* [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR
@ 2016-11-17 9:51 Michael Ellerman
2016-11-17 20:01 ` Kees Cook
2016-11-18 17:47 ` Christoph Lameter
0 siblings, 2 replies; 5+ messages in thread
From: Michael Ellerman @ 2016-11-17 9:51 UTC (permalink / raw)
To: akpm
Cc: cl, penberg, rientjes, iamjoonsoo.kim, linux-mm, linux-kernel,
kernel-hardening, keescook
POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
to shift poison values so that they don't alias userspace.
We should add it to ZERO_SIZE_PTR so that attackers can't use
ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.
Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
That no longer really works once we add the poison delta, so split it
into two checks. Assign x to a temporary to avoid evaluating it
twice (suggested by Kees Cook).
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
---
include/linux/slab.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 084b12bad198..404419d9860f 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
#define _LINUX_SLAB_H
#include <linux/gfp.h>
+#include <linux/poison.h>
#include <linux/types.h>
#include <linux/workqueue.h>
@@ -109,10 +110,13 @@
* ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
* Both make kfree a no-op.
*/
-#define ZERO_SIZE_PTR ((void *)16)
+#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA))
-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
- (unsigned long)ZERO_SIZE_PTR)
+#define ZERO_OR_NULL_PTR(x) \
+ ({ \
+ void *p = (void *)(x); \
+ (p == NULL || p == ZERO_SIZE_PTR); \
+ })
#include <linux/kmemleak.h>
#include <linux/kasan.h>
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR
2016-11-17 9:51 [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR Michael Ellerman
@ 2016-11-17 20:01 ` Kees Cook
2016-11-18 17:47 ` Christoph Lameter
1 sibling, 0 replies; 5+ messages in thread
From: Kees Cook @ 2016-11-17 20:01 UTC (permalink / raw)
To: Michael Ellerman
Cc: Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes,
Joonsoo Kim, Linux-MM, LKML, kernel-hardening
On Thu, Nov 17, 2016 at 1:51 AM, Michael Ellerman <mpe@ellerman.id.au> wrote:
> POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
> to shift poison values so that they don't alias userspace.
>
> We should add it to ZERO_SIZE_PTR so that attackers can't use
> ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.
>
> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
> That no longer really works once we add the poison delta, so split it
> into two checks. Assign x to a temporary to avoid evaluating it
> twice (suggested by Kees Cook).
>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
I continue to like this idea. If we want to avoid the loss of the 1-15
check, we could just explicitly retain it, see craziness below...
> ---
> include/linux/slab.h | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.
>
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index 084b12bad198..404419d9860f 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -12,6 +12,7 @@
> #define _LINUX_SLAB_H
>
> #include <linux/gfp.h>
> +#include <linux/poison.h>
> #include <linux/types.h>
> #include <linux/workqueue.h>
>
> @@ -109,10 +110,13 @@
> * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
> * Both make kfree a no-op.
> */
> -#define ZERO_SIZE_PTR ((void *)16)
#define __ZERO_SIZE_PTR((void *)16)
#define ZERO_SIZE_PTR ((void *)(__ZERO_SIZE_PTR + POISON_POINTER_DELTA))
>
> -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
> - (unsigned long)ZERO_SIZE_PTR)
> +#define ZERO_OR_NULL_PTR(x) \
> + ({ \
> + void *p = (void *)(x); \
(p < __ZERO_SIZE_PTR || p == ZERO_SIZE_PTR); \
> + })
#undef __ZERO_SIZE_PTR
?
Anyone else have thoughts on this?
-Kees
--
Kees Cook
Nexus Security
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR
2016-11-17 9:51 [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR Michael Ellerman
2016-11-17 20:01 ` Kees Cook
@ 2016-11-18 17:47 ` Christoph Lameter
2016-11-18 17:55 ` Kees Cook
1 sibling, 1 reply; 5+ messages in thread
From: Christoph Lameter @ 2016-11-18 17:47 UTC (permalink / raw)
To: Michael Ellerman
Cc: akpm, penberg, rientjes, iamjoonsoo.kim, linux-mm, linux-kernel,
kernel-hardening, keescook
On Thu, 17 Nov 2016, Michael Ellerman wrote:
> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
Well yes that was done so we do not add too many branches all over the
kernel.....
> That no longer really works once we add the poison delta, so split it
> into two checks. Assign x to a temporary to avoid evaluating it
> twice (suggested by Kees Cook).
And now you are doing just that.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR
2016-11-18 17:47 ` Christoph Lameter
@ 2016-11-18 17:55 ` Kees Cook
2016-11-18 18:19 ` Christoph Lameter
0 siblings, 1 reply; 5+ messages in thread
From: Kees Cook @ 2016-11-18 17:55 UTC (permalink / raw)
To: Christoph Lameter
Cc: Michael Ellerman, Andrew Morton, Pekka Enberg, David Rientjes,
Joonsoo Kim, Linux-MM, LKML, kernel-hardening
On Fri, Nov 18, 2016 at 9:47 AM, Christoph Lameter <cl@linux.com> wrote:
> On Thu, 17 Nov 2016, Michael Ellerman wrote:
>
>> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
>> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
>
> Well yes that was done so we do not add too many branches all over the
> kernel.....
There are actually very few callers of this macro. (Though it's
possible they're executed frequently.)
>> That no longer really works once we add the poison delta, so split it
>> into two checks. Assign x to a temporary to avoid evaluating it
>> twice (suggested by Kees Cook).
>
> And now you are doing just that.
In this case, what about the original < ZERO_SIZE_PTR check Michael
suggested? At least the one use in usercopy.c needs to be fixed, but
otherwise, it should be fine?
-Kees
--
Kees Cook
Nexus Security
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR
2016-11-18 17:55 ` Kees Cook
@ 2016-11-18 18:19 ` Christoph Lameter
0 siblings, 0 replies; 5+ messages in thread
From: Christoph Lameter @ 2016-11-18 18:19 UTC (permalink / raw)
To: Kees Cook
Cc: Michael Ellerman, Andrew Morton, Pekka Enberg, David Rientjes,
Joonsoo Kim, Linux-MM, LKML, kernel-hardening
On Fri, 18 Nov 2016, Kees Cook wrote:
> In this case, what about the original < ZERO_SIZE_PTR check Michael
> suggested? At least the one use in usercopy.c needs to be fixed, but
> otherwise, it should be fine?
Looks like it.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-11-18 18:29 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-11-17 9:51 [PATCH v2] slab: Add POISON_POINTER_DELTA to ZERO_SIZE_PTR Michael Ellerman
2016-11-17 20:01 ` Kees Cook
2016-11-18 17:47 ` Christoph Lameter
2016-11-18 17:55 ` Kees Cook
2016-11-18 18:19 ` Christoph Lameter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).