* [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
@ 2019-11-18 21:09 Kees Cook
2019-11-19 10:07 ` Borislav Petkov
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
0 siblings, 2 replies; 4+ messages in thread
From: Kees Cook @ 2019-11-18 21:09 UTC (permalink / raw)
To: Borislav Petkov
Cc: Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86, tyhicks,
colin.king, linux-security-module, Matthew Garrett
Zhang Xiaoxu noted that physical address locations for MTRR were
visible to non-root users, which could be considered an information
leak. In discussing[1] the options for solving this, it sounded like
just moving the capable check into open() was the first step. If this
breaks userspace, then we will have a test case for the more conservative
approaches discussed in the thread. In summary:
- MTRR should check capabilities at open time (or retain the
checks on the opener's permissions for later checks).
- changing the DAC permissions might break something that expects to
open mtrr when not uid 0.
- if we leave the DAC permissions alone and just move the capable check
to the opener, we should get the desired protection. (i.e. check
against CAP_SYS_ADMIN not just the wider uid 0.)
- if that still breaks things, as in userspace expects to be able to
read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
we need to censor the contents using the opener's permissions. For
example, as done in other /proc cases, like commit 51d7b120418e
("/proc/iomem: only expose physical resource addresses to privileged
users").
[1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
---
arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
index 4d36dcc1cf87..9c86aeae1b14 100644
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
int length;
size_t linelen;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
memset(line, 0, LINE_SIZE);
len = min_t(size_t, len, LINE_SIZE - 1);
@@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 0);
@@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_add(sentry.base, sentry.size, sentry.type, false);
break;
case MTRRIOC_DEL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 0);
break;
case MTRRIOC_KILL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_ENTRY:
@@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 1);
@@ -289,8 +276,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_add_page(sentry.base, sentry.size, sentry.type, false);
break;
@@ -298,16 +283,12 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 1);
break;
case MTRRIOC_KILL_PAGE_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del_page(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_PAGE_ENTRY:
@@ -381,6 +362,8 @@ static int mtrr_open(struct inode *inode, struct file *file)
return -EIO;
if (!mtrr_if->get)
return -ENXIO;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return single_open(file, mtrr_seq_show, NULL);
}
--
2.17.1
--
Kees Cook
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
@ 2019-11-19 10:07 ` Borislav Petkov
2019-11-20 20:24 ` James Morris
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
1 sibling, 1 reply; 4+ messages in thread
From: Borislav Petkov @ 2019-11-19 10:07 UTC (permalink / raw)
To: Kees Cook
Cc: Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86, tyhicks,
colin.king, linux-security-module, Matthew Garrett
On Mon, Nov 18, 2019 at 01:09:21PM -0800, Kees Cook wrote:
> Zhang Xiaoxu noted that physical address locations for MTRR were
> visible to non-root users, which could be considered an information
> leak. In discussing[1] the options for solving this, it sounded like
> just moving the capable check into open() was the first step. If this
> breaks userspace, then we will have a test case for the more conservative
> approaches discussed in the thread. In summary:
>
> - MTRR should check capabilities at open time (or retain the
> checks on the opener's permissions for later checks).
>
> - changing the DAC permissions might break something that expects to
> open mtrr when not uid 0.
>
> - if we leave the DAC permissions alone and just move the capable check
> to the opener, we should get the desired protection. (i.e. check
> against CAP_SYS_ADMIN not just the wider uid 0.)
>
> - if that still breaks things, as in userspace expects to be able to
> read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
> we need to censor the contents using the opener's permissions. For
> example, as done in other /proc cases, like commit 51d7b120418e
> ("/proc/iomem: only expose physical resource addresses to privileged
> users").
>
> [1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
>
> Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
> 1 file changed, 2 insertions(+), 19 deletions(-)
Yap, LGTM, thanks!
Reviewed-by: Borislav Petkov <bp@suse.de>
However, as it has a user-visible impact and it is not an urgent thing
to have in the tree, I'd not queue this now but after the merge window
is done so that we have a maximum time of exposure in linux-next and we
can have ample time to addres fallout.
/me puts it on the list for after the merge window.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-19 10:07 ` Borislav Petkov
@ 2019-11-20 20:24 ` James Morris
0 siblings, 0 replies; 4+ messages in thread
From: James Morris @ 2019-11-20 20:24 UTC (permalink / raw)
To: Borislav Petkov
Cc: Kees Cook, Thomas Gleixner, Zhang Xiaoxu, linux-kernel, x86,
tyhicks, colin.king, linux-security-module, Matthew Garrett
On Tue, 19 Nov 2019, Borislav Petkov wrote:
> > arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
> > 1 file changed, 2 insertions(+), 19 deletions(-)
>
> Yap, LGTM, thanks!
>
> Reviewed-by: Borislav Petkov <bp@suse.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip: x86/mtrr] x86/mtrr: Require CAP_SYS_ADMIN for all access
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
2019-11-19 10:07 ` Borislav Petkov
@ 2019-12-09 8:51 ` tip-bot2 for Kees Cook
1 sibling, 0 replies; 4+ messages in thread
From: tip-bot2 for Kees Cook @ 2019-12-09 8:51 UTC (permalink / raw)
To: linux-tip-commits
Cc: Zhang Xiaoxu, Kees Cook, Borislav Petkov, James Morris,
H. Peter Anvin, Colin Ian King, Ingo Molnar,
linux-security-module, Matthew Garrett, Thomas Gleixner,
Tyler Hicks, x86-ml, LKML
The following commit has been merged into the x86/mtrr branch of tip:
Commit-ID: 4fc265a9c9b258ddd7eafbd0dbfca66687c3d8aa
Gitweb: https://git.kernel.org/tip/4fc265a9c9b258ddd7eafbd0dbfca66687c3d8aa
Author: Kees Cook <keescook@chromium.org>
AuthorDate: Mon, 18 Nov 2019 13:09:21 -08:00
Committer: Borislav Petkov <bp@suse.de>
CommitterDate: Mon, 09 Dec 2019 09:24:24 +01:00
x86/mtrr: Require CAP_SYS_ADMIN for all access
Zhang Xiaoxu noted that physical address locations for MTRR were visible
to non-root users, which could be considered an information leak.
In discussing[1] the options for solving this, it sounded like just
moving the capable check into open() was the first step.
If this breaks userspace, then we will have a test case for the more
conservative approaches discussed in the thread. In summary:
- MTRR should check capabilities at open time (or retain the
checks on the opener's permissions for later checks).
- changing the DAC permissions might break something that expects to
open mtrr when not uid 0.
- if we leave the DAC permissions alone and just move the capable check
to the opener, we should get the desired protection. (i.e. check
against CAP_SYS_ADMIN not just the wider uid 0.)
- if that still breaks things, as in userspace expects to be able to
read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then
we need to censor the contents using the opener's permissions. For
example, as done in other /proc cases, like commit
51d7b120418e ("/proc/iomem: only expose physical resource addresses to privileged users").
[1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/
Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: James Morris <jamorris@linux.microsoft.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: linux-security-module@vger.kernel.org
Cc: Matthew Garrett <mjg59@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: x86-ml <x86@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/201911181308.63F06502A1@keescook
---
arch/x86/kernel/cpu/mtrr/if.c | 21 ++-------------------
1 file changed, 2 insertions(+), 19 deletions(-)
diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c
index 268d318..da532f6 100644
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
int length;
size_t linelen;
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
memset(line, 0, LINE_SIZE);
len = min_t(size_t, len, LINE_SIZE - 1);
@@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 0);
@@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_add(sentry.base, sentry.size, sentry.type, false);
break;
case MTRRIOC_DEL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 0);
break;
case MTRRIOC_KILL_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_ENTRY:
@@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_ADD_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
file, 1);
@@ -289,8 +276,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_SET_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err =
mtrr_add_page(sentry.base, sentry.size, sentry.type, false);
break;
@@ -298,16 +283,12 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
#ifdef CONFIG_COMPAT
case MTRRIOC32_DEL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_file_del(sentry.base, sentry.size, file, 1);
break;
case MTRRIOC_KILL_PAGE_ENTRY:
#ifdef CONFIG_COMPAT
case MTRRIOC32_KILL_PAGE_ENTRY:
#endif
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
err = mtrr_del_page(-1, sentry.base, sentry.size);
break;
case MTRRIOC_GET_PAGE_ENTRY:
@@ -410,6 +391,8 @@ static int mtrr_open(struct inode *inode, struct file *file)
return -EIO;
if (!mtrr_if->get)
return -ENXIO;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return single_open(file, mtrr_seq_show, NULL);
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-09 8:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-18 21:09 [PATCH] x86/mtrr: Require CAP_SYS_ADMIN for all access Kees Cook
2019-11-19 10:07 ` Borislav Petkov
2019-11-20 20:24 ` James Morris
2019-12-09 8:51 ` [tip: x86/mtrr] " tip-bot2 for Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).