{"id":652391,"url":"http://patchwork.ozlabs.org/api/1.2/patches/652391/?format=json","web_url":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com/","project":{"id":2,"url":"http://patchwork.ozlabs.org/api/1.2/projects/2/?format=json","name":"Linux PPC development","link_name":"linuxppc-dev","list_id":"linuxppc-dev.lists.ozlabs.org","list_email":"linuxppc-dev@lists.ozlabs.org","web_url":"https://github.com/linuxppc/wiki/wiki","scm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git","webscm_url":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/","list_archive_url":"https://lore.kernel.org/linuxppc-dev/","list_archive_url_format":"https://lore.kernel.org/linuxppc-dev/{}/","commit_url_format":"https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"},"msgid":"<0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com>","list_archive_url":"https://lore.kernel.org/linuxppc-dev/0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com/","date":"2016-07-25T19:16:24","name":"[v4,12/12] mm: SLUB hardened usercopy support","commit_ref":null,"pull_url":null,"state":"not-applicable","archived":false,"hash":"57196cd09c1c25be8173a117bc095ac416aa5728","submitter":{"id":66322,"url":"http://patchwork.ozlabs.org/api/1.2/people/66322/?format=json","name":"Laura Abbott","email":"labbott@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linuxppc-dev/patch/0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com/mbox/","series":[],"comments":"http://patchwork.ozlabs.org/api/patches/652391/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/652391/checks/","tags":{},"related":[],"headers":{"Return-Path":"<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>","X-Original-To":["patchwork-incoming@ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Delivered-To":["patchwork-incoming@ozlabs.org","linuxppc-dev@lists.ozlabs.org"],"Received":["from 
lists.ozlabs.org (lists.ozlabs.org [103.22.144.68])\n\t(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3ryrcX4j8Hz9sdg\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 26 Jul 2016 05:17:48 +1000 (AEST)","from ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 3ryrcX3tkzzDrL3\n\tfor <patchwork-incoming@ozlabs.org>;\n\tTue, 26 Jul 2016 05:17:48 +1000 (AEST)","from mail-it0-f48.google.com (mail-it0-f48.google.com\n\t[209.85.214.48])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128\n\tbits)) (No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 3ryrb44FmrzDrJM\n\tfor <linuxppc-dev@lists.ozlabs.org>;\n\tTue, 26 Jul 2016 05:16:32 +1000 (AEST)","by mail-it0-f48.google.com with SMTP id j124so115277271ith.1\n\tfor <linuxppc-dev@lists.ozlabs.org>;\n\tMon, 25 Jul 2016 12:16:32 -0700 (PDT)","from ?IPv6:2601:602:9800:177f::337f? 
([2601:602:9800:177f::337f])\n\tby smtp.gmail.com with ESMTPSA id\n\tz128sm12136642iof.4.2016.07.25.12.16.25\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tMon, 25 Jul 2016 12:16:28 -0700 (PDT)"],"X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20130820;\n\th=x-gm-message-state:from:subject:to:references:cc:message-id:date\n\t:user-agent:mime-version:in-reply-to:content-transfer-encoding;\n\tbh=1alCQ/YBsVzJqQWPZrNwmdfhELVQ9bxw+LYCj445z2A=;\n\tb=JhrWXL1PseWQxoUF+bNA9qGaP/Le2TQRtonelU5l37jtsmMBzJW9eJd5N+5OgNu26y\n\t0hqfcy6hczOuMY4O7j/sVywSJpCf7sI0m7mkosEEduFDmKDVz94s720Ac4dcJLDxoMBm\n\t3EpbcZLRH13H78BnSwgaiMyNEoG3sCEhmiZMTND79+ZbZa6KygNT3/pluSJmfD24r98j\n\tvCn1SjTn7f31g3r50aFGCP4OV74PdlPE5zeB8ugH7K9YtSWyItQRXadlJmGnyqtRxcqL\n\t+SQvw/Q7PUwoMG8pUOMoaHGaAk/e9vw0QoXUYYc5ekdtaWzXGO5x6kmoe/f8QZS8VpP8\n\t4qsw==","X-Gm-Message-State":"AEkoousOuuBNiG/+qY7q4oqRiiZUWIAcPUstp1lVXcB8gNFA1zNgFLEE77WXGgs9QHTkoRxJ","X-Received":"by 10.36.208.71 with SMTP id m68mr22567397itg.63.1469474190133; \n\tMon, 25 Jul 2016 12:16:30 -0700 (PDT)","From":"Laura Abbott <labbott@redhat.com>","Subject":"Re: [PATCH v4 12/12] mm: SLUB hardened usercopy support","To":"Kees Cook <keescook@chromium.org>, kernel-hardening@lists.openwall.com","References":"<1469046427-12696-1-git-send-email-keescook@chromium.org>\n\t<1469046427-12696-13-git-send-email-keescook@chromium.org>","Message-ID":"<0f980e84-b587-3d9e-3c26-ad57f947c08b@redhat.com>","Date":"Mon, 25 Jul 2016 12:16:24 -0700","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101\n\tThunderbird/45.1.1","MIME-Version":"1.0","In-Reply-To":"<1469046427-12696-13-git-send-email-keescook@chromium.org>","X-BeenThere":"linuxppc-dev@lists.ozlabs.org","X-Mailman-Version":"2.1.22","Precedence":"list","List-Id":"Linux on PowerPC Developers Mail 
List\n\t<linuxppc-dev.lists.ozlabs.org>","List-Unsubscribe":"<https://lists.ozlabs.org/options/linuxppc-dev>,\n\t<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=unsubscribe>","List-Archive":"<http://lists.ozlabs.org/pipermail/linuxppc-dev/>","List-Post":"<mailto:linuxppc-dev@lists.ozlabs.org>","List-Help":"<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=help>","List-Subscribe":"<https://lists.ozlabs.org/listinfo/linuxppc-dev>,\n\t<mailto:linuxppc-dev-request@lists.ozlabs.org?subject=subscribe>","Cc":"Jan Kara <jack@suse.cz>, Will Deacon <will.deacon@arm.com>,\n\tlinux-mm@kvack.org, sparclinux@vger.kernel.org,\n\tlinux-ia64@vger.kernel.org, Christoph Lameter <cl@linux.com>,\n\tAndrea Arcangeli <aarcange@redhat.com>, \n\tlinux-arch@vger.kernel.org, x86@kernel.org,\n\tRussell King <linux@armlinux.org.uk>,\n\tlinux-arm-kernel@lists.infradead.org, \n\tCatalin Marinas <catalin.marinas@arm.com>,\n\tPaX Team <pageexec@freemail.hu>, \n\tBorislav Petkov <bp@suse.de>, Mathias Krause <minipli@googlemail.com>,\n\tFenghua Yu <fenghua.yu@intel.com>, Rik van Riel <riel@redhat.com>,\n\tDavid Rientjes <rientjes@google.com>, Tony Luck <tony.luck@intel.com>,\n\tAndy Lutomirski <luto@kernel.org>, Josh Poimboeuf <jpoimboe@redhat.com>, \n\tAndrew Morton <akpm@linux-foundation.org>,\n\tDmitry Vyukov <dvyukov@google.com>, \n\tLaura Abbott <labbott@fedoraproject.org>,\n\tBrad Spengler <spender@grsecurity.net>,\n\tArd Biesheuvel <ard.biesheuvel@linaro.org>,\n\tlinux-kernel@vger.kernel.org, Pekka Enberg <penberg@kernel.org>,\n\tDaniel Micay <danielmicay@gmail.com>, \n\tCasey Schaufler <casey@schaufler-ca.com>,\n\tJoonsoo Kim <iamjoonsoo.kim@lge.com>, \n\tlinuxppc-dev@lists.ozlabs.org, \"David S. 
Miller\" <davem@davemloft.net>","Content-Transfer-Encoding":"base64","Content-Type":"text/plain; charset=\"utf-8\"; Format=\"flowed\"","Errors-To":"linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org","Sender":"\"Linuxppc-dev\"\n\t<linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org>"},"content":"On 07/20/2016 01:27 PM, Kees Cook wrote:\n> Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the\n> SLUB allocator to catch any copies that may span objects. Includes a\n> redzone handling fix discovered by Michael Ellerman.\n>\n> Based on code from PaX and grsecurity.\n>\n> Signed-off-by: Kees Cook <keescook@chromium.org>\n> Tested-by: Michael Ellerman <mpe@ellerman.id.au>\n> ---\n>  init/Kconfig |  1 +\n>  mm/slub.c    | 36 ++++++++++++++++++++++++++++++++++++\n>  2 files changed, 37 insertions(+)\n>\n> diff --git a/init/Kconfig b/init/Kconfig\n> index 798c2020ee7c..1c4711819dfd 100644\n> --- a/init/Kconfig\n> +++ b/init/Kconfig\n> @@ -1765,6 +1765,7 @@ config SLAB\n>\n>  config SLUB\n>  \tbool \"SLUB (Unqueued Allocator)\"\n> +\tselect HAVE_HARDENED_USERCOPY_ALLOCATOR\n>  \thelp\n>  \t   SLUB is a slab allocator that minimizes cache line usage\n>  \t   instead of managing queues of cached objects (SLAB approach).\n> diff --git a/mm/slub.c b/mm/slub.c\n> index 825ff4505336..7dee3d9a5843 100644\n> --- a/mm/slub.c\n> +++ b/mm/slub.c\n> 
@@ -3614,6 +3614,42 @@ void *__kmalloc_node(size_t size, gfp_t flags, int node)\n>  EXPORT_SYMBOL(__kmalloc_node);\n>  #endif\n>\n> +#ifdef CONFIG_HARDENED_USERCOPY\n> +/*\n> + * Rejects objects that are incorrectly sized.\n> + *\n> + * Returns NULL if check passes, otherwise const char * to name of cache\n> + * to indicate an error.\n> + */\n> +const char *__check_heap_object(const void *ptr, unsigned long n,\n> +\t\t\t\tstruct page *page)\n> +{\n> +\tstruct kmem_cache *s;\n> +\tunsigned long offset;\n> +\tsize_t object_size;\n> +\n> +\t/* Find object and usable object size. */\n> +\ts = page->slab_cache;\n> +\tobject_size = slab_ksize(s);\n> +\n> +\t/* Find offset within object. */\n> +\toffset = (ptr - page_address(page)) % s->size;\n> +\n> +\t/* Adjust for redzone and reject if within the redzone. */\n> +\tif (kmem_cache_debug(s) && s->flags & SLAB_RED_ZONE) {\n> +\t\tif (offset < s->red_left_pad)\n> +\t\t\treturn s->name;\n> +\t\toffset -= s->red_left_pad;\n> +\t}\n> +\n> +\t/* Allow address range falling entirely within object size. */\n> +\tif (offset <= object_size && n <= object_size - offset)\n> +\t\treturn NULL;\n> +\n> +\treturn s->name;\n> +}\n> +#endif /* CONFIG_HARDENED_USERCOPY */\n> +\n\nI compared this against what check_valid_pointer does for SLUB_DEBUG\nchecking. 
I was hoping we could utilize that function to avoid\nduplication but a) __check_heap_object needs to allow accesses anywhere\nin the object, not just the beginning b) accessing page->objects\nis racy without the addition of locking in SLUB_DEBUG.\n\nStill, the ptr < page_address(page) check from __check_heap_object would\nbe good to add to avoid generating garbage large offsets and trying to\ninfer C math.\n\n\nWith that, you can add\n\nReviewed-by: Laura Abbott <labbott@redhat.com>\n\n>  static size_t __ksize(const void *object)\n>  {\n>  \tstruct page *page;\n>\n\nThanks,\nLaura","diff":"diff --git a/mm/slub.c b/mm/slub.c\nindex 7dee3d9..5370e4f 100644\n--- a/mm/slub.c\n+++ b/mm/slub.c\n@@ -3632,6 +3632,9 @@ const char *__check_heap_object(const void *ptr, unsigned long n,\n         s = page->slab_cache;\n         object_size = slab_ksize(s);\n  \n+       if (ptr < page_address(page))\n+               return s->name;\n+\n         /* Find offset within object. */\n         offset = (ptr - page_address(page)) % s->size;\n  \n","prefixes":["v4","12/12"]}
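Review bot: In the mm/slub.c hunk that adds __check_heap_object, the line `offset = (ptr - page_address(page)) % s->size;` has no guard for ptr lying below page_address(page): the pointer difference goes negative and, stored in the unsigned long `offset`, becomes a garbage value whose rejection then depends on the signedness of the `%` operands rather than on an explicit check. The follow-up hunk's `if (ptr < page_address(page)) return s->name;` placed before that line closes the gap; the function comment, which currently documents only the NULL/name return convention, should also state the precondition that ptr falls within the slab page described by `page`, since the redzone adjustment and the final `offset <= object_size && n <= object_size - offset` test both assume it.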