Hardened Usercopy Appears Ready To Be Merged For Linux 4.8
Hardened usercopy is yet another Linux kernel security feature headed for the mainline kernel, and it appears ready for the Linux 4.8 merge window.
Hardened usercopy was originally based upon GrSecurity's PAX_USERCOPY feature but reworked into a whole new form, according to developer Kees Cook at Google. This hardened usercopy is to be exposed as the CONFIG_HARDENED_USERCOPY option within the kernel.
Kees and others have been working on this functionality for a while, and it now appears ready for merging into Linux 4.8. He mentioned, "This is now in my kspp -next tree, though I'd really love to add some additional explicit Tested-bys, Reviewed-bys, or Acked-bys." Linux 4.7 is expected to be released today and the Linux 4.8 merge window will then be open for the next two weeks, so his -next tree should be mainlined then.
In the hardened usercopy v4 patches mailed out this week, he explained what CONFIG_HARDENED_USERCOPY will check for when copying to/from user-space:
This series, which adds CONFIG_HARDENED_USERCOPY, checks that objects being copied to/from userspace meet certain criteria:
- if address is a heap object, the size must not exceed the object's allocated size. (This will catch all kinds of heap overflow flaws.)
- if address range is in the current process stack, it must be within a valid stack frame (if such checking is possible) or at least entirely within the current process's stack. (This could catch large lengths that would have extended beyond the current process stack, or overflows if their length extends back into the original stack.)
- if the address range is part of kernel data, rodata, or bss, allow it.
- if address range is page-allocated, that it doesn't span multiple allocations (excepting Reserved and CMA pages).
- if address is within the kernel text, reject it.
- everything else is accepted
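To make the criteria above concrete, here is a small user-space model of the decision logic. It is an added example, not code from the kernel patches: the address map, the names `check_copy`, `within` and `overlaps`, and the overflow guard are constructed for illustration, it assumes stack-frame checking is possible, and it leaves out the page-allocation criterion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy address map: every name and address here is hypothetical. */
struct range { uintptr_t start, end; };               /* half-open [start, end) */
enum verdict { COPY_OK, COPY_REJECT };

static const struct range text_seg = { 0x1000, 0x2000 };
static const struct range data_seg = { 0x2000, 0x3000 };   /* data, rodata, bss */
static const struct range stack    = { 0x8000, 0x9000 };
static const struct range frames[] = { { 0x8800, 0x8900 }, { 0x8900, 0x8a00 } };
static const struct range heap_objs[] = { { 0x5000, 0x5040 }, { 0x5040, 0x5100 } };
#define COUNT(x) (sizeof(x) / sizeof((x)[0]))

/* True when the whole range [a, a+n) lies inside r (no overflow in the math). */
static int within(struct range r, uintptr_t a, size_t n)
{
    return a >= r.start && a <= r.end && n <= r.end - a;
}

/* True when [a, a+n) touches r at all; caller guarantees a+n does not wrap. */
static int overlaps(struct range r, uintptr_t a, size_t n)
{
    return a < r.end && a + n > r.start;
}

/* Apply the listed criteria, in the listed order, to n bytes at address a. */
enum verdict check_copy(uintptr_t a, size_t n)
{
    if (a + n < a)                        /* wrapped range: guard added here */
        return COPY_REJECT;
    for (size_t i = 0; i < COUNT(heap_objs); i++)
        if (a >= heap_objs[i].start && a < heap_objs[i].end)
            return within(heap_objs[i], a, n) ? COPY_OK : COPY_REJECT;
    if (overlaps(stack, a, n)) {          /* must sit inside one valid frame */
        for (size_t i = 0; i < COUNT(frames); i++)
            if (within(frames[i], a, n))
                return COPY_OK;
        return COPY_REJECT;
    }
    if (within(data_seg, a, n))           /* kernel data/rodata/bss: allowed */
        return COPY_OK;
    if (overlaps(text_seg, a, n))         /* kernel text: rejected */
        return COPY_REJECT;
    return COPY_OK;                       /* everything else is accepted */
}

int main(void)
{
    printf("0x40 from 64-byte object: %s\n", check_copy(0x5000, 0x40) ? "reject" : "ok");
    printf("0x41 from 64-byte object: %s\n", check_copy(0x5000, 0x41) ? "reject" : "ok");
    return 0;
}
```

The second call in `main` is the heap case from the first criterion: a length one byte larger than the object's allocation is refused even though the adjacent memory is itself a valid heap object.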
The good news is that he's already checked for any performance regressions when using HARDENED_USERCOPY and hasn't been able to find any measurable performance change from this memory security feature. Hopefully we'll see distribution kernels enable this Kconfig option when they begin shipping Linux 4.8+ kernels.