POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
to shift poison values so that they don't alias userspace.
We should add it to ZERO_SIZE_PTR so that attackers can't use
ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.
Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
That no longer really works once we add the poison delta, so split it
into two checks. Assign x to a temporary to avoid evaluating it
twice (suggested by Kees Cook).
Signed-off-by: Michael Ellerman <[email protected]>
---
include/linux/slab.h | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 084b12bad198..404419d9860f 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -12,6 +12,7 @@
#define _LINUX_SLAB_H
#include <linux/gfp.h>
+#include <linux/poison.h>
#include <linux/types.h>
#include <linux/workqueue.h>
@@ -109,10 +110,13 @@
* ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
* Both make kfree a no-op.
*/
-#define ZERO_SIZE_PTR ((void *)16)
+#define ZERO_SIZE_PTR ((void *)(16 + POISON_POINTER_DELTA))
-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
- (unsigned long)ZERO_SIZE_PTR)
+#define ZERO_OR_NULL_PTR(x) \
+ ({ \
+ void *p = (void *)(x); \
+ (p == NULL || p == ZERO_SIZE_PTR); \
+ })
#include <linux/kmemleak.h>
#include <linux/kasan.h>
--
2.7.4
On Thu, Nov 17, 2016 at 1:51 AM, Michael Ellerman <[email protected]> wrote:
> POISON_POINTER_DELTA is defined in poison.h, and is intended to be used
> to shift poison values so that they don't alias userspace.
>
> We should add it to ZERO_SIZE_PTR so that attackers can't use
> ZERO_SIZE_PTR as a way to get a non-NULL pointer to userspace.
>
> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
> That no longer really works once we add the poison delta, so split it
> into two checks. Assign x to a temporary to avoid evaluating it
> twice (suggested by Kees Cook).
>
> Signed-off-by: Michael Ellerman <[email protected]>
I continue to like this idea. If we want to avoid the loss of the 1-15
check, we could just explicitly retain it, see craziness below...
> ---
> include/linux/slab.h | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> v2: Rework ZERO_OR_NULL_PTR() to do the two checks separately.
>
> diff --git a/include/linux/slab.h b/include/linux/slab.h
> index 084b12bad198..404419d9860f 100644
> --- a/include/linux/slab.h
> +++ b/include/linux/slab.h
> @@ -12,6 +12,7 @@
> #define _LINUX_SLAB_H
>
> #include <linux/gfp.h>
> +#include <linux/poison.h>
> #include <linux/types.h>
> #include <linux/workqueue.h>
>
> @@ -109,10 +110,13 @@
> * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
> * Both make kfree a no-op.
> */
> -#define ZERO_SIZE_PTR ((void *)16)
#define __ZERO_SIZE_PTR((void *)16)
#define ZERO_SIZE_PTR ((void *)(__ZERO_SIZE_PTR + POISON_POINTER_DELTA))
>
> -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
> - (unsigned long)ZERO_SIZE_PTR)
> +#define ZERO_OR_NULL_PTR(x) \
> + ({ \
> + void *p = (void *)(x); \
(p < __ZERO_SIZE_PTR || p == ZERO_SIZE_PTR); \
> + })
#undef __ZERO_SIZE_PTR
?
Anyone else have thoughts on this?
-Kees
--
Kees Cook
Nexus Security
On Thu, 17 Nov 2016, Michael Ellerman wrote:
> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
Well yes that was done so we do not add too many branches all over the
kernel.....
> That no longer really works once we add the poison delta, so split it
> into two checks. Assign x to a temporary to avoid evaluating it
> twice (suggested by Kees Cook).
And now you are doing just that.
On Fri, Nov 18, 2016 at 9:47 AM, Christoph Lameter <[email protected]> wrote:
> On Thu, 17 Nov 2016, Michael Ellerman wrote:
>
>> Currently ZERO_OR_NULL_PTR() uses a trick of doing a single check that
>> x <= ZERO_SIZE_PTR, and ignoring the fact that it also matches 1-15.
>
> Well yes that was done so we do not add too many branches all over the
> kernel.....
There are actually very few callers of this macro. (Though it's
possible they're executed frequently.)
>> That no longer really works once we add the poison delta, so split it
>> into two checks. Assign x to a temporary to avoid evaluating it
>> twice (suggested by Kees Cook).
>
> And now you are doing just that.
In this case, what about the original < ZERO_SIZE_PTR check Michael
suggested? At least the one use in usercopy.c needs to be fixed, but
otherwise, it should be fine?
-Kees
--
Kees Cook
Nexus Security
On Fri, 18 Nov 2016, Kees Cook wrote:
> In this case, what about the original < ZERO_SIZE_PTR check Michael
> suggested? At least the one use in usercopy.c needs to be fixed, but
> otherwise, it should be fine?
Looks like it.