tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

mm: security: Allow default HARDENED_USERCOPY to be set at compile time

HARDENED_USERCOPY defaults to on if enabled at compile time. Allow
hardened_usercopy= default to be set at compile time similar to
init_on_alloc= and init_on_free=. The intent is that hardening
options that can be disabled at runtime can set their default at
build time.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Link: https://lore.kernel.org/r/20250123221115.19722-3-mgorman@techsingularity.net
Signed-off-by: Kees Cook <kees@kernel.org>

authored by

Mel Gorman and committed by
Kees Cook d2132f45 f4d4e8b9

+13 -2
+3 -1
Documentation/admin-guide/kernel-parameters.txt
··· 1785 1785 allocation boundaries as a proactive defense 1786 1786 against bounds-checking flaws in the kernel's 1787 1787 copy_to_user()/copy_from_user() interface. 1788 - on Perform hardened usercopy checks (default). 1788 + The default is determined by 1789 + CONFIG_HARDENED_USERCOPY_DEFAULT_ON. 1790 + on Perform hardened usercopy checks. 1789 1791 off Disable hardened usercopy checks. 1790 1792 1791 1793 hardlockup_all_cpu_backtrace=
+2 -1
mm/usercopy.c
··· 255 255 } 256 256 EXPORT_SYMBOL(__check_object_size); 257 257 258 - static bool enable_checks __initdata = true; 258 + static bool enable_checks __initdata = 259 + IS_ENABLED(CONFIG_HARDENED_USERCOPY_DEFAULT_ON); 259 260 260 261 static int __init parse_hardened_usercopy(char *str) 261 262 {
+8
security/Kconfig.hardening
··· 294 294 or are part of the kernel text. This prevents entire classes 295 295 of heap overflow exploits and similar kernel memory exposures. 296 296 297 + config HARDENED_USERCOPY_DEFAULT_ON 298 + bool "Harden memory copies by default" 299 + depends on HARDENED_USERCOPY 300 + default HARDENED_USERCOPY 301 + help 302 + This has the effect of setting "hardened_usercopy=on" on the kernel 303 + command line. This can be disabled with "hardened_usercopy=off". 304 + 297 305 endmenu 298 306 299 307 menu "Hardening of kernel data structures"