From patchwork Fri Apr 28 15:32:10 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thomas Garnier X-Patchwork-Id: 9704981 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 3FD17602BE for ; Fri, 28 Apr 2017 15:32:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2F88928458 for ; Fri, 28 Apr 2017 15:32:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2169A28682; Fri, 28 Apr 2017 15:32:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 1493D28458 for ; Fri, 28 Apr 2017 15:32:35 +0000 (UTC) Received: (qmail 19661 invoked by uid 550); 28 Apr 2017 15:32:33 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 19642 invoked from network); 28 Apr 2017 15:32:32 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=MXJqu+X9IrOUS05bHcvDJpooI5H/IznEWjDdJoGYeh0=; b=YwX8O0MvQG9QhIAIMHhzJz0ecnyPsQ1OXoyBcsJjn8oEqja2fw+ilIacNCsmM4jXzk jsh2LXmzmH5u2rkIB2K/5cpvkBs5BcrR7es9x649ZMOBUpYoWKu3YnflWQe9L2iznxzx 7Xm2emUgvoalC1YP3ICkEcyDso8OewunMkt231UidmIEgAvnT2SqsRdQVmenXuhSLnzw 00+sSrzzu9fdhngrqnOB4U+kCR1kIm/wmCpEsbTNjl4M1axmpLSTSUFYdH0887M1c7mz iDi2euafjPmymw6UkTdKqITOvjvqkIbyC/6C0Jzd9hqvo2E8pUVQJAgsXkDqOnn504hG +M4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=MXJqu+X9IrOUS05bHcvDJpooI5H/IznEWjDdJoGYeh0=; b=GGdrdOWdjK9aNbJmzfopYJo59ACjU3/AP09KtxOHk8oL3XRtu5ebG+aU0Psah+tx3R gsA+N6NP8J3WzB4u8JKUfB2Ztym+zV+Spu26S0cIzYFNkM64WoTlt6VgUvyl+8Z7WBst z3BB6S0O78Td6VMIkWrMti4r8W4hT9pzkjGw7dt4NWoBNxSEJp33z/jVLngw1XidGZJS iV0/Afli6PtLkHStftjd+6rD1b7uxerpty4DFp/qxx/7ZNI7kLt/4arYQfVidDft8M9p KT99G7TvyVCCvqtijsjxhsQB2addQziypmFx2X4k0ptAmJP7M95X7EA2Je0SC1RdffbK cVEw== X-Gm-Message-State: AN3rC/5OTimbNY9Xn8NVJ3ZmYJfpkRWj1t6W2QhpBF/CXCANxjcFSMwB yNKU19/AYy6x1Ggg X-Received: by 10.84.208.102 with SMTP id f35mr16118958plh.19.1493393539563; Fri, 28 Apr 2017 08:32:19 -0700 (PDT) From: Thomas Garnier To: Martin Schwidefsky , Heiko Carstens , Dave Hansen , Arnd Bergmann , Thomas Gleixner , David Howells , Thomas Garnier , =?UTF-8?q?Ren=C3=A9=20Nyffenegger?= , Andrew Morton , "Paul E . McKenney" , Ingo Molnar , "Eric W . Biederman" , Oleg Nesterov , Pavel Tikhomirov , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Paolo Bonzini , Rik van Riel , Kees Cook , Josh Poimboeuf , Borislav Petkov , Brian Gerst , "Kirill A . Shutemov" , Christian Borntraeger , Russell King , Will Deacon , Catalin Marinas , Mark Rutland , James Morse Cc: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, x86@kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com Date: Fri, 28 Apr 2017 08:32:10 -0700 Message-Id: <20170428153213.137279-1-thgarnie@google.com> X-Mailer: git-send-email 2.13.0.rc0.306.g87b477812d-goog Subject: [kernel-hardening] [PATCH v9 1/4] syscalls: Verify address limit before returning to user-mode X-Virus-Scanned: ClamAV using ClamSMTP Ensure that a syscall does not return to user-mode with a kernel address limit. If that happens, a process can corrupt kernel-mode memory and elevate privileges [1]. The CONFIG_ADDR_LIMIT_CHECK option disables the generic check so each architecture can create optimized versions. This option is enabled by default on s390 because a similar feature already exists. [1] https://bugs.chromium.org/p/project-zero/issues/detail?id=990 Signed-off-by: Thomas Garnier Tested-by: Kees Cook --- Based on next-20170426 --- arch/s390/Kconfig | 1 + include/linux/syscalls.h | 27 ++++++++++++++++++++++++++- init/Kconfig | 6 ++++++ kernel/sys.c | 13 +++++++++++++ 4 files changed, 46 insertions(+), 1 deletion(-) diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index d25435d94b6e..3d2ec084d5fc 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -64,6 +64,7 @@ config ARCH_SUPPORTS_UPROBES config S390 def_bool y + select ADDR_LIMIT_CHECK select ARCH_HAS_DEVMEM_IS_ALLOWED select ARCH_HAS_ELF_RANDOMIZE select ARCH_HAS_GCOV_PROFILE_ALL diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 980c3c9b06f8..e534b93ce43a 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -191,6 +191,28 @@ extern struct trace_event_functions exit_syscall_print_funcs; SYSCALL_METADATA(sname, x, __VA_ARGS__) \ __SYSCALL_DEFINEx(x, sname, __VA_ARGS__) + +/* + * Called before coming back to user-mode. Returning to user-mode with an + * address limit different than USER_DS can allow to overwrite kernel memory. + */ +static inline void addr_limit_check_syscall(void) +{ + BUG_ON(!segment_eq(get_fs(), USER_DS)); +} + +#ifndef CONFIG_ADDR_LIMIT_CHECK +#define ADDR_LIMIT_CHECK_PRE() \ + bool user_caller = segment_eq(get_fs(), USER_DS) +#define ADDR_LIMIT_CHECK_POST() \ + if (user_caller) addr_limit_check_syscall() +#else +#define ADDR_LIMIT_CHECK_PRE() +#define ADDR_LIMIT_CHECK_POST() +asmlinkage void addr_limit_check_failed(void) __noreturn; +#endif + + #define __PROTECT(...) asmlinkage_protect(__VA_ARGS__) #define __SYSCALL_DEFINEx(x, name, ...) \ asmlinkage long sys##name(__MAP(x,__SC_DECL,__VA_ARGS__)) \ @@ -199,7 +221,10 @@ extern struct trace_event_functions exit_syscall_print_funcs; asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)); \ asmlinkage long SyS##name(__MAP(x,__SC_LONG,__VA_ARGS__)) \ { \ - long ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + long ret; \ + ADDR_LIMIT_CHECK_PRE(); \ + ret = SYSC##name(__MAP(x,__SC_CAST,__VA_ARGS__)); \ + ADDR_LIMIT_CHECK_POST(); \ __MAP(x,__SC_TEST,__VA_ARGS__); \ __PROTECT(x, ret,__MAP(x,__SC_ARGS,__VA_ARGS__)); \ return ret; \ diff --git a/init/Kconfig b/init/Kconfig index 42a346b0df43..599d9fe30703 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1961,6 +1961,12 @@ config PROFILING config TRACEPOINTS bool +config ADDR_LIMIT_CHECK + bool + help + Disable the generic address limit check. Allow each architecture to + optimize how and when the verification is done. + source "arch/Kconfig" endmenu # General setup diff --git a/kernel/sys.c b/kernel/sys.c index 8a94b4eabcaa..a1cbcd715d62 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2458,3 +2458,16 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info) return 0; } #endif /* CONFIG_COMPAT */ + +#ifdef CONFIG_ADDR_LIMIT_CHECK +/* + * Used when an architecture specific implementation detects an invalid address + * limit. This function does not return. + */ +asmlinkage void addr_limit_check_failed(void) +{ + /* Try to fail on the generic address limit check */ + addr_limit_check_syscall(); + panic("Invalid address limit before returning to user-mode"); +} +#endif