diff options
| author | David Windsor <dave@nullcore.net> | 2017-08-24 19:49:14 -0400 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2018-01-15 15:07:59 -0500 |
| commit | 8c2bc895a9347846b33c47124a75db624aa83677 (patch) | |
| tree | 1bad27c8f27e0212c8fec2c66954d177d28455d9 | |
| parent | 30c2c9f158f6c9cef41e916d1c7c11097df4befb (diff) | |
ip: Define usercopy region in IP proto slab cache
The ICMP filters for IPv4 and IPv6 raw sockets need to be copied to/from
userspace. In support of usercopy hardening, this patch defines a region
in the struct proto slab cache in which userspace copy operations are
allowed.
example usage trace:
net/ipv4/raw.c:
raw_seticmpfilter(...):
...
copy_from_user(&raw_sk(sk)->filter, ..., optlen)
raw_geticmpfilter(...):
...
copy_to_user(..., &raw_sk(sk)->filter, len)
net/ipv6/raw.c:
rawv6_seticmpfilter(...):
...
copy_from_user(&raw6_sk(sk)->filter, ..., optlen)
rawv6_geticmpfilter(...):
...
copy_to_user(..., &raw6_sk(sk)->filter, len)
This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.
This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.
Signed-off-by: David Windsor <dave@nullcore.net>
[kees: split from network patch, provide usage trace]
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | net/ipv4/raw.c | 2 | ||||
| -rw-r--r-- | net/ipv6/raw.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 33b70bfd1122..1b6fa4195ac9 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c | |||
| @@ -970,6 +970,8 @@ struct proto raw_prot = { | |||
| 970 | .hash = raw_hash_sk, | 970 | .hash = raw_hash_sk, |
| 971 | .unhash = raw_unhash_sk, | 971 | .unhash = raw_unhash_sk, |
| 972 | .obj_size = sizeof(struct raw_sock), | 972 | .obj_size = sizeof(struct raw_sock), |
| 973 | .useroffset = offsetof(struct raw_sock, filter), | ||
| 974 | .usersize = sizeof_field(struct raw_sock, filter), | ||
| 973 | .h.raw_hash = &raw_v4_hashinfo, | 975 | .h.raw_hash = &raw_v4_hashinfo, |
| 974 | #ifdef CONFIG_COMPAT | 976 | #ifdef CONFIG_COMPAT |
| 975 | .compat_setsockopt = compat_raw_setsockopt, | 977 | .compat_setsockopt = compat_raw_setsockopt, |
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 761a473a07c5..08a85fabdfd1 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c | |||
| @@ -1272,6 +1272,8 @@ struct proto rawv6_prot = { | |||
| 1272 | .hash = raw_hash_sk, | 1272 | .hash = raw_hash_sk, |
| 1273 | .unhash = raw_unhash_sk, | 1273 | .unhash = raw_unhash_sk, |
| 1274 | .obj_size = sizeof(struct raw6_sock), | 1274 | .obj_size = sizeof(struct raw6_sock), |
| 1275 | .useroffset = offsetof(struct raw6_sock, filter), | ||
| 1276 | .usersize = sizeof_field(struct raw6_sock, filter), | ||
| 1275 | .h.raw_hash = &raw_v6_hashinfo, | 1277 | .h.raw_hash = &raw_v6_hashinfo, |
| 1276 | #ifdef CONFIG_COMPAT | 1278 | #ifdef CONFIG_COMPAT |
| 1277 | .compat_setsockopt = compat_rawv6_setsockopt, | 1279 | .compat_setsockopt = compat_rawv6_setsockopt, |