From patchwork Thu Feb 9 18:33:58 2017
X-Patchwork-Submitter: Thomas Garnier
X-Patchwork-Id: 9565347
From: Thomas Garnier
To: Dave Hansen, Arnd Bergmann, René Nyffenegger, Stephen Bates, Jeff Moyer, Milosz Tanski, Thomas Garnier
Cc: linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Date: Thu, 9 Feb 2017 10:33:58 -0800
Message-Id: <20170209183358.103094-1-thgarnie@google.com>
Subject: [kernel-hardening] [RFC] syscalls: Restore address limit after a syscall

This patch prevents a syscall from modifying the address limit of the
caller. The address limit is kept by the syscall wrapper and restored
just after the syscall ends.

For example, it would mitigate this bug:

- https://bugs.chromium.org/p/project-zero/issues/detail?id=990

Signed-off-by: Thomas Garnier
---
Based on next-20170209
---
 include/linux/syscalls.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 91a740f6b884..a1b6a62a9849 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h
@@ -198,7 +198,10 @@ extern struct trace_event_functions exit_syscall_print_funcs; asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ { \ - long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + long ret; \ + mm_segment_t fs = get_fs(); \ + ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + set_fs(fs); \ __MAP(x,__SC_TEST,__VA_ARGS__); \ __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \ return ret; \
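
Review bot: the `set_fs(fs);` placed right after the `SYSC##name(...)` call restores the saved limit unconditionally, so a syscall that returns with a changed address limit is corrected silently and the code path that left it changed is never reported. Consider comparing `get_fs()` with the saved `fs` before restoring and warning when they differ, so the offending syscall can be identified and fixed instead of only being masked. The wrapper body also gains the `mm_segment_t fs = get_fs();` save with no comment; a short comment above the macro stating why the limit is preserved across the call would help anyone reading `include/linux/syscalls.h`. Since the change touches only this one `SyS##name` wrapper, the commit message should say which syscall entry points it is meant to cover.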