From patchwork Wed Apr 26 18:34:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Garnier X-Patchwork-Id: 9701813 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E88076032C for ; Wed, 26 Apr 2017 18:35:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DEE2128399 for ; Wed, 26 Apr 2017 18:35:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D2D31285F2; Wed, 26 Apr 2017 18:35:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 2A79528399 for ; Wed, 26 Apr 2017 18:35:06 +0000 (UTC) Received: (qmail 20396 invoked by uid 550); 26 Apr 2017 18:35:04 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 20372 invoked from network); 26 Apr 2017 18:35:03 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=E8uMIKTXTk0HDHqW/2D9pLGkIdNmBo7aYhEP0sOljik=; b=Tp5w6NB5d9wKNvOID8eaqkpMX+Z1xrZEsW4tgUE3GGCXOkjqiedjMaXS3DdUCRVAkP rstJrBylBol6+K0sOY+4fFhEY4CxEkCRk6aOClNVBNMl0lF08yERllX04T3MHv9oMVzw nHHx8hqEDWG23Xn+J6KrotRj/YBU1mh3yi3PW8b3KvIm8123tUwwx+qlkLroAks2fnZb pXKPbY1swWlWsabB5OnKRDVkMAQUS4BN1DyaPLuqgot0/idAj458O1zahb0FEqtOf2sG vLG1mmYWY/POLtlblwNPmhhGvbNvBZsFAocZGgNHIMpY9hVYD2voGk+EJ5ukLMpxclWn X8OQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=E8uMIKTXTk0HDHqW/2D9pLGkIdNmBo7aYhEP0sOljik=; b=CsPXHFiyOrXqdqrdpGltNaaGlD4J11q4lfmXMKNkDg2Eg0Ln6ULvPBmUCms1x0IPqe RJt5n9VO38/V2aR6slzvq1poTNFplsSEL9su7Rxbtdu9PI2NLOkpufnd0xc5WIqpANn6 zHLc0aoC/VdNc2/pM9cVOUMk05pM85H//It9Gnd9lwpMCsiODT2o0ZDuHL40P4VelPSh 1id0lEsS2gHB3gHt781+shHtz7RkdpUXcsIUY5Z9glbSybEVICeoMGcxt3mAcvgxkOAb rpDHwU0lTlg69k3tqwPaNl2mK2iGBevNcFWVr42oynkO9ZNahJ/S8lsM+S4Dr1Ml9Jhr 7yBw== X-Gm-Message-State: AN3rC/7k4EwZwe3+u9WdFAFTFK4kXVbCvDGM7RczN6jm0f8iLra8Qh7p OGNDXNQrrTxA4u7M X-Received: by 10.84.217.205 with SMTP id d13mr1636699plj.114.1493231690823; Wed, 26 Apr 2017 11:34:50 -0700 (PDT) From: Thomas Garnier To: Martin Schwidefsky , Heiko Carstens , Dave Hansen , Arnd Bergmann , David Howells , =?UTF-8?q?Ren=C3=A9=20Nyffenegger?= , Thomas Garnier , Andrew Morton , "Paul E . McKenney" , Ingo Molnar , "Eric W . Biederman" , Thomas Gleixner , Oleg Nesterov , Pavel Tikhomirov , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Paolo Bonzini , Kees Cook , Rik van Riel , Josh Poimboeuf , Borislav Petkov , Brian Gerst , "Kirill A . Shutemov" , Christian Borntraeger , Russell King , Will Deacon , Catalin Marinas , Mark Rutland , James Morse Cc: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com Date: Wed, 26 Apr 2017 11:34:22 -0700 Message-Id: <20170426183425.32158-1-thgarnie@google.com> X-Mailer: git-send-email 2.13.0.rc0.306.g87b477812d-goog Subject: [kernel-hardening] [PATCH v8 1/4] syscalls: Verify address limit before returning to user-mode X-Virus-Scanned: ClamAV using ClamSMTP Ensure that a syscall does not return to user-mode with a kernel address limit. If that happens, a process can corrupt kernel-mode memory and elevate privileges [1]. The CONFIG_ADDR_LIMIT_CHECK option disables the generic check so each architecture can create optimized versions. [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=990 Signed-off-by: Thomas Garnier Tested-by: Kees Cook --- Based on next-20170426 --- arch/s390/Kconfig | 1 + include/linux/syscalls.h | 27 ++++++++++++++++++++++++++- init/Kconfig | 6 ++++++ kernel/sys.c | 13 +++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index d25435d94b6e..164de1d24e92 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -103,6 +103,7 @@ config S390 select ARCH_INLINE_WRITE_UNLOCK_BH select ARCH_INLINE_WRITE_UNLOCK_IRQ select ARCH_INLINE_WRITE_UNLOCK_IRQRESTORE + select ADDR_LIMIT_CHECK select ARCH_SAVE_PAGE_KEYS if HIBERNATION select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 980c3c9b06f8..ebde64f1622c 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -191,6 +191,28 @@ extern struct trace_event_functions exit_syscall_print_funcs; SYSCALL_METADATA(sname, x, __VA_ARGS__) \ __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) + +/* + * Called before coming back to user-mode. Returning to user-mode with an + * address limit different than USER_DS can allow to overwrite kernel memory. + */ +static inline void addr_limit_check_syscall(void) +{ + BUG_ON(!segment_eq(get_fs(), USER_DS)); +} + +#ifndef CONFIG_ADDR_LIMIT_CHECK +#define __CHECK_USERMODE_SYSCALL() \ + bool user_caller = segment_eq(get_fs(), USER_DS) +#define __VERIFY_ADDR_LIMIT() \ + if (user_caller) addr_limit_check_syscall() +#else +#define __CHECK_USERMODE_SYSCALL() +#define __VERIFY_ADDR_LIMIT() +asmlinkage void addr_limit_check_failed(void) __noreturn; +#endif + + #define __PROTECT(...) asmlinkage_protect(__VA_ARGS__) #define __SYSCALL_DEFINEx(x, name, ...) \ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ @@ -199,7 +221,10 @@ extern struct trace_event_functions exit_syscall_print_funcs; asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ { \ - long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + long ret; \ + __CHECK_USERMODE_SYSCALL(); \ + ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + __VERIFY_ADDR_LIMIT(); \ __MAP(x,__SC_TEST,__VA_ARGS__); \ __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \ return ret; \ diff --git a/init/Kconfig b/init/Kconfig index 42a346b0df43..599d9fe30703 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1961,6 +1961,12 @@ config PROFILING config TRACEPOINTS bool +config ADDR_LIMIT_CHECK + bool + help + Disable the generic address limit check. Allow each architecture to + optimize how and when the verification is done. + source "arch/Kconfig" endmenu # General setup diff --git a/kernel/sys.c b/kernel/sys.c index 8a94b4eabcaa..a1cbcd715d62 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2458,3 +2458,16 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info) return 0; } #endif /* CONFIG_COMPAT */ + +#ifdef CONFIG_ADDR_LIMIT_CHECK +/* + * Used when an architecture specific implementation detects an invalid address + * limit. This function does not return. + */ +asmlinkage void addr_limit_check_failed(void) +{ + /* Try to fail on the generic address limit check */ + addr_limit_check_syscall(); + panic("Invalid address limit before returning to user-mode"); +} +#endif