* [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
@ 2019-11-18 21:09 Kees Cook
2019-11-19 10:07 ` Borislav Petkov
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2019-11-18 21:09 UTC (permalink / raw)
To: Borislav Petkov
Cc: Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86, tyhicks,
colin.king, linux-security-module, Matthew Garrett
Zhang Xiaoxu noted that physical address locations for MTRR were
visible to non-root users, which could be considered an information
leak. In discussing[1] the options for solving this, it sounded like
just moving the capable check into open() was the first step. If this
breaks userspace, then we will have a test case for the more conservative
approaches discussed in the thread. In summary:
- MTRR should check capabilities at open time (or retain the
checks on the opener's permissions for later checks).
- changing the DAC permissions might break something that expects to
open mtrr when not uid 0.
- if we leave the DAC permissions alone and just move the capable check
to the opener, we should get the desired protection. (i.e. check
against CAP_SYS_ADMIN not just the wider uid 0.)
- if that still breaks things, as in userspace expects to be able to
read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
we need to censor the contents using the opener's permissions. For
example, as done in other /proc cases, like commit 51d7b120418e
("/proc/iomem: only expose physical resource addresses to privileged
users").
[1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
index 4d36dcc1cf87..9c86aeae1b14 100644
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
int length;
size_t linelen;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
memset(line, 0, LINE_SIZE);
len = min_t(size_t, len, LINE_SIZE - 1);
@@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 0);
@@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_add(sentry.base, sentry.size, sentry.type, false);
break;
case MTRRIOC_DEL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 0);
break;
case MTRRIOC_KILL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_ENTRY:
@@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 1);
@@ -289,8 +276,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_add_page(sentry.base, sentry.size, sentry.type, false);
break;
@@ -298,16 +283,12 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 1);
break;
case MTRRIOC_KILL_PAGE_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del_page(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_PAGE_ENTRY:
@@ -381,6 +362,8 @@ static int mtrr_open(struct inode *inode, struct file *file)
return -EIO;
if (!mtrr_if->get)
return -ENXIO;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return single_open(file, mtrr_seq_show, NULL);
}
--
2.17.1
--
Kees Cook
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
@ 2019-11-19 10:07 ` Borislav Petkov
2019-11-20 20:24 ` James Morris
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
1 sibling, 1 reply; 4+ messages in thread
From: Borislav Petkov @ 2019-11-19 10:07 UTC (permalink / raw)
To: Kees Cook
Cc: Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86, tyhicks,
colin.king, linux-security-module, Matthew Garrett
On Mon, Nov 18, 2019 at 01:09:21PM -0800, Kees Cook wrote:
> Zhang Xiaoxu noted that physical address locations for MTRR were
> visible to non-root users, which could be considered an information
> leak. In discussing[1] the options for solving this, it sounded like
> just moving the capable check into open() was the first step. If this
> breaks userspace, then we will have a test case for the more conservative
> approaches discussed in the thread. In summary:
>
> - MTRR should check capabilities at open time (or retain the
> checks on the opener's permissions for later checks).
>
> - changing the DAC permissions might break something that expects to
> open mtrr when not uid 0.
>
> - if we leave the DAC permissions alone and just move the capable check
> to the opener, we should get the desired protection. (i.e. check
> against CAP_SYS_ADMIN not just the wider uid 0.)
>
> - if that still breaks things, as in userspace expects to be able to
> read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
> we need to censor the contents using the opener's permissions. For
> example, as done in other /proc cases, like commit 51d7b120418e
> ("/proc/iomem: only expose physical resource addresses to privileged
> users").
>
> [1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
>
> Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
> 1 file changed, 2 insertions(+), 19 deletions(-)
Yap, LGTM, thanks!
Reviewed-by: Borislav Petkov <bp@suse.de>
However, as it has a user-visible impact and it is not an urgent thing
to have in the tree, I'd not queue this now but after the merge window
is done so that we have a maximum time of exposure in linux-next and we
can have ample time to addres fallout.
/me puts it on the list for after the merge window.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-19 10:07 ` Borislav Petkov
@ 2019-11-20 20:24 ` James Morris
0 siblings, 0 replies; 4+ messages in thread
From: James Morris @ 2019-11-20 20:24 UTC (permalink / raw)
To: Borislav Petkov
Cc: Kees Cook, Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86,
tyhicks, colin.king, linux-security-module, Matthew Garrett
On Tue, 19 Nov 2019, Borislav Petkov wrote:
> > arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
> > 1 file changed, 2 insertions(+), 19 deletions(-)
>
> Yap, LGTM, thanks!
>
> Reviewed-by: Borislav Petkov <bp@suse.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip: x86/mtrr] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
2019-11-19 10:07 ` Borislav Petkov
@ 2019-12-09 8:51 ` tip-bot2 for Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: tip-bot2 for Kees Cook @ 2019-12-09 8:51 UTC (permalink / raw)
To: linux-tip-commits
Cc: Zhang Xiaoxu, Kees Cook, Borislav Petkov, James Morris,
H. Peter Anvin, Colin Ian King, Ingo Molnar,
linux-security-module, Matthew Garrett, Thomas Gleixner,
Tyler Hicks, x86-ml, LKML
The following commit has been merged into the x86/mtrr branch of tip:
Commit-ID: 4fc265a9c9b258ddd7eafbd0dbfca66687c3d8aa
Gitweb: https://git.kernel.org/tip/4fc265a9c9b258ddd7eafbd0dbfca66687c3d8aa
Author: Kees Cook <keescook@chromium.org>
AuthorDate: Mon, 18 Nov 2019 13:09:21 -08:00
Committer: Borislav Petkov <bp@suse.de>
CommitterDate: Mon, 09 Dec 2019 09:24:24 +01:00
x86/mtrr: Require CAP_SYS_ADMIN for all access
Zhang Xiaoxu noted that physical address locations for MTRR were visible
to non-root users, which could be considered an information leak.
In discussing[1] the options for solving this, it sounded like just
moving the capable check into open() was the first step.
If this breaks userspace, then we will have a test case for the more
conservative approaches discussed in the thread. In summary:
- MTRR should check capabilities at open time (or retain the
checks on the opener's permissions for later checks).
- changing the DAC permissions might break something that expects to
open mtrr when not uid 0.
- if we leave the DAC permissions alone and just move the capable check
to the opener, we should get the desired protection. (i.e. check
against CAP_SYS_ADMIN not just the wider uid 0.)
- if that still breaks things, as in userspace expects to be able to
read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
we need to censor the contents using the opener's permissions. For
example, as done in other /proc cases, like commit
51d7b120418e ("/proc/iomem: only expose physical resource addresses to privileged users").
[1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-security-module@vger.kernel.org
Cc: Matthew Garrett <mjg59@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/201911181308.63F06502A1@keescook
---
arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
index 268d318..da532f6 100644
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
int length;
size_t linelen;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
memset(line, 0, LINE_SIZE);
len = min_t(size_t, len, LINE_SIZE - 1);
@@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 0);
@@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_add(sentry.base, sentry.size, sentry.type, false);
break;
case MTRRIOC_DEL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 0);
break;
case MTRRIOC_KILL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_ENTRY:
@@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 1);
@@ -289,8 +276,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_add_page(sentry.base, sentry.size, sentry.type, false);
break;
@@ -298,16 +283,12 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 1);
break;
case MTRRIOC_KILL_PAGE_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del_page(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_PAGE_ENTRY:
@@ -410,6 +391,8 @@ static int mtrr_open(struct inode *inode, struct file *file)
return -EIO;
if (!mtrr_if->get)
return -ENXIO;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return single_open(file, mtrr_seq_show, NULL);
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-09 8:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
2019-11-19 10:07 ` Borislav Petkov
2019-11-20 20:24 ` James Morris
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.