A custom allocator without __GFP_COMP that copies to userspace has been found in vmw_execbuf_process[1], so this disables the page-span checker by placing it behind a CONFIG for future work where such things can be tracked down later.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326 Reported-by: Vinson Lee <v...@freedesktop.org> Fixes: f5509cc18daa ("mm: Hardened usercopy") Signed-off-by: Kees Cook <keesc...@chromium.org> --- mm/usercopy.c | 8 ++++++++ security/Kconfig | 11 +++++++++++ 2 files changed, 19 insertions(+) diff --git a/mm/usercopy.c b/mm/usercopy.c index a3cc3052f830..b3f0c3355dc8 100644 --- a/mm/usercopy.c +++ b/mm/usercopy.c @@ -172,6 +172,14 @@ static inline const char *check_heap_object(const void *ptr, unsigned long n, return NULL; } +#ifndef CONFIG_HARDENED_USERCOPY_PAGESPAN + /* + * The page-spanning checks are hitting false positives, so + * do not check them for now. + */ + return NULL; +#endif + /* Allow kernel data region (if not marked as Reserved). */ if (ptr >= (const void *)_sdata && end <= (const void *)_edata) return NULL; diff --git a/security/Kconfig b/security/Kconfig index da10d9b573a4..2dfc0ce4083e 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -147,6 +147,17 @@ config HARDENED_USERCOPY or are part of the kernel text. This kills entire classes of heap overflow exploits and similar kernel memory exposures. +config HARDENED_USERCOPY_PAGESPAN + bool "Refuse to copy allocations that span multiple pages" + depends on HARDENED_USERCOPY + depends on !COMPILE_TEST + help + When a multi-page allocation is done without __GFP_COMP, + hardened usercopy will reject attempts to copy it. There are, + however, several cases of this in the kernel that have not all + been removed. This config is intended to be used only while + trying to find such users. + source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig -- 2.7.4 -- Kees Cook Nexus Security
