mm: SLAB hardened usercopy support

Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the SLAB allocator to catch any copies that may span objects. Based on code from PaX and grsecurity. Signed-off-by: Kees Cook <keescook@chromium.org> Tested-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
author: Kees Cook <keescook@chromium.org> 2016-06-23 18:20:59 -0400
committer: Kees Cook <keescook@chromium.org> 2016-07-26 17:41:53 -0400
commit: 04385fc5e8fffed84425d909a783c0f0c587d847 (patch)
tree: 07f94a9ec860dc0bcb6efd2f44632d0a5da29237 /mm
parent: 97433ea4fda62349bfa42089455593cbcb57e06c (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/mm/slab.c b/mm/slab.c
index cc8bbc1e6bc9..5e2d5f349aca 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -4477,6 +4477,36 @@ static int __init slab_proc_init(void)
 module_init(slab_proc_init);
 #endif
+#ifdef CONFIG_HARDENED_USERCOPY
+/*
+ * Rejects objects that are incorrectly sized.
+ *
+ * Returns NULL if check passes, otherwise const char * to name of cache
+ * to indicate an error.
+ */
+const char *__check_heap_object(const void *ptr, unsigned long n,
+                                struct page *page)
+{
+        struct kmem_cache *cachep;
+        unsigned int objnr;
+        unsigned long offset;
+        /* Find and validate object. */
+        cachep = page->slab_cache;
+        objnr = obj_to_index(cachep, page, (void *)ptr);
+        BUG_ON(objnr >= cachep->num);
+        /* Find offset within object. */
+        offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
+        /* Allow address range falling entirely within object size. */
+        if (offset <= cachep->object_size && n <= cachep->object_size - offset)
+                return NULL;
+        return cachep->name;
+}
+#endif /* CONFIG_HARDENED_USERCOPY */
 /**
 * ksize - get the actual amount of memory allocated for a given object
 * @objp: Pointer to the object
author	Kees Cook <keescook@chromium.org>	2016-06-23 18:20:59 -0400
committer	Kees Cook <keescook@chromium.org>	2016-07-26 17:41:53 -0400
commit	04385fc5e8fffed84425d909a783c0f0c587d847 (patch)
tree	07f94a9ec860dc0bcb6efd2f44632d0a5da29237 /mm
parent	97433ea4fda62349bfa42089455593cbcb57e06c (diff)

diff --git a/mm/slab.c b/mm/slab.c index cc8bbc1e6bc9..5e2d5f349aca 100644 --- a/mm/slab.c +++ b/mm/slab.c
@@ -4477,6 +4477,36 @@ static int __init slab_proc_init(void)
4477	module_init(slab_proc_init);	4477	module_init(slab_proc_init);
4478	#endif	4478	#endif
4479		4479
		4480	#ifdef CONFIG_HARDENED_USERCOPY
		4481	/*
		4482	* Rejects objects that are incorrectly sized.
		4483	*
		4484	* Returns NULL if check passes, otherwise const char * to name of cache
		4485	* to indicate an error.
		4486	*/
		4487	const char __check_heap_object(const void ptr, unsigned long n,
		4488	struct page *page)
		4489	{
		4490	struct kmem_cache *cachep;
		4491	unsigned int objnr;
		4492	unsigned long offset;
		4493
		4494	/* Find and validate object. */
		4495	cachep = page->slab_cache;
		4496	objnr = obj_to_index(cachep, page, (void *)ptr);
		4497	BUG_ON(objnr >= cachep->num);
		4498
		4499	/* Find offset within object. */
		4500	offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
		4501
		4502	/* Allow address range falling entirely within object size. */
		4503	if (offset <= cachep->object_size && n <= cachep->object_size - offset)
		4504	return NULL;
		4505
		4506	return cachep->name;
		4507	}
		4508	#endif /* CONFIG_HARDENED_USERCOPY */
		4509
4480	/**	4510	/**
4481	* ksize - get the actual amount of memory allocated for a given object	4511	* ksize - get the actual amount of memory allocated for a given object
4482	* @objp: Pointer to the object	4512	* @objp: Pointer to the object