linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Richard Weinberger <richard@nod.at>
To: linux-kernel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, rientjes@google.com,
	atomlin@redhat.com, keescook@chromium.org,
	daeseok.youn@gmail.com, tglx@linutronix.de,
	vdavydov@parallels.com, riel@redhat.com, oleg@redhat.com,
	akpm@linux-foundation.org, peterz@infradead.org,
	mingo@redhat.com, viro@zeniv.linux.org.uk, luto@amacapital.net,
	Richard Weinberger <richard@nod.at>
Subject: [PATCH] [RFC] Deter exploit bruteforcing
Date: Wed, 24 Dec 2014 22:39:27 +0100	[thread overview]
Message-ID: <1419457167-15042-1-git-send-email-richard@nod.at> (raw)

While exploring the offset2lib attack I remembered that
grsecurity has an interesting feature to make such attacks
much harder. Exploits can brute stack canaries often very easily
if the target is a forking server like sshd or Apache httpd.
The problem is that after fork() the child has by definition
exactly the same memory as the parent and therefore also the same
stack canaries.
The attacker can guess the stack canaries byte by byte.
After 256 times 7 forks() a good exploit can find the correct
canary value.

The basic idea behind this patch is to delay fork() if a child died
due to a fatal error.
Currently it delays fork() by 30 seconds if the parent tries to fork()
within 60 seconds after a child died due to a fatal error.

I'm sure you'll hate this patch but I want to find out how much you hate it
and whether there is a little chance to get it mainline in a modified form.
Later I'd make it depend on a new Kconfig option and off by default
and the timing constants changeable via sysctl.

Credit for the concept goes to grsecurity folks, I'll take the flames.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 fs/coredump.c         | 10 ++++++++++
 include/linux/sched.h |  1 +
 kernel/fork.c         |  7 +++++++
 3 files changed, 18 insertions(+)

diff --git a/fs/coredump.c b/fs/coredump.c
index b5c86ff..d7730c8 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -512,6 +512,7 @@ void do_coredump(const siginfo_t *siginfo)
 	bool need_nonrelative = false;
 	bool core_dumped = false;
 	static atomic_t core_dump_count = ATOMIC_INIT(0);
+	int sig = siginfo->si_signo;
 	struct coredump_params cprm = {
 		.siginfo = siginfo,
 		.regs = signal_pt_regs(),
@@ -526,6 +527,15 @@ void do_coredump(const siginfo_t *siginfo)
 
 	audit_core_dumps(siginfo->si_signo);
 
+	if (sig == SIGSEGV || sig == SIGBUS || sig == SIGKILL || sig == SIGILL) {
+		rcu_read_lock();
+		read_lock(&tasklist_lock);
+		if (current->real_parent && (current->flags & PF_FORKNOEXEC))
+			current->real_parent->brute_expires = get_seconds() + (30 * 60);
+		read_unlock(&tasklist_lock);
+		rcu_read_unlock();
+	}
+
 	binfmt = mm->binfmt;
 	if (!binfmt || !binfmt->core_dump)
 		goto fail;
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 8db31ef..c616735 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1701,6 +1701,7 @@ struct task_struct {
 #ifdef CONFIG_DEBUG_ATOMIC_SLEEP
 	unsigned long	task_state_change;
 #endif
+	unsigned long brute_expires;
 };
 
 /* Future-safe accessor for struct task_struct's cpus_allowed. */
diff --git a/kernel/fork.c b/kernel/fork.c
index 4dc2dda..178c80e 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -74,6 +74,7 @@
 #include <linux/uprobes.h>
 #include <linux/aio.h>
 #include <linux/compiler.h>
+#include <linux/delay.h>
 
 #include <asm/pgtable.h>
 #include <asm/pgalloc.h>
@@ -352,6 +353,8 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
 	tsk->splice_pipe = NULL;
 	tsk->task_frag.page = NULL;
 
+	tsk->brute_expires = 0;
+
 	account_kernel_stack(ti, 1);
 
 	return tsk;
@@ -1669,6 +1672,10 @@ long do_fork(unsigned long clone_flags,
 		if (clone_flags & CLONE_PARENT_SETTID)
 			put_user(nr, parent_tidptr);
 
+		if (unlikely(current->brute_expires) && time_before(get_seconds(),
+		    current->brute_expires))
+			msleep(30 * 1000);
+
 		if (clone_flags & CLONE_VFORK) {
 			p->vfork_done = &vfork;
 			init_completion(&vfork);
-- 
2.1.0

             reply	other threads:[~2014-12-24 21:39 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-24 21:39 Richard Weinberger [this message]
2014-12-30 18:40 ` Kees Cook
2014-12-30 18:49   ` Andy Lutomirski
2014-12-30 18:50   ` Richard Weinberger
2015-01-02  5:11   ` Pavel Machek
2015-01-02 11:00     ` Richard Weinberger
2015-01-02 19:46       ` Pavel Machek
2015-01-02 21:40         ` Richard Weinberger
2015-01-02 22:29           ` Pavel Machek
2015-01-02 22:32             ` Jiri Kosina
2015-01-02 22:46               ` Pavel Machek
2015-01-02 22:49                 ` Jiri Kosina
2015-01-02 22:53                   ` Jiri Kosina
2015-01-02 22:54                   ` Pavel Machek
2015-01-02 23:00                     ` Richard Weinberger
2015-01-02 23:08                       ` Pavel Machek
2015-01-03  9:45                         ` Richard Weinberger
2015-01-03 22:36                           ` Pavel Machek
2015-01-03 22:44                             ` Richard Weinberger
2015-01-03 23:01                               ` Pavel Machek
2015-01-03 23:07                                 ` Richard Weinberger
2015-01-03 23:06                             ` Andy Lutomirski
2015-01-03 23:19                               ` Richard Weinberger
2015-01-05 22:56                                 ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1419457167-15042-1-git-send-email-richard@nod.at \
    --to=richard@nod.at \
    --cc=akpm@linux-foundation.org \
    --cc=atomlin@redhat.com \
    --cc=daeseok.youn@gmail.com \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=mingo@redhat.com \
    --cc=oleg@redhat.com \
    --cc=peterz@infradead.org \
    --cc=riel@redhat.com \
    --cc=rientjes@google.com \
    --cc=tglx@linutronix.de \
    --cc=vdavydov@parallels.com \
    --cc=viro@zeniv.linux.org.uk \
    --subject='Re: [PATCH] [RFC] Deter exploit bruteforcing' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).