lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110718193337.GB4489@albatros>
Date:	Mon, 18 Jul 2011 23:33:38 +0400
From:	Vasiliy Kulikov <segoon@...nwall.com>
To:	kernel-hardening@...ts.openwall.com
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
	Arnd Bergmann <arnd@...db.de>,
	Christoph Lameter <cl@...ux-foundation.org>,
	Pekka Enberg <penberg@...nel.org>,
	Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org,
	linux-arch@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [kernel-hardening] Re: [RFC v2] implement SL*B and stack
 usercopy runtime checks

On Mon, Jul 18, 2011 at 11:52 -0700, Andrew Morton wrote:
> On Mon, 18 Jul 2011 22:39:51 +0400
> Vasiliy Kulikov <segoon@...nwall.com> wrote:
> 
> >   */
> >  #define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
> >  
> > +#if defined(CONFIG_FRAME_POINTER)
> 
> #ifdef is conventional in this case

OK.

> > +/*
> > + * MUST be always_inline to correctly count stack frame numbers.
> > + *
> > + * low ----------------------------------------------> high
> > + * [saved bp][saved ip][args][local vars][saved bp][saved ip]
> > + *		       ^----------------^
> > + *		  allow copies only within here
> > +*/
> > +#undef arch_check_object_on_stack_frame
> > +inline static __attribute__((always_inline))
> 
> static inline __always_inline

OK.

> > +bool arch_check_object_on_stack_frame(const void *stack,
> > +	     const void *stackend, const void *obj, unsigned long len)
> > +{
> > +	const void *frame = NULL;
> > +	const void *oldframe;
> > +
> > +	/*
> > +	 * Get the kernel_access_ok() caller frame.
> > +	 * __builtin_frame_address(0) returns kernel_access_ok() frame
> > +	 * as arch_ and stack_ are inline and kernel_ is noinline.
> > +	 */
> > +	oldframe = __builtin_frame_address(0);
> > +	if (oldframe)
> > +		frame = __builtin_frame_address(1);
> > +
> > +	while (stack <= frame && frame < stackend) {
> > +		/*
> > +		 * If obj + len extends past the last frame, this
> > +		 * check won't pass and the next frame will be 0,
> > +		 * causing us to bail out and correctly report
> > +		 * the copy as invalid.
> > +		 */
> > +		if (obj + len <= frame) {
> > +			/* EBP + EIP */
> > +			int protected_regs_size = 2*sizeof(void *);
> 
> size_t?

Yes, it looks better here.

> > +static inline unsigned long __must_check copy_from_user_uncheched(void *to,
> 
> typo

Oops, sure.

> > diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
> > index 1c66d30..10c5a0a 100644
> > --- a/arch/x86/include/asm/uaccess_64.h
> > +++ b/arch/x86/include/asm/uaccess_64.h
> > @@ -50,8 +50,10 @@ static inline unsigned long __must_check copy_from_user(void *to,
> >  	int sz = __compiletime_object_size(to);
> 
> size_t? (ssize_t?)

It doesn't touch my patch, however, ssize_t seems reasonable here.

> >  	might_fault();
> > -	if (likely(sz == -1 || sz >= n))
> > -		n = _copy_from_user(to, from, n);
> > +	if (likely(sz == -1 || sz >= n)) {
> > +		if (kernel_access_ok(to, n))
> > +			n = _copy_from_user(to, from, n);
> > +	}
> >  #ifdef CONFIG_DEBUG_VM
> >  	else
> >  		WARN(1, "Buffer overflow detected!\n");
> >
> > ...
> >
> > --- a/mm/maccess.c
> > +++ b/mm/maccess.c
> > @@ -3,8 +3,11 @@
> >   */
> >  #include <linux/module.h>
> >  #include <linux/mm.h>
> > +#include <linux/sched.h>
> >  #include <linux/uaccess.h>
> >  
> > +extern bool slab_access_ok(const void *ptr, unsigned long len);
> 
> no externs in .c - use a header

I thought it would make less noise.  OK, will do.

> > +noinline bool __kernel_access_ok(const void *ptr, unsigned long len)
> 
> noinline seems unneeded

It is needed here because arch_check_object_on_stack_frame() needs the
precise number of frames it should skip.


Thank you!

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ