• David Windsor's avatar
    ext2: Define usercopy region in ext2_inode_cache slab cache · 85212d4e
    David Windsor authored
    The ext2 symlink pathnames, stored in struct ext2_inode_info.i_data and
    therefore contained in the ext2_inode_cache slab cache, need to be copied
    to/from userspace.
    
    cache object allocation:
        fs/ext2/super.c:
            ext2_alloc_inode(...):
                struct ext2_inode_info *ei;
                ...
                ei = kmem_cache_alloc(ext2_inode_cachep, GFP_NOFS);
                ...
                return &ei->vfs_inode;
    
        fs/ext2/ext2.h:
            EXT2_I(struct inode *inode):
                return container_of(inode, struct ext2_inode_info, vfs_inode);
    
        fs/ext2/namei.c:
            ext2_symlink(...):
                ...
                inode->i_link = (char *)&EXT2_I(inode)->i_data;
    
    example usage trace:
        readlink_copy+0x43/0x70
        vfs_readlink+0x62/0x110
        SyS_readlinkat+0x100/0x130
    
        fs/namei.c:
            readlink_copy(..., link):
                ...
                copy_to_user(..., link, len);
    
            (inlined into vfs_readlink)
            generic_readlink(dentry, ...):
                struct inode *inode = d_inode(dentry);
                const char *link = inode->i_link;
                ...
                readlink_copy(..., link);
    
    In support of usercopy hardening, this patch defines a region in the
    ext2_inode_cache slab cache in which userspace copy operations are
    allowed.
    
    This region is known as the slab cache's usercopy region. Slab caches
    can now check that each dynamically sized copy operation involving
    cache-managed memory falls entirely within the slab's usercopy region.
    
    This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
    whitelisting code in the last public patch of grsecurity/PaX based on my
    understanding of the code. Changes or omissions from the original code are
    mine and don't reflect the original grsecurity/PaX code.
    Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
    [kees: adjust commit log, provide usage trace]
    Cc: Jan Kara <jack@suse.com>
    Cc: linux-ext4@vger.kernel.org
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Acked-by: default avatarJan Kara <jack@suse.cz>
    85212d4e
super.c 44.2 KB