From: Balbir Singh <bsingharora@gmail.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Daniel Micay <danielmicay@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rik van Riel <riel@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 18:26:43 +1000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> current stack frame (if such checking is possible) or at least entirely
> within the current process's stack. (This could catch large lengths that
> would have extended beyond the current process stack, or overflows if
> their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> replaced in the future by Josh's more comprehensive unwinder):
> 1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> 2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> 3- x86/uaccess: Enable hardened usercopy
> 4- ARM: uaccess: Enable hardened usercopy
> 5- arm64/uaccess: Enable hardened usercopy
> 6- ia64/uaccess: Enable hardened usercopy
> 7- powerpc/uaccess: Enable hardened usercopy
> 8- sparc/uaccess: Enable hardened usercopy
> 9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> 10- mm: SLAB hardened usercopy support
> 11- mm: SLUB hardened usercopy support
>
> Some notes:
>
> - This is expected to apply on top of -next which contains fixes for the
> position of _etext on both arm and arm64, though it has minor conflicts
> with KASAN that are trivial to fix up. Living in -next are also tests
> for this protection in lkdtm, prefixed with USERCOPY_.
>
> - I couldn't detect a measurable performance change with these features
> enabled. Kernel build times were unchanged, hackbench was unchanged,
> etc. I think we could flip this to "on by default" at some point, but
> for now, I'm leaving it off until I can get some more definitive
> measurements. I would love if someone with greater familiarity with
> perf could give this a spin and report results.
>
> - The SLOB support extracted from grsecurity seems entirely broken. I
> have no idea what's going on there, I spent my time testing SLAB and
> SLUB. Having someone else look at SLOB would be nice, but this series
> doesn't depend on it.
>
> Additional features that would be nice, but aren't blocking this series:
>
> - Needs more architecture support for stack frame checking (only x86 now,
> but it seems Josh will have a good solution for this soon).
>
>
> Thanks!
>
> -Kees
>
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
Balbir
WARNING: multiple messages have this Message-ID (diff)
From: Balbir Singh <bsingharora@gmail.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Daniel Micay <danielmicay@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rik van Riel <riel@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli>
Subject: Re: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 18:26:43 +1000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> current stack frame (if such checking is possible) or at least entirely
> within the current process's stack. (This could catch large lengths that
> would have extended beyond the current process stack, or overflows if
> their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> replaced in the future by Josh's more comprehensive unwinder):
> 1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> 2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> 3- x86/uaccess: Enable hardened usercopy
> 4- ARM: uaccess: Enable hardened usercopy
> 5- arm64/uaccess: Enable hardened usercopy
> 6- ia64/uaccess: Enable hardened usercopy
> 7- powerpc/uaccess: Enable hardened usercopy
> 8- sparc/uaccess: Enable hardened usercopy
> 9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> 10- mm: SLAB hardened usercopy support
> 11- mm: SLUB hardened usercopy support
>
> Some notes:
>
> - This is expected to apply on top of -next which contains fixes for the
> position of _etext on both arm and arm64, though it has minor conflicts
> with KASAN that are trivial to fix up. Living in -next are also tests
> for this protection in lkdtm, prefixed with USERCOPY_.
>
> - I couldn't detect a measurable performance change with these features
> enabled. Kernel build times were unchanged, hackbench was unchanged,
> etc. I think we could flip this to "on by default" at some point, but
> for now, I'm leaving it off until I can get some more definitive
> measurements. I would love if someone with greater familiarity with
> perf could give this a spin and report results.
>
> - The SLOB support extracted from grsecurity seems entirely broken. I
> have no idea what's going on there, I spent my time testing SLAB and
> SLUB. Having someone else look at SLOB would be nice, but this series
> doesn't depend on it.
>
> Additional features that would be nice, but aren't blocking this series:
>
> - Needs more architecture support for stack frame checking (only x86 now,
> but it seems Josh will have a good solution for this soon).
>
>
> Thanks!
>
> -Kees
>
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
Balbir
--
To unsubscribe from this list: send the line "unsubscribe linux-ia64" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Balbir Singh <bsingharora@gmail.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Daniel Micay <danielmicay@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rik van Riel <riel@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 08:26:43 +0000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> current stack frame (if such checking is possible) or at least entirely
> within the current process's stack. (This could catch large lengths that
> would have extended beyond the current process stack, or overflows if
> their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> replaced in the future by Josh's more comprehensive unwinder):
> 1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> 2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> 3- x86/uaccess: Enable hardened usercopy
> 4- ARM: uaccess: Enable hardened usercopy
> 5- arm64/uaccess: Enable hardened usercopy
> 6- ia64/uaccess: Enable hardened usercopy
> 7- powerpc/uaccess: Enable hardened usercopy
> 8- sparc/uaccess: Enable hardened usercopy
> 9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> 10- mm: SLAB hardened usercopy support
> 11- mm: SLUB hardened usercopy support
>
> Some notes:
>
> - This is expected to apply on top of -next which contains fixes for the
> position of _etext on both arm and arm64, though it has minor conflicts
> with KASAN that are trivial to fix up. Living in -next are also tests
> for this protection in lkdtm, prefixed with USERCOPY_.
>
> - I couldn't detect a measurable performance change with these features
> enabled. Kernel build times were unchanged, hackbench was unchanged,
> etc. I think we could flip this to "on by default" at some point, but
> for now, I'm leaving it off until I can get some more definitive
> measurements. I would love if someone with greater familiarity with
> perf could give this a spin and report results.
>
> - The SLOB support extracted from grsecurity seems entirely broken. I
> have no idea what's going on there, I spent my time testing SLAB and
> SLUB. Having someone else look at SLOB would be nice, but this series
> doesn't depend on it.
>
> Additional features that would be nice, but aren't blocking this series:
>
> - Needs more architecture support for stack frame checking (only x86 now,
> but it seems Josh will have a good solution for this soon).
>
>
> Thanks!
>
> -Kees
>
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
Balbir
WARNING: multiple messages have this Message-ID (diff)
From: Balbir Singh <bsingharora@gmail.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Daniel Micay <danielmicay@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rik van Riel <riel@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 18:26:43 +1000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>A
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>A
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>A
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>A
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> A allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> A current stack frame (if such checking is possible) or at least entirely
> A within the current process's stack. (This could catch large lengths that
> A would have extended beyond the current process stack, or overflows if
> A their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> A allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>A
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> A replaced in the future by Josh's more comprehensive unwinder):
> A A A A A A A A 1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> A A A A A A A A 2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> A A A A A A A A 3- x86/uaccess: Enable hardened usercopy
> A A A A A A A A 4- ARM: uaccess: Enable hardened usercopy
> A A A A A A A A 5- arm64/uaccess: Enable hardened usercopy
> A A A A A A A A 6- ia64/uaccess: Enable hardened usercopy
> A A A A A A A A 7- powerpc/uaccess: Enable hardened usercopy
> A A A A A A A A 8- sparc/uaccess: Enable hardened usercopy
> A A A A A A A A 9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> A A A A A A A 10- mm: SLAB hardened usercopy support
> A A A A A A A 11- mm: SLUB hardened usercopy support
>A
> Some notes:
>A
> - This is expected to apply on top of -next which contains fixes for the
> A position of _etext on both arm and arm64, though it has minor conflicts
> A with KASAN that are trivial to fix up. Living in -next are also tests
> A for this protection in lkdtm, prefixed with USERCOPY_.
>A
> - I couldn't detect a measurable performance change with these features
> A enabled. Kernel build times were unchanged, hackbench was unchanged,
> A etc. I think we could flip this to "on by default" at some point, but
> A for now, I'm leaving it off until I can get some more definitive
> A measurements. I would love if someone with greater familiarity with
> A perf could give this a spin and report results.
>A
> - The SLOB support extracted from grsecurity seems entirely broken. I
> A have no idea what's going on there, I spent my time testing SLAB and
> A SLUB. Having someone else look at SLOB would be nice, but this series
> A doesn't depend on it.
>A
> Additional features that would be nice, but aren't blocking this series:
>A
> - Needs more architecture support for stack frame checking (only x86 now,
> A but it seems Josh will have a good solution for this soon).
>A
>A
> Thanks!
>A
> -Kees
>A
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>A
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
BalbirA
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: bsingharora@gmail.com (Balbir Singh)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 18:26:43 +1000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>?
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>?
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>?
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>?
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> ? allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> ? current stack frame (if such checking is possible) or at least entirely
> ? within the current process's stack. (This could catch large lengths that
> ? would have extended beyond the current process stack, or overflows if
> ? their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> ? allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>?
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> ? replaced in the future by Josh's more comprehensive unwinder):
> ????????1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> ????????2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> ????????3- x86/uaccess: Enable hardened usercopy
> ????????4- ARM: uaccess: Enable hardened usercopy
> ????????5- arm64/uaccess: Enable hardened usercopy
> ????????6- ia64/uaccess: Enable hardened usercopy
> ????????7- powerpc/uaccess: Enable hardened usercopy
> ????????8- sparc/uaccess: Enable hardened usercopy
> ????????9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> ???????10- mm: SLAB hardened usercopy support
> ???????11- mm: SLUB hardened usercopy support
>?
> Some notes:
>?
> - This is expected to apply on top of -next which contains fixes for the
> ? position of _etext on both arm and arm64, though it has minor conflicts
> ? with KASAN that are trivial to fix up. Living in -next are also tests
> ? for this protection in lkdtm, prefixed with USERCOPY_.
>?
> - I couldn't detect a measurable performance change with these features
> ? enabled. Kernel build times were unchanged, hackbench was unchanged,
> ? etc. I think we could flip this to "on by default" at some point, but
> ? for now, I'm leaving it off until I can get some more definitive
> ? measurements. I would love if someone with greater familiarity with
> ? perf could give this a spin and report results.
>?
> - The SLOB support extracted from grsecurity seems entirely broken. I
> ? have no idea what's going on there, I spent my time testing SLAB and
> ? SLUB. Having someone else look at SLOB would be nice, but this series
> ? doesn't depend on it.
>?
> Additional features that would be nice, but aren't blocking this series:
>?
> - Needs more architecture support for stack frame checking (only x86 now,
> ? but it seems Josh will have a good solution for this soon).
>?
>?
> Thanks!
>?
> -Kees
>?
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>?
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
Balbir?
WARNING: multiple messages have this Message-ID (diff)
From: Balbir Singh <bsingharora@gmail.com>
To: Kees Cook <keescook@chromium.org>, linux-kernel@vger.kernel.org
Cc: Daniel Micay <danielmicay@gmail.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rik van Riel <riel@redhat.com>,
Casey Schaufler <casey@schaufler-ca.com>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Michael Ellerman <mpe@ellerman.id.au>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
"David S. Miller" <davem@davemloft.net>,
x86@kernel.org, Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Borislav Petkov <bp@suse.de>,
Mathias Krause <minipli@googlemail.com>, Jan Kara <jack@suse.cz>,
Vitaly Wool <vitalywool@gmail.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Dmitry Vyukov <dvyukov@google.com>,
Laura Abbott <labbott@fedoraproject.org>,
linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org,
linuxppc-dev@lists.ozlabs.org, sparclinux@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v3 00/11] mm: Hardened usercopy
Date: Mon, 18 Jul 2016 18:26:43 +1000 [thread overview]
Message-ID: <1468830403.2800.0.camel@gmail.com> (raw)
In-Reply-To: <1468619065-3222-1-git-send-email-keescook@chromium.org>
On Fri, 2016-07-15 at 14:44 -0700, Kees Cook wrote:
> Hi,
>
> [I'm going to carry this series in my kspp -next tree now, though I'd
> really love to have some explicit Acked-bys or Reviewed-bys. If you've
> looked through it or tested it, please consider it. :) (I added Valdis
> and mpe's Tested-bys where they seemed correct, thank you!)]
>
> This is a start of the mainline port of PAX_USERCOPY[1]. After I started
> writing tests (now in lkdtm in -next) for Casey's earlier port[2], I kept
> tweaking things further and further until I ended up with a whole new
> patch series. To that end, I took Rik and other people's feedback along
> with other changes and clean-ups.
>
> Based on my understanding, PAX_USERCOPY was designed to catch a
> few classes of flaws (mainly bad bounds checking) around the use of
> copy_to_user()/copy_from_user(). These changes don't touch get_user() and
> put_user(), since these operate on constant sized lengths, and tend to be
> much less vulnerable. There are effectively three distinct protections in
> the whole series, each of which I've given a separate CONFIG, though this
> patch set is only the first of the three intended protections. (Generally
> speaking, PAX_USERCOPY covers what I'm calling CONFIG_HARDENED_USERCOPY
> (this) and CONFIG_HARDENED_USERCOPY_WHITELIST (future), and
> PAX_USERCOPY_SLABS covers CONFIG_HARDENED_USERCOPY_SPLIT_KMALLOC
> (future).)
>
> This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects
> being copied to/from userspace meet certain criteria:
> - if address is a heap object, the size must not exceed the object's
> allocated size. (This will catch all kinds of heap overflow flaws.)
> - if address range is in the current process stack, it must be within the
> current stack frame (if such checking is possible) or at least entirely
> within the current process's stack. (This could catch large lengths that
> would have extended beyond the current process stack, or overflows if
> their length extends back into the original stack.)
> - if the address range is part of kernel data, rodata, or bss, allow it.
> - if address range is page-allocated, that it doesn't span multiple
> allocations.
> - if address is within the kernel text, reject it.
> - everything else is accepted
>
> The patches in the series are:
> - Support for arch-specific stack frame checking (which will likely be
> replaced in the future by Josh's more comprehensive unwinder):
> 1- mm: Implement stack frame object validation
> - The core copy_to/from_user() checks, without the slab object checks:
> 2- mm: Hardened usercopy
> - Per-arch enablement of the protection:
> 3- x86/uaccess: Enable hardened usercopy
> 4- ARM: uaccess: Enable hardened usercopy
> 5- arm64/uaccess: Enable hardened usercopy
> 6- ia64/uaccess: Enable hardened usercopy
> 7- powerpc/uaccess: Enable hardened usercopy
> 8- sparc/uaccess: Enable hardened usercopy
> 9- s390/uaccess: Enable hardened usercopy
> - The heap allocator implementation of object size checking:
> 10- mm: SLAB hardened usercopy support
> 11- mm: SLUB hardened usercopy support
>
> Some notes:
>
> - This is expected to apply on top of -next which contains fixes for the
> position of _etext on both arm and arm64, though it has minor conflicts
> with KASAN that are trivial to fix up. Living in -next are also tests
> for this protection in lkdtm, prefixed with USERCOPY_.
>
> - I couldn't detect a measurable performance change with these features
> enabled. Kernel build times were unchanged, hackbench was unchanged,
> etc. I think we could flip this to "on by default" at some point, but
> for now, I'm leaving it off until I can get some more definitive
> measurements. I would love if someone with greater familiarity with
> perf could give this a spin and report results.
>
> - The SLOB support extracted from grsecurity seems entirely broken. I
> have no idea what's going on there, I spent my time testing SLAB and
> SLUB. Having someone else look at SLOB would be nice, but this series
> doesn't depend on it.
>
> Additional features that would be nice, but aren't blocking this series:
>
> - Needs more architecture support for stack frame checking (only x86 now,
> but it seems Josh will have a good solution for this soon).
>
>
> Thanks!
>
> -Kees
>
> [1] https://grsecurity.net/download.php "grsecurity - test kernel patch"
> [2] http://www.openwall.com/lists/kernel-hardening/2016/05/19/5
>
> v3:
> - switch to using BUG for better Oops integration
> - when checking page allocations, check each for Reserved
> - use enums for the stack check return for readability
>
Thanks looks good so far! I'll try and test it and report back
Balbir
next prev parent reply other threads:[~2016-07-18 8:26 UTC|newest]
Thread overview: 257+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-15 21:44 [PATCH v3 00/11] mm: Hardened usercopy Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 01/11] mm: Implement stack frame object validation Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 02/11] mm: Hardened usercopy Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-19 1:06 ` Laura Abbott
2016-07-19 1:06 ` [kernel-hardening] " Laura Abbott
2016-07-19 1:06 ` Laura Abbott
2016-07-19 1:06 ` Laura Abbott
2016-07-19 1:06 ` Laura Abbott
2016-07-19 1:06 ` Laura Abbott
2016-07-19 18:48 ` Kees Cook
2016-07-19 18:48 ` [kernel-hardening] " Kees Cook
2016-07-19 18:48 ` Kees Cook
2016-07-19 18:48 ` Kees Cook
2016-07-19 18:48 ` Kees Cook
2016-07-19 18:48 ` Kees Cook
2016-07-19 18:48 ` Kees Cook
2016-07-19 22:00 ` [PATCH] mm: Add is_migrate_cma_page Laura Abbott
2016-07-19 22:00 ` [kernel-hardening] " Laura Abbott
2016-07-19 22:00 ` Laura Abbott
2016-07-19 22:00 ` Laura Abbott
2016-07-19 22:00 ` Laura Abbott
2016-07-19 22:00 ` Laura Abbott
2016-07-19 22:40 ` Kees Cook
2016-07-19 22:40 ` [kernel-hardening] " Kees Cook
2016-07-19 22:40 ` Kees Cook
2016-07-19 22:40 ` Kees Cook
2016-07-19 22:40 ` Kees Cook
2016-07-19 22:40 ` Kees Cook
2016-07-19 22:40 ` Kees Cook
2016-07-20 10:24 ` [PATCH v3 02/11] mm: Hardened usercopy Balbir Singh
2016-07-20 10:24 ` [kernel-hardening] " Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 10:24 ` Balbir Singh
2016-07-20 15:36 ` Laura Abbott
2016-07-20 15:36 ` [kernel-hardening] " Laura Abbott
2016-07-20 15:36 ` Laura Abbott
2016-07-20 15:36 ` Laura Abbott
2016-07-20 15:36 ` Laura Abbott
2016-07-20 15:36 ` Laura Abbott
2016-07-20 15:36 ` Laura Abbott
2016-07-19 1:52 ` Laura Abbott
2016-07-19 1:52 ` [kernel-hardening] " Laura Abbott
2016-07-19 1:52 ` Laura Abbott
2016-07-19 1:52 ` Laura Abbott
2016-07-19 1:52 ` Laura Abbott
2016-07-19 1:52 ` Laura Abbott
2016-07-19 19:12 ` Kees Cook
2016-07-19 19:12 ` [kernel-hardening] " Kees Cook
2016-07-19 19:12 ` Kees Cook
2016-07-19 19:12 ` Kees Cook
2016-07-19 19:12 ` Kees Cook
2016-07-19 19:12 ` Kees Cook
2016-07-19 19:12 ` Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 22:55 ` [kernel-hardening] " Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 22:55 ` Kees Cook
2016-07-19 9:21 ` Christian Borntraeger
2016-07-19 9:21 ` [kernel-hardening] " Christian Borntraeger
2016-07-19 9:21 ` Christian Borntraeger
2016-07-19 9:21 ` Christian Borntraeger
2016-07-19 9:21 ` Christian Borntraeger
2016-07-19 9:21 ` Christian Borntraeger
2016-07-19 19:31 ` Kees Cook
2016-07-19 19:31 ` [kernel-hardening] " Kees Cook
2016-07-19 19:31 ` Kees Cook
2016-07-19 19:31 ` Kees Cook
2016-07-19 19:31 ` Kees Cook
2016-07-19 19:31 ` Kees Cook
2016-07-19 19:31 ` Kees Cook
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:14 ` [kernel-hardening] " Christian Borntraeger
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:14 ` Christian Borntraeger
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:34 ` [kernel-hardening] " Kees Cook
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:34 ` Kees Cook
2016-07-19 20:44 ` Christian Borntraeger
2016-07-19 20:44 ` [kernel-hardening] " Christian Borntraeger
2016-07-19 20:44 ` Christian Borntraeger
2016-07-19 20:44 ` Christian Borntraeger
2016-07-19 20:44 ` Christian Borntraeger
2016-07-19 20:44 ` Christian Borntraeger
2016-07-19 20:44 ` Christian Borntraeger
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` [kernel-hardening] " Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
2016-07-21 6:52 ` Michael Ellerman
[not found] ` <5790711f.2350420a.b4287.2cc0SMTPIN_ADDED_BROKEN@mx.google.com>
2016-07-21 18:34 ` Kees Cook
2016-07-21 18:34 ` [kernel-hardening] " Kees Cook
2016-07-21 18:34 ` Kees Cook
2016-07-21 18:34 ` Kees Cook
2016-07-21 18:34 ` Kees Cook
2016-07-21 18:34 ` Kees Cook
2016-07-21 18:34 ` Kees Cook
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-22 17:45 ` [kernel-hardening] " Josh Poimboeuf
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-22 17:45 ` Josh Poimboeuf
2016-07-25 9:27 ` David Laight
2016-07-25 9:27 ` [kernel-hardening] " David Laight
2016-07-25 9:27 ` David Laight
2016-07-25 9:27 ` David Laight
2016-07-25 9:27 ` David Laight
2016-07-25 9:27 ` David Laight
2016-07-25 9:27 ` David Laight
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` [kernel-hardening] " Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:09 ` Michael Ellerman
2016-07-26 2:03 ` Michael Ellerman
2016-07-26 2:03 ` [kernel-hardening] " Michael Ellerman
2016-07-26 2:03 ` Michael Ellerman
2016-07-26 2:03 ` Michael Ellerman
2016-07-26 4:46 ` Kees Cook
2016-07-26 4:46 ` [kernel-hardening] " Kees Cook
2016-07-26 4:46 ` Kees Cook
2016-07-26 4:46 ` Kees Cook
2016-07-26 4:46 ` Kees Cook
2016-07-26 4:46 ` Kees Cook
2016-07-26 4:46 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 03/11] x86/uaccess: Enable hardened usercopy Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 04/11] ARM: uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 05/11] arm64/uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 06/11] ia64/uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 07/11] powerpc/uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 08/11] sparc/uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 09/11] s390/uaccess: " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 10/11] mm: SLAB hardened usercopy support Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` [PATCH v3 11/11] mm: SLUB " Kees Cook
2016-07-15 21:44 ` [kernel-hardening] " Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-15 21:44 ` Kees Cook
2016-07-18 8:26 ` Balbir Singh [this message]
2016-07-18 8:26 ` [kernel-hardening] Re: [PATCH v3 00/11] mm: Hardened usercopy Balbir Singh
2016-07-18 8:26 ` Balbir Singh
2016-07-18 8:26 ` Balbir Singh
2016-07-18 8:26 ` Balbir Singh
2016-07-18 8:26 ` Balbir Singh
2016-07-18 8:26 ` Balbir Singh
2016-07-20 9:52 ` David Laight
2016-07-20 9:52 ` [kernel-hardening] " David Laight
2016-07-20 9:52 ` David Laight
2016-07-20 9:52 ` David Laight
2016-07-20 9:52 ` David Laight
2016-07-20 9:52 ` David Laight
2016-07-20 9:52 ` David Laight
2016-07-20 15:31 ` Kees Cook
2016-07-20 15:31 ` [kernel-hardening] " Kees Cook
2016-07-20 15:31 ` Kees Cook
2016-07-20 15:31 ` Kees Cook
2016-07-20 15:31 ` Kees Cook
2016-07-20 15:31 ` Kees Cook
2016-07-20 15:31 ` Kees Cook
2016-07-20 16:02 ` David Laight
2016-07-20 16:02 ` [kernel-hardening] " David Laight
2016-07-20 16:02 ` David Laight
2016-07-20 16:02 ` David Laight
2016-07-20 16:02 ` David Laight
2016-07-20 16:02 ` David Laight
2016-07-20 16:02 ` David Laight
2016-07-20 16:22 ` Rik van Riel
2016-07-20 16:22 ` [kernel-hardening] " Rik van Riel
2016-07-20 16:22 ` Rik van Riel
2016-07-20 16:22 ` Rik van Riel
2016-07-20 16:22 ` Rik van Riel
2016-07-20 16:22 ` Rik van Riel
2016-07-20 17:44 ` Kees Cook
2016-07-20 17:44 ` [kernel-hardening] " Kees Cook
2016-07-20 17:44 ` Kees Cook
2016-07-20 17:44 ` Kees Cook
2016-07-20 17:44 ` Kees Cook
2016-07-20 17:44 ` Kees Cook
2016-07-20 17:44 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1468830403.2800.0.camel@gmail.com \
--to=bsingharora@gmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=bp@suse.de \
--cc=casey@schaufler-ca.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=danielmicay@gmail.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=fenghua.yu@intel.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=jack@suse.cz \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@fedoraproject.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-ia64@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=luto@kernel.org \
--cc=minipli@googlemail.com \
--cc=mpe@ellerman.id.au \
--cc=pageexec@freemail.hu \
--cc=penberg@kernel.org \
--cc=riel@redhat.com \
--cc=rientjes@google.com \
--cc=sparclinux@vger.kernel.org \
--cc=spender@grsecurity.net \
--cc=tony.luck@intel.com \
--cc=vitalywool@gmail.com \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.