[PATCH 0/9] mm: Hardened usercopy
keescook at chromium.org
Thu Jul 7 08:25:19 AEST 2016
This is a start of the mainline port of PAX_USERCOPY. After I started
writing tests (now in lkdtm in -next) for Casey's earlier port, I
kept tweaking things further and further until I ended up with a whole
new patch series. To that end, I took Rik's feedback and made a number
of other changes and clean-ups as well.
Based on my understanding, PAX_USERCOPY was designed to catch a few
classes of flaws around the use of copy_to_user()/copy_from_user(). These
changes don't touch get_user() and put_user(), since these operate on
constant sized lengths, and tend to be much less vulnerable. There
are effectively three distinct protections in the whole series,
each of which I've given a separate CONFIG, though this patch set is
only the first of the three intended protections. (Generally speaking,
PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY (this) and
CONFIG_HARDENED_USERCOPY_WHITELIST (future), and PAX_USERCOPY_SLABS covers
This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
being copied to/from userspace meet certain criteria:
- if address is a heap object, the size must not exceed the object's
allocated size. (This will catch all kinds of heap overflow flaws.)
- if address range is in the current process stack, it must be within the
current stack frame (if such checking is possible) or at least entirely
within the current process's stack. (This could catch large lengths that
would have extended beyond the current process stack, or overflows if
their length extends back into the original stack.)
- if the address range is part of kernel data, rodata, or bss, allow it.
- if address range is page-allocated, that it doesn't span multiple
- if address is within the kernel text, reject it.
- everything else is accepted
The patches in the series are:
- The core copy_to/from_user() checks, without the slab object checks:
1- mm: Hardened usercopy
- Per-arch enablement of the protection:
2- x86/uaccess: Enable hardened usercopy
3- ARM: uaccess: Enable hardened usercopy
4- arm64/uaccess: Enable hardened usercopy
5- ia64/uaccess: Enable hardened usercopy
6- powerpc/uaccess: Enable hardened usercopy
7- sparc/uaccess: Enable hardened usercopy
- The heap allocator implementation of object size checking:
8- mm: SLAB hardened usercopy support
9- mm: SLUB hardened usercopy support
- This is expected to apply on top of -next which contains fixes for the
position of _etext on both arm and arm64.
- I couldn't detect a measurable performance change with these features
enabled. Kernel build times were unchanged, hackbench was unchanged,
etc. I think we could flip this to "on by default" at some point.
- The SLOB support extracted from grsecurity seems entirely broken. I
have no idea what's going on there, I spent my time testing SLAB and
SLUB. Having someone else look at SLOB would be nice, but this series
doesn't depend on it.
Additional features that would be nice, but aren't blocking this series:
- Needs more architecture support for stack frame checking (only x86 now).
 https://grsecurity.net/download.php "grsecurity - test kernel patch"
More information about the Linuxppc-dev