When an allocator does not mark all allocations as PageSlab, or does not mark multipage allocations with __GFP_COMP, hardened usercopy cannot correctly validate the allocation. SLOB lacks this, so short-circuit the checking for the allocators that aren't marked with CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR. This also updates the config help and corrects a typo in the usercopy comments. Reported-by: xiaolong.ye@xxxxxxxxx Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- mm/usercopy.c | 11 ++++++++++- security/Kconfig | 5 +++-- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/mm/usercopy.c b/mm/usercopy.c index 8ebae91a6b55..855944b05cc7 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -172,6 +172,15 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n, return NULL; } +#ifndef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR + /* + * If the allocator isn't marking multi-page allocations as + * either __GFP_COMP or PageSlab, we cannot correctly perform + * bounds checking of multi-page allocations, so we stop here. + */ + return NULL; +#endif + /* Allow kernel data region (if not marked as Reserved). */ if (ptr >= (const void *)_sdata && end <= (const void *)_edata) return NULL; @@ -192,7 +201,7 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n, return NULL; /* - * Reject if range is entirely either Reserved (i.e. special or + * Allow if range is entirely either Reserved (i.e. special or * device memory), or CMA. Otherwise, reject since the object spans * several independently allocated pages. */ diff --git a/security/Kconfig b/security/Kconfig index df28f2b6f3e1..08dce0327d5b 100644 --- a/security/Kconfig +++ b/security/Kconfig 
@@ -122,8 +122,9 @@ config HAVE_HARDENED_USERCOPY_ALLOCATOR bool help The heap allocator implements __check_heap_object() for - validating memory ranges against heap object sizes in - support of CONFIG_HARDENED_USERCOPY. + validating memory ranges against heap object sizes in support + of CONFIG_HARDENED_USERCOPY. It must mark all managed pages as + PageSlab(), or set __GFP_COMP for multi-page allocations. config HAVE_ARCH_HARDENED_USERCOPY bool -- 2.7.4 -- Kees Cook Nexus Security
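
Review bot: In the first mm/usercopy.c hunk (@@ -172), the "#ifndef CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR" / "return NULL;" / "#endif" block inside the function body leaves an unconditional return followed by dead statements on allocators without the symbol; writing it as "if (!IS_ENABLED(CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR)) return NULL;" avoids the preprocessor block in the middle of the function and makes the control flow explicit. The new comment also speaks only of multi-page allocations, while the early return skips every check below it, including the kernel data region and Reserved/CMA tests that follow in this function, so the comment should say that all of the remaining page-span checks are bypassed for such allocators.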
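
Review bot: In the security/Kconfig hunk, the added sentence "It must mark all managed pages as PageSlab(), or set __GFP_COMP for multi-page allocations" is attached to HAVE_HARDENED_USERCOPY_ALLOCATOR, which is declared as a bare "bool" with no prompt, so the requirement is documented for allocator authors but anyone configuring a kernel never sees that an allocator lacking this symbol gets no page-span validation at all. A line in the user-visible CONFIG_HARDENED_USERCOPY help stating that consequence would keep the option from suggesting coverage it does not provide. The wording also differs from the comment added in mm/usercopy.c ("either __GFP_COMP or PageSlab" for multi-page allocations); both places should state the same condition.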