From patchwork Thu Apr 27 14:42:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Garnier X-Patchwork-Id: 9702981 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id CFCF2601D3 for ; Thu, 27 Apr 2017 14:43:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BA12228645 for ; Thu, 27 Apr 2017 14:43:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id ADDD72865A; Thu, 27 Apr 2017 14:43:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id A195A28645 for ; Thu, 27 Apr 2017 14:43:13 +0000 (UTC) Received: (qmail 23959 invoked by uid 550); 27 Apr 2017 14:43:12 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 23931 invoked from network); 27 Apr 2017 14:43:11 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QRso5wojL+pjdEAy4hBD7o92ETyARQ1An+6M5ODoSI0=; b=lQtIJB41PAslSY825+4EjZ/FnoBe00OvoRNaS6/Daan8BqCd+KaZwCgM5tbxB/CBfr Zj3Y4NZDDOlGFONCvj9CsaEhaC0VaI9WngEv+OjDJvihUDNetpenca5l1rKwSz7/nCa/ JIT/Now/vMMUminT6ZU/EkI6t7jODho+NIuCuLSqKVzbBigBrhlke+QXOk84XsyqvX57 rHQYHv0ss/Kmq0Q5XPqL8kxwB2m4X2tmVj0j+Wv1zJ2SzTsjlXFkVXtN+8xlArSqStZ0 UIBan5OxKsItmrHpv7aUGyUnzz56AxOYh7uetevRlV6cMIVwRGC6AcCCclFQ/99Iu2cD dFRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=QRso5wojL+pjdEAy4hBD7o92ETyARQ1An+6M5ODoSI0=; b=Nzrs7P2mnWOuKObbcQ5FiCs3hN3rPQI69WQpfhkGplZ4hFFkOVm2KoVElMNokWv5WW oUL69RORYuzHiWDswB0wtTPFVvGdkFhxzcwYBa+sW6NEaSGwhdcvCFjoac2ZJqCFaLVK AB8Bk7sL4YtUL14Ze+obAUJPEYukVn721QCrNU5td924yg9a6vSSa1dKMcHWJYt1UH1V PQa8iNpWZfh1hi68NmM7tRYk01lyi+1d1+eZ6ycRGhd5PgWgcLTyhAWWkm7fkwRCDu+w MH6OZR7fuOhrKQeOW/OSJgEtNHj5+OUXpzjBuBvreLK9J5az0qDcIjcYnFIV0I1WAnxb HhdA== X-Gm-Message-State: AN3rC/7W8S1wdl1y11hMDINY419KYPocj+CHuzH3XH+pElSqoYd3skJp oEbZVapQPG/86EuP X-Received: by 10.84.199.194 with SMTP id d2mr8162688plh.33.1493304179245; Thu, 27 Apr 2017 07:42:59 -0700 (PDT) From: Thomas Garnier To: Martin Schwidefsky , Heiko Carstens , Dave Hansen , Arnd Bergmann , Andrew Morton , Al Viro , Thomas Garnier , David Howells , =?UTF-8?q?Ren=C3=A9=20Nyffenegger?= , "Paul E . McKenney" , Ingo Molnar , Thomas Gleixner , "Eric W . Biederman" , Oleg Nesterov , Pavel Tikhomirov , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Paolo Bonzini , Rik van Riel , Kees Cook , Josh Poimboeuf , Borislav Petkov , Brian Gerst , "Kirill A . Shutemov" , Christian Borntraeger , Russell King , Will Deacon , Catalin Marinas , Mark Rutland , James Morse Cc: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com Date: Thu, 27 Apr 2017 07:42:27 -0700 Message-Id: <20170427144227.113630-1-thgarnie@google.com> X-Mailer: git-send-email 2.13.0.rc0.306.g87b477812d-goog In-Reply-To: References: Subject: [kernel-hardening] [PATCH v8 1/4] syscalls: Verify address limit before returning to user-mode X-Virus-Scanned: ClamAV using ClamSMTP Ensure that a syscall does not return to user-mode with a kernel address limit. If that happens, a process can corrupt kernel-mode memory and elevate privileges [1]. The CONFIG_ADDR_LIMIT_CHECK option disables the generic check so each architecture can create optimized versions. [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=990 Signed-off-by: Thomas Garnier Tested-by: Kees Cook --- Based on next-20170426 --- arch/s390/Kconfig | 1 + include/linux/syscalls.h | 27 ++++++++++++++++++++++++++- init/Kconfig | 6 ++++++ kernel/sys.c | 13 +++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index d25435d94b6e..164de1d24e92 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -103,6 +103,7 @@ config S390 select ARCH_INLINE_WRITE_UNLOCK_BH select ARCH_INLINE_WRITE_UNLOCK_IRQ select ARCH_INLINE_WRITE_UNLOCK_IRQRESTORE + select ADDR_LIMIT_CHECK select ARCH_SAVE_PAGE_KEYS if HIBERNATION select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 980c3c9b06f8..ebde64f1622c 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -191,6 +191,28 @@ extern struct trace_event_functions exit_syscall_print_funcs; SYSCALL_METADATA(sname, x, __VA_ARGS__) \ __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) + +/* + * Called before coming back to user-mode. Returning to user-mode with an + * address limit different than USER_DS can allow to overwrite kernel memory. + */ +static inline void addr_limit_check_syscall(void) +{ + BUG_ON(!segment_eq(get_fs(), USER_DS)); +} + +#ifndef CONFIG_ADDR_LIMIT_CHECK +#define ADDR_LIMIT_CHECK_PRE() \ + bool user_caller = segment_eq(get_fs(), USER_DS) +#define ADDR_LIMIT_CHECK_POST() \ + if (user_caller) addr_limit_check_syscall() +#else +#define ADDR_LIMIT_CHECK_PRE() +#define ADDR_LIMIT_CHECK_POST() +asmlinkage void addr_limit_check_failed(void) __noreturn; +#endif + + #define __PROTECT(...) asmlinkage_protect(__VA_ARGS__) #define __SYSCALL_DEFINEx(x, name, ...) \ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ @@ -199,7 +221,10 @@ extern struct trace_event_functions exit_syscall_print_funcs; asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ { \ - long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + long ret; \ + ADDR_LIMIT_CHECK_PRE(); \ + ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + ADDR_LIMIT_CHECK_POST(); \ __MAP(x,__SC_TEST,__VA_ARGS__); \ __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \ return ret; \ diff --git a/init/Kconfig b/init/Kconfig index 42a346b0df43..599d9fe30703 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1961,6 +1961,12 @@ config PROFILING config TRACEPOINTS bool +config ADDR_LIMIT_CHECK + bool + help + Disable the generic address limit check. Allow each architecture to + optimize how and when the verification is done. + source "arch/Kconfig" endmenu # General setup diff --git a/kernel/sys.c b/kernel/sys.c index 8a94b4eabcaa..a1cbcd715d62 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2458,3 +2458,16 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info) return 0; } #endif /* CONFIG_COMPAT */ + +#ifdef CONFIG_ADDR_LIMIT_CHECK +/* + * Used when an architecture specific implementation detects an invalid address + * limit. This function does not return. + */ +asmlinkage void addr_limit_check_failed(void) +{ + /* Try to fail on the generic address limit check */ + addr_limit_check_syscall(); + panic("Invalid address limit before returning to user-mode"); +} +#endif