| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <f766e3c623fd9cf76568741e28e28d0de7d912ce.1464129798.git.luto@kernel.org>
Date: Tue, 24 May 2016 15:48:44 -0700
From: Andy Lutomirski <luto@...nel.org>
To: x86@...nel.org
Cc: linux-kernel@...r.kernel.org, Borislav Petkov <bp@...en8.de>,
Kees Cook <keescook@...omium.org>,
Brian Gerst <brgerst@...il.com>,
Andy Lutomirski <luto@...nel.org>
Subject: [PATCH 7/7] x86/uaccess: OOPS or warn on a fault with KERNEL_DS and !pagefault_disabled()
If someone calls set_fs(KERNEL_DS), then they are responsible for
making sure that whatever addresses are accessed are safe. If they
get it wrong on a kernel address, OOPS. If they get it wrong on a user
address, warn.
This will make it harder to exploit bugs in which user code controls
a pointer accessed with KERNEL_DS: an attacker will OOPS if they
access an unmapped page, and they'll therefore need luck or a kASLR
bypass in addition.
To keep probe_kernel_read(), probe_kernel_write(), and
probe_kernel_address() working, skip this check if
pagefault_disabled().
Signed-off-by: Andy Lutomirski <luto@...nel.org>
---
arch/x86/mm/extable.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index 818cc7ffef79..4bf3ab2b8be1 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -60,6 +60,37 @@ static bool uaccess_fault_okay(int trapnr, unsigned long error_code,
return false;
}
+ /*
+ * If fs == KERNEL_DS, then all uaccess should be directed to
+ * known-good kernel addresses.
+ *
+ * We still need to support probe_kernel_read and
+ * probe_kernel_address, which disable page faults. This could be
+ * tightened up a bit if we explicitly annotated probe_kernel_read(),
+ * probe_kernel_write() and probe_kernel_address(), perhaps by
+ * introducing PROBE_KERNEL_DS.
+ */
+ if (unlikely(!is_user_ds && !pagefault_disabled())) {
+ if (extra < TASK_SIZE_MAX) {
+ /*
+ * Accessing user address under KERNEL_DS. This is a
+ * bug and should be fixed, but OOPSing is not helpful
+ * for exploit mitigation.
+ */
+ WARN_ONCE(1, "BUG: uaccess fault at 0x%lx with KERNEL_DS\n",
+ extra);
+ } else {
+ /*
+ * If a bug that allows user-controlled KERNEL_DS
+ * access exists, this will prevent it from being used
+ * to trivially bypass kASLR.
+ */
+ pr_crit("BUG: uaccess fault at 0x%lx with KERNEL_DS\n",
+ extra);
+ return false;
+ }
+ }
+
return true;
}
--
2.5.5
Powered by blists - more mailing lists