diff options
author | Avi Kivity <avi@qumranet.com> | 2010-01-10 09:28:09 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-01-11 12:45:37 -0500 |
commit | a29815a333c6c6e677294bbe5958e771d0aad3fd (patch) | |
tree | 589a782f1992a7da55469379688deaa9f355b779 /include | |
parent | c0f607c608ba889db5250235ba620f818aa44a4d (diff) |
core, x86: make LIST_POISON less deadly
The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable
pointers in order to trap erronous use of freed list_heads. Unfortunately
userspace can arrange for those pointers to actually be dereferencable,
potentially turning an oops to an expolit.
To avoid this allow architectures (currently x86_64 only) to override
the default values for these pointers with truly-undereferencable values.
This is easy on x86_64 as the virtual address space is large and contains
areas that cannot be mapped.
Other 64-bit architectures will likely find similar unmapped ranges.
[ingo: switch to 0xdead000000000000 as the unmapped area]
[ingo: add comments, cleanup]
[jaswinder: eliminate sparse warnings]
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/poison.h | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/include/linux/poison.h b/include/linux/poison.h index 7fc194aef8c2..2110a81c5e2a 100644 --- a/include/linux/poison.h +++ b/include/linux/poison.h | |||
@@ -2,13 +2,25 @@ | |||
2 | #define _LINUX_POISON_H | 2 | #define _LINUX_POISON_H |
3 | 3 | ||
4 | /********** include/linux/list.h **********/ | 4 | /********** include/linux/list.h **********/ |
5 | |||
6 | /* | ||
7 | * Architectures might want to move the poison pointer offset | ||
8 | * into some well-recognized area such as 0xdead000000000000, | ||
9 | * that is also not mappable by user-space exploits: | ||
10 | */ | ||
11 | #ifdef CONFIG_ILLEGAL_POINTER_VALUE | ||
12 | # define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL) | ||
13 | #else | ||
14 | # define POISON_POINTER_DELTA 0 | ||
15 | #endif | ||
16 | |||
5 | /* | 17 | /* |
6 | * These are non-NULL pointers that will result in page faults | 18 | * These are non-NULL pointers that will result in page faults |
7 | * under normal circumstances, used to verify that nobody uses | 19 | * under normal circumstances, used to verify that nobody uses |
8 | * non-initialized list entries. | 20 | * non-initialized list entries. |
9 | */ | 21 | */ |
10 | #define LIST_POISON1 ((void *) 0x00100100) | 22 | #define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA) |
11 | #define LIST_POISON2 ((void *) 0x00200200) | 23 | #define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA) |
12 | 24 | ||
13 | /********** include/linux/timer.h **********/ | 25 | /********** include/linux/timer.h **********/ |
14 | /* | 26 | /* |