[PATCH 3/4] xattr: Use dedicated slab buckets for setxattr()
From: Kees Cook
Date: Mon Mar 04 2024 - 13:50:57 EST
The setxattr() API can be used for exploiting[1][2][3] use-after-free
type confusion flaws in the kernel. Avoid having a user-controlled size
cache share the global kmalloc allocator by using a separate set of
kmalloc buckets.
Link: https://duasynt.com/blog/linux-kernel-heap-spray [1]
Link: https://etenal.me/archives/1336 [2]
Link: https://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c [3]
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
Cc: Christian Brauner <brauner@xxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Jan Kara <jack@xxxxxxx>
Cc: linux-fsdevel@xxxxxxxxxxxxxxx
---
fs/xattr.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index 09d927603433..2b06316f1d1f 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -821,6 +821,16 @@ SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name,
return error;
}
+static struct kmem_buckets *xattr_buckets;
+static int __init init_xattr_buckets(void)
+{
+ xattr_buckets = kmem_buckets_create("xattr", 0, 0, 0,
+ XATTR_LIST_MAX, NULL);
+
+ return 0;
+}
+subsys_initcall(init_xattr_buckets);
+
/*
* Extended attribute LIST operations
*/
@@ -833,7 +843,7 @@ listxattr(struct dentry *d, char __user *list, size_t size)
if (size) {
if (size > XATTR_LIST_MAX)
size = XATTR_LIST_MAX;
- klist = kvmalloc(size, GFP_KERNEL);
+ klist = kmem_buckets_alloc(xattr_buckets, size, GFP_KERNEL);
if (!klist)
return -ENOMEM;
}
--
2.34.1