From patchwork Fri Nov 3 23:04:26 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Laura Abbott X-Patchwork-Id: 10041329 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1FE4B600C5 for ; Fri, 3 Nov 2017 23:04:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 10F4A29973 for ; Fri, 3 Nov 2017 23:04:56 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0422C299D6; Fri, 3 Nov 2017 23:04:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 2CD4329973 for ; Fri, 3 Nov 2017 23:04:54 +0000 (UTC) Received: (qmail 25762 invoked by uid 550); 3 Nov 2017 23:04:48 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 25632 invoked from network); 3 Nov 2017 23:04:46 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=VOBp6gH+UlFS29mR9UtPyITNYq4q9z8CWZX+F3w3Izw=; b=DZUWzPmNe+mIynp7hIAMHt7nwq7IDN7RL7tvPfChZn3wtv6iPoHuJM5F4SSLv0aATw 7Sf2wDGRvg/2XMB5H+dcwcuib8Wf7QYrWZiqiEbbwBdJ7pU5BnMqDwCmJwjxBNlqVGh6 GaGTcPsswmWr+Zu3TsxupJCkxfSkL1UwG3Ii38A+t9Fz2NLyurVmL4RbcGLr0xbY4kFO A23znECwK3sOmGZLYs5+aayD+CIRpK7nJaRPAN0fWq5f7Udp1VvwELn/pIF7FOpQAZEb RAx0mECzEJb1HH0W7XJtgOSJnLgrBZES96w/j3DXt/PCGE+ZkPNmEORBCrJpltn9Zomi PQLA== X-Gm-Message-State: AMCzsaXKy6cql0Bs+DERESkzli+773Hr+OVUFhhRzQcSf9yzqHyKJtn+ rqFYtgrUFhu5LV/HOjpvz8FCrP0scGA= X-Google-Smtp-Source: ABhQp+SnWw4j2HrGHUnCXcStHNyB9iMEupZXMAndW3QeqNF00mJLKaykEdq0RxKoK8YsaQlDfYOJIA== X-Received: by 10.202.75.207 with SMTP id y198mr4731818oia.204.1509750274865; Fri, 03 Nov 2017 16:04:34 -0700 (PDT) From: Laura Abbott To: kernel-hardening@lists.openwall.com Cc: Laura Abbott , linux-kernel@vger.kernel.org, Mark Rutland , Kees Cook , x86@kernel.org Date: Fri, 3 Nov 2017 16:04:26 -0700 Message-Id: <20171103230426.19114-2-labbott@redhat.com> X-Mailer: git-send-email 2.13.5 In-Reply-To: <20171103230426.19114-1-labbott@redhat.com> References: <20171103230426.19114-1-labbott@redhat.com> Subject: [kernel-hardening] [RFC PATCH 2/2] x86: Allow paranoid __{get, put}_user X-Virus-Scanned: ClamAV using ClamSMTP __{get,put}_user calls are designed to be fast and have no checks, relying on the caller to have made the appropriate calls previously. It's very easy to forget a check though, leaving the kernel vulnerable to exploits. Add an option to do the checks and kill the kernel if it catches something bad. Signed-off-by: Laura Abbott --- This is the actual implemtation for __{get,put}_user on x86 based on Mark Rutland's work for arm66 lkml.kernel.org/r/<20171026090942.7041-1-mark.rutland@arm.com> x86 turns out to be easier since the safe and unsafe paths are mostly disjoint so we don't have to worry about gcc optimizing out access_ok. I tweaked the Kconfig to someting a bit more generic. The size increase was ~8K in text with a config I tested. --- arch/x86/Kconfig | 3 +++ arch/x86/include/asm/uaccess.h | 11 ++++++++++- security/Kconfig | 11 +++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 2fdb23313dd5..10c6e150a91e 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -261,6 +261,9 @@ config RWSEM_XCHGADD_ALGORITHM config GENERIC_CALIBRATE_DELAY def_bool y +config ARCH_HAS_PARANOID_UACCESS + def_bool y + config ARCH_HAS_CPU_RELAX def_bool y diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index d23fb5844404..767febe1c720 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -132,6 +132,13 @@ extern int __get_user_bad(void); #define __inttype(x) \ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + +#define verify_uaccess(dir, ptr) \ +({ \ + if (IS_ENABLED(CONFIG_PARANOID_UACCESS)) \ + BUG_ON(!access_ok(dir, (ptr), sizeof(*(ptr)))); \ +}) + /** * get_user: - Get a simple variable from user space. * @x: Variable to store result. @@ -278,6 +285,7 @@ do { \ typeof(ptr) __pu_ptr = (ptr); \ retval = 0; \ __chk_user_ptr(__pu_ptr); \ + verify_uaccess(VERIFY_WRITE, __pu_ptr); \ switch (size) { \ case 1: \ __put_user_asm(x, __pu_ptr, retval, "b", "b", "iq", \ @@ -293,7 +301,7 @@ do { \ break; \ case 8: \ __put_user_asm_u64((__typeof__(*ptr))(x), __pu_ptr, \ - retval, \ errret); \ + retval, errret); \ break; \ default: \ __put_user_bad(); \ @@ -359,6 +367,7 @@ do { \ typeof(ptr) __gu_ptr = (ptr); \ retval = 0; \ __chk_user_ptr(__gu_ptr); \ + verify_uaccess(VERIFY_READ, __gu_ptr); \ switch (size) { \ case 1: \ __get_user_asm(x, __gu_ptr, retval, "b", "b", "=q", \ diff --git a/security/Kconfig b/security/Kconfig index e8e449444e65..0a9ec1a4e86b 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -205,6 +205,17 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config PARANOID_UACCESS + bool "Use paranoid uaccess primitives" + depends on ARCH_HAS_PARANOID_UACCESS + help + Forces access_ok() checks in __get_user(), __put_user(), and other + low-level uaccess primitives which usually do not have checks. This + can limit the effect of missing access_ok() checks in higher-level + primitives, with a runtime performance overhead in some cases and a + small code size overhead. + + source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig