• David Windsor's avatar
    vxfs: Define usercopy region in vxfs_inode slab cache · e9a0561b
    David Windsor authored
    vxfs symlink pathnames, stored in struct vxfs_inode_info field
    vii_immed.vi_immed and therefore contained in the vxfs_inode slab cache,
    need to be copied to/from userspace.
    cache object allocation:
                vi = kmem_cache_alloc(vxfs_inode_cachep, GFP_KERNEL);
                return &vi->vfs_inode;
                inode->i_link = vip->vii_immed.vi_immed;
    example usage trace:
            readlink_copy(..., link):
                copy_to_user(..., link, len);
            (inlined in vfs_readlink)
            generic_readlink(dentry, ...):
                struct inode *inode = d_inode(dentry);
                const char *link = inode->i_link;
                readlink_copy(..., link);
    In support of usercopy hardening, this patch defines a region in the
    vxfs_inode slab cache in which userspace copy operations are allowed.
    This region is known as the slab cache's usercopy region. Slab caches
    can now check that each dynamically sized copy operation involving
    cache-managed memory falls entirely within the slab's usercopy region.
    This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
    whitelisting code in the last public patch of grsecurity/PaX based on my
    understanding of the code. Changes or omissions from the original code are
    mine and don't reflect the original grsecurity/PaX code.
    Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
    [kees: adjust commit log, provide usage trace]
    Cc: Christoph Hellwig <hch@infradead.org>
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>