From: Mika Penttilä
Subject: Re: [PATCHv2 2/2] x86: SROP mitigation: implement signal cookies
To: Scott Bauer, linux-kernel@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com, x86@kernel.org, ak@linux.intel.com, luto@amacapital.net, mingo@redhat.com, tglx@linutronix.de, Abhiram Balasubramanian
Date: Sun, 7 Feb 2016 08:35:50 +0200
Message-ID: <56B6E5C6.4090209@nextfour.com>
In-Reply-To: <1454801964-50385-3-git-send-email-sbauer@eng.utah.edu>

Hi,

On 07.02.2016 01:39, Scott Bauer wrote:
> This patch adds SROP mitigation logic to the x86 signal delivery
> and sigreturn code. The cookie is placed in the unused alignment
> space above the saved FP state, if it exists. If there is no FP
> state to save then the cookie is placed in the alignment space above
> the sigframe.
>
> Cc: Abhiram Balasubramanian
> Signed-off-by: Scott Bauer > --- > arch/x86/ia32/ia32_signal.c | 63 +++++++++++++++++++++++++--- > arch/x86/include/asm/fpu/signal.h | 1 + > arch/x86/include/asm/sighandling.h | 5 ++- > arch/x86/kernel/fpu/signal.c | 10 +++++ > arch/x86/kernel/signal.c | 86 +++++++++++++++++++++++++++++++++----- > 5 files changed, 146 insertions(+), 19 deletions(-) > > diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c > index 0552884..2751f47 100644 > --- a/arch/x86/ia32/ia32_signal.c > +++ b/arch/x86/ia32/ia32_signal.c > @@ -68,7 +68,8 @@ > } > > static int ia32_restore_sigcontext(struct pt_regs *regs, > - struct sigcontext_32 __user *sc) > + struct sigcontext_32 __user *sc, > + void __user **user_cookie) > { > unsigned int tmpflags, err = 0; > void __user *buf; > @@ -105,6 +106,16 @@ static int ia32_restore_sigcontext(struct pt_regs *regs, > buf = compat_ptr(tmp); > } get_user_catch(err); > > + /* > + * If there is fp state get cookie from the top of the fp state, > + * else get it from the top of the sig frame. > + */ > + > + if (tmp != 0) > + *user_cookie = compat_ptr(tmp + fpu__getsize(1)); > + else > + *user_cookie = NULL; > + > err |= fpu__restore_sig(buf, 1); > > force_iret(); > @@ -117,6 +128,7 @@ asmlinkage long sys32_sigreturn(void) > struct pt_regs *regs = current_pt_regs(); > struct sigframe_ia32 __user *frame = (struct sigframe_ia32 __user *)(regs->sp-8); > sigset_t set; > + void __user *user_cookie; > > if (!access_ok(VERIFY_READ, frame, sizeof(*frame))) > goto badframe; > @@ -129,8 +141,15 @@ asmlinkage long sys32_sigreturn(void) > > set_current_blocked(&set); > > - if (ia32_restore_sigcontext(regs, &frame->sc)) > + if (ia32_restore_sigcontext(regs, &frame->sc, &user_cookie)) > + goto badframe; > + > + if (user_cookie == NULL) > + user_cookie = compat_ptr((regs->sp - 8) + sizeof(*frame)); > + > + if (verify_clear_sigcookie(user_cookie)) > goto badframe; > + > return regs->ax; > > badframe: 
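Review bot: in the ia32_restore_sigcontext() hunk (@@ -105,6 +106,16 @@), the cookie address `compat_ptr(tmp + fpu__getsize(1))` is derived from `tmp`, the fpstate pointer that was just read out of the user-supplied sigcontext (it is the same value used for `buf = compat_ptr(tmp)`), so userspace picks the address the cookie is read from and nothing in this hunk checks it. Either add an access_ok() here or state in the comment that verify_clear_sigcookie(), the consumer in the sigreturn hunks, is responsible for validating and copying from that address; the new out-parameter contract (NULL when there is no fp state) belongs in the function's comment as well. The stray blank line between the comment block and `if (tmp != 0)` can be dropped.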
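Review bot: in the sys32_sigreturn() hunk (@@ -129,8 +141,15 @@), the fallback `user_cookie = compat_ptr((regs->sp - 8) + sizeof(*frame));` rebuilds the frame address from `regs->sp` after ia32_restore_sigcontext() has already restored the user registers, so `regs->sp` no longer holds the value from which `frame` was computed at the top of the function (`(struct sigframe_ia32 __user *)(regs->sp-8)` in the @@ -117 hunk). The same problem Mika points out for sys32_rt_sigreturn() applies here: use the existing `frame` variable, e.g. `(void __user *)(frame + 1)`, so that the cookie is read from the end of the frame that was actually validated with access_ok() above.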
> @@ -142,6 +161,7 @@ asmlinkage long sys32_rt_sigreturn(void) > { > struct pt_regs *regs = current_pt_regs(); > struct rt_sigframe_ia32 __user *frame; > + void __user *user_cookie; > sigset_t set; > > frame = (struct rt_sigframe_ia32 __user *)(regs->sp - 4); > @@ -153,7 +173,13 @@ asmlinkage long sys32_rt_sigreturn(void) > > set_current_blocked(&set); > > - if (ia32_restore_sigcontext(regs, &frame->uc.uc_mcontext)) > + if (ia32_restore_sigcontext(regs, &frame->uc.uc_mcontext, &user_cookie)) > + goto badframe; > + > + if (user_cookie == NULL) > + user_cookie = (void __user *)((regs->sp - 4) + sizeof(*frame));
regs->sp is already restored so you should use frame instead.

--Mika
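Review bot: in the sys32_rt_sigreturn() hunk (@@ -153,7 +173,13 @@), beyond the stale `regs->sp` that Mika notes, the fallback is written as `(void __user *)((regs->sp - 4) + sizeof(*frame))` while the sys32_sigreturn() hunk uses `compat_ptr(...)` for the same computation; once both are based on `frame` (`(void __user *)(frame + 1)` works for either frame type), the two call sites become identical and the inconsistency disappears. The `user_cookie` declaration is also placed between `frame` and `set` here but after `set` in sys32_sigreturn(); pick one order.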