• David Windsor's avatar
    net: Define usercopy region in struct proto slab cache · 30c2c9f1
    David Windsor authored
    In support of usercopy hardening, this patch defines a region in the
    struct proto slab cache in which userspace copy operations are allowed.
    Some protocols need to copy objects to/from userspace, and they can
    declare the region via their proto structure with the new usersize and
    useroffset fields. Initially, if no region is specified (usersize ==
    0), the entire field is marked as whitelisted. This allows protocols
    to be whitelisted in subsequent patches. Once all protocols have been
    annotated, the full-whitelist default can be removed.
    
    This region is known as the slab cache's usercopy region. Slab caches
    can now check that each dynamically sized copy operation involving
    cache-managed memory falls entirely within the slab's usercopy region.
    
    This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
    whitelisting code in the last public patch of grsecurity/PaX based on my
    understanding of the code. Changes or omissions from the original code are
    mine and don't reflect the original grsecurity/PaX code.
    Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
    [kees: adjust commit log, split off per-proto patches]
    [kees: add logic for by-default full-whitelist]
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Paolo Abeni <pabeni@redhat.com>
    Cc: David Howells <dhowells@redhat.com>
    Cc: netdev@vger.kernel.org
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    30c2c9f1
sock.c 82.6 KB