[PATCH] usercopy: remove page-spanning test for now
From: Kees Cook
Date: Wed Sep 07 2016 - 13:06:18 EST
A custom allocator without __GFP_COMP that copies to userspace has been
found in vmw_execbuf_process[1], so this disables the page-span checker
by placing it behind a CONFIG for future work where such things can be
tracked down later.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326
Reported-by: Vinson Lee <vlee@xxxxxxxxxxxxxxx>
Fixes: f5509cc18daa ("mm: Hardened usercopy")
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
mm/usercopy.c | 8 ++++++++
security/Kconfig | 11 +++++++++++
2 files changed, 19 insertions(+)
diff --git a/mm/usercopy.c b/mm/usercopy.c
index a3cc3052f830..b3f0c3355dc8 100644
--- a/mm/usercopy.c
+++ b/mm/usercopy.c
@@ -172,6 +172,14 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n,
return NULL;
}
+#ifndef CONFIG_HARDENED_USERCOPY_PAGESPAN
+ /*
+ * The page-spanning checks are hitting false positives, so
+ * do not check them for now.
+ */
+ return NULL;
+#endif
+
/* Allow kernel data region (if not marked as Reserved). */
if (ptr >= (const void *)_sdata && end <= (const void *)_edata)
return NULL;
diff --git a/security/Kconfig b/security/Kconfig
index da10d9b573a4..2dfc0ce4083e 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -147,6 +147,17 @@ config HARDENED_USERCOPY
or are part of the kernel text. This kills entire classes
of heap overflow exploits and similar kernel memory exposures.
+config HARDENED_USERCOPY_PAGESPAN
+ bool "Refuse to copy allocations that span multiple pages"
+ depends on HARDENED_USERCOPY
+ depends on !COMPILE_TEST
+ help
+ When a multi-page allocation is done without __GFP_COMP,
+ hardened usercopy will reject attempts to copy it. There are,
+ however, several cases of this in the kernel that have not all
+ been removed. This config is intended to be used only while
+ trying to find such users.
+
source security/selinux/Kconfig
source security/smack/Kconfig
source security/tomoyo/Kconfig
--
2.7.4
--
Kees Cook
Nexus Security