| Message ID | 201911181308.63F06502A1@keescook (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | x86/mtrr: Require CAP_SYS_ADMIN for all access | expand |
On Mon, Nov 18, 2019 at 01:09:21PM -0800, Kees Cook wrote: > Zhang Xiaoxu noted that physical address locations for MTRR were > visible to non-root users, which could be considered an information > leak. In discussing[1] the options for solving this, it sounded like > just moving the capable check into open() was the first step. If this > breaks userspace, then we will have a test case for the more conservative > approaches discussed in the thread. In summary: > > - MTRR should check capabilities at open time (or retain the > checks on the opener's permissions for later checks). > > - changing the DAC permissions might break something that expects to > open mtrr when not uid 0. > > - if we leave the DAC permissions alone and just move the capable check > to the opener, we should get the desired protection. (i.e. check > against CAP_SYS_ADMIN not just the wider uid 0.) > > - if that still breaks things, as in userspace expects to be able to > read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then > we need to censor the contents using the opener's permissions. For > example, as done in other /proc cases, like commit 51d7b120418e > ("/proc/iomem: only expose physical resource addresses to privileged > users"). > > [1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/ > > Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > arch/x86/kernel/cpu/mtrr/if.c | 21 ++------------------- > 1 file changed, 2 insertions(+), 19 deletions(-) Yap, LGTM, thanks! Reviewed-by: Borislav Petkov <bp@suse.de> However, as it has a user-visible impact and it is not an urgent thing to have in the tree, I'd not queue this now but after the merge window is done so that we have a maximum time of exposure in linux-next and we can have ample time to addres fallout. /me puts it on the list for after the merge window. Thx.
On Tue, 19 Nov 2019, Borislav Petkov wrote: > > arch/x86/kernel/cpu/mtrr/if.c | 21 ++------------------- > > 1 file changed, 2 insertions(+), 19 deletions(-) > > Yap, LGTM, thanks! > > Reviewed-by: Borislav Petkov <bp@suse.de> Acked-by: James Morris <jamorris@linux.microsoft.com>
diff --git a/arch/x86/kernel/cpu/mtrr/if.c b/arch/x86/kernel/cpu/mtrr/if.c index 4d36dcc1cf87..9c86aeae1b14 100644 --- a/arch/x86/kernel/cpu/mtrr/if.c +++ b/arch/x86/kernel/cpu/mtrr/if.c @@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos) int length; size_t linelen; - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; - memset(line, 0, LINE_SIZE); len = min_t(size_t, len, LINE_SIZE - 1); @@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) #ifdef CONFIG_COMPAT case MTRRIOC32_ADD_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_file_add(sentry.base, sentry.size, sentry.type, true, file, 0); @@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) #ifdef CONFIG_COMPAT case MTRRIOC32_SET_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_add(sentry.base, sentry.size, sentry.type, false); break; case MTRRIOC_DEL_ENTRY: #ifdef CONFIG_COMPAT case MTRRIOC32_DEL_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_file_del(sentry.base, sentry.size, file, 0); break; case MTRRIOC_KILL_ENTRY: #ifdef CONFIG_COMPAT case MTRRIOC32_KILL_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_del(-1, sentry.base, sentry.size); break; case MTRRIOC_GET_ENTRY: @@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) #ifdef CONFIG_COMPAT case MTRRIOC32_ADD_PAGE_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_file_add(sentry.base, sentry.size, sentry.type, true, file, 1); @@ -289,8 +276,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) #ifdef CONFIG_COMPAT case MTRRIOC32_SET_PAGE_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_add_page(sentry.base, sentry.size, sentry.type, false); break; @@ -298,16 +283,12 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg) #ifdef CONFIG_COMPAT case MTRRIOC32_DEL_PAGE_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_file_del(sentry.base, sentry.size, file, 1); break; case MTRRIOC_KILL_PAGE_ENTRY: #ifdef CONFIG_COMPAT case MTRRIOC32_KILL_PAGE_ENTRY: #endif - if (!capable(CAP_SYS_ADMIN)) - return -EPERM; err = mtrr_del_page(-1, sentry.base, sentry.size); break; case MTRRIOC_GET_PAGE_ENTRY: @@ -381,6 +362,8 @@ static int mtrr_open(struct inode *inode, struct file *file) return -EIO; if (!mtrr_if->get) return -ENXIO; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; return single_open(file, mtrr_seq_show, NULL); }
Zhang Xiaoxu noted that physical address locations for MTRR were visible to non-root users, which could be considered an information leak. In discussing[1] the options for solving this, it sounded like just moving the capable check into open() was the first step. If this breaks userspace, then we will have a test case for the more conservative approaches discussed in the thread. In summary: - MTRR should check capabilities at open time (or retain the checks on the opener's permissions for later checks). - changing the DAC permissions might break something that expects to open mtrr when not uid 0. - if we leave the DAC permissions alone and just move the capable check to the opener, we should get the desired protection. (i.e. check against CAP_SYS_ADMIN not just the wider uid 0.) - if that still breaks things, as in userspace expects to be able to read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then we need to censor the contents using the opener's permissions. For example, as done in other /proc cases, like commit 51d7b120418e ("/proc/iomem: only expose physical resource addresses to privileged users"). [1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/ Reported-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com> Signed-off-by: Kees Cook <keescook@chromium.org> --- arch/x86/kernel/cpu/mtrr/if.c | 21 ++------------------- 1 file changed, 2 insertions(+), 19 deletions(-)