Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 04385fc5 authored by Kees Cook's avatar Kees Cook
Browse files

mm: SLAB hardened usercopy support 



Under CONFIG_HARDENED_USERCOPY, this adds object size checking to the
SLAB allocator to catch any copies that may span objects.

Based on code from PaX and grsecurity.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Tested-by: default avatarValdis Kletnieks <valdis.kletnieks@vt.edu>
parent 97433ea4

init/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -1758,6 +1758,7 @@ choice 


config SLAB

	bool "SLAB"

	select HAVE_HARDENED_USERCOPY_ALLOCATOR

	help

	  The regular slab allocator that is established and known to work

	  well in all environments. It organizes cache hot objects in

mm/slab.c

+30 −0
Original line number Diff line number Diff line
@@ -4477,6 +4477,36 @@ static int __init slab_proc_init(void) 
module_init(slab_proc_init);

#endif



#ifdef CONFIG_HARDENED_USERCOPY

/*

 * Rejects objects that are incorrectly sized.

 *

 * Returns NULL if check passes, otherwise const char * to name of cache

 * to indicate an error.

 */

const char *__check_heap_object(const void *ptr, unsigned long n,

				struct page *page)

{

	struct kmem_cache *cachep;

	unsigned int objnr;

	unsigned long offset;



	/* Find and validate object. */

	cachep = page->slab_cache;

	objnr = obj_to_index(cachep, page, (void *)ptr);

	BUG_ON(objnr >= cachep->num);



	/* Find offset within object. */

	offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);



	/* Allow address range falling entirely within object size. */

	if (offset <= cachep->object_size && n <= cachep->object_size - offset)

		return NULL;



	return cachep->name;

}

#endif /* CONFIG_HARDENED_USERCOPY */



/**

 * ksize - get the actual amount of memory allocated for a given object

 * @objp: Pointer to the object