The setxattr() API can be used for exploiting[1][2][3] use-after-free type confusion flaws in the kernel. Avoid having a user-controlled size cache share the global kmalloc allocator by using a separate set of kmalloc buckets. Link: https://duasynt.com/blog/linux-kernel-heap-spray [1] Link: https://etenal.me/archives/1336 [2] Link: https://github.com/a13xp0p0v/kernel-hack-drill/blob/master/drill_exploit_uaf.c [3] Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> --- Cc: Christian Brauner <brauner@xxxxxxxxxx> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> Cc: Jan Kara <jack@xxxxxxx> Cc: linux-fsdevel@xxxxxxxxxxxxxxx --- fs/xattr.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/fs/xattr.c b/fs/xattr.c index 09d927603433..2b06316f1d1f 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -821,6 +821,16 @@ SYSCALL_DEFINE4(fgetxattr, int, fd, const char __user *, name, return error; } +static struct kmem_buckets *xattr_buckets; +static int __init init_xattr_buckets(void) +{ + xattr_buckets = kmem_buckets_create("xattr", 0, 0, 0, + XATTR_LIST_MAX, NULL); + + return 0; +} +subsys_initcall(init_xattr_buckets); + /* * Extended attribute LIST operations */ @@ -833,7 +843,7 @@ listxattr(struct dentry *d, char __user *list, size_t size) if (size) { if (size > XATTR_LIST_MAX) size = XATTR_LIST_MAX; - klist = kvmalloc(size, GFP_KERNEL); + klist = kmem_buckets_alloc(xattr_buckets, size, GFP_KERNEL); if (!klist) return -ENOMEM; } -- 2.34.1
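Review bot: init_xattr_buckets() discards the return value of kmem_buckets_create(), so a failed cache creation leaves xattr_buckets NULL and the later kmem_buckets_alloc(xattr_buckets, ...) call either oopses or, if a NULL bucket set falls back to the shared kmalloc caches, silently loses the isolation this patch exists to provide. Suggest at least a WARN_ON()/pr_warn() on a NULL return in the initcall so that the degraded state is visible in dmesg, and a one-line comment stating which of the two behaviours applies.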
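Review bot: replacing kvmalloc(size, GFP_KERNEL) with kmem_buckets_alloc(xattr_buckets, size, GFP_KERNEL) in listxattr() drops the vmalloc fallback for a size that is user-controlled up to XATTR_LIST_MAX, so the largest requests now need physically contiguous pages and can return -ENOMEM under fragmentation where the old call succeeded; it also means sizes above the largest slab bucket are served by the page allocator rather than the dedicated "xattr" caches, so the isolation only covers the slab-sized range. Worth stating the intended upper bound of the isolated range in the commit message, and confirming that the matching free path for klist (not shown in this hunk) is valid for a bucket allocation.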