From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp.codeaurora.org by pdx-caf-mail.web.codeaurora.org (Dovecot) with LMTP id dj9FDPeYGVv7CQAAmS7hNA ; Thu, 07 Jun 2018 20:43:35 +0000 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id DD77A6074D; Thu, 7 Jun 2018 20:43:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pdx-caf-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI autolearn=unavailable autolearn_force=no version=3.4.0 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by smtp.codeaurora.org (Postfix) with ESMTP id AD995608C9; Thu, 7 Jun 2018 20:43:32 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org AD995608C9 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932582AbeFGUna (ORCPT + 25 others); Thu, 7 Jun 2018 16:43:30 -0400 Received: from mga09.intel.com ([134.134.136.24]:55802 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750892AbeFGUn2 (ORCPT ); Thu, 7 Jun 2018 16:43:28 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Jun 2018 13:43:28 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,488,1520924400"; d="scan'208";a="47626651" Received: from 2b52.sc.intel.com (HELO [143.183.136.51]) ([143.183.136.51]) by orsmga008.jf.intel.com with ESMTP; 07 Jun 2018 13:43:27 -0700 Message-ID: <1528404016.5646.0.camel@2b52.sc.intel.com> Subject: Re: [PATCH 05/10] x86/cet: ELF header parsing of Control Flow Enforcement From: Yu-cheng Yu To: Andy Lutomirski Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Date: Thu, 07 Jun 2018 13:40:16 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-6-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-06-07 at 11:38 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrote: > > > > Look in .note.gnu.property of an ELF file and check if shadow stack needs > > to be enabled for the task. > > Nice! But please structure it so it's one function that parses out > all the ELF notes and some other code (a table or a switch statement) > that handles them. We will probably want to add more kernel-parsed > ELF notes some day, so let's structure the code to make it easier. > > > +static int find_cet(u8 *buf, u32 size, u32 align, int *shstk, int *ibt) > > +{ > > + unsigned long start = (unsigned long)buf; > > + struct elf_note *note = (struct elf_note *)buf; > > + > > + *shstk = 0; > > + *ibt = 0; > > + > > + /* > > + * Go through the x86_note_gnu_property array pointed by > > + * buf and look for shadow stack and indirect branch > > + * tracking features. > > + * The GNU_PROPERTY_X86_FEATURE_1_AND entry contains only > > + * one u32 as data. Do not go beyond buf_size. > > + */ > > + > > + while ((unsigned long) (note + 1) - start < size) { > > + /* Find the NT_GNU_PROPERTY_TYPE_0 note. */ > > + if (note->n_namesz == 4 && > > + note->n_type == NT_GNU_PROPERTY_TYPE_0 && > > + memcmp(note + 1, "GNU", 4) == 0) { > > + u8 *ptr, *ptr_end; > > + > > + /* Check for invalid property. */ > > + if (note->n_descsz < 8 || > > + (note->n_descsz % align) != 0) > > + return 0; > > + > > + /* Start and end of property array. */ > > + ptr = (u8 *)(note + 1) + 4; > > + ptr_end = ptr + note->n_descsz; > > Exploitable bug here? You haven't checked that ptr is in bounds or > that ptr + ptr_end is in bounds (or that ptr_end > ptr, for that > matter). > > > + > > + while (1) { > > + u32 type = *(u32 *)ptr; > > + u32 datasz = *(u32 *)(ptr + 4); > > + > > + ptr += 8; > > + if ((ptr + datasz) > ptr_end) > > + break; > > + > > + if (type == GNU_PROPERTY_X86_FEATURE_1_AND && > > + datasz == 4) { > > + u32 p = *(u32 *)ptr; > > + > > + if (p & GNU_PROPERTY_X86_FEATURE_1_SHSTK) > > + *shstk = 1; > > + if (p & GNU_PROPERTY_X86_FEATURE_1_IBT) > > + *ibt = 1; > > + return 1; > > + } > > + } > > + } > > + > > + /* > > + * Note sections like .note.ABI-tag and .note.gnu.build-id > > + * are aligned to 4 bytes in 64-bit ELF objects. > > + */ > > + note = (void *)note + ELF_NOTE_NEXT_OFFSET(note, align); > > A malicious value here will probably just break out of the while > statement, but it's still scary. > > > + } > > + > > + return 0; > > +} > > + > > +static int check_pt_note_segment(struct file *file, > > + unsigned long note_size, loff_t *pos, > > + u32 align, int *shstk, int *ibt) > > +{ > > + int retval; > > + char *note_buf; > > + > > + /* > > + * Try to read in the whole PT_NOTE segment. > > + */ > > + note_buf = kmalloc(note_size, GFP_KERNEL); > > kmalloc() with fully user-controlled, unchecked size is not a good idea. I will fix these problems. Thanks! From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on archive.lwn.net X-Spam-Level: X-Spam-Status: No, score=-5.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=unavailable autolearn_force=no version=3.4.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by archive.lwn.net (Postfix) with ESMTP id E82357D062 for ; Thu, 7 Jun 2018 20:43:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932346AbeFGUn3 (ORCPT ); Thu, 7 Jun 2018 16:43:29 -0400 Received: from mga09.intel.com ([134.134.136.24]:55802 "EHLO mga09.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750892AbeFGUn2 (ORCPT ); Thu, 7 Jun 2018 16:43:28 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Jun 2018 13:43:28 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,488,1520924400"; d="scan'208";a="47626651" Received: from 2b52.sc.intel.com (HELO [143.183.136.51]) ([143.183.136.51]) by orsmga008.jf.intel.com with ESMTP; 07 Jun 2018 13:43:27 -0700 Message-ID: <1528404016.5646.0.camel@2b52.sc.intel.com> Subject: Re: [PATCH 05/10] x86/cet: ELF header parsing of Control Flow Enforcement From: Yu-cheng Yu To: Andy Lutomirski Cc: LKML , linux-doc@vger.kernel.org, Linux-MM , linux-arch , X86 ML , "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , "H. J. Lu" , "Shanbhogue, Vedvyas" , "Ravi V. Shankar" , Dave Hansen , Jonathan Corbet , Oleg Nesterov , Arnd Bergmann , mike.kravetz@oracle.com Date: Thu, 07 Jun 2018 13:40:16 -0700 In-Reply-To: References: <20180607143807.3611-1-yu-cheng.yu@intel.com> <20180607143807.3611-6-yu-cheng.yu@intel.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.10.4-0ubuntu2 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org On Thu, 2018-06-07 at 11:38 -0700, Andy Lutomirski wrote: > On Thu, Jun 7, 2018 at 7:41 AM Yu-cheng Yu wrote: > > > > Look in .note.gnu.property of an ELF file and check if shadow stack needs > > to be enabled for the task. > > Nice! But please structure it so it's one function that parses out > all the ELF notes and some other code (a table or a switch statement) > that handles them. We will probably want to add more kernel-parsed > ELF notes some day, so let's structure the code to make it easier. > > > +static int find_cet(u8 *buf, u32 size, u32 align, int *shstk, int *ibt) > > +{ > > + unsigned long start = (unsigned long)buf; > > + struct elf_note *note = (struct elf_note *)buf; > > + > > + *shstk = 0; > > + *ibt = 0; > > + > > + /* > > + * Go through the x86_note_gnu_property array pointed by > > + * buf and look for shadow stack and indirect branch > > + * tracking features. > > + * The GNU_PROPERTY_X86_FEATURE_1_AND entry contains only > > + * one u32 as data. Do not go beyond buf_size. > > + */ > > + > > + while ((unsigned long) (note + 1) - start < size) { > > + /* Find the NT_GNU_PROPERTY_TYPE_0 note. */ > > + if (note->n_namesz == 4 && > > + note->n_type == NT_GNU_PROPERTY_TYPE_0 && > > + memcmp(note + 1, "GNU", 4) == 0) { > > + u8 *ptr, *ptr_end; > > + > > + /* Check for invalid property. */ > > + if (note->n_descsz < 8 || > > + (note->n_descsz % align) != 0) > > + return 0; > > + > > + /* Start and end of property array. */ > > + ptr = (u8 *)(note + 1) + 4; > > + ptr_end = ptr + note->n_descsz; > > Exploitable bug here? You haven't checked that ptr is in bounds or > that ptr + ptr_end is in bounds (or that ptr_end > ptr, for that > matter). > > > + > > + while (1) { > > + u32 type = *(u32 *)ptr; > > + u32 datasz = *(u32 *)(ptr + 4); > > + > > + ptr += 8; > > + if ((ptr + datasz) > ptr_end) > > + break; > > + > > + if (type == GNU_PROPERTY_X86_FEATURE_1_AND && > > + datasz == 4) { > > + u32 p = *(u32 *)ptr; > > + > > + if (p & GNU_PROPERTY_X86_FEATURE_1_SHSTK) > > + *shstk = 1; > > + if (p & GNU_PROPERTY_X86_FEATURE_1_IBT) > > + *ibt = 1; > > + return 1; > > + } > > + } > > + } > > + > > + /* > > + * Note sections like .note.ABI-tag and .note.gnu.build-id > > + * are aligned to 4 bytes in 64-bit ELF objects. > > + */ > > + note = (void *)note + ELF_NOTE_NEXT_OFFSET(note, align); > > A malicious value here will probably just break out of the while > statement, but it's still scary. > > > + } > > + > > + return 0; > > +} > > + > > +static int check_pt_note_segment(struct file *file, > > + unsigned long note_size, loff_t *pos, > > + u32 align, int *shstk, int *ibt) > > +{ > > + int retval; > > + char *note_buf; > > + > > + /* > > + * Try to read in the whole PT_NOTE segment. > > + */ > > + note_buf = kmalloc(note_size, GFP_KERNEL); > > kmalloc() with fully user-controlled, unchecked size is not a good idea. I will fix these problems. Thanks! -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html