From: Thomas Garnier <thgarnie@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kees Cook" <keescook@chromium.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"David S . Miller" <davem@davemloft.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Petr Mladek" <pmladek@suse.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>,
"Ingo Molnar" <mingo@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"John Stultz" <john.stultz@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>
Subject: Re: [PATCH v2 1/4] syscalls: Restore address limit after a syscall
Date: Thu, 9 Mar 2017 07:52:30 -0800 [thread overview]
Message-ID: <CAJcbSZHY5Et+EqjbQPx4KfgAiaYCo29vFfSbX2Aj=BZBg8i0Gg@mail.gmail.com> (raw)
In-Reply-To: <20170309120955.GA6320@leverpostej>
On Thu, Mar 9, 2017 at 4:09 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> Hi,
>
> On Wed, Mar 08, 2017 at 05:24:53PM -0800, Thomas Garnier wrote:
>> This patch ensures a syscall does not return to user-mode with a kernel
>> address limit. If that happened, a process can corrupt kernel-mode
>> memory and elevate privileges.
>>
>> For example, it would mitigation this bug:
>>
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>>
>> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
>> state will result in a BUG_ON.
>>
>> The CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE option is also
>> added so each architecture can optimize this change.
>
>> +#ifndef CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
>> +static inline bool has_user_ds(void) {
>> + bool ret = segment_eq(get_fs(), USER_DS);
>> + // Prevent re-ordering the call
>> + barrier();
>
> What ordering are we trying to ensure, that isn't otherwise given?
>
> We expect get_fs() and set_fs() to be ordered w.r.t. each other and
> w.r.t. uaccess uses, or we'd need barriers all over the place.
>
> Given that, I can't see why we need a barrier here. So this needs a
> better comment, at least.
>
I was half sure of that so that's why I added the barrier. If it is
not needed then I can remove it. Thanks!
>> + return ret;
>> +}
>> +#else
>> +static inline bool has_user_ds(void) {
>> + return false;
>> +}
>> +#endif
>
> It would be simpler to wrap the call entirely, e.g. have:
>
> #ifdef CONFIG_WHATEVER
> static inline void verify_pre_usermode_state(void)
> {
> if (segment_eq(get_fs(), USER_DS))
> __verify_pre_usermode_state();
> }
> #else
> static inline void verify_pre_usermode_state(void) { }
> #endif
>
>> @@ -199,7 +215,10 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
>> { \
>> + bool user_caller = has_user_ds(); \
>> long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \
>> + if (user_caller) \
>> + verify_pre_usermode_state(); \
>
> ... then we can unconditionally use verify_pre_usermode_state() here ...
Not sure I understood that point. The goal is to see if get_fs was
changed, that's why I check before the syscall and I want to ensure
the call is not shuffled after the syscall, therefore the original
barrier.
>
>> __MAP(x,__SC_TEST,__VA_ARGS__); \
>> __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \
>> return ret; \
>
> [...]
>
>> +/* Called before coming back to user-mode */
>> +asmlinkage void verify_pre_usermode_state(void)
>
> ... and we just prepend a couple of underscores here.
>
>> +{
>> + if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
>> + "incorrect get_fs() on user-mode return"))
>> + set_fs(USER_DS);
>> +}
>
> Thanks,
> Mark.
--
Thomas
WARNING: multiple messages have this Message-ID (diff)
From: thgarnie@google.com (Thomas Garnier)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2 1/4] syscalls: Restore address limit after a syscall
Date: Thu, 9 Mar 2017 07:52:30 -0800 [thread overview]
Message-ID: <CAJcbSZHY5Et+EqjbQPx4KfgAiaYCo29vFfSbX2Aj=BZBg8i0Gg@mail.gmail.com> (raw)
In-Reply-To: <20170309120955.GA6320@leverpostej>
On Thu, Mar 9, 2017 at 4:09 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> Hi,
>
> On Wed, Mar 08, 2017 at 05:24:53PM -0800, Thomas Garnier wrote:
>> This patch ensures a syscall does not return to user-mode with a kernel
>> address limit. If that happened, a process can corrupt kernel-mode
>> memory and elevate privileges.
>>
>> For example, it would mitigation this bug:
>>
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>>
>> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
>> state will result in a BUG_ON.
>>
>> The CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE option is also
>> added so each architecture can optimize this change.
>
>> +#ifndef CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
>> +static inline bool has_user_ds(void) {
>> + bool ret = segment_eq(get_fs(), USER_DS);
>> + // Prevent re-ordering the call
>> + barrier();
>
> What ordering are we trying to ensure, that isn't otherwise given?
>
> We expect get_fs() and set_fs() to be ordered w.r.t. each other and
> w.r.t. uaccess uses, or we'd need barriers all over the place.
>
> Given that, I can't see why we need a barrier here. So this needs a
> better comment, at least.
>
I was half sure of that so that's why I added the barrier. If it is
not needed then I can remove it. Thanks!
>> + return ret;
>> +}
>> +#else
>> +static inline bool has_user_ds(void) {
>> + return false;
>> +}
>> +#endif
>
> It would be simpler to wrap the call entirely, e.g. have:
>
> #ifdef CONFIG_WHATEVER
> static inline void verify_pre_usermode_state(void)
> {
> if (segment_eq(get_fs(), USER_DS))
> __verify_pre_usermode_state();
> }
> #else
> static inline void verify_pre_usermode_state(void) { }
> #endif
>
>> @@ -199,7 +215,10 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
>> { \
>> + bool user_caller = has_user_ds(); \
>> long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \
>> + if (user_caller) \
>> + verify_pre_usermode_state(); \
>
> ... then we can unconditionally use verify_pre_usermode_state() here ...
Not sure I understood that point. The goal is to see if get_fs was
changed, that's why I check before the syscall and I want to ensure
the call is not shuffled after the syscall, therefore the original
barrier.
>
>> __MAP(x,__SC_TEST,__VA_ARGS__); \
>> __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \
>> return ret; \
>
> [...]
>
>> +/* Called before coming back to user-mode */
>> +asmlinkage void verify_pre_usermode_state(void)
>
> ... and we just prepend a couple of underscores here.
>
>> +{
>> + if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
>> + "incorrect get_fs() on user-mode return"))
>> + set_fs(USER_DS);
>> +}
>
> Thanks,
> Mark.
--
Thomas
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Garnier <thgarnie@google.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: "David Howells" <dhowells@redhat.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kees Cook" <keescook@chromium.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"David S . Miller" <davem@davemloft.net>,
"Andy Lutomirski" <luto@kernel.org>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Petr Mladek" <pmladek@suse.com>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>,
"Ingo Molnar" <mingo@kernel.org>,
"Oleg Nesterov" <oleg@redhat.com>,
"John Stultz" <john.stultz@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
"Frederic Weisbecker" <fweisbec@gmail.com>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Stanislav Kinsburskiy" <skinsbursky@virtuozzo.com>,
"Ingo Molnar" <mingo@redhat.com>,
"H . Peter Anvin" <hpa@zytor.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Borislav Petkov" <bp@alien8.de>,
"Josh Poimboeuf" <jpoimboe@redhat.com>,
"Brian Gerst" <brgerst@gmail.com>,
"Jan Beulich" <JBeulich@suse.com>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Luis R . Rodriguez" <mcgrof@kernel.org>,
"He Chen" <he.chen@linux.intel.com>,
"Russell King" <linux@armlinux.org.uk>,
"Will Deacon" <will.deacon@arm.com>,
"Catalin Marinas" <catalin.marinas@arm.com>,
"James Morse" <james.morse@arm.com>,
"Pratyush Anand" <panand@redhat.com>,
"Vladimir Murzin" <vladimir.murzin@arm.com>,
"Chris Metcalf" <cmetcalf@mellanox.com>,
"Andre Przywara" <andre.przywara@arm.com>,
"Linux API" <linux-api@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
linux-arm-kernel@lists.infradead.org,
"Kernel Hardening" <kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH v2 1/4] syscalls: Restore address limit after a syscall
Date: Thu, 9 Mar 2017 07:52:30 -0800 [thread overview]
Message-ID: <CAJcbSZHY5Et+EqjbQPx4KfgAiaYCo29vFfSbX2Aj=BZBg8i0Gg@mail.gmail.com> (raw)
In-Reply-To: <20170309120955.GA6320@leverpostej>
On Thu, Mar 9, 2017 at 4:09 AM, Mark Rutland <mark.rutland@arm.com> wrote:
> Hi,
>
> On Wed, Mar 08, 2017 at 05:24:53PM -0800, Thomas Garnier wrote:
>> This patch ensures a syscall does not return to user-mode with a kernel
>> address limit. If that happened, a process can corrupt kernel-mode
>> memory and elevate privileges.
>>
>> For example, it would mitigation this bug:
>>
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>>
>> If the CONFIG_BUG_ON_DATA_CORRUPTION option is enabled, an incorrect
>> state will result in a BUG_ON.
>>
>> The CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE option is also
>> added so each architecture can optimize this change.
>
>> +#ifndef CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
>> +static inline bool has_user_ds(void) {
>> + bool ret = segment_eq(get_fs(), USER_DS);
>> + // Prevent re-ordering the call
>> + barrier();
>
> What ordering are we trying to ensure, that isn't otherwise given?
>
> We expect get_fs() and set_fs() to be ordered w.r.t. each other and
> w.r.t. uaccess uses, or we'd need barriers all over the place.
>
> Given that, I can't see why we need a barrier here. So this needs a
> better comment, at least.
>
I was half sure of that so that's why I added the barrier. If it is
not needed then I can remove it. Thanks!
>> + return ret;
>> +}
>> +#else
>> +static inline bool has_user_ds(void) {
>> + return false;
>> +}
>> +#endif
>
> It would be simpler to wrap the call entirely, e.g. have:
>
> #ifdef CONFIG_WHATEVER
> static inline void verify_pre_usermode_state(void)
> {
> if (segment_eq(get_fs(), USER_DS))
> __verify_pre_usermode_state();
> }
> #else
> static inline void verify_pre_usermode_state(void) { }
> #endif
>
>> @@ -199,7 +215,10 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
>> { \
>> + bool user_caller = has_user_ds(); \
>> long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \
>> + if (user_caller) \
>> + verify_pre_usermode_state(); \
>
> ... then we can unconditionally use verify_pre_usermode_state() here ...
Not sure I understood that point. The goal is to see if get_fs was
changed, that's why I check before the syscall and I want to ensure
the call is not shuffled after the syscall, therefore the original
barrier.
>
>> __MAP(x,__SC_TEST,__VA_ARGS__); \
>> __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \
>> return ret; \
>
> [...]
>
>> +/* Called before coming back to user-mode */
>> +asmlinkage void verify_pre_usermode_state(void)
>
> ... and we just prepend a couple of underscores here.
>
>> +{
>> + if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS),
>> + "incorrect get_fs() on user-mode return"))
>> + set_fs(USER_DS);
>> +}
>
> Thanks,
> Mark.
--
Thomas
next prev parent reply other threads:[~2017-03-09 15:52 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 1:24 [PATCH v2 1/4] syscalls: Restore address limit after a syscall Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 3/4] arm/syscalls: " Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 1:24 ` [PATCH v2 4/4] arm64/syscalls: " Thomas Garnier
2017-03-09 1:24 ` [kernel-hardening] " Thomas Garnier
2017-03-09 12:23 ` Mark Rutland
2017-03-09 12:23 ` [kernel-hardening] " Mark Rutland
2017-03-09 12:23 ` Mark Rutland
2017-03-09 15:56 ` Thomas Garnier
2017-03-09 15:56 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:56 ` Thomas Garnier
2017-03-09 16:05 ` Mark Rutland
2017-03-09 16:05 ` [kernel-hardening] " Mark Rutland
2017-03-09 16:05 ` Mark Rutland
2017-03-09 16:19 ` Thomas Garnier
2017-03-09 16:19 ` [kernel-hardening] " Thomas Garnier
2017-03-09 16:19 ` Thomas Garnier
2017-03-09 16:26 ` Russell King - ARM Linux
2017-03-09 16:26 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 16:26 ` Russell King - ARM Linux
2017-03-09 16:35 ` Thomas Garnier
2017-03-09 16:35 ` [kernel-hardening] " Thomas Garnier
2017-03-09 16:35 ` Thomas Garnier
2017-03-09 17:05 ` Russell King - ARM Linux
2017-03-09 17:05 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 17:05 ` Russell King - ARM Linux
2017-03-09 8:42 ` [PATCH v2 1/4] syscalls: Restore address limit after a syscall Borislav Petkov
2017-03-09 8:42 ` [kernel-hardening] " Borislav Petkov
2017-03-09 8:42 ` Borislav Petkov
2017-03-09 15:48 ` Thomas Garnier
2017-03-09 15:48 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:48 ` Thomas Garnier
2017-03-09 17:27 ` Andy Lutomirski
2017-03-09 17:27 ` [kernel-hardening] " Andy Lutomirski
2017-03-09 17:41 ` Thomas Garnier
2017-03-09 17:41 ` [kernel-hardening] " Thomas Garnier
2017-03-09 10:39 ` Sergey Senozhatsky
2017-03-09 10:39 ` [kernel-hardening] " Sergey Senozhatsky
2017-03-09 12:09 ` Mark Rutland
2017-03-09 12:09 ` [kernel-hardening] " Mark Rutland
2017-03-09 12:09 ` Mark Rutland
2017-03-09 13:44 ` Russell King - ARM Linux
2017-03-09 13:44 ` [kernel-hardening] " Russell King - ARM Linux
2017-03-09 13:44 ` Russell King - ARM Linux
2017-03-09 15:21 ` Mark Rutland
2017-03-09 15:21 ` [kernel-hardening] " Mark Rutland
2017-03-09 15:21 ` Mark Rutland
2017-03-09 15:54 ` Thomas Garnier
2017-03-09 15:54 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:54 ` Thomas Garnier
2017-03-09 15:52 ` Thomas Garnier [this message]
2017-03-09 15:52 ` [kernel-hardening] " Thomas Garnier
2017-03-09 15:52 ` Thomas Garnier
2017-03-09 12:32 ` Christian Borntraeger
2017-03-09 12:32 ` [kernel-hardening] " Christian Borntraeger
2017-03-09 15:53 ` Thomas Garnier
2017-03-09 15:53 ` [kernel-hardening] " Thomas Garnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJcbSZHY5Et+EqjbQPx4KfgAiaYCo29vFfSbX2Aj=BZBg8i0Gg@mail.gmail.com' \
--to=thgarnie@google.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bigeasy@linutronix.de \
--cc=dave.hansen@intel.com \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=dhowells@redhat.com \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=luto@kernel.org \
--cc=mail@renenyffenegger.ch \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pmladek@suse.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=riel@redhat.com \
--cc=sergey.senozhatsky@gmail.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.