diff options
author | Kees Cook <keescook@chromium.org> | 2016-06-24 00:20:59 +0200 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-07-26 23:41:53 +0200 |
commit | 04385fc5e8fffed84425d909a783c0f0c587d847 (patch) | |
tree | 07f94a9ec860dc0bcb6efd2f44632d0a5da29237 /mm | |
parent | s390/uaccess: Enable hardened usercopy (diff) | |
download | linux-04385fc5e8fffed84425d909a783c0f0c587d847.tar.xz linux-04385fc5e8fffed84425d909a783c0f0c587d847.zip |
mm: SLAB hardened usercopy support
Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the
SLAB allocator to catch any copies that may span objects.
Based on code from PaX and grsecurity.
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Diffstat (limited to 'mm')
-rw-r--r-- | mm/slab.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/mm/slab.c b/mm/slab.c index cc8bbc1e6bc9..5e2d5f349aca 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -4477,6 +4477,36 @@ static int __init slab_proc_init(void) module_init(slab_proc_init); #endif +#ifdef CONFIG_HARDENED_USERCOPY +/* + * Rejects objects that are incorrectly sized. + * + * Returns NULL if check passes, otherwise const char * to name of cache + * to indicate an error. + */ +const char *__check_heap_object(const void *ptr, unsigned long n, + struct page *page) +{ + struct kmem_cache *cachep; + unsigned int objnr; + unsigned long offset; + + /* Find and validate object. */ + cachep = page->slab_cache; + objnr = obj_to_index(cachep, page, (void *)ptr); + BUG_ON(objnr >= cachep->num); + + /* Find offset within object. */ + offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep); + + /* Allow address range falling entirely within object size. */ + if (offset <= cachep->object_size && n <= cachep->object_size - offset) + return NULL; + + return cachep->name; +} +#endif /* CONFIG_HARDENED_USERCOPY */ + /** * ksize - get the actual amount of memory allocated for a given object * @objp: Pointer to the object |