Hardened Usercopy Appears Ready To Be Merged For Linux 4.8

Written by Michael Larabel in Linux Kernel on 24 July 2016 at 10:28 AM EDT.
Yet another Linux kernel security feature coming to the mainline kernel that appears readied for the Linux 4.8 merge window is hardened usercopy.

Hardened usercopy was originally based upon GrSecurity's PAX_USERCOPY feature but reworked into a whole new form, according to developer Kees Cook at Google. This hardened usercopy is to be exposed as the CONFIG_HARDENED_USERCOPY option within the kernel.

Kees and others have been working on this functionality for a while, but it now appears ready for merging and will go into Linux 4.8. He mentioned, "This is now in my kspp -next tree, though I'd really love to add some additional explicit Tested-bys, Reviewed-bys, or Acked-bys." Linux 4.7 is expected to be released today and the Linux 4.8 merge window will then be open for the next two weeks, so his -next tree should be mainlined then.

In the hardened usercopy v4 patches mailed out this week he explained what CONFIG_HARDENED_USERCOPY will check for when copying to/from user-space:
This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects being copied to/from userspace meet certain criteria:

- if address is a heap object, the size must not exceed the object's allocated size. (This will catch all kinds of heap overflow flaws.)
- if address range is in the current process stack, it must be within a valid stack frame (if such checking is possible) or at least entirely within the current process's stack. (This could catch large lengths that would have extended beyond the current process stack, or overflows if their length extends back into the original stack.)
- if the address range is part of kernel data, rodata, or bss, allow it.
- if address range is page-allocated, that it doesn't span multiple allocations (excepting Reserved and CMA pages).
- if address is within the kernel text, reject it.
- everything else is accepted
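
The rules quoted above, as an added example that is not code from Kees Cook's series or the kernel: a userspace C model of the usercopy check against a constructed memory layout. The stack-frame and page-allocation rules are omitted, and a wraparound rejection (not in the quoted list) is included as the basic sanity check any bounds test needs.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of the CONFIG_HARDENED_USERCOPY policy. The address ranges are
 * constructed for this example and do not reflect any real kernel layout. */
enum verdict { ALLOW = 0, REJECT_WRAP, REJECT_HEAP, REJECT_STACK, REJECT_TEXT };

struct region   { uintptr_t start, end; };   /* half-open [start, end) */
struct heap_obj { uintptr_t base; size_t size; }; /* one allocated heap object */

/* Constructed layout: kernel text, kernel data/rodata/bss, one task stack,
 * and two adjacent heap objects (64 and 192 bytes). */
static const struct region kernel_text = { 0x10000000, 0x10100000 };
static const struct region kernel_data = { 0x10100000, 0x10200000 };
static const struct region task_stack  = { 0x20000000, 0x20004000 };
static const struct heap_obj heap[] = {
    { 0x30000000, 64 },
    { 0x30000040, 192 },
};

static int in_region(const struct region *r, uintptr_t a, uintptr_t e)
{ return a >= r->start && e <= r->end; }
static int overlaps(const struct region *r, uintptr_t a, uintptr_t e)
{ return a < r->end && e > r->start; }

/* Returns ALLOW, or the rule that rejects copying `len` bytes at `addr`. */
enum verdict check_object_size(uintptr_t addr, size_t len)
{
    uintptr_t end = addr + len;
    if (len == 0) return ALLOW;
    if (end < addr) return REJECT_WRAP;       /* range wraps the address space */
    /* heap object: the copy must not exceed the object's allocated size */
    for (size_t i = 0; i < sizeof heap / sizeof heap[0]; i++) {
        uintptr_t obj_end = heap[i].base + heap[i].size;
        if (addr >= heap[i].base && addr < obj_end)
            return end <= obj_end ? ALLOW : REJECT_HEAP;
    }
    /* current process stack: must lie entirely within it (no frame check here) */
    if (overlaps(&task_stack, addr, end))
        return in_region(&task_stack, addr, end) ? ALLOW : REJECT_STACK;
    /* kernel data, rodata, bss: allowed */
    if (in_region(&kernel_data, addr, end)) return ALLOW;
    /* kernel text: never a valid source or destination for a usercopy */
    if (overlaps(&kernel_text, addr, end)) return REJECT_TEXT;
    return ALLOW;                              /* everything else is accepted */
}
```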

The good news is that he's already checked for any performance regressions when using HARDENED_USERCOPY and hasn't been able to find any measurable performance change from this memory security feature. Hopefully we'll see distribution kernels enable this Kconfig option when they begin shipping Linux 4.8+ kernels.