[PATCH v3 0/5] hardening : prevent write to proces's read-only pages

[PATCH v3 0/5] hardening : prevent write to proces's read-only pages

[Lev Olshvang]

v2 --> v3
	Split patch to architecture independ part and separate patches
	for architectures that have arch_vma_access_permitted() handler.
	I tested it only on arm and x86
v1 --> v2
	I sent empty v1 patch, just resending
v0 --> v1
---
	Added sysctl_forbid_write_ro_mem to control whether to allow write
    or deny. (Advised by Kees Cook, KSPP issue 37)
    It has values range [0-2] and it gets the initial value from
    CONFIG_PROTECT_READONLY_USER_MEMORY (defaulted to 0, so it cant break)
    Setting it to 0 disables write checks.
    Setting it to 1 deny writes from other processes.
    Setting it to 2 deny writes from any processes including itself
----
v0
----

The purpose of this patch is produce hardened kernel for Embedded
or Production systems.
This patch shouild close issue 37 opened by Kees Cook in KSPP project

Typically debuggers, such as gdb, write to read-only code [text]
sections of target process.(ptrace)
This kind of page protectiion violation raises minor page fault, but
kernel's fault handler allows it by default.
This is clearly attack surface for adversary.

The proposed kernel hardening configuration option checks the type of
protection of the foreign vma and blocks writes to read only vma.

When enabled, it will stop attacks modifying code or jump tables, etc.

Code of arch_vma_access_permitted() function was extended to
check foreign vma flags.

Tested on x86_64 and ARM(QEMU) with dd command which writes to
/proc/PID/mem in r--p or r--xp of vma area addresses range

dd reports IO failure when tries to write to adress taken from
from /proc/PID/maps (PLT or code section)


Lev Olshvang (5):
  Hardening x86: Forbid writes to read-only memory pages of a process
  Hardening PowerPC: Forbid writes to read-only memory pages of a
    process
  Hardening um: Forbid writes to read-only memory pages of a process
  Hardening unicore32: Forbid writes to read-only memory pages of a
    process
  Hardening : PPC book3s64: Forbid writes to read-only memory pages of a
    process

 arch/powerpc/include/asm/mmu_context.h   | 9 +--------
 arch/powerpc/mm/book3s64/pkeys.c         | 5 -----
 arch/um/include/asm/mmu_context.h        | 8 +-------
 arch/unicore32/include/asm/mmu_context.h | 7 +------
 arch/x86/include/asm/mmu_context.h       | 8 +-------
 5 files changed, 4 insertions(+), 33 deletions(-)

-- 
2.17.1

[PATCH v3 1/5] Hardening x86: Forbid writes to read-only memory pages of a process

[Lev Olshvang]

Signed-off-by: Lev Olshvang <levonshe@gmail.com>
---
 arch/x86/include/asm/mmu_context.h | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index 701a7367babf..4e55370e48e8 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -5,7 +5,6 @@
 #include <asm/desc.h>
 #include <linux/atomic.h>
 #include <linux/mm_types.h>
-#include <linux/printk.h>
 #include <linux/pkeys.h>
 
 #include <trace/events/tlb.h>
@@ -217,12 +216,7 @@ static inline void arch_unmap(struct mm_struct *mm, unsigned long start,
 static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
 		bool write, bool execute, bool foreign)
 {
-	if (unlikely(!vma_write_allowed(vma, write, execute, foreign))) {
-		pr_err_once("Error : PID[%d] %s writes to read only memory\n",
-			current->tgid, current->comm);
-		return false;
-	}
-	/* Don't check PKRU since pkeys never affect instruction fetches */
+	/* pkeys never affect instruction fetches */
 	if (execute)
 		return true;
 	/* allow access if the VMA is not one from this process */
-- 
2.17.1

[PATCH v3 2/5] Hardening PowerPC: Forbid writes to read-only memory pages of a process

[Lev Olshvang]

Signed-off-by: Lev Olshvang <levonshe@gmail.com>
---
 arch/powerpc/include/asm/mmu_context.h | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/arch/powerpc/include/asm/mmu_context.h b/arch/powerpc/include/asm/mmu_context.h
index ddd6d01dd2a1..f4b6b44e304c 100644
--- a/arch/powerpc/include/asm/mmu_context.h
+++ b/arch/powerpc/include/asm/mmu_context.h
@@ -10,7 +10,6 @@
 #include <asm/mmu.h>
 #include <asm/cputable.h>
 #include <asm/cputhreads.h>
-#include <linux/sched.h>
 
 /*
  * Most if the context management is out of line
@@ -248,15 +247,9 @@ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
 		bool write, bool execute, bool foreign)
 {
 	/* by default, allow everything */
-	if (likely(vma_write_allowed(vma, write, execute, foreign)))
-		return true;
-
-	pr_err_once("Error : PID[%d] %s writes to read only memory\n",
-			current->tgid, current->comm);
-	return false;
+	return true;
 }
 
-#endif
 #define pkey_mm_init(mm)
 #define thread_pkey_regs_save(thread)
 #define thread_pkey_regs_restore(new_thread, old_thread)
-- 
2.17.1

[PATCH v3 3/5] Hardening um: Forbid writes to read-only memory pages of a process

[Lev Olshvang]

Signed-off-by: Lev Olshvang <levonshe@gmail.com>
---
 arch/um/include/asm/mmu_context.h | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/arch/um/include/asm/mmu_context.h b/arch/um/include/asm/mmu_context.h
index 3dcee05f950f..b4deb1bfbb68 100644
--- a/arch/um/include/asm/mmu_context.h
+++ b/arch/um/include/asm/mmu_context.h
@@ -8,7 +8,6 @@
 
 #include <linux/sched.h>
 #include <linux/mm_types.h>
-#include <linux/mm.h>
 
 #include <asm/mmu.h>
 
@@ -30,12 +29,7 @@ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
 		bool write, bool execute, bool foreign)
 {
 	/* by default, allow everything */
-	if (likely(vma_write_allowed(vma, write, execute, foreign)))
-		return true;
-
-	pr_err_once("Error : PID[%d] %s writes to read only memory\n",
-			current->tgid, current->comm);
-	return false;
+	return true;
 }
 
 /*
-- 
2.17.1

[PATCH v3 4/5] Hardening unicore32: Forbid writes to read-only memory pages of a process

[Lev Olshvang]

Signed-off-by: Lev Olshvang <levonshe@gmail.com>
---
 arch/unicore32/include/asm/mmu_context.h | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/arch/unicore32/include/asm/mmu_context.h b/arch/unicore32/include/asm/mmu_context.h
index 50961d4b4951..388c0c811c68 100644
--- a/arch/unicore32/include/asm/mmu_context.h
+++ b/arch/unicore32/include/asm/mmu_context.h
@@ -93,11 +93,6 @@ static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
 		bool write, bool execute, bool foreign)
 {
 	/* by default, allow everything */
-	if (likely(vma_write_allowed(vma, write, execute, foreign)))
-		return true;
-
-	pr_err_once("Error : PID[%d] %s writes to read only memory\n",
-			current->tgid, current->comm);
-	return false;
+	return true;
 }
 #endif
-- 
2.17.1

[PATCH v3 5/5] Hardening : PPC book3s64: Forbid writes to read-only memory pages of a process

[Lev Olshvang]

Signed-off-by: Lev Olshvang <levonshe@gmail.com>
---
 arch/powerpc/mm/book3s64/pkeys.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/arch/powerpc/mm/book3s64/pkeys.c b/arch/powerpc/mm/book3s64/pkeys.c
index 4c537af6ab01..1199fc2bfaec 100644
--- a/arch/powerpc/mm/book3s64/pkeys.c
+++ b/arch/powerpc/mm/book3s64/pkeys.c
@@ -384,11 +384,6 @@ bool arch_pte_access_permitted(u64 pte, bool write, bool execute)
 bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write,
 			       bool execute, bool foreign)
 {
-	if (unlikely(!vma_write_allowed(vma, write, execute, foreign))) {
-		pr_err_once("Error : PID[%d] %s writes to read only memory\n",
-			current->tgid, current->comm);
-		return false;
-	}
 	if (static_branch_likely(&pkey_disabled))
 		return true;
 	/*
-- 
2.17.1

Re: [PATCH v3 0/5] hardening : prevent write to proces's read-only pages

[Kees Cook]

On Mon, Apr 13, 2020 at 06:32:06PM +0300, Lev Olshvang wrote:
> v2 --> v3
> 	Split patch to architecture independ part and separate patches
> 	for architectures that have arch_vma_access_permitted() handler.
> 	I tested it only on arm and x86

Hi; thanks for the update!

It looks like you sent patches inverted (you're showing the removals,
not the additions) and are missing the new function that does the test?

Please make sure you're testing the patches you send (rather than your
local tree). :)

-Kees


> v1 --> v2
> 	I sent empty v1 patch, just resending
> v0 --> v1
> ---
> 	Added sysctl_forbid_write_ro_mem to control whether to allow write
>     or deny. (Advised by Kees Cook, KSPP issue 37)
>     It has values range [0-2] and it gets the initial value from
>     CONFIG_PROTECT_READONLY_USER_MEMORY (defaulted to 0, so it cant break)
>     Setting it to 0 disables write checks.
>     Setting it to 1 deny writes from other processes.
>     Setting it to 2 deny writes from any processes including itself
> ----
> v0
> ----
> 
> The purpose of this patch is produce hardened kernel for Embedded
> or Production systems.
> This patch shouild close issue 37 opened by Kees Cook in KSPP project
> 
> Typically debuggers, such as gdb, write to read-only code [text]
> sections of target process.(ptrace)
> This kind of page protectiion violation raises minor page fault, but
> kernel's fault handler allows it by default.
> This is clearly attack surface for adversary.
> 
> The proposed kernel hardening configuration option checks the type of
> protection of the foreign vma and blocks writes to read only vma.
> 
> When enabled, it will stop attacks modifying code or jump tables, etc.
> 
> Code of arch_vma_access_permitted() function was extended to
> check foreign vma flags.
> 
> Tested on x86_64 and ARM(QEMU) with dd command which writes to
> /proc/PID/mem in r--p or r--xp of vma area addresses range
> 
> dd reports IO failure when tries to write to adress taken from
> from /proc/PID/maps (PLT or code section)
> 
> 
> Lev Olshvang (5):
>   Hardening x86: Forbid writes to read-only memory pages of a process
>   Hardening PowerPC: Forbid writes to read-only memory pages of a
>     process
>   Hardening um: Forbid writes to read-only memory pages of a process
>   Hardening unicore32: Forbid writes to read-only memory pages of a
>     process
>   Hardening : PPC book3s64: Forbid writes to read-only memory pages of a
>     process
> 
>  arch/powerpc/include/asm/mmu_context.h   | 9 +--------
>  arch/powerpc/mm/book3s64/pkeys.c         | 5 -----
>  arch/um/include/asm/mmu_context.h        | 8 +-------
>  arch/unicore32/include/asm/mmu_context.h | 7 +------
>  arch/x86/include/asm/mmu_context.h       | 8 +-------
>  5 files changed, 4 insertions(+), 33 deletions(-)
> 
> -- 
> 2.17.1
> 

-- 
Kees Cook