linux-kernel.vger.kernel.org archive mirror
* Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
       [not found] <ef2c926cf7b148028f1902279cb35a41@intre.it>
@ 2023-03-10 15:47 ` Kees Cook
  2023-03-11 20:25   ` R: " Ornaghi Davide
  0 siblings, 1 reply; 4+ messages in thread
From: Kees Cook @ 2023-03-10 15:47 UTC (permalink / raw)
  To: Ornaghi Davide, keescook, paulmck, nsaenzju, peterz, bigeasy,
	frederic, linux-hardening, linux-kernel

On March 9, 2023 1:00:20 PM PST, Ornaghi Davide <davide.ornaghi@intre.it> wrote:
>Per-system-call kernel-stack randomization was introduced to
>prevent attackers from predicting the addresses of certain data
>structures on the stack upon sequential syscalls.
>
>However, when entering soft interrupt context, a new stack is allocated
>via vmalloc at a location that stays constant for each cpu until reboot.
>
>Recent security vulnerabilities such as CVE-2023-0179 showed how an
>infoleak under the softirq context could allow the attacker to locate
>kernel data structures like nftables registers, where a malicious payload
>could be stored.
>
>Instead of keeping a constant address, reuse kstack_offset to also
>randomize the soft interrupt stack on every __do_softirq entry.
>
>This basic patch version has the drawback of using the same base
>address for all pending softirqs, including softirqd ones, but has low
>impacts on performance.
>Alternatively, the stack offset could be updated for every softirq
>action, which I suspect might cause some performance issues.
>
>Signed-off-by: Davide Ornaghi <davide.ornaghi@intre.it>

This seems like a good place to start. Thanks!

Reviewed-by: Kees Cook <keescook@chromium.org>

One thought is that without a reselection of the offset after this use, the offset will be shared by the next syscall too. If softirq timing is controllable by an attacker, this might allow for some exposure?

-Kees

>---
> kernel/softirq.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/kernel/softirq.c b/kernel/softirq.c
>index c8a6913c067d..8c3eb2fffe39 100644
>--- a/kernel/softirq.c
>+++ b/kernel/softirq.c
>@@ -27,6 +27,7 @@
> #include <linux/tick.h>
> #include <linux/irq.h>
> #include <linux/wait_bit.h>
>+#include <linux/randomize_kstack.h>
>
> #include <asm/softirq_stack.h>
>
>@@ -535,6 +536,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
>  __u32 pending;
>  int softirq_bit;
>
>+ add_random_kstack_offset();
>  /*
>  * Mask out PF_MEMALLOC as the current task context is borrowed for the
>  * softirq. A softirq handled, such as network RX, might set PF_MEMALLOC
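Review bot: the added add_random_kstack_offset() consumes the per-CPU offset at __do_softirq entry, but nothing in this hunk re-selects it afterwards, so the same masked value is applied again to the next syscall entered on this CPU (the concern raised above); consider pairing the call with a re-selection of the offset at the end of __do_softirq, or keeping a separate softirq offset that is refreshed there, so that an observation made in softirq context carries no information about the syscall stack layout. The description also notes that every pending softirq in this pass, including those run by ksoftirqd, sees one base address, which is worth stating in a comment next to the call. Minor: a blank line after `+ add_random_kstack_offset();` would keep it visually separate from the PF_MEMALLOC comment block that follows.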
>--
>2.34.1
>
>
>Davide Ornaghi
>Offensive Security Specialist & Intrusion Analyst
>
>T. +39 039 28.45.774 +39 039 96.34.717
>Intré Security - a venture of Intré S.r.l.
>www.intre.it
>
>Please note: In reference to Italian law 196/2003 and to the Regulation EU 679/2016 (GDPR), this email transmission including its attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any views or opinions are solely those of the author and do not necessarily represent those of Intré S.r.l., unless specifically stated. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this email due to an error, please contact the sender via e-mail to the address privacy@intre.it and delete the email transmission immediately.


-- 
Kees Cook


* R: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
  2023-03-10 15:47 ` [RFC PATCH] Introduce per-interrupt kernel-stack randomization Kees Cook
@ 2023-03-11 20:25   ` Ornaghi Davide
  2023-03-11 22:56     ` Jere Viikari
  0 siblings, 1 reply; 4+ messages in thread
From: Ornaghi Davide @ 2023-03-11 20:25 UTC (permalink / raw)
  To: Kees Cook, keescook, paulmck, nsaenzju, peterz, bigeasy,
	frederic, linux-hardening, linux-kernel




Davide Ornaghi
Offensive Security Specialist & Intrusion Analyst

T. +39 039 28.45.774  +39 039 96.34.717
Intré Security - a venture of Intré S.r.l.
www.intre.it

> -----Original Message-----
> From: Kees Cook <kees@kernel.org>
> Sent: Friday, 10 March 2023 16:47
> To: Ornaghi Davide <davide.ornaghi@intre.it>; keescook@chromium.org;
> paulmck@kernel.org; nsaenzju@redhat.com; peterz@infradead.org;
> bigeasy@linutronix.de; frederic@kernel.org; linux-hardening@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
>
> On March 9, 2023 1:00:20 PM PST, Ornaghi Davide <davide.ornaghi@intre.it>
> wrote:
> >Per-system-call kernel-stack randomization was introduced to prevent
> >attackers from predicting the addresses of certain data structures on
> >the stack upon sequential syscalls.
> >
> >However, when entering soft interrupt context, a new stack is allocated
> >via vmalloc at a location that stays constant for each cpu until reboot.
> >
> >Recent security vulnerabilities such as CVE-2023-0179 showed how an
> >infoleak under the softirq context could allow the attacker to locate
> >kernel data structures like nftables registers, where a malicious
> >payload could be stored.
> >
> >Instead of keeping a constant address, reuse kstack_offset to also
> >randomize the soft interrupt stack on every __do_softirq entry.
> >
> >This basic patch version has the drawback of using the same base
> >address for all pending softirqs, including softirqd ones, but has low
> >impacts on performance.
> >Alternatively, the stack offset could be updated for every softirq
> >action, which I suspect might cause some performance issues.
> >
> >Signed-off-by: Davide Ornaghi <davide.ornaghi@intre.it>
>
> This seems like a good place to start. Thanks!
>
> Reviewed-by: Kees Cook <keescook@chromium.org>
>
> One thought is that without a reselection of the offset after this use, the offset
> will be shared by the next syscall too. If softirq timing is controllable by an
> attacker, this might allow for some exposure?

That would be a problem indeed; one way to solve it is to keep the softirq offset independent from the syscall one and update it at the end of __do_softirq.
Should we add a new build option or integrate it with CONFIG_RANDOMIZE_KSTACK_OFFSET?

- Davide

>
> -Kees
>
> >---
> > kernel/softirq.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> >diff --git a/kernel/softirq.c b/kernel/softirq.c index
> >c8a6913c067d..8c3eb2fffe39 100644
> >--- a/kernel/softirq.c
> >+++ b/kernel/softirq.c
> >@@ -27,6 +27,7 @@
> > #include <linux/tick.h>
> > #include <linux/irq.h>
> > #include <linux/wait_bit.h>
> >+#include <linux/randomize_kstack.h>
> >
> > #include <asm/softirq_stack.h>
> >
> >@@ -535,6 +536,7 @@ asmlinkage __visible void __softirq_entry
> >__do_softirq(void)
> >  __u32 pending;
> >  int softirq_bit;
> >
> >+ add_random_kstack_offset();
> >  /*
> >  * Mask out PF_MEMALLOC as the current task context is borrowed for
> >the
> >  * softirq. A softirq handled, such as network RX, might set
> >PF_MEMALLOC
> >--
> >2.34.1
> >
> >
> >Davide Ornaghi
> >Offensive Security Specialist & Intrusion Analyst
> >
> >T. +39 039 28.45.774 +39 039 96.34.717
> >Intré Security - a venture of Intré S.r.l.
> >www.intre.it
> >
>
>
> --
> Kees Cook
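The exchange above concerns two states of the per-CPU offset: the RFC patch as posted, where __do_softirq only consumes kstack_offset, and the follow-up proposal of a separate softirq offset that is re-selected at the end of __do_softirq. The following user-space model is an added example, not code from the patch or from the kernel. It mirrors the consume/re-select pair of include/linux/randomize_kstack.h (add_random_kstack_offset() and choose_random_kstack_offset()) and the generic 10-bit KSTACK_OFFSET_MAX mask; the struct, the model_* functions and the fake_random() stand-in for the kernel RNG are constructed for illustration. It shows that, with the RFC version, the offset applied during a softirq is exactly the offset the next syscall on that CPU will use, while a separately re-selected softirq offset exposes nothing about the syscall offset.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic kernel default: only the low 10 bits of the stored value become the
 * stack offset (mirrors KSTACK_OFFSET_MAX in include/linux/randomize_kstack.h). */
#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF)

/* Constructed per-CPU state. The kernel keeps one kstack_offset per CPU;
 * softirq_offset is the hypothetical separate offset from the follow-up reply. */
struct cpu_model {
	uint32_t kstack_offset;
	uint32_t softirq_offset;
};

/* Deterministic stand-in for the kernel RNG so the model is reproducible. */
static uint32_t fake_random(uint32_t *seed)
{
	*seed = *seed * 1664525u + 1013904223u;
	return *seed;
}

/* Model of add_random_kstack_offset(): the number of bytes the entry path shifts the stack by. */
static uint32_t model_add_offset(uint32_t stored)
{
	return KSTACK_OFFSET_MAX(stored);
}

/* Model of choose_random_kstack_offset(rand): fold fresh entropy into the stored value. */
static void model_choose_offset(uint32_t *stored, uint32_t rand)
{
	*stored ^= rand;
}

/* Syscall path as in mainline: consume at entry, re-select at exit. */
static uint32_t model_syscall(struct cpu_model *cpu, uint32_t *seed)
{
	uint32_t used = model_add_offset(cpu->kstack_offset);
	model_choose_offset(&cpu->kstack_offset, fake_random(seed));
	return used;
}

/* RFC patch as posted: __do_softirq consumes kstack_offset, nothing re-selects it. */
static uint32_t model_softirq_rfc(struct cpu_model *cpu)
{
	return model_add_offset(cpu->kstack_offset);
}

/* Follow-up proposal: a separate softirq offset, re-selected at the end of __do_softirq. */
static uint32_t model_softirq_separate(struct cpu_model *cpu, uint32_t *seed)
{
	uint32_t used = model_add_offset(cpu->softirq_offset);
	model_choose_offset(&cpu->softirq_offset, fake_random(seed));
	return used;
}

/* The concern in the review: the offset applied in the softirq is exactly the one
 * the next syscall on that CPU gets, so learning the former fixes the latter. */
bool rfc_softirq_shares_next_syscall_offset(void)
{
	struct cpu_model cpu = { .kstack_offset = 0x12345678u, .softirq_offset = 0 };
	uint32_t seed = 42;

	model_syscall(&cpu, &seed);                       /* an earlier syscall */
	uint32_t seen_in_softirq = model_softirq_rfc(&cpu);
	uint32_t next_syscall = model_syscall(&cpu, &seed);
	return seen_in_softirq == next_syscall;
}

/* Contrast: with the RFC version, what a softirq exposes tracks the syscall offset. */
bool rfc_softirq_exposes_syscall_offset(void)
{
	struct cpu_model a = { .kstack_offset = 0x001u, .softirq_offset = 0 };
	struct cpu_model b = { .kstack_offset = 0x3FEu, .softirq_offset = 0 };
	return model_softirq_rfc(&a) != model_softirq_rfc(&b);
}

/* Separate-offset variant: two CPUs whose syscall offsets differ expose the same
 * softirq offset, and their syscall offsets are left untouched by the softirq. */
bool separate_softirq_offset_hides_syscall_offset(void)
{
	struct cpu_model a = { .kstack_offset = 0x001u, .softirq_offset = 0x9abcdef0u };
	struct cpu_model b = { .kstack_offset = 0x3FEu, .softirq_offset = 0x9abcdef0u };
	uint32_t seed_a = 7, seed_b = 7;

	uint32_t seen_a = model_softirq_separate(&a, &seed_a);
	uint32_t seen_b = model_softirq_separate(&b, &seed_b);
	return seen_a == seen_b && a.kstack_offset == 0x001u && b.kstack_offset == 0x3FEu;
}

int main(void)
{
	printf("RFC: softirq offset == next syscall offset: %d\n", rfc_softirq_shares_next_syscall_offset());
	printf("RFC: softirq offset reveals syscall offset: %d\n", rfc_softirq_exposes_syscall_offset());
	printf("separate offset hides syscall offset: %d\n", separate_softirq_offset_hides_syscall_offset());
	return 0;
}
```

The model deliberately ignores where the softirq stack lives (task stack versus a dedicated per-CPU stack) and models only the offset value, because that value is what the two replies disagree about; which stack the adjustment lands on is a separate question for the real entry paths.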


* Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
  2023-03-11 20:25   ` R: " Ornaghi Davide
@ 2023-03-11 22:56     ` Jere Viikari
  2023-03-12 13:32       ` R: " Ornaghi Davide
  0 siblings, 1 reply; 4+ messages in thread
From: Jere Viikari @ 2023-03-11 22:56 UTC (permalink / raw)
  To: Ornaghi Davide
  Cc: Kees Cook, keescook, paulmck, nsaenzju, peterz, bigeasy,
	frederic, linux-hardening, linux-kernel

I am concerned about the disclaimer. When I replied, I also had to
remove all other information to ensure that I did not violate the
terms.

> Nota informativa: In ottemperanza della Legge 196/2003 e al Regolamento UE 679/2016 (GDPR) sulla tutela dei dati personali, le informazioni contenute in questo messaggio sono strettamente riservate e sono esclusivamente indirizzate al destinatario indicato (oppure alla persona responsabile di rimetterlo al destinatario). Le idee e opinioni espresse sono quelle dell’autore e, a meno che non sia chiaramente scritto, non rappresentano necessariamente quelle di Intré S.r.l. Qualsiasi uso, riproduzione o divulgazione di questo messaggio e' vietata, anche ai sensi dell’art. 616 c.p. italiano. Nel caso in cui aveste ricevuto questa e-mail per errore, vogliate avvertirci al piu' presto a mezzo posta elettronica all’indirizzo privacy@intre.it e distruggere il presente messaggio.
> Please note: In reference to Italian law 196/2003 and to the Regulation EU 679/2016 (GDPR), this email transmission including its attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any views or opinions are solely those of the author and do not necessarily represent those of Intré S.r.l., unless specifically stated. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this email due to an error, please contact the sender via e-mail to the address privacy@intre.it and delete the email transmission immediately.

Google translation in English:

Information note: In compliance with Law 196/2003 and EU Regulation
679/2016 (GDPR) on the protection of personal data, the information
contained in this message is strictly confidential and is exclusively
addressed to the indicated recipient (or to the person responsible for
forwarding it to the recipient). The ideas and opinions expressed are
those of the author and, unless clearly stated, do not necessarily
represent those of Intré S.r.l. Any use, reproduction or disclosure of
this message is prohibited, also pursuant to art. 616 criminal code
Italian. If you have received this e-mail in error, please notify us
as soon as possible by e-mail at privacy@intre.it and destroy this
message.
Please note: In reference to Italian law 196/2003 and to the
Regulation EU 679/2016 (GDPR), this email transmission including its
attachments, is intended only for the person or entity to which it is
addressed and may contain confidential and/or privileged material. Any
views or opinions are solely those of the author and do not
necessarily represent those of Intré S.r.l., unless specifically
stated. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you
received this email due to an error, please contact the sender via
email to the address privacy@intre.it and delete the email
transmission immediately.

-Jere


* R: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
  2023-03-11 22:56     ` Jere Viikari
@ 2023-03-12 13:32       ` Ornaghi Davide
  0 siblings, 0 replies; 4+ messages in thread
From: Ornaghi Davide @ 2023-03-12 13:32 UTC (permalink / raw)
  To: Jere Viikari
  Cc: Kees Cook, keescook, paulmck, peterz, bigeasy, frederic,
	linux-hardening, linux-kernel



> -----Original Message-----
> From: Jere Viikari <jere.viikari@gmail.com>
> Sent: Saturday, 11 March 2023 23:56
> To: Ornaghi Davide <davide.ornaghi@intre.it>
> Cc: Kees Cook <kees@kernel.org>; keescook@chromium.org;
> paulmck@kernel.org; nsaenzju@redhat.com; peterz@infradead.org;
> bigeasy@linutronix.de; frederic@kernel.org; linux-hardening@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
> 
> I am concerned about the disclaimer. When I replied, I also had to remove all
> other information to ensure that I did not violate the terms.
> 

Sorry, Italian regulations that obviously don't apply to public mailing lists...
The disclaimer should be gone now, so you can reply to this thread if you prefer.

- Davide


