Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  9 Jan 2018 12:55:45 -0800
From: Kees Cook <>
Cc: Kees Cook <>,
	David Windsor <>,
	Evgeniy Dushistov <>,
	Linus Torvalds <>,
	Alexander Viro <>,
	Andrew Morton <>,
	Andy Lutomirski <>,
	Christoph Hellwig <>,
	Christoph Lameter <>,
	"David S. Miller" <>,
	Laura Abbott <>,
	Mark Rutland <>,
	"Martin K. Petersen" <>,
	Paolo Bonzini <>,
	Christian Borntraeger <>,
	Christoffer Dall <>,
	Dave Kleikamp <>,
	Jan Kara <>,
	Luis de Bethencourt <>,
	Marc Zyngier <>,
	Rik van Riel <>,
	Matthew Garrett <>,,,,,
Subject: [PATCH 16/36] ufs: Define usercopy region in ufs_inode_cache slab cache

From: David Windsor <>

The ufs symlink pathnames, stored in struct ufs_inode_info.i_u1.i_symlink
and therefore contained in the ufs_inode_cache slab cache, need to be
copied to/from userspace.

cache object allocation:
            ei = kmem_cache_alloc(ufs_inode_cachep, GFP_NOFS);
            return &ei->vfs_inode;

        UFS_I(struct inode *inode):
            return container_of(inode, struct ufs_inode_info, vfs_inode);

            inode->i_link = (char *)UFS_I(inode)->i_u1.i_symlink;

example usage trace:

        readlink_copy(..., link):
            copy_to_user(..., link, len);

        (inlined in vfs_readlink)
        generic_readlink(dentry, ...):
            struct inode *inode = d_inode(dentry);
            const char *link = inode->i_link;
            readlink_copy(..., link);

In support of usercopy hardening, this patch defines a region in the
ufs_inode_cache slab cache in which userspace copy operations are allowed.

This region is known as the slab cache's usercopy region. Slab caches
can now check that each dynamically sized copy operation involving
cache-managed memory falls entirely within the slab's usercopy region.

This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
whitelisting code in the last public patch of grsecurity/PaX based on my
understanding of the code. Changes or omissions from the original code are
mine and don't reflect the original grsecurity/PaX code.

Signed-off-by: David Windsor <>
[kees: adjust commit log, provide usage trace]
Cc: Evgeniy Dushistov <>
Signed-off-by: Kees Cook <>
 fs/ufs/super.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/fs/ufs/super.c b/fs/ufs/super.c
index 4d497e9c6883..652a77702aec 100644
--- a/fs/ufs/super.c
+++ b/fs/ufs/super.c
@@ -1466,11 +1466,14 @@ static void init_once(void *foo)
 static int __init init_inodecache(void)
-	ufs_inode_cachep = kmem_cache_create("ufs_inode_cache",
-					     sizeof(struct ufs_inode_info),
-					     0, (SLAB_RECLAIM_ACCOUNT|
-					     init_once);
+	ufs_inode_cachep = kmem_cache_create_usercopy("ufs_inode_cache",
+				sizeof(struct ufs_inode_info), 0,
+				offsetof(struct ufs_inode_info, i_u1.i_symlink),
+				sizeof_field(struct ufs_inode_info,
+					i_u1.i_symlink),
+				init_once);
 	if (ufs_inode_cachep == NULL)
 		return -ENOMEM;
 	return 0;

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.