• David Windsor's avatar
    vfs: Define usercopy region in names_cache slab caches · 6a9b8820
    David Windsor authored
    VFS pathnames are stored in the names_cache slab cache, either inline
    or across an entire allocation entry (when approaching PATH_MAX). These
    are copied to/from userspace, so they must be entirely whitelisted.
    
    cache object allocation:
        include/linux/fs.h:
            #define __getname()    kmem_cache_alloc(names_cachep, GFP_KERNEL)
    
    example usage trace:
        strncpy_from_user+0x4d/0x170
        getname_flags+0x6f/0x1f0
        user_path_at_empty+0x23/0x40
        do_mount+0x69/0xda0
        SyS_mount+0x83/0xd0
    
        fs/namei.c:
            getname_flags(...):
                ...
                result = __getname();
                ...
                kname = (char *)result->iname;
                result->name = kname;
                len = strncpy_from_user(kname, filename, EMBEDDED_NAME_MAX);
                ...
                if (unlikely(len == EMBEDDED_NAME_MAX)) {
                    const size_t size = offsetof(struct filename, iname[1]);
                    kname = (char *)result;
    
                    result = kzalloc(size, GFP_KERNEL);
                    ...
                    result->name = kname;
                    len = strncpy_from_user(kname, filename, PATH_MAX);
    
    In support of usercopy hardening, this patch defines the entire cache
    object in the names_cache slab cache as whitelisted, since it may entirely
    hold name strings to be copied to/from userspace.
    
    This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
    whitelisting code in the last public patch of grsecurity/PaX based on my
    understanding of the code. Changes or omissions from the original code are
    mine and don't reflect the original grsecurity/PaX code.
    Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
    [kees: adjust commit log, add usage trace]
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: linux-fsdevel@vger.kernel.org
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    6a9b8820
dcache.c 94.5 KB