From: "Tobin C. Harding"
To: kernel-hardening@lists.openwall.com
Cc: "Tobin C. Harding"
Date: Thu, 2 Nov 2017 17:16:30 +1100
Message-Id: <1509603390-7587-3-git-send-email-me@tobin.cc>
In-Reply-To: <1509603390-7587-1-git-send-email-me@tobin.cc>
References: <1509603390-7587-1-git-send-email-me@tobin.cc>
Subject: [kernel-hardening] [RFC 2/2] seq_file: sanitize for non-privileged processes
X-Patchwork-Submitter: Tobin Harding
X-Patchwork-Id: 10037959

Kernel addresses should not be leaked to user space. Currently the only mechanism we have to restrict kernel addresses from leaking is the sysctl kptr_restrict. We don't need to rely on this mechanism, we can sanitize kernel addresses in seq_files whenever a non-privileged process attempts to show them.

Call vsnprintf_sanitize() for non-privileged processes.

Signed-off-by: Tobin C. Harding

--- fs/seq_file.c | 13 ++++++++++++- include/linux/seq_file.h | 1 + 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/seq_file.c b/fs/seq_file.c index dc7c2be963ed..740980339b7f 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c 
@@ -46,6 +46,7 @@ static void *seq_buf_alloc(unsigned long size) */ int seq_open(struct file *file, const struct seq_operations *op) { + const struct cred *cred = current_cred(); struct seq_file *p; WARN_ON(file->private_data); @@ -80,6 +81,12 @@ int seq_open(struct file *file, const struct seq_operations *op) * file.open() which calls seq_open() and then sets FMODE_PWRITE. */ file->f_mode &= ~FMODE_PWRITE; + + p->sanitize = true; + if (uid_eq(cred->uid, GLOBAL_ROOT_UID) || + uid_eq(cred->euid, GLOBAL_ROOT_UID)) { + p->sanitize = false; + } return 0; } EXPORT_SYMBOL(seq_open); @@ -391,9 +398,13 @@ EXPORT_SYMBOL(seq_escape); void seq_vprintf(struct seq_file *m, const char *f, va_list args) { int len; + int (*fn)(char *, size_t, const char *, va_list) = vsnprintf_sanitize; + + if (m->sanitize == false) + fn = vsnprintf; if (m->count < m->size) { - len = vsnprintf(m->buf + m->count, m->size - m->count, f, args); + len = fn(m->buf + m->count, m->size - m->count, f, args); if (m->count + len < m->size) { m->count += len; return; diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h index e305b66a9fb9..45840c866e26 100644 --- a/include/linux/seq_file.h +++ b/include/linux/seq_file.h @@ -25,6 +25,7 @@ struct seq_file { const struct seq_operations *op; int poll_event; const struct file *file; + bool sanitize; void *private; };
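
Review bot: The privilege test added to seq_open() (second hunk of fs/seq_file.c) keys on identity rather than capability: it compares cred->uid and cred->euid against GLOBAL_ROOT_UID, and because either match clears the flag, any process whose euid is 0, a setuid-root program started by an ordinary user included, reads unsanitized output. The check also ignores user namespaces only by accident of using the global root uid, and it gives a root process that has dropped its capabilities the same view as a fully privileged one. Consider a capability check such as CAP_SYSLOG, which is what kptr_restrict=1 already uses for %pK, so the two mechanisms agree on who counts as privileged. If the uid comparison stays, it reduces to one assignment, p->sanitize = !(uid_eq(cred->uid, GLOBAL_ROOT_UID) || uid_eq(cred->euid, GLOBAL_ROOT_UID)), and the braces around the single-statement body should go.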
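
Review bot: In the seq_vprintf() hunk the sanitizing formatter is chosen only on this one output path, so an address that a show() callback formats itself and then emits through another seq_file helper is not covered; the commit message should state that limit, or the series should route the other emitters through the same decision. vsnprintf_sanitize() is not defined in this patch, so the changelog should say it comes from 1/2 and that it returns the would-be length like vsnprintf(), since the unchanged m->count + len < m->size test depends on that. On style, write the test as if (!m->sanitize) instead of comparing with false, and a plain if/else around the two calls reads more easily than a function pointer that defaults to one callee and is then overwritten.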
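
Review bot: The new bool sanitize member in struct seq_file (include/linux/seq_file.h hunk) has the unsafe polarity and no documentation: a zeroed structure reads as sanitize == false, which seq_vprintf() treats as "print raw addresses", so any seq_file that does not pass through the assignment in seq_open() fails open. Inverting the meaning, so that the zero value selects sanitized output and only an explicit privileged open sets the flag, would make the default fail closed. Please also add a one-line comment on the field saying that it is decided once at open time from the opener's credentials.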