lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 16 Nov 2008 01:03:43 +0100
From:	Bernhard Walle <bwalle@...e.de>
To:	x86@...nel.org
Cc:	linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org,
	Bernhard Walle <bwalle@...e.de>
Subject: [PATCH 2/2] Add dev.mem.restricted sysctl

When CONFIG_STRICT_DEVMEM is set, live debugging is not possible with the
crash utility (see http://people.redhat.com/~anderson). For distributors
who ship a generic kernel it's difficult: Disabling CONFIG_STRICT_DEVMEM
is possible, but in general the protection provided by CONFIG_STRICT_DEVMEM
is useful. However, live debugging should be still neceessary.

This patch now adds a dev.mem.restricted sysctl that defaults to 0 (off).
When set to 1 (on), /dev/mem access is unrestricted and crash can be used.

>From a security point of view the sysctl should be no problem. It's already
possible to circumvent that restriction if you have root access by loading
a kernel module that installs a kretprobe that returns 1 for the check function.

I thought of a command line parameter first, but we already have lots of
command line parameters and rebooting the machine is more difficult than
just setting a sysctl to 1. It may be possible to implement setting that
variable in the tools automatically, but that's out of the scope of that
patch for the kernel and should also not be discussed on LKML.


Signed-off-by: Bernhard Walle <bwalle@...e.de>
---
 arch/x86/include/asm/page.h |    7 +++++
 arch/x86/mm/pat.c           |    9 +------
 drivers/char/mem.c          |   57 +++++++++++++++++++++++++++++++++++++-----
 include/linux/sysctl.h      |    6 ++++
 kernel/sysctl_check.c       |    7 +++++
 5 files changed, 71 insertions(+), 15 deletions(-)

diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
index b768401..e5fe778 100644
--- a/arch/x86/include/asm/page.h
+++ b/arch/x86/include/asm/page.h
@@ -65,6 +65,13 @@ extern void unmap_devmem(unsigned long pfn, unsigned long size,
 			 pgprot_t vma_prot);
 #define __HAVE_ARCH_RANGE_IS_ALLOWED 1
 
+
+#ifdef CONFIG_STRICT_DEVMEM
+extern int devmem_restricted;
+#else
+#define devmem_restricted 0
+#endif
+
 extern unsigned long max_low_pfn_mapped;
 extern unsigned long max_pfn_mapped;
 
diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
index eb1bf00..c80ced4 100644
--- a/arch/x86/mm/pat.c
+++ b/arch/x86/mm/pat.c
@@ -26,6 +26,7 @@
 #include <asm/msr.h>
 #include <asm/pat.h>
 #include <asm/io.h>
+#include <asm/page.h>
 
 #ifdef CONFIG_X86_PAT
 int __read_mostly pat_enabled = 1;
@@ -474,13 +475,6 @@ pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn,
 	return vma_prot;
 }
 
-#ifdef CONFIG_STRICT_DEVMEM
-/* This check is done in drivers/char/mem.c in case of STRICT_DEVMEM*/
-static inline int range_is_allowed(unsigned long pfn, unsigned long size)
-{
-	return 1;
-}
-#else
 /* This check is needed to avoid cache aliasing when PAT is enabled */
 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 {
@@ -503,7 +497,6 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 	}
 	return 1;
 }
-#endif /* CONFIG_STRICT_DEVMEM */
 
 int phys_mem_access_prot_allowed(struct file *file, unsigned long pfn,
 				unsigned long size, pgprot_t *vma_prot)
diff --git a/drivers/char/mem.c b/drivers/char/mem.c
index 6431f69..562438e 100644
--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -27,6 +27,7 @@
 #include <linux/splice.h>
 #include <linux/pfn.h>
 #include <linux/smp_lock.h>
+#include <linux/sysctl.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -35,6 +36,48 @@
 # include <linux/efi.h>
 #endif
 
+
+#ifdef CONFIG_STRICT_DEVMEM
+
+int devmem_restricted = 1;
+
+#ifdef CONFIG_SYSCTL
+struct ctl_table dev_mem_restricted_sysctl_table[] = {
+	{
+		.ctl_name = DEV_MEM_RESTRICTED,
+		.procname = "restricted",
+		.data = &devmem_restricted,
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = &proc_dointvec,
+	},
+	{ .ctl_name = 0 }
+};
+
+struct ctl_table dev_mem_sysctl_table[] = {
+	{
+	       .ctl_name = DEV_MEM,
+	       .procname = "mem",
+	       .mode = 0555,
+	       .child = dev_mem_restricted_sysctl_table
+	},
+	{ .ctl_name = 0 }
+};
+
+struct ctl_table dev_sysctl_table[] = {
+	{
+		.ctl_name = CTL_DEV,
+		.procname = "dev",
+		.mode = 0555,
+		.child = dev_mem_sysctl_table
+	},
+	{ .ctl_name = 0 }
+};
+#endif
+
+#endif /* CONFIG_STRICT_DEVMEM */
+
+
 /*
  * Architectures vary in how they handle caching for addresses
  * outside of main memory.
@@ -80,13 +123,15 @@ static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
 }
 #endif
 
-#ifdef CONFIG_STRICT_DEVMEM
 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 {
 	u64 from = ((u64)pfn) << PAGE_SHIFT;
 	u64 to = from + size;
 	u64 cursor = from;
 
+	if (!devmem_restricted)
+		return 1;
+
 	while (cursor < to) {
 		if (!devmem_is_allowed(pfn)) {
 			printk(KERN_INFO
@@ -99,12 +144,6 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
 	}
 	return 1;
 }
-#else
-static inline int range_is_allowed(unsigned long pfn, unsigned long size)
-{
-	return 1;
-}
-#endif
 
 void __attribute__((weak)) unxlate_dev_mem_ptr(unsigned long phys, void *addr)
 {
@@ -996,6 +1035,10 @@ static int __init chr_dev_init(void)
 			      MKDEV(MEM_MAJOR, devlist[i].minor), NULL,
 			      devlist[i].name);
 
+#if defined(CONFIG_SYSCTL) && defined(CONFIG_STRICT_DEVMEM)
+	register_sysctl_table(dev_sysctl_table);
+#endif
+
 	return 0;
 }
 
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 39d471d..45ab794 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -858,6 +858,7 @@ enum {
 	DEV_MAC_HID=5,
 	DEV_SCSI=6,
 	DEV_IPMI=7,
+	DEV_MEM=8,
 };
 
 /* /proc/sys/dev/cdrom */
@@ -875,6 +876,11 @@ enum {
 	DEV_PARPORT_DEFAULT=-3
 };
 
+/* /proc/sys/dev/mem */
+enum {
+    DEV_MEM_RESTRICTED=1,
+};
+
 /* /proc/sys/dev/raid */
 enum {
 	DEV_RAID_SPEED_LIMIT_MIN=1,
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index c35da23..2cbdd52 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -870,6 +870,12 @@ static const struct trans_ctl_table trans_parport_table[] = {
 	{}
 };
 
+
+static const struct trans_ctl_table trans_mem_table[] = {
+	{ DEV_MEM_RESTRICTED,	"restricted" },
+	{}
+};
+
 static const struct trans_ctl_table trans_dev_table[] = {
 	{ DEV_CDROM,	"cdrom",	trans_cdrom_table },
 	/* DEV_HWMON unused */
@@ -878,6 +884,7 @@ static const struct trans_ctl_table trans_dev_table[] = {
 	{ DEV_MAC_HID,	"mac_hid",	trans_mac_hid_files },
 	{ DEV_SCSI,	"scsi",		trans_scsi_table },
 	{ DEV_IPMI,	"ipmi",		trans_ipmi_table },
+	{ DEV_MEM,      "mem",          trans_mem_table },
 	{}
 };
 
-- 
1.6.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ