From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f72.google.com (mail-wm0-f72.google.com [74.125.82.72]) by kanga.kvack.org (Postfix) with ESMTP id DB2F06B0253 for ; Fri, 8 Jul 2016 16:48:40 -0400 (EDT) Received: by mail-wm0-f72.google.com with SMTP id n127so19490055wme.1 for ; Fri, 08 Jul 2016 13:48:40 -0700 (PDT) Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com. [2a00:1450:400c:c09::22a]) by mx.google.com with ESMTPS id gw8si3436246wjb.84.2016.07.08.13.48.39 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 Jul 2016 13:48:39 -0700 (PDT) Received: by mail-wm0-x22a.google.com with SMTP id k123so24440520wme.0 for ; Fri, 08 Jul 2016 13:48:39 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: References: <577f7e55.4668420a.84f17.5cb9SMTPIN_ADDED_MISSING@mx.google.com> From: Kees Cook Date: Fri, 8 Jul 2016 16:48:38 -0400 Message-ID: Subject: Re: [kernel-hardening] Re: [PATCH 9/9] mm: SLUB hardened usercopy support Content-Type: text/plain; charset=UTF-8 Sender: owner-linux-mm@kvack.org List-ID: To: Christoph Lameter Cc: Michael Ellerman , "kernel-hardening@lists.openwall.com" , Jan Kara , Catalin Marinas , Will Deacon , Linux-MM , sparclinux , linux-ia64@vger.kernel.org, Andrea Arcangeli , linux-arch , "x86@kernel.org" , Russell King , PaX Team , Borislav Petkov , Mathias Krause , Fenghua Yu , Rik van Riel , David Rientjes , Tony Luck , Andy Lutomirski , Joonsoo Kim , Dmitry Vyukov , Laura Abbott , Brad Spengler , Ard Biesheuvel , LKML , Pekka Enberg , Case y Schauf ler , Andrew Morton , "linuxppc-dev@lists.ozlabs.org" , "David S. Miller" , "linux-arm-kernel@lists.infradead.org" On Fri, Jul 8, 2016 at 1:41 PM, Kees Cook wrote: > On Fri, Jul 8, 2016 at 12:20 PM, Christoph Lameter wrote: >> On Fri, 8 Jul 2016, Kees Cook wrote: >> >>> Is check_valid_pointer() making sure the pointer is within the usable >>> size? It seemed like it was checking that it was within the slub >>> object (checks against s->size, wants it above base after moving >>> pointer to include redzone, etc). >> >> check_valid_pointer verifies that a pointer is pointing to the start of an >> object. It is used to verify the internal points that SLUB used and >> should not be modified to do anything different. > > Yup, no worries -- I won't touch it. :) I just wanted to verify my > understanding. > > And after playing a bit more, I see that the only thing to the left is > padding and redzone. SLUB layout, from what I saw: > > offset: what's there > ------- > start: padding, redzone > red_left_pad: object itself > inuse: rest of metadata > size: start of next slub object > > (and object_size == inuse - red_left_pad) > > i.e. a pointer must be between red_left_pad and inuse, which is the > same as pointer - ref_left_pad being less than object_size. > > So, as found already, the position in the usercopy check needs to be > bumped down by red_left_pad, which is what Michael's fix does, so I'll > include it in the next version. Actually, after some offline chats, I think this is better, since it makes sure the ptr doesn't end up somewhere weird before we start the calculations. This leaves the pointer as-is, but explicitly handles the redzone on the offset instead, with no wrapping, etc: /* Find offset within object. */ offset = (ptr - page_address(page)) % s->size; + /* Adjust for redzone and reject if within the redzone. */ + if (s->flags & SLAB_RED_ZONE) { + if (offset < s->red_left_pad) + return s->name; + offset -= s->red_left_pad; + } + /* Allow address range falling entirely within object size. */ if (offset <= s->object_size && n <= s->object_size - offset) return NULL; -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: email@kvack.org