From: Kees Cook <keescook@chromium.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Thomas Garnier <thgarnie@google.com>,
Thomas Gleixner <tglx@linutronix.de>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>, Al Viro <viro@zeniv.linux.org.uk>,
Dave Martin <Dave.Martin@arm.com>,
Pratyush Anand <panand@redhat.com>,
Dave Hansen <dave.hansen@intel.com>,
Arnd Bergmann <arnd@arndb.de>,
David Howells <dhowells@redhat.com>, Yonghong Song <yhs@fb.com>,
linux-arm-kernel@lists.infradead.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/4] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
Date: Thu, 7 Sep 2017 08:30:44 -0700 [thread overview]
Message-ID: <1504798247-48833-2-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1504798247-48833-1-git-send-email-keescook@chromium.org>
From: Thomas Garnier <thgarnie@google.com>
Use CHECK_DATA_CORRUPTION instead of BUG_ON to provide more flexibility
on address limit failures. By default, send a SIGKILL signal to kill the
current process preventing exploitation of a bad address limit.
Make the TIF_FSCHECK flag optional so ARM can use this function.
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/syscalls.h | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 88951b795ee3..65e273aadada 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -219,21 +219,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
} \
static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
-#ifdef TIF_FSCHECK
/*
* Called before coming back to user-mode. Returning to user-mode with an
* address limit different than USER_DS can allow to overwrite kernel memory.
*/
static inline void addr_limit_user_check(void)
{
-
+#ifdef TIF_FSCHECK
if (!test_thread_flag(TIF_FSCHECK))
return;
+#endif
- BUG_ON(!segment_eq(get_fs(), USER_DS));
+ if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
+ "Invalid address limit on user-mode return"))
+ force_sig(SIGKILL, current);
+
+#ifdef TIF_FSCHECK
clear_thread_flag(TIF_FSCHECK);
-}
#endif
+}
asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
qid_t id, void __user *addr);
--
2.7.4
WARNING: multiple messages have this Message-ID (diff)
From: keescook@chromium.org (Kees Cook)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 1/4] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
Date: Thu, 7 Sep 2017 08:30:44 -0700 [thread overview]
Message-ID: <1504798247-48833-2-git-send-email-keescook@chromium.org> (raw)
In-Reply-To: <1504798247-48833-1-git-send-email-keescook@chromium.org>
From: Thomas Garnier <thgarnie@google.com>
Use CHECK_DATA_CORRUPTION instead of BUG_ON to provide more flexibility
on address limit failures. By default, send a SIGKILL signal to kill the
current process preventing exploitation of a bad address limit.
Make the TIF_FSCHECK flag optional so ARM can use this function.
Signed-off-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
include/linux/syscalls.h | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 88951b795ee3..65e273aadada 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -219,21 +219,25 @@ static inline int is_syscall_trace_event(struct trace_event_call *tp_event)
} \
static inline long SYSC##name(__MAP(x,__SC_DECL,__VA_ARGS__))
-#ifdef TIF_FSCHECK
/*
* Called before coming back to user-mode. Returning to user-mode with an
* address limit different than USER_DS can allow to overwrite kernel memory.
*/
static inline void addr_limit_user_check(void)
{
-
+#ifdef TIF_FSCHECK
if (!test_thread_flag(TIF_FSCHECK))
return;
+#endif
- BUG_ON(!segment_eq(get_fs(), USER_DS));
+ if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
+ "Invalid address limit on user-mode return"))
+ force_sig(SIGKILL, current);
+
+#ifdef TIF_FSCHECK
clear_thread_flag(TIF_FSCHECK);
-}
#endif
+}
asmlinkage long sys32_quotactl(unsigned int cmd, const char __user *special,
qid_t id, void __user *addr);
--
2.7.4
next prev parent reply other threads:[~2017-09-07 15:31 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-07 15:30 [PATCH 0/4] Fix check address limit on user-mode Kees Cook
2017-09-07 15:30 ` Kees Cook
2017-09-07 15:30 ` Kees Cook [this message]
2017-09-07 15:30 ` [PATCH 1/4] syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check Kees Cook
2017-09-17 17:53 ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 2/4] Revert "arm/syscalls: Check address limit on user-mode return" Kees Cook
2017-09-07 15:30 ` Kees Cook
2017-09-17 17:54 ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 3/4] arm/syscalls: Optimize address limit check Kees Cook
2017-09-07 15:30 ` Kees Cook
2017-09-17 17:54 ` [tip:core/urgent] " tip-bot for Thomas Garnier
2017-09-07 15:30 ` [PATCH 4/4] arm64/syscalls: Move address limit check in loop Kees Cook
2017-09-07 15:30 ` Kees Cook
2017-09-12 18:27 ` Will Deacon
2017-09-12 18:27 ` Will Deacon
2017-09-12 18:28 ` Kees Cook
2017-09-12 18:28 ` Kees Cook
2017-09-12 18:28 ` Kees Cook
2017-09-13 8:00 ` Ingo Molnar
2017-09-13 8:00 ` Ingo Molnar
2017-09-13 8:00 ` Ingo Molnar
2017-09-17 17:54 ` [tip:core/urgent] " tip-bot for Thomas Garnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1504798247-48833-2-git-send-email-keescook@chromium.org \
--to=keescook@chromium.org \
--cc=Dave.Martin@arm.com \
--cc=arnd@arndb.de \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@intel.com \
--cc=dhowells@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=panand@redhat.com \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
--cc=will.deacon@arm.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.