Commit de046449 authored by David Windsor's avatar David Windsor Committed by Kees Cook
Browse files

cifs: Define usercopy region in cifs_request slab cache 



CIFS request buffers, stored in the cifs_request slab cache, need to be
copied to/from userspace.

cache object allocation:
    fs/cifs/cifsfs.c:
        cifs_init_request_bufs():
            ...
            cifs_req_poolp = mempool_create_slab_pool(cifs_min_rcv,
                                                      cifs_req_cachep);

    fs/cifs/misc.c:
        cifs_buf_get():
            ...
            ret_buf = mempool_alloc(cifs_req_poolp, GFP_NOFS);
            ...
            return ret_buf;

In support of usercopy hardening, this patch defines a region in the
cifs_request slab cache in which userspace copy operations are allowed.

This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.

This patch is verbatim from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.

Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
[kees: adjust commit log, provide usage trace]
Cc: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent e9a0561b

fs/cifs/cifsfs.c

+6 −4
Original line number Diff line number Diff line
@@ -1231,9 +1231,11 @@ cifs_init_request_bufs(void) 
	cifs_dbg(VFS, "CIFSMaxBufSize %d 0x%x\n",

		 CIFSMaxBufSize, CIFSMaxBufSize);

*/

	cifs_req_cachep = kmem_cache_create("cifs_request",

	cifs_req_cachep = kmem_cache_create_usercopy("cifs_request",

					    CIFSMaxBufSize + max_hdr_size, 0,

					    SLAB_HWCACHE_ALIGN, NULL);

					    SLAB_HWCACHE_ALIGN, 0,

					    CIFSMaxBufSize + max_hdr_size,

					    NULL);

	if (cifs_req_cachep == NULL)

		return -ENOMEM;
@@ -1259,9 +1261,9 @@ cifs_init_request_bufs(void) 
	more SMBs to use small buffer alloc and is still much more

	efficient to alloc 1 per page off the slab compared to 17K (5page)

	alloc of large cifs buffers even when page debugging is on */

	cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",

	cifs_sm_req_cachep = kmem_cache_create_usercopy("cifs_small_rq",

			MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,

			NULL);

			0, MAX_CIFS_SMALL_BUFFER_SIZE, NULL);

	if (cifs_sm_req_cachep == NULL) {

		mempool_destroy(cifs_req_poolp);

		kmem_cache_destroy(cifs_req_cachep);

CRA Git | Maintained and supported by SUSTech CRA and CCSE