linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] x86: do not leak kernel page mapping locations
@ 2013-02-07 17:44 Kees Cook
  2013-02-07 19:26 ` H. Peter Anvin
  2013-02-08 14:05 ` [tip:x86/urgent] x86: Do " tip-bot for Kees Cook
  0 siblings, 2 replies; 3+ messages in thread
From: Kees Cook @ 2013-02-07 17:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, Andrew Morton,
	Paul E. McKenney, Frederic Weisbecker, Eric W. Biederman,
	Dan Rosenberg, Brad Spengler

Without this patch, it is trivial to determine kernel page mappings by
examining the error code reported to dmesg[1]. Instead, declare the entire
kernel memory space as a violation of a present page.

Additionally, since show_unhandled_signals is enabled by default, switch
branch hinting to the more realistic expectation, and unobfuscate the
setting of the PF_PROT bit to improve readability.

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Suggested-by: Brad Spengler <spender@grsecurity.net>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/mm/fault.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 027088f..fb674fd 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -748,13 +748,15 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 				return;
 		}
 #endif
+		/* Kernel addresses are always protection faults: */
+		if (address >= TASK_SIZE)
+			error_code |= PF_PROT;
 
-		if (unlikely(show_unhandled_signals))
+		if (likely(show_unhandled_signals))
 			show_signal_msg(regs, error_code, address, tsk);
 
-		/* Kernel addresses are always protection faults: */
 		tsk->thread.cr2		= address;
-		tsk->thread.error_code	= error_code | (address >= TASK_SIZE);
+		tsk->thread.error_code	= error_code;
 		tsk->thread.trap_nr	= X86_TRAP_PF;
 
 		force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0);
-- 
1.7.9.5


-- 
Kees Cook
Chrome OS Security

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] x86: do not leak kernel page mapping locations
  2013-02-07 17:44 [PATCH] x86: do not leak kernel page mapping locations Kees Cook
@ 2013-02-07 19:26 ` H. Peter Anvin
  2013-02-08 14:05 ` [tip:x86/urgent] x86: Do " tip-bot for Kees Cook
  1 sibling, 0 replies; 3+ messages in thread
From: H. Peter Anvin @ 2013-02-07 19:26 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, x86, Andrew Morton,
	Paul E. McKenney, Frederic Weisbecker, Eric W. Biederman,
	Dan Rosenberg, Brad Spengler

On 02/07/2013 09:44 AM, Kees Cook wrote:
> Without this patch, it is trivial to determine kernel page mappings by
> examining the error code reported to dmesg[1]. Instead, declare the entire
> kernel memory space as a violation of a present page.
> 
> Additionally, since show_unhandled_signals is enabled by default, switch
> branch hinting to the more realistic expectation, and unobfuscate the
> setting of the PF_PROT bit to improve readability.
> 
> [1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/
> 
> Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
> Suggested-by: Brad Spengler <spender@grsecurity.net>
> Cc: stable@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>

There is, of course, tons of information in dmesg which can be used for
nefarious purposes, and it is hard to avoid that without neutering dmesg
to uselessness.

So the question is to some degree how much this adds in isolation from
locking down dmesg (and if dmesg_restrict isn't enough, what more do we
need...)?

That being said, the patch doesn't seem to do any harm so I acked it and
Ingo is going to apply it.

	-hpa




^ permalink raw reply	[flat|nested] 3+ messages in thread
* [tip:x86/urgent] x86: Do not leak kernel page mapping locations
  2013-02-07 17:44 [PATCH] x86: do not leak kernel page mapping locations Kees Cook
  2013-02-07 19:26 ` H. Peter Anvin
@ 2013-02-08 14:05 ` tip-bot for Kees Cook
  1 sibling, 0 replies; 3+ messages in thread
From: tip-bot for Kees Cook @ 2013-02-08 14:05 UTC (permalink / raw)
  To: linux-tip-commits
  Cc: linux-kernel, hpa, mingo, a.p.zijlstra, torvalds, ebiederm,
	dan.j.rosenberg, spender, paulmck, keescook, fweisbec, akpm,
	tglx

Commit-ID:  e575a86fdc50d013bf3ad3aa81d9100e8e6cc60d
Gitweb:     http://git.kernel.org/tip/e575a86fdc50d013bf3ad3aa81d9100e8e6cc60d
Author:     Kees Cook <keescook@chromium.org>
AuthorDate: Thu, 7 Feb 2013 09:44:13 -0800
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Thu, 7 Feb 2013 19:57:44 +0100

x86: Do not leak kernel page mapping locations

Without this patch, it is trivial to determine kernel page
mappings by examining the error code reported to dmesg[1].
Instead, declare the entire kernel memory space as a violation
of a present page.

Additionally, since show_unhandled_signals is enabled by
default, switch branch hinting to the more realistic
expectation, and unobfuscate the setting of the PF_PROT bit to
improve readability.

[1] http://vulnfactory.org/blog/2013/02/06/a-linux-memory-trick/

Reported-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Suggested-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Acked-by: H. Peter Anvin <hpa@zytor.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Link: http://lkml.kernel.org/r/20130207174413.GA12485@www.outflux.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/mm/fault.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 027088f..fb674fd 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -748,13 +748,15 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
 				return;
 		}
 #endif
+		/* Kernel addresses are always protection faults: */
+		if (address >= TASK_SIZE)
+			error_code |= PF_PROT;
 
-		if (unlikely(show_unhandled_signals))
+		if (likely(show_unhandled_signals))
 			show_signal_msg(regs, error_code, address, tsk);
 
-		/* Kernel addresses are always protection faults: */
 		tsk->thread.cr2		= address;
-		tsk->thread.error_code	= error_code | (address >= TASK_SIZE);
+		tsk->thread.error_code	= error_code;
 		tsk->thread.trap_nr	= X86_TRAP_PF;
 
 		force_sig_info_fault(SIGSEGV, si_code, address, tsk, 0);

^ permalink raw reply related	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-02-08 14:05 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-02-07 17:44 [PATCH] x86: do not leak kernel page mapping locations Kees Cook
2013-02-07 19:26 ` H. Peter Anvin
2013-02-08 14:05 ` [tip:x86/urgent] x86: Do " tip-bot for Kees Cook

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).