mm/usercopy.c\n" "> new file mode 100644\n" @@ -242,12 +208,12 @@ "> +\t\treturn 0;\n" "> +\n" "> +\t/*\n" - "> +\t\302\240* Reject: object partially overlaps the stack (passing the\n" - "> +\t\302\240* the check above means at least one end is within the\n" + "> +\t?* Reject: object partially overlaps the stack (passing the\n" + "> +\t?* the check above means at least one end is within the\n" "> stack,\n" - "> +\t\302\240* so if this check fails, the other end is outside the\n" + "> +\t?* so if this check fails, the other end is outside the\n" "> stack).\n" - "> +\t\302\240*/\n" + "> +\t?*/\n" "> +\tif (obj < stack || stackend < obj + len)\n" "> +\t\treturn -1;\n" "> +\n" 
@@ -256,19 +222,19 @@ "> +\tif (oldframe)\n" "> +\t\tframe = __builtin_frame_address(2);\n" "> +\t/*\n" - "> +\t\302\240* low ----------------------------------------------> high\n" - "> +\t\302\240* [saved bp][saved ip][args][local vars][saved bp][saved\n" + "> +\t?* low ----------------------------------------------> high\n" + "> +\t?* [saved bp][saved ip][args][local vars][saved bp][saved\n" "> ip]\n" - "> +\t\302\240*\t\t\302\240\302\240\302\240\302\240\302\240^----------------^\n" - "> +\t\302\240*\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240\302\240allow copies only within here\n" - "> +\t\302\240*/\n" + "> +\t?*\t\t?????^----------------^\n" + "> +\t?*?????????????allow copies only within here\n" + "> +\t?*/\n" "> +\twhile (stack <= frame && frame < stackend) {\n" "> +\t\t/*\n" - "> +\t\t\302\240* If obj + len extends past the last frame, this\n" - "> +\t\t\302\240* check won't pass and the next frame will be 0,\n" - "> +\t\t\302\240* causing us to bail out and correctly report\n" - "> +\t\t\302\240* the copy as invalid.\n" - "> +\t\t\302\240*/\n" + "> +\t\t?* If obj + len extends past the last frame, this\n" + "> +\t\t?* check won't pass and the next frame will be 0,\n" + "> +\t\t?* causing us to bail out and correctly report\n" + "> +\t\t?* the copy as invalid.\n" + "> +\t\t?*/\n" "> +\t\tif (obj + len <= frame)\n" "> +\t\t\treturn obj >= oldframe + 2 * sizeof(void *)\n" "> ? 2 : -1;\n" @@ -282,7 +248,7 @@ "> +}\n" "> +\n" "> +static void report_usercopy(const void *ptr, unsigned long len,\n" - "> +\t\t\t\302\240\302\240\302\240\302\240bool to_user, const char *type)\n" + "> +\t\t\t????bool to_user, const char *type)\n" "> +{\n" "> +\tpr_emerg(\"kernel memory %s attempt detected %s %p (%s) (%lu\n" "> bytes)\\n\",\n" 
@@ -297,7 +263,7 @@ "> [low,high). */\n" "> +static bool overlaps(const void *ptr, unsigned long n, unsigned long\n" "> low,\n" - "> +\t\t\302\240\302\240\302\240\302\240\302\240unsigned long high)\n" + "> +\t\t?????unsigned long high)\n" "> +{\n" "> +\tunsigned long check_low = (uintptr_t)ptr;\n" "> +\tunsigned long check_high = check_low + n;\n" @@ -311,7 +277,7 @@ "> +\n" "> +/* Is this address range in the kernel text area? */\n" "> +static inline const char *check_kernel_text_object(const void *ptr,\n" - "> +\t\t\t\t\t\t\302\240\302\240\302\240unsigned long n)\n" + "> +\t\t\t\t\t\t???unsigned long n)\n" "> +{\n" "> +\tunsigned long textlow = (unsigned long)_stext;\n" "> +\tunsigned long texthigh = (unsigned long)_etext;\n" @@ -322,7 +288,7 @@ "> +#ifdef HAVE_ARCH_LINEAR_KERNEL_MAPPING\n" "> +\t/* Check against linear mapping as well. */\n" "> +\tif (overlaps(ptr, n, (unsigned long)__va(__pa(textlow)),\n" - "> +\t\t\302\240\302\240\302\240\302\240\302\240(unsigned long)__va(__pa(texthigh))))\n" + "> +\t\t?????(unsigned long)__va(__pa(texthigh))))\n" "> +\t\treturn \"<linear kernel text>\";\n" "> +#endif\n" "> +\n" @@ -361,7 +327,7 @@ "> +\t/* Is the object wholly within one base page? */\n" "> +\tif (likely(((unsigned long)ptr & (unsigned long)PAGE_MASK)\n" "> ==\n" - "> +\t\t\302\240\302\240\302\240((unsigned long)end & (unsigned long)PAGE_MASK)))\n" + "> +\t\t???((unsigned long)end & (unsigned long)PAGE_MASK)))\n" "> +\t\treturn NULL;\n" "> +\n" "> +\t/* Allow if start and end are inside the same compound page.\n" 
@@ -376,12 +342,12 @@ "> +\t\treturn NULL;\n" "> +\n" "> +\t/*\n" - "> +\t\302\240* Sometimes the kernel data regions are not marked\n" + "> +\t?* Sometimes the kernel data regions are not marked\n" "> Reserved. And\n" - "> +\t\302\240* sometimes [_sdata,_edata) does not cover rodata and/or\n" + "> +\t?* sometimes [_sdata,_edata) does not cover rodata and/or\n" "> bss,\n" - "> +\t\302\240* so check each range explicitly.\n" - "> +\t\302\240*/\n" + "> +\t?* so check each range explicitly.\n" + "> +\t?*/\n" "> +\n" "> +\t/* Allow kernel data region (if not marked as Reserved). */\n" "> +\tif (ptr >= (const void *)_sdata && end <= (const void\n" @@ -391,12 +357,12 @@ "> +\t/* Allow kernel rodata region (if not marked as Reserved).\n" "> */\n" "> +\tif (ptr >= (const void *)__start_rodata &&\n" - "> +\t\302\240\302\240\302\240\302\240end <= (const void *)__end_rodata)\n" + "> +\t????end <= (const void *)__end_rodata)\n" "> +\t\treturn NULL;\n" "> +\n" "> +\t/* Allow kernel bss region (if not marked as Reserved). */\n" "> +\tif (ptr >= (const void *)__bss_start &&\n" - "> +\t\302\240\302\240\302\240\302\240end <= (const void *)__bss_stop)\n" + "> +\t????end <= (const void *)__bss_stop)\n" "> +\t\treturn NULL;\n" "> +\n" "> +\t/* Uh oh. The \"object\" spans several independently allocated\n" @@ -438,11 +404,11 @@ "> +\tcase 1:\n" "> +\tcase 2:\n" "> +\t\t/*\n" - "> +\t\t\302\240* Object is either in the correct frame (when it\n" - "> +\t\t\302\240* is possible to check) or just generally on the\n" - "> +\t\t\302\240* process stack (when frame checking not\n" + "> +\t\t?* Object is either in the correct frame (when it\n" + "> +\t\t?* is possible to check) or just generally on the\n" + "> +\t\t?* process stack (when frame checking not\n" "> available).\n" - "> +\t\t\302\240*/\n" + "> +\t\t?*/\n" "> +\t\treturn;\n" "> +\tdefault:\n" "> +\t\terr = \"<process stack>\";\n" @@ -463,59 +429,51 @@ "> --- a/security/Kconfig\n" "> +++ b/security/Kconfig\n" "> 
@@ -118,6 +118,33 @@ config LSM_MMAP_MIN_ADDR\n" - "> \302\240\t\302\240\302\240this low address space will need the permission specific\n" + "> ?\t??this low address space will need the permission specific\n" "> to the\n" - "> \302\240\t\302\240\302\240systems running LSM.\n" - "> \302\240\n" + "> ?\t??systems running LSM.\n" + "> ?\n" "> +config HAVE_HARDENED_USERCOPY_ALLOCATOR\n" "> +\tbool\n" "> +\thelp\n" - "> +\t\302\240\302\240The heap allocator implements __check_heap_object() for\n" - "> +\t\302\240\302\240validating memory ranges against heap object sizes in\n" - "> +\t\302\240\302\240support of CONFIG_HARDENED_USERCOPY.\n" + "> +\t??The heap allocator implements __check_heap_object() for\n" + "> +\t??validating memory ranges against heap object sizes in\n" + "> +\t??support of CONFIG_HARDENED_USERCOPY.\n" "> +\n" "> +config HAVE_ARCH_HARDENED_USERCOPY\n" "> +\tbool\n" "> +\thelp\n" - "> +\t\302\240\302\240The architecture supports CONFIG_HARDENED_USERCOPY by\n" - "> +\t\302\240\302\240calling check_object_size() just before performing the\n" - "> +\t\302\240\302\240userspace copies in the low level implementation of\n" - "> +\t\302\240\302\240copy_to_user() and copy_from_user().\n" + "> +\t??The architecture supports CONFIG_HARDENED_USERCOPY by\n" + "> +\t??calling check_object_size() just before performing the\n" + "> +\t??userspace copies in the low level implementation of\n" + "> +\t??copy_to_user() and copy_from_user().\n" "> +\n" "> +config HARDENED_USERCOPY\n" "> +\tbool \"Harden memory copies between kernel and userspace\"\n" "> +\tdepends on HAVE_ARCH_HARDENED_USERCOPY\n" "> +\thelp\n" - "> +\t\302\240\302\240This option checks for obviously wrong memory regions when\n" - "> +\t\302\240\302\240copying memory to/from the kernel (via copy_to_user() and\n" - "> +\t\302\240\302\240copy_from_user() functions) by rejecting memory ranges\n" + "> +\t??This option checks for obviously wrong memory regions when\n" + "> +\t??copying memory to/from the 
kernel (via copy_to_user() and\n" + "> +\t??copy_from_user() functions) by rejecting memory ranges\n" "> that\n" - "> +\t\302\240\302\240are larger than the specified heap object, span multiple\n" - "> +\t\302\240\302\240separately allocates pages, are not on the process stack,\n" - "> +\t\302\240\302\240or are part of the kernel text. This kills entire classes\n" - "> +\t\302\240\302\240of heap overflow exploits and similar kernel memory\n" + "> +\t??are larger than the specified heap object, span multiple\n" + "> +\t??separately allocates pages, are not on the process stack,\n" + "> +\t??or are part of the kernel text. This kills entire classes\n" + "> +\t??of heap overflow exploits and similar kernel memory\n" "> exposures.\n" "> +\n" - "> \302\240source security/selinux/Kconfig\n" - "> \302\240source security/smack/Kconfig\n" - "> \302\240source security/tomoyo/Kconfig\n" + "> ?source security/selinux/Kconfig\n" + "> ?source security/smack/Kconfig\n" + "> ?source security/tomoyo/Kconfig\n" "-- \n" "\n" - All Rights Reversed. 
- "\01:2\0" - "fn\0signature.asc\0" - "d\0This is a digitally signed message part\0" - "b\0" - "-----BEGIN PGP SIGNATURE-----\n" - "Version: GnuPG v2\n" - "\n" - "iQEcBAABCAAGBQJXfoEZAAoJEM553pKExN6Dr+EIALflTongRlhnq+Uq2vLqU4qM\n" - "8KmROQTqriS0tuXYv4qZQJlTe0GpHf2Yn5YOjWU4KvgHUYiUdJlxHourizapawEV\n" - "spS1wh3QwgtQYeISeMAMxvMivQde1jXpHMjRw2gmGdTbFHHWEMpJKcwmeugpQd/V\n" - "/92wjmFSUbHy7FRZtlbj2td9sY8xaKc4xyzGxw2/0r476lJsWy68rv8dlLRbSa6A\n" - "1ChoWD/n1mGuYfUPL0bUztM2NZ0HTyHHsc8oKYveUMd13Pabh/KX8nkcJyUooKCa\n" - "2qWHY4I28aTng5pAZzhKIGxXCnWmcCcmZDM3S0UOUHIF6m7sh/EGy9slCAZOZFI=\n" - "=HFgp\n" - "-----END PGP SIGNATURE-----\n" + "All Rights Reversed.\n" + "-------------- next part --------------\n" + "A non-text attachment was scrubbed...\n" + "Name: signature.asc\n" + "Type: application/pgp-signature\n" + "Size: 473 bytes\n" + "Desc: This is a digitally signed message part\n" + URL: <http://lists.infradead.org/pipermail/linux-arm-kernel/attachments/20160707/29b69556/attachment-0001.sig> -33c366769ffd971f285a8e8bdbb3ff51f3efe77a84fa856286c2b4ee6d49f7a2 +b1e468141b366271f29a7c7552ef706e363c9abda2abfd5a53e5fd69add9f5a4