From: Kees Cook <keescook@chromium.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Peter Collingbourne <pcc@google.com>
Cc: Jann Horn <jannh@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Juri Lelli <juri.lelli@redhat.com>,
Vincent Guittot <vincent.guittot@linaro.org>,
Dietmar Eggemann <dietmar.eggemann@arm.com>,
Steven Rostedt <rostedt@goodmis.org>,
Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
Daniel Bristot de Oliveira <bristot@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
YiFei Zhu <yifeifz2@illinois.edu>,
Colin Ian King <colin.king@canonical.com>,
Mark Rutland <mark.rutland@arm.com>,
Frederic Weisbecker <frederic@kernel.org>,
Viresh Kumar <viresh.kumar@linaro.org>,
Andrey Konovalov <andreyknvl@gmail.com>,
Gabriel Krisman Bertazi <krisman@collabora.com>,
Balbir Singh <sblbir@amazon.com>,
Chris Hyser <chris.hyser@oracle.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Chris Wilson <chris@chris-wilson.co.uk>,
Arnd Bergmann <arnd@arndb.de>, Dmitry Vyukov <dvyukov@google.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Alexey Gladkov <legion@kernel.org>,
Ran Xiaokai <ran.xiaokai@zte.com.cn>,
David Hildenbrand <david@redhat.com>,
Xiaofeng Cao <caoxiaofeng@yulong.com>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Thomas Cedeno <thomascedeno@google.com>,
Marco Elver <elver@google.com>,
Alexander Potapenko <glider@google.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
Evgenii Stepanov <eugenis@google.com>
Subject: Re: [PATCH] kernel: introduce prctl(PR_LOG_UACCESS)
Date: Wed, 22 Sep 2021 08:30:40 -0700 [thread overview]
Message-ID: <202109220755.B0CFED9F5@keescook> (raw)
In-Reply-To: <87k0j8zo35.fsf@disp2133>
On Wed, Sep 22, 2021 at 09:23:10AM -0500, Eric W. Biederman wrote:
> Peter Collingbourne <pcc@google.com> writes:
>
> > This patch introduces a kernel feature known as uaccess logging.
> > With uaccess logging, the userspace program passes the address and size
> > of a so-called uaccess buffer to the kernel via a prctl(). The prctl()
> > is a request for the kernel to log any uaccesses made during the next
> > syscall to the uaccess buffer. When the next syscall returns, the address
> > one past the end of the logged uaccess buffer entries is written to the
> > location specified by the third argument to the prctl(). In this way,
> > the userspace program may enumerate the uaccesses logged to the access
> > buffer to determine which accesses occurred.
> > [...]
> > 3) Kernel fuzzing. We may use the list of reported kernel accesses to
> > guide a kernel fuzzing tool such as syzkaller (so that it knows which
> > parts of user memory to fuzz), as an alternative to providing the tool
> > with a list of syscalls and their uaccesses (which again thanks to
> > (2) may not be accurate).
>
> How is logging the kernel's activity like this not a significant
> information leak? How is this safe for unprivileged users?
This does result in userspace being able to "watch" the kernel progress
through a syscall. I'd say it's less dangerous than userfaultfd, but
still worrisome. (And userfaultfd is normally disabled[1] for unprivileged
users trying to interpose the kernel accessing user memory.)
Regardless, this is a pretty useful tool for this kind of fuzzing.
Perhaps the timing exposure could be mitigated by having the kernel
collect the record in a separate kernel-allocated buffer and flush the
results to userspace at syscall exit? (This would solve the
copy_to_user() recursion issue too.)
I'm pondering what else might be getting exposed by creating this level
of probing... kernel addresses would already be getting rejected, so
they wouldn't show up in the buffer. Hmm. Jann, any thoughts here?
Some other thoughts:
Instead of reimplementing copy_*_user() with a new wrapper that
bypasses some checks and adds others and has to stay in sync, etc,
how about just adding a "recursion" flag? Something like:
copy_from_user(...)
instrument_copy_from_user(...)
uaccess_buffer_log_read(...)
if (current->uaccess_buffer.writing)
return;
uaccess_buffer_log(...)
current->uaccess_buffer.writing = true;
copy_to_user(...)
current->uaccess_buffer.writing = false;
How about using this via seccomp instead of a per-syscall prctl? This
would mean you would have very specific control over which syscalls
should get the uaccess tracing, and wouldn't need to deal with
the signal mask (I think). I would imagine something similar to
SECCOMP_FILTER_FLAG_LOG, maybe SECCOMP_FILTER_FLAG_UACCESS_TRACE, and
add a new top-level seccomp command, (like SECCOMP_GET_NOTIF_SIZES)
maybe named SECCOMP_SET_UACCESS_TRACE_BUFFER.
This would likely only make sense for SECCOMP_RET_TRACE or _TRAP if the
program wants to collect the results after every syscall. And maybe this
won't make any sense across exec (losing the mm that was used during
SECCOMP_SET_UACCESS_TRACE_BUFFER). Hmmm.
-Kees
[1] https://git.kernel.org/linus/d0d4730ac2e404a5b0da9a87ef38c73e51cb1664
--
Kees Cook
WARNING: multiple messages have this Message-ID (diff)
From: Kees Cook <keescook@chromium.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Peter Collingbourne <pcc@google.com>
Cc: Jann Horn <jannh@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Juri Lelli <juri.lelli@redhat.com>,
Vincent Guittot <vincent.guittot@linaro.org>,
Dietmar Eggemann <dietmar.eggemann@arm.com>,
Steven Rostedt <rostedt@goodmis.org>,
Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>,
Daniel Bristot de Oliveira <bristot@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
YiFei Zhu <yifeifz2@illinois.edu>,
Colin Ian King <colin.king@canonical.com>,
Mark Rutland <mark.rutland@arm.com>,
Frederic Weisbecker <frederic@kernel.org>,
Viresh Kumar <viresh.kumar@linaro.org>,
Andrey Konovalov <andreyknvl@gmail.com>,
Gabriel Krisman Bertazi <krisman@collabora.com>,
Balbir Singh <sblbir@amazon.com>,
Chris Hyser <chris.hyser@oracle.com>,
Daniel Vetter <daniel.vetter@ffwll.ch>,
Chris Wilson <chris@chris-wilson.co.uk>,
Arnd Bergmann <arnd@arndb.de>, Dmitry Vyukov <dvyukov@google.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Alexey Gladkov <legion@kernel.org>,
Ran Xiaokai <ran.xiaokai@zte.com.cn>,
David Hildenbrand <david@redhat.com>,
Xiaofeng Cao <caoxiaofeng@yulong.com>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Thomas Cedeno <thomascedeno@google.com>,
Marco Elver <elver@google.com>,
Alexander Potapenko <glider@google.com>,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
Evgenii Stepanov <eugenis@google.com>
Subject: Re: [PATCH] kernel: introduce prctl(PR_LOG_UACCESS)
Date: Wed, 22 Sep 2021 08:30:40 -0700 [thread overview]
Message-ID: <202109220755.B0CFED9F5@keescook> (raw)
In-Reply-To: <87k0j8zo35.fsf@disp2133>
On Wed, Sep 22, 2021 at 09:23:10AM -0500, Eric W. Biederman wrote:
> Peter Collingbourne <pcc@google.com> writes:
>
> > This patch introduces a kernel feature known as uaccess logging.
> > With uaccess logging, the userspace program passes the address and size
> > of a so-called uaccess buffer to the kernel via a prctl(). The prctl()
> > is a request for the kernel to log any uaccesses made during the next
> > syscall to the uaccess buffer. When the next syscall returns, the address
> > one past the end of the logged uaccess buffer entries is written to the
> > location specified by the third argument to the prctl(). In this way,
> > the userspace program may enumerate the uaccesses logged to the access
> > buffer to determine which accesses occurred.
> > [...]
> > 3) Kernel fuzzing. We may use the list of reported kernel accesses to
> > guide a kernel fuzzing tool such as syzkaller (so that it knows which
> > parts of user memory to fuzz), as an alternative to providing the tool
> > with a list of syscalls and their uaccesses (which again thanks to
> > (2) may not be accurate).
>
> How is logging the kernel's activity like this not a significant
> information leak? How is this safe for unprivileged users?
This does result in userspace being able to "watch" the kernel progress
through a syscall. I'd say it's less dangerous than userfaultfd, but
still worrisome. (And userfaultfd is normally disabled[1] for unprivileged
users trying to interpose the kernel accessing user memory.)
Regardless, this is a pretty useful tool for this kind of fuzzing.
Perhaps the timing exposure could be mitigated by having the kernel
collect the record in a separate kernel-allocated buffer and flush the
results to userspace at syscall exit? (This would solve the
copy_to_user() recursion issue too.)
I'm pondering what else might be getting exposed by creating this level
of probing... kernel addresses would already be getting rejected, so
they wouldn't show up in the buffer. Hmm. Jann, any thoughts here?
Some other thoughts:
Instead of reimplementing copy_*_user() with a new wrapper that
bypasses some checks and adds others and has to stay in sync, etc,
how about just adding a "recursion" flag? Something like:
copy_from_user(...)
instrument_copy_from_user(...)
uaccess_buffer_log_read(...)
if (current->uaccess_buffer.writing)
return;
uaccess_buffer_log(...)
current->uaccess_buffer.writing = true;
copy_to_user(...)
current->uaccess_buffer.writing = false;
How about using this via seccomp instead of a per-syscall prctl? This
would mean you would have very specific control over which syscalls
should get the uaccess tracing, and wouldn't need to deal with
the signal mask (I think). I would imagine something similar to
SECCOMP_FILTER_FLAG_LOG, maybe SECCOMP_FILTER_FLAG_UACCESS_TRACE, and
add a new top-level seccomp command, (like SECCOMP_GET_NOTIF_SIZES)
maybe named SECCOMP_SET_UACCESS_TRACE_BUFFER.
This would likely only make sense for SECCOMP_RET_TRACE or _TRAP if the
program wants to collect the results after every syscall. And maybe this
won't make any sense across exec (losing the mm that was used during
SECCOMP_SET_UACCESS_TRACE_BUFFER). Hmmm.
-Kees
[1] https://git.kernel.org/linus/d0d4730ac2e404a5b0da9a87ef38c73e51cb1664
--
Kees Cook
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-09-22 15:30 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-22 6:18 [PATCH] kernel: introduce prctl(PR_LOG_UACCESS) Peter Collingbourne
2021-09-22 6:18 ` Peter Collingbourne
2021-09-22 6:30 ` Cyrill Gorcunov
2021-09-22 6:30 ` Cyrill Gorcunov
2021-11-23 5:17 ` Peter Collingbourne
2021-11-23 5:17 ` Peter Collingbourne
2021-09-22 10:44 ` Marco Elver
2021-09-22 10:44 ` Marco Elver
2021-11-23 5:17 ` Peter Collingbourne
2021-11-23 5:17 ` Peter Collingbourne
2021-09-22 13:45 ` Dmitry Vyukov
2021-09-22 13:45 ` Dmitry Vyukov
2021-09-22 22:30 ` Peter Collingbourne
2021-09-22 22:30 ` Peter Collingbourne
2021-09-22 14:23 ` Eric W. Biederman
2021-09-22 14:23 ` Eric W. Biederman
2021-09-22 15:30 ` Kees Cook [this message]
2021-09-22 15:30 ` Kees Cook
2021-09-22 15:59 ` Jann Horn
2021-09-22 15:59 ` Jann Horn
2021-09-24 21:50 ` Peter Collingbourne
2021-09-24 21:50 ` Peter Collingbourne
2021-09-26 2:20 ` Kees Cook
2021-09-26 2:20 ` Kees Cook
2021-11-23 5:17 ` Peter Collingbourne
2021-11-23 5:17 ` Peter Collingbourne
2021-09-22 17:46 ` David Hildenbrand
2021-09-22 17:46 ` David Hildenbrand
2021-09-22 19:22 ` Steven Rostedt
2021-09-22 19:22 ` Steven Rostedt
2021-09-22 19:53 ` Peter Zijlstra
2021-09-22 19:53 ` Peter Zijlstra
2021-09-22 22:05 ` Peter Collingbourne
2021-09-22 22:05 ` Peter Collingbourne
2021-09-23 8:08 ` David Hildenbrand
2021-09-23 8:08 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202109220755.B0CFED9F5@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=arnd@arndb.de \
--cc=bristot@redhat.com \
--cc=bsegall@google.com \
--cc=caoxiaofeng@yulong.com \
--cc=catalin.marinas@arm.com \
--cc=chris.hyser@oracle.com \
--cc=chris@chris-wilson.co.uk \
--cc=christian.brauner@ubuntu.com \
--cc=colin.king@canonical.com \
--cc=daniel.vetter@ffwll.ch \
--cc=david@redhat.com \
--cc=dietmar.eggemann@arm.com \
--cc=dvyukov@google.com \
--cc=ebiederm@xmission.com \
--cc=elver@google.com \
--cc=eugenis@google.com \
--cc=frederic@kernel.org \
--cc=glider@google.com \
--cc=gorcunov@gmail.com \
--cc=jannh@google.com \
--cc=juri.lelli@redhat.com \
--cc=krisman@collabora.com \
--cc=legion@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=masahiroy@kernel.org \
--cc=mgorman@suse.de \
--cc=mingo@redhat.com \
--cc=pcc@google.com \
--cc=peterz@infradead.org \
--cc=ran.xiaokai@zte.com.cn \
--cc=rostedt@goodmis.org \
--cc=samitolvanen@google.com \
--cc=sblbir@amazon.com \
--cc=tglx@linutronix.de \
--cc=thomascedeno@google.com \
--cc=vincent.guittot@linaro.org \
--cc=viresh.kumar@linaro.org \
--cc=will@kernel.org \
--cc=yifeifz2@illinois.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.