Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'

From: Kees Cook
Date: Mon Jan 20 2025 - 16:10:54 EST

Next message: syzbot: "[syzbot] [kernel?] WARNING in really_probe"
Previous message: Kees Cook: "Re: [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time"
In reply to: Mel Gorman: "[PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Next in thread: Mel Gorman: "Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 17, 2025 at 01:03:35PM +0000, Mel Gorman wrote:
> There is a submenu for 'Kernel hardening options' under "Security".
> Move HARDENED_USERCOPY under the hardening options as it is clearly
> related.
>
> Signed-off-by: Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx>
> ---
> security/Kconfig | 12 ------------
> security/Kconfig.hardening | 16 ++++++++++++++++
> 2 files changed, 16 insertions(+), 12 deletions(-)
>
> diff --git a/security/Kconfig b/security/Kconfig
> index 28e685f53bd1..fe7346dc4bc3 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific to the
> systems running LSM.
>
> -config HARDENED_USERCOPY
> - bool "Harden memory copies between kernel and userspace"
> - imply STRICT_DEVMEM
> - help
> - This option checks for obviously wrong memory regions when
> - copying memory to/from the kernel (via copy_to_user() and
> - copy_from_user() functions) by rejecting memory ranges that
> - are larger than the specified heap object, span multiple
> - separately allocated pages, are not on the process stack,
> - or are part of the kernel text. This prevents entire classes
> - of heap overflow exploits and similar kernel memory exposures.
> -
> config FORTIFY_SOURCE
> bool "Harden common str/mem functions against buffer overflows"
> depends on ARCH_HAS_FORTIFY_SOURCE
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index c9d5ca3d8d08..00e6e2ed0c43 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS
>
> endmenu
>
> +menu "String manipulation"

I think "string" means different things to different people. I'd prefer
"Bounds checking" or "Spatial safety" if it's going to be a separate
menu section.

> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + imply STRICT_DEVMEM
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges that
> + are larger than the specified heap object, span multiple
> + separately allocated pages, are not on the process stack,
> + or are part of the kernel text. This prevents entire classes
> + of heap overflow exploits and similar kernel memory exposures.
> +
> +endmenu
> +
> menu "Hardening of kernel data structures"

Otherwise, looks good.

--
Kees Cook

Next message: syzbot: "[syzbot] [kernel?] WARNING in really_probe"
Previous message: Kees Cook: "Re: [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time"
In reply to: Mel Gorman: "[PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Next in thread: Mel Gorman: "Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]