From: Thomas Garnier <thgarnie@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Arnd Bergmann" <arnd@arndb.de>,
"David Howells" <dhowells@redhat.com>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Dave Hansen" <dave.hansen@intel.com>,
"René Nyffenegger" <mail@renenyffenegger.ch>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
"Petr Mladek" <pmladek@suse.com>,
"Andy Lutomirski" <luto@kernel.org>,
"Ard Biesheuvel" <ard.biesheuvel@linaro.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Sebastian Andrzej Siewior" <bigeasy@linutronix.de>,
"Sergey Senozhatsky" <sergey.senozhatsky@gmail.com>,
"Helge Deller" <deller@gmx.de>, "Rik van Riel" <riel@redhat.com>,
"Ingo Molnar" <mingo@kernel.org>,
"John Stultz" <john.stultz@linaro.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Oleg Nesterov" <oleg@redhat.com>,
"Stanislav Kinsburskiy" <skinsbursky@virtuozzo.com>,
"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
"Stephen Smalley" <sds@tych>
Subject: Re: [PATCH v1 1/4] syscalls: Restore address limit after a syscall
Date: Wed, 8 Mar 2017 17:13:41 -0800 [thread overview]
Message-ID: <CAJcbSZF5Ya6jhh+bweL1r5o7ajK70VRUyRB0U7WjnbSxN_kEsQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5jJw2XW30NUnoNOMunZMhZ5V-3K9rspOFTOnyt5bxnkA+A@mail.gmail.com>
On Wed, Mar 8, 2017 at 1:57 PM, Kees Cook <keescook@chromium.org> wrote:
> On Wed, Mar 8, 2017 at 1:38 PM, Thomas Garnier <thgarnie@google.com> wrote:
>> This patch prevents a syscall to modify the address limit of the
>> caller. The address limit is kept by the syscall wrapper and restored
>> just after the syscall ends.
>>
>> For example, it would mitigation this bug:
>>
>> - https://bugs.chromium.org/p/project-zero/issues/detail?id=990
>>
>> By default, this change warns if the segment is incorrect while
>> returning to user-mode and fix it. The
>> CONFIG_VERIFY_PRE_USERMODE_STATE_BUG option can be enabled to halt
>> instead if needed.
>
> Instead of this new config, please reuse the CHECK_DATA_CORRUPTION
> test instead, which already controls very similar WARN vs BUG
> behavior. Example below...
>
>>
>> The CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE option is also
>> added so each architecture can optimize how the
>> verify_pre_usermode_state function is called.
>>
>> Signed-off-by: Thomas Garnier <thgarnie@google.com>
>> ---
>> Based on next-20170308
>> ---
>> include/linux/syscalls.h | 19 +++++++++++++++++++
>> init/Kconfig | 16 ++++++++++++++++
>> kernel/sys.c | 11 +++++++++++
>> 3 files changed, 46 insertions(+)
>>
>> diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
>> index 980c3c9b06f8..78a2268ecd6e 100644
>> --- a/include/linux/syscalls.h
>> +++ b/include/linux/syscalls.h
>> @@ -191,6 +191,22 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>> SYSCALL_METADATA(sname, x, __VA_ARGS__) \
>> __SYSCALL_DEFINEx(x, sname, __VA_ARGS__)
>>
>> +asmlinkage void verify_pre_usermode_state(void);
>> +
>> +#ifndef CONFIG_ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
>> +static inline bool has_user_ds(void) {
>> + bool ret = segment_eq(get_fs(), USER_DS);
>> + // Prevent re-ordering the call
>> + barrier();
>> + return ret;
>> +}
>> +#else
>> +static inline bool has_user_ds(void) {
>> + return false;
>> +}
>> +#endif
>> +
>> +
>> #define __PROTECT(...) asmlinkage_protect(__VA_ARGS__)
>> #define __SYSCALL_DEFINEx(x, name, ...) \
>> asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \
>> @@ -199,7 +215,10 @@ extern struct trace_event_functions exit_syscall_print_funcs;
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \
>> asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \
>> { \
>> + bool user_caller = has_user_ds(); \
>> long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \
>> + if (user_caller) \
>> + verify_pre_usermode_state(); \
>> __MAP(x,__SC_TEST,__VA_ARGS__); \
>> __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \
>> return ret; \
>> diff --git a/init/Kconfig b/init/Kconfig
>> index c859c993c26f..ab958b59063f 100644
>> --- a/init/Kconfig
>> +++ b/init/Kconfig
>> @@ -1929,6 +1929,22 @@ config PROFILING
>> config TRACEPOINTS
>> bool
>>
>> +#
>> +# Set by each architecture that want to optimize how verify_pre_usermode_state
>> +# is called.
>> +#
>> +config ARCH_NO_SYSCALL_VERIFY_PRE_USERMODE_STATE
>> + bool
>> +
>> +config VERIFY_PRE_USERMODE_STATE_BUG
>> + bool "Halt on incorrect state on returning to user-mode"
>> + default n
>> + help
>> + By default a warning is logged and the state is fixed. This option
>> + crashes the kernel instead.
>> +
>> + If unsure, say Y.
>> +
>> source "arch/Kconfig"
>>
>> endmenu # General setup
>> diff --git a/kernel/sys.c b/kernel/sys.c
>> index 196c7134bee6..cc2ebf7fae55 100644
>> --- a/kernel/sys.c
>> +++ b/kernel/sys.c
>> @@ -2459,3 +2459,14 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info)
>> return 0;
>> }
>> #endif /* CONFIG_COMPAT */
>> +
>> +/* Called before coming back to user-mode */
>> +asmlinkage void verify_pre_usermode_state(void)
>> +{
>> +#ifdef CONFIG_VERIFY_PRE_USERMODE_STATE_BUG
>> + BUG_ON(!segment_eq(get_fs(), USER_DS));
>> +#else
>> + if (WARN_ON(!segment_eq(get_fs(), USER_DS)))
>> + set_fs(USER_DS);
>> +#endif
>
> I would just make this:
>
> if (CHECK_DATA_CORRUPTION(!segment_eq(get_fs(), USER_DS))
> set_fs(USER_DS);
>
Make sense, I will remove my custom CONFIG and use that one instead
(still doing inline assembly if not set).
> -Kees
>
>
> --
> Kees Cook
> Pixel Security
--
Thomas
next prev parent reply other threads:[~2017-03-09 1:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-08 21:38 [PATCH v1 1/4] syscalls: Restore address limit after a syscall Thomas Garnier
2017-03-08 21:38 ` [PATCH v1 2/4] x86/syscalls: Specific usage of verify_pre_usermode_state Thomas Garnier
2017-03-08 21:38 ` [PATCH v1 3/4] arm/syscalls: " Thomas Garnier
2017-03-08 21:49 ` Russell King - ARM Linux
2017-03-08 22:05 ` Nicolas Pitre
2017-03-08 22:33 ` Thomas Garnier
2017-03-08 21:38 ` [PATCH v1 4/4] arm64/syscalls: " Thomas Garnier
2017-03-08 21:57 ` [PATCH v1 1/4] syscalls: Restore address limit after a syscall Kees Cook
2017-03-09 1:13 ` Thomas Garnier [this message]
2017-03-08 21:58 ` Russell King - ARM Linux
2017-03-08 22:20 ` Andy Lutomirski
2017-03-08 22:27 ` Thomas Garnier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJcbSZF5Ya6jhh+bweL1r5o7ajK70VRUyRB0U7WjnbSxN_kEsQ@mail.gmail.com \
--to=thgarnie@google.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bigeasy@linutronix.de \
--cc=dave.hansen@intel.com \
--cc=deller@gmx.de \
--cc=dhowells@redhat.com \
--cc=john.stultz@linaro.org \
--cc=keescook@chromium.org \
--cc=luto@kernel.org \
--cc=mail@renenyffenegger.ch \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=oleg@redhat.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=pmladek@suse.com \
--cc=ptikhomirov@virtuozzo.com \
--cc=riel@redhat.com \
--cc=sds@tych \
--cc=sergey.senozhatsky@gmail.com \
--cc=skinsbursky@virtuozzo.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).