Re: [kernel-hardening] [PATCH 22/23] usercopy: split user-controlled slabs to separate caches

From: Eric Biggers
Date: Tue Jun 20 2017 - 00:47:35 EST


On Mon, Jun 19, 2017 at 04:36:36PM -0700, Kees Cook wrote:
> From: David Windsor <dave@xxxxxxxxxxxx>
>
> Some userspace APIs (e.g. ipc, seq_file) provide precise control over
> the size of kernel kmallocs, which provides a trivial way to perform
> heap overflow attacks where the attacker must control neighboring
> allocations of a specific size. Instead, move these APIs into their own
> cache so they cannot interfere with standard kmallocs. This is enabled
> with CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC.
>
> This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY_SLABS
> code in the last public patch of grsecurity/PaX based on my understanding
> of the code. Changes or omissions from the original code are mine and
> don't reflect the original grsecurity/PaX code.
>
> Signed-off-by: David Windsor <dave@xxxxxxxxxxxx>
> [kees: added SLAB_NO_MERGE flag to allow split of future no-merge Kconfig]
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> fs/seq_file.c | 2 +-
> include/linux/gfp.h | 9 ++++++++-
> include/linux/slab.h | 12 ++++++++++++
> ipc/msgutil.c | 5 +++--
> mm/slab.h | 3 ++-
> mm/slab_common.c | 29 ++++++++++++++++++++++++++++-
> security/Kconfig | 12 ++++++++++++
> 7 files changed, 66 insertions(+), 6 deletions(-)
>
> diff --git a/fs/seq_file.c b/fs/seq_file.c
> index dc7c2be963ed..5caa58a19bdc 100644
> --- a/fs/seq_file.c
> +++ b/fs/seq_file.c
> @@ -25,7 +25,7 @@ static void seq_set_overflow(struct seq_file *m)
>
> static void *seq_buf_alloc(unsigned long size)
> {
> - return kvmalloc(size, GFP_KERNEL);
> + return kvmalloc(size, GFP_KERNEL | GFP_USERCOPY);
> }
>

Also forgot to mention the obvious: there are way more places where GFP_USERCOPY
would need to be (or should be) used. Helper functions like memdup_user() and
memdup_user_nul() would be the obvious ones. And just a random example, some of
the keyrings syscalls (callable with no privileges) do a kmalloc() with
user-controlled contents and size.

So I think this by itself needs its own patch series.

Eric