From: Jann Horn <jannh@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Guixiong Wei <guixiongwei@gmail.com>,
linux-hardening@vger.kernel.org, jgross@suse.com,
boris.ostrovsky@oracle.com, linux-kernel@vger.kernel.org,
Guixiong Wei <weiguixiong@bytedance.com>
Subject: Re: [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access
Date: Mon, 19 Feb 2024 14:21:37 +0100 [thread overview]
Message-ID: <CAG48ez32+y7jK5e7WHJxD9aP20WHLmHiXX8U8F=jBtFO3qakAQ@mail.gmail.com> (raw)
In-Reply-To: <2024021825-skiing-trustee-a56a@gregkh>
On Sun, Feb 18, 2024 at 8:47 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Sun, Feb 18, 2024 at 03:35:01PM +0800, Guixiong Wei wrote:
> > From: Guixiong Wei <weiguixiong@bytedance.com>
> >
> > Restrict non-privileged user access to /sys/kernel/notes to
> > avoid security attack.
> >
> > The non-privileged users have read access to notes. The notes
> > expose the load address of startup_xen. This address could be
> > used to bypass KASLR.
>
> How can it be used to bypass it?
>
> KASLR is, for local users, pretty much not an issue, as that's not what
> it protects from, only remote ones.
>
> > For example, the startup_xen is built at 0xffffffff82465180 and
> > commit_creds is built at 0xffffffff810ad570 which could read from
> > the /boot/System.map. And the loaded address of startup_xen is
> > 0xffffffffbc265180 which read from /sys/kernel/notes. So the loaded
> > address of commit_creds is 0xffffffffbc265180 - (0xffffffff82465180
> > - 0xffffffff810ad570) = 0xffffffffbaead570.
>
> I've cc: the hardening list on this, I'm sure the developers there have
> opinions about this.
>
> > Signed-off-by: Guixiong Wei <weiguixiong@bytedance.com>
> > ---
> > kernel/ksysfs.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
> > index b1292a57c2a5..09bc0730239b 100644
> > --- a/kernel/ksysfs.c
> > +++ b/kernel/ksysfs.c
> > @@ -199,7 +199,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
> > static struct bin_attribute notes_attr __ro_after_init = {
> > .attr = {
> > .name = "notes",
> > - .mode = S_IRUGO,
> > + .mode = S_IRUSR,
> > },
> > .read = ¬es_read,
> > };
>
> No objection from me, but what userspace tool requires access to this
> file today? Will it break if permissions are changed on it?
FWIW, https://codesearch.debian.net/search?q=%2Fsys%2Fkernel%2Fnotes&literal=1
shows that (from what I can tell) this is mostly used by stuff like
perf, libdwfl and systemtap for figuring out the kernel's build-id,
probably mostly for kernel profiling?
next prev parent reply other threads:[~2024-02-19 13:22 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-18 7:35 [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access Guixiong Wei
2024-02-18 7:47 ` Greg KH
2024-02-18 9:04 ` Kees Cook
2024-02-19 11:41 ` Guixiong Wei
2024-02-19 13:07 ` Jürgen Groß
2024-02-19 13:21 ` Jann Horn [this message]
[not found] <CAJe52t-XxSn2rK+wEg1hNAdsPdq+TO-fj3wEYPK_eBH0d-bsSg@mail.gmail.com>
2024-02-18 7:16 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAG48ez32+y7jK5e7WHJxD9aP20WHLmHiXX8U8F=jBtFO3qakAQ@mail.gmail.com' \
--to=jannh@google.com \
--cc=boris.ostrovsky@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=guixiongwei@gmail.com \
--cc=jgross@suse.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=weiguixiong@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.