Investigate impact of CONFIG_HARDENED_USERCOPY
When moving to the 4.17-based kernel, we updated the defconfig to have this option:
    CONFIG_HARDENED_USERCOPY:

    This option checks for obviously wrong memory regions when
    copying memory to/from the kernel (via copy_to_user() and
    copy_from_user() functions) by rejecting memory ranges that
    are larger than the specified heap object, span multiple
    separately allocated pages, are not on the process stack,
    or are part of the kernel text. This kills entire classes
    of heap overflow exploits and similar kernel memory exposures.
Perform some benchmarks to work out what the trade-off is in terms of speed, particularly network traffic.
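
One way to get a first number for this, as an added example that is not part of the original issue or the project's code: a userspace microbenchmark that pushes small chunks through a local socket pair, so every iteration makes one user-to-kernel and one kernel-to-user copy. It assumes the same kernel is booted once with the checks active and once without (option disabled in the config, or `hardened_usercopy=off` on the kernel command line), and it is a loopback proxy, not a measurement of real NIC traffic; `bench_usercopy` is a name chosen for this example.

```c
/* Added example: per-copy cost microbenchmark (not from the original issue). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>

/* Push `iters` chunks of `chunk` bytes through an AF_UNIX socket pair.
 * Each chunk is copied into the kernel by write() and back out by read().
 * Returns bytes received, or -1 on error; *ns_per_chunk gets the mean cost. */
long long bench_usercopy(size_t chunk, long iters, double *ns_per_chunk)
{
    int sv[2];
    char *buf = calloc(1, chunk);
    struct timespec t0, t1;
    long long total = 0;

    if (!buf || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { free(buf); return -1; }
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iters; i++) {
        size_t got = 0;
        if (write(sv[0], buf, chunk) != (ssize_t)chunk) { total = -1; break; }
        while (got < chunk) {               /* tolerate short reads */
            ssize_t n = read(sv[1], buf + got, chunk - got);
            if (n <= 0) { total = -1; break; }
            got += (size_t)n;
        }
        if (total < 0) break;
        total += (long long)got;
    }
    clock_gettime(CLOCK_MONOTONIC, &t1);
    close(sv[0]); close(sv[1]); free(buf);
    if (ns_per_chunk && iters > 0)
        *ns_per_chunk = ((t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec)) / (double)iters;
    return total;
}

int main(void)
{
    /* Small chunks make any fixed per-copy check cost most visible. */
    size_t sizes[] = { 64, 512, 4096 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        double ns = 0;
        long long b = bench_usercopy(sizes[i], 200000, &ns);
        printf("chunk=%zu bytes=%lld ns/chunk=%.1f\n", sizes[i], b, ns);
    }
    return 0;
}
```

Run it several times per boot configuration on an otherwise idle machine and compare the ns/chunk figures at each chunk size.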