From patchwork Fri Jul 8 09:22:28 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 9220265 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8C2026044F for ; Fri, 8 Jul 2016 09:19:51 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 77FBC28610 for ; Fri, 8 Jul 2016 09:19:51 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6AEEB28613; Fri, 8 Jul 2016 09:19:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 791C728610 for ; Fri, 8 Jul 2016 09:19:49 +0000 (UTC) Received: (qmail 21973 invoked by uid 550); 8 Jul 2016 09:19:47 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Reply-To: kernel-hardening@lists.openwall.com Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 21937 invoked from network); 8 Jul 2016 09:19:46 -0000 From: Arnd Bergmann To: Kees Cook Cc: "linuxppc-dev@lists.ozlabs.org" , LKML , Jan Kara , "kernel-hardening@lists.openwall.com" , Catalin Marinas , Will Deacon , Linux-MM , sparclinux , linux-ia64@vger.kernel.org, Christoph Lameter , Andrea Arcangeli , linux-arch , "x86@kernel.org" , Russell King , "linux-arm-kernel@lists.infradead.org" , PaX Team , Mathias Krause , Fenghua Yu , Rik van Riel , David Rientjes , Tony Luck , Andy Lutomirski , Joonsoo Kim , Dmitry Vyukov , Laura Abbott <"la bbott"@fedoraproject.org>, Brad Spengler , Ard Biesheuvel , Pekka Enberg , Casey Schaufler , Andrew Morton , "David S. Miller" Date: Fri, 08 Jul 2016 11:22:28 +0200 Message-ID: <9920033.q6Ud9av8s4@wuerfel> User-Agent: KMail/5.1.3 (Linux/4.4.0-22-generic; KDE/5.18.0; x86_64; ; ) In-Reply-To: References: <1467843928-29351-1-git-send-email-keescook@chromium.org> <3418914.byvl8Wuxlf@wuerfel> MIME-Version: 1.0 X-Provags-ID: V03:K0:Eqe8bjIhN1fBoZN0j7so6IjDwsFvKa8Enzt1v2VjBA966KE9PaF o9BdFLXDBqZdsc2lbKZYZ7FL6rjI8EDjSRhxcQB0lcG1TJoheNJFDDP4R67x/ciYOJ5lTx+ xSb0S8sfiKHDUMI2VVdM4Q0P0/J8gycbMOBXx/GRjXCJOAVKCPb5zQ2W2+2KgQVTZlrna+b GH5nv+wqzm0+iLqCa4bxw== X-UI-Out-Filterresults: notjunk:1; V01:K0:cqLCIoPHz3Q=:CxbpgDkLDbKT2VR7pNStZ8 VmSmZOxLVAkoMV5wBB4u0s0dYV0C2LYkmP7NmYAeCXRLQ44EkJcuE5GAJ96XFa764pocKomU1 7GIvdbRWKGYXEm9Fj3WYBGJ7bJnFByQG53qmfacMAK3gvWnRInW+kb4cVpd6ajAiHGiUGJx1l 43NNz5Pk8md/bvFnFIA0IdEZJe3hJrSIsDzvs/Qm5+pXls5O2kxW++Bj52fA2ftsMCYokk9Rz 5zNO7KWaKeMV/PhSp//hv+MDQTKZog8Cl+Gz7y2MJfFxtwX/7tANTKlyTM/4T74Rk/Kbe3Niu jD51iH+CsmUCJFo7IJIYwYlx1/HhWQ1FZ2Xc9fKhSgtpjX7kiu1CkCQmWDLjpI0Z6clQWTNdA uN34gxTTLXyywfAmlddcT4wvVwkZUKS0OJUHo6wzoVhd9Eahvg16RfdtIT/fbclX526x5bQ+7 G6hAzaOAdpS4Pm1/Tbdxtql+/9hiGMSdWAmnFYkyrIymx+nV7xZX/9rx8kAPtBEIKfzbgbwFL PADr9i5MF9g9DP9ly2RT9NRs0Q5ixhzrl+dF7H6HjQvc3gCwiJ+J369hgirxPbgED2nr/h094 DBvm2wXootswGGAdLFx9jECIKSeJQvgMxQhVWp9Q+TeCpFGH0vnvD/a0F5X1ijGgYcaa1dfCV krnqHdr6DOELA3WEQFoN3JO4+Vh8P4m9a2XxlJVwOc0qvH2ILMxrYdSrxvR/rD7CUJSSHP9Ve v6R8gBLnB2m7TS5d Subject: [kernel-hardening] Re: [PATCH 1/9] mm: Hardened usercopy X-Virus-Scanned: ClamAV using ClamSMTP On Thursday, July 7, 2016 1:37:43 PM CEST Kees Cook wrote: > > > >> + /* Allow kernel bss region (if not marked as Reserved). */ > >> + if (ptr >= (const void *)__bss_start && > >> + end <= (const void *)__bss_stop) > >> + return NULL; > > > > accesses to .data/.rodata/.bss are probably not performance critical, > > so we could go further here and check the kallsyms table to ensure > > that we are not spanning multiple symbols here. > > Oh, interesting! Yeah, would you be willing to put together that patch > and test it? Not at the moment, sorry. I've given it a closer look and unfortunately realized that kallsyms today only covers .text and .init.text, so it's currently useless because those sections are already disallowed. We could extend kallsyms to also cover all other sections, but doing that right will likely cause a number of problems (most likely kallsyms size mismatch) that will have to be debugged first.\ I think it's doable but time-consuming. The check function should actually be trivial: static bool usercopy_spans_multiple_symbols(void *ptr, size_t len) { unsigned long size, offset; if (kallsyms_lookup_size_offset((unsigned long)ptr, &size, &offset)) return 0; /* no symbol found or kallsyms disabled */ if (size - offset <= len) return 0; /* range is within one symbol */ return 1; } This part would also be trivial: but I fear that if you actually try that, things start falling apart in a big way, so I didn't try ;-) > I wonder if there are any cases where there are > legitimate usercopys across multiple symbols. The only possible use case I can think of is for reading out the entire kernel memory from /dev/kmem, but your other checks in here already define that as illegitimate. On that subject, we probably want to make CONFIG_DEVKMEM mutually exclusive with CONFIG_HARDENED_USERCOPY. Arnd diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c index 1f22a186c18c..e0f37212e2a9 100644 --- a/scripts/kallsyms.c +++ b/scripts/kallsyms.c @@ -50,6 +50,11 @@ static struct addr_range text_ranges[] = { { "_sinittext", "_einittext" }, { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */ { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */ +#ifdef CONFIG_HARDENED_USERCOPY + { "_sdata", "_edata" }, + { "__bss_start", "__bss_stop" }, + { "__start_rodata", "__end_rodata" }, +#endif }; #define text_range_text (&text_ranges[0]) #define text_range_inittext (&text_ranges[1])