Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'

From: Paul Moore
Date: Mon Jan 20 2025 - 16:43:13 EST

Next message: Kees Cook: "Re: [PATCH 1/4] seccomp/mips: change syscall_trace_enter() to use secure_computing()"
Previous message: Kees Cook: "Re: [GIT PULL] AT_EXECVE_CHECK introduction for v6.14-rc1"
In reply to: Mel Gorman: "Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Next in thread: Kees Cook: "Re: [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 17, 2025 at 8:39 AM Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx> wrote:
>
> There is a submenu for 'Kernel hardening options' under "Security".
> Move HARDENED_USERCOPY under the hardening options as it is clearly
> related.
>
> Signed-off-by: Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx>
> ---
> security/Kconfig | 12 ------------
> security/Kconfig.hardening | 16 ++++++++++++++++
> 2 files changed, 16 insertions(+), 12 deletions(-)

Agree with Kees' comment regarding "Bounds checking" instead of
"String manipulation", but beyond that this is fine with me.

Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>

> diff --git a/security/Kconfig b/security/Kconfig
> index 28e685f53bd1..fe7346dc4bc3 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR
> this low address space will need the permission specific to the
> systems running LSM.
>
> -config HARDENED_USERCOPY
> - bool "Harden memory copies between kernel and userspace"
> - imply STRICT_DEVMEM
> - help
> - This option checks for obviously wrong memory regions when
> - copying memory to/from the kernel (via copy_to_user() and
> - copy_from_user() functions) by rejecting memory ranges that
> - are larger than the specified heap object, span multiple
> - separately allocated pages, are not on the process stack,
> - or are part of the kernel text. This prevents entire classes
> - of heap overflow exploits and similar kernel memory exposures.
> -
> config FORTIFY_SOURCE
> bool "Harden common str/mem functions against buffer overflows"
> depends on ARCH_HAS_FORTIFY_SOURCE
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index c9d5ca3d8d08..00e6e2ed0c43 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS
>
> endmenu
>
> +menu "String manipulation"
> +
> +config HARDENED_USERCOPY
> + bool "Harden memory copies between kernel and userspace"
> + imply STRICT_DEVMEM
> + help
> + This option checks for obviously wrong memory regions when
> + copying memory to/from the kernel (via copy_to_user() and
> + copy_from_user() functions) by rejecting memory ranges that
> + are larger than the specified heap object, span multiple
> + separately allocated pages, are not on the process stack,
> + or are part of the kernel text. This prevents entire classes
> + of heap overflow exploits and similar kernel memory exposures.
> +
> +endmenu
> +
> menu "Hardening of kernel data structures"
>
> config LIST_HARDENED
> --
> 2.43.0
>
>

--
paul-moore.com

Next message: Kees Cook: "Re: [PATCH 1/4] seccomp/mips: change syscall_trace_enter() to use secure_computing()"
Previous message: Kees Cook: "Re: [GIT PULL] AT_EXECVE_CHECK introduction for v6.14-rc1"
In reply to: Mel Gorman: "Re: [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options'"
Next in thread: Kees Cook: "Re: [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]