diff options
author | Avi Kivity <avi@qumranet.com> | 2010-01-10 16:28:09 +0200 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-01-11 09:45:37 -0800 |
commit | a29815a333c6c6e677294bbe5958e771d0aad3fd (patch) | |
tree | 589a782f1992a7da55469379688deaa9f355b779 /include/linux/poison.h | |
parent | c0f607c608ba889db5250235ba620f818aa44a4d (diff) | |
download | kernel_samsung_aries-a29815a333c6c6e677294bbe5958e771d0aad3fd.zip kernel_samsung_aries-a29815a333c6c6e677294bbe5958e771d0aad3fd.tar.gz kernel_samsung_aries-a29815a333c6c6e677294bbe5958e771d0aad3fd.tar.bz2 |
core, x86: make LIST_POISON less deadly
The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable
pointers in order to trap erronous use of freed list_heads. Unfortunately
userspace can arrange for those pointers to actually be dereferencable,
potentially turning an oops to an expolit.
To avoid this allow architectures (currently x86_64 only) to override
the default values for these pointers with truly-undereferencable values.
This is easy on x86_64 as the virtual address space is large and contains
areas that cannot be mapped.
Other 64-bit architectures will likely find similar unmapped ranges.
[ingo: switch to 0xdead000000000000 as the unmapped area]
[ingo: add comments, cleanup]
[jaswinder: eliminate sparse warnings]
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux/poison.h')
-rw-r--r-- | include/linux/poison.h | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/include/linux/poison.h b/include/linux/poison.h index 7fc194a..2110a81 100644 --- a/include/linux/poison.h +++ b/include/linux/poison.h @@ -2,13 +2,25 @@ #define _LINUX_POISON_H /********** include/linux/list.h **********/ + +/* + * Architectures might want to move the poison pointer offset + * into some well-recognized area such as 0xdead000000000000, + * that is also not mappable by user-space exploits: + */ +#ifdef CONFIG_ILLEGAL_POINTER_VALUE +# define POISON_POINTER_DELTA _AC(CONFIG_ILLEGAL_POINTER_VALUE, UL) +#else +# define POISON_POINTER_DELTA 0 +#endif + /* * These are non-NULL pointers that will result in page faults * under normal circumstances, used to verify that nobody uses * non-initialized list entries. */ -#define LIST_POISON1 ((void *) 0x00100100) -#define LIST_POISON2 ((void *) 0x00200200) +#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA) +#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA) /********** include/linux/timer.h **********/ /* |