|
Message-Id: <1515531365-37423-19-git-send-email-keescook@chromium.org> Date: Tue, 9 Jan 2018 12:55:47 -0800 From: Kees Cook <keescook@...omium.org> To: linux-kernel@...r.kernel.org Cc: Kees Cook <keescook@...omium.org>, David Windsor <dave@...lcore.net>, Steve French <sfrench@...ba.org>, linux-cifs@...r.kernel.org, Linus Torvalds <torvalds@...ux-foundation.org>, Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...nel.org>, Christoph Hellwig <hch@...radead.org>, Christoph Lameter <cl@...ux.com>, "David S. Miller" <davem@...emloft.net>, Laura Abbott <labbott@...hat.com>, Mark Rutland <mark.rutland@....com>, "Martin K. Petersen" <martin.petersen@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>, Christian Borntraeger <borntraeger@...ibm.com>, Christoffer Dall <christoffer.dall@...aro.org>, Dave Kleikamp <dave.kleikamp@...cle.com>, Jan Kara <jack@...e.cz>, Luis de Bethencourt <luisbg@...nel.org>, Marc Zyngier <marc.zyngier@....com>, Rik van Riel <riel@...hat.com>, Matthew Garrett <mjg59@...gle.com>, linux-fsdevel@...r.kernel.org, linux-arch@...r.kernel.org, netdev@...r.kernel.org, linux-mm@...ck.org, kernel-hardening@...ts.openwall.com Subject: [PATCH 18/36] cifs: Define usercopy region in cifs_request slab cache From: David Windsor <dave@...lcore.net> CIFS request buffers, stored in the cifs_request slab cache, need to be copied to/from userspace. cache object allocation: fs/cifs/cifsfs.c: cifs_init_request_bufs(): ... cifs_req_poolp = mempool_create_slab_pool(cifs_min_rcv, cifs_req_cachep); fs/cifs/misc.c: cifs_buf_get(): ... ret_buf = mempool_alloc(cifs_req_poolp, GFP_NOFS); ... return ret_buf; In support of usercopy hardening, this patch defines a region in the cifs_request slab cache in which userspace copy operations are allowed. This region is known as the slab cache's usercopy region. Slab caches can now check that each dynamically sized copy operation involving cache-managed memory falls entirely within the slab's usercopy region. This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY whitelisting code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Signed-off-by: David Windsor <dave@...lcore.net> [kees: adjust commit log, provide usage trace] Cc: Steve French <sfrench@...ba.org> Cc: linux-cifs@...r.kernel.org Signed-off-by: Kees Cook <keescook@...omium.org> --- fs/cifs/cifsfs.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c index 31b7565b1617..29f4b0290fbd 100644 --- a/fs/cifs/cifsfs.c +++ b/fs/cifs/cifsfs.c @@ -1231,9 +1231,11 @@ cifs_init_request_bufs(void) cifs_dbg(VFS, "CIFSMaxBufSize %d 0x%x\n", CIFSMaxBufSize, CIFSMaxBufSize); */ - cifs_req_cachep = kmem_cache_create("cifs_request", + cifs_req_cachep = kmem_cache_create_usercopy("cifs_request", CIFSMaxBufSize + max_hdr_size, 0, - SLAB_HWCACHE_ALIGN, NULL); + SLAB_HWCACHE_ALIGN, 0, + CIFSMaxBufSize + max_hdr_size, + NULL); if (cifs_req_cachep == NULL) return -ENOMEM; @@ -1259,9 +1261,9 @@ cifs_init_request_bufs(void) more SMBs to use small buffer alloc and is still much more efficient to alloc 1 per page off the slab compared to 17K (5page) alloc of large cifs buffers even when page debugging is on */ - cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq", + cifs_sm_req_cachep = kmem_cache_create_usercopy("cifs_small_rq", MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN, - NULL); + 0, MAX_CIFS_SMALL_BUFFER_SIZE, NULL); if (cifs_sm_req_cachep == NULL) { mempool_destroy(cifs_req_poolp); kmem_cache_destroy(cifs_req_cachep); -- 2.7.4
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.