Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

mm: security: Move hardened usercopy under 'Kernel hardening options'

There is a submenu for 'Kernel hardening options' under "Security".
Move HARDENED_USERCOPY under the hardening options as it is clearly
related.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://lore.kernel.org/r/20250123221115.19722-2-mgorman@techsingularity.net
Signed-off-by: Kees Cook <kees@kernel.org>

Authored by Mel Gorman and committed by Kees Cook
f4d4e8b9 808aac63

+16 -12
security/Kconfig (-12)
··· 164 164 this low address space will need the permission specific to the 165 165 systems running LSM. 166 166 167 - config HARDENED_USERCOPY 168 - bool "Harden memory copies between kernel and userspace" 169 - imply STRICT_DEVMEM 170 - help 171 - This option checks for obviously wrong memory regions when 172 - copying memory to/from the kernel (via copy_to_user() and 173 - copy_from_user() functions) by rejecting memory ranges that 174 - are larger than the specified heap object, span multiple 175 - separately allocated pages, are not on the process stack, 176 - or are part of the kernel text. This prevents entire classes 177 - of heap overflow exploits and similar kernel memory exposures. 178 - 179 167 config FORTIFY_SOURCE 180 168 bool "Harden common str/mem functions against buffer overflows" 181 169 depends on ARCH_HAS_FORTIFY_SOURCE
security/Kconfig.hardening (+16)
··· 280 280 281 281 endmenu 282 282 283 + menu "Bounds checking" 284 + 285 + config HARDENED_USERCOPY 286 + bool "Harden memory copies between kernel and userspace" 287 + imply STRICT_DEVMEM 288 + help 289 + This option checks for obviously wrong memory regions when 290 + copying memory to/from the kernel (via copy_to_user() and 291 + copy_from_user() functions) by rejecting memory ranges that 292 + are larger than the specified heap object, span multiple 293 + separately allocated pages, are not on the process stack, 294 + or are part of the kernel text. This prevents entire classes 295 + of heap overflow exploits and similar kernel memory exposures. 296 + 297 + endmenu 298 + 283 299 menu "Hardening of kernel data structures" 284 300 285 301 config LIST_HARDENED
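Review bot: The block removed from security/Kconfig (lines 167-178) and the block added to security/Kconfig.hardening (lines 285-296) are identical, including `imply STRICT_DEVMEM` and the full help text, so this is a pure relocation: CONFIG_HARDENED_USERCOPY keeps its symbol name and existing .config files remain valid. One follow-up worth raising on the first hunk: FORTIFY_SOURCE, which now becomes the first entry at the old position ("Harden common str/mem functions against buffer overflows"), is also a bounds-checking option and would fit the new "Bounds checking" submenu, which as written holds a single entry.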
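Review bot: The commit message says only that the option is moved under 'Kernel hardening options', but the second hunk also creates a new "Bounds checking" submenu (`menu "Bounds checking"` through `endmenu`, lines 283-297) to hold it; the changelog should say so, since the new menu name is what users will see in menuconfig. Placement between the preceding `endmenu` at line 281 and `menu "Hardening of kernel data structures"` at line 299 keeps the menu nesting balanced.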