| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Jul 2018 13:21:51 -0700
From: tip-bot for Mathieu Desnoyers <tipbot@...or.com>
To: linux-tip-commits@...r.kernel.org
Cc: will.deacon@....com, davejwatson@...com, pjt@...gle.com,
tglx@...utronix.de, mathieu.desnoyers@...icios.com,
torvalds@...ux-foundation.org, cl@...ux.com, hpa@...or.com,
mtk.manpages@...il.com, josh@...htriplett.org,
catalin.marinas@....com, andi@...stfloor.org,
linux@....linux.org.uk, rostedt@...dmis.org, peterz@...radead.org,
akpm@...ux-foundation.org, paulmck@...ux.vnet.ibm.com,
bmaurer@...com, luto@...capital.net, linux-kernel@...r.kernel.org,
boqun.feng@...il.com, joelaf@...gle.com, mingo@...nel.org
Subject: [tip:core/urgent] rseq: Use __u64 for rseq_cs fields, validate user
inputs
Commit-ID: e96d71359e9bbea846a2111e4469a03a055dfa6f
Gitweb: https://git.kernel.org/tip/e96d71359e9bbea846a2111e4469a03a055dfa6f
Author: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
AuthorDate: Mon, 9 Jul 2018 15:51:50 -0400
Committer: Thomas Gleixner <tglx@...utronix.de>
CommitDate: Tue, 10 Jul 2018 22:18:51 +0200
rseq: Use __u64 for rseq_cs fields, validate user inputs
Change the rseq ABI so rseq_cs start_ip, post_commit_offset and abort_ip
fields are seen as 64-bit fields by both 32-bit and 64-bit kernels rather
that ignoring the 32 upper bits on 32-bit kernels. This ensures we have a
consistent behavior for a 32-bit binary executed on 32-bit kernels and in
compat mode on 64-bit kernels.
Validating the value of abort_ip field to be below TASK_SIZE ensures the
kernel don't return to an invalid address when returning to userspace
after an abort. I don't fully trust each architecture code to consistently
deal with invalid return addresses.
Validating the value of the start_ip and post_commit_offset fields
prevents overflow on arithmetic performed on those values, used to
check whether abort_ip is within the rseq critical section.
If validation fails, the process is killed with a segmentation fault.
When the signature encountered before abort_ip does not match the expected
signature, return -EINVAL rather than -EPERM to be consistent with other
input validation return codes from rseq_get_rseq_cs().
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
Cc: linux-api@...r.kernel.org
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: "Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>
Cc: Boqun Feng <boqun.feng@...il.com>
Cc: Andy Lutomirski <luto@...capital.net>
Cc: Dave Watson <davejwatson@...com>
Cc: Paul Turner <pjt@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Russell King <linux@....linux.org.uk>
Cc: "H . Peter Anvin" <hpa@...or.com>
Cc: Andi Kleen <andi@...stfloor.org>
Cc: Chris Lameter <cl@...ux.com>
Cc: Ben Maurer <bmaurer@...com>
Cc: Steven Rostedt <rostedt@...dmis.org>
Cc: Josh Triplett <josh@...htriplett.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Catalin Marinas <catalin.marinas@....com>
Cc: Will Deacon <will.deacon@....com>
Cc: Michael Kerrisk <mtk.manpages@...il.com>
Cc: Joel Fernandes <joelaf@...gle.com>
Cc: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Cc: "H. Peter Anvin" <hpa@...or.com>
Link: https://lkml.kernel.org/r/20180709195155.7654-2-mathieu.desnoyers@efficios.com
---
include/uapi/linux/rseq.h | 6 +++---
kernel/rseq.c | 14 ++++++++++----
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/include/uapi/linux/rseq.h b/include/uapi/linux/rseq.h
index d620fa43756c..519ad6e176d1 100644
--- a/include/uapi/linux/rseq.h
+++ b/include/uapi/linux/rseq.h
@@ -52,10 +52,10 @@ struct rseq_cs {
__u32 version;
/* enum rseq_cs_flags */
__u32 flags;
- LINUX_FIELD_u32_u64(start_ip);
+ __u64 start_ip;
/* Offset from start_ip. */
- LINUX_FIELD_u32_u64(post_commit_offset);
- LINUX_FIELD_u32_u64(abort_ip);
+ __u64 post_commit_offset;
+ __u64 abort_ip;
} __attribute__((aligned(4 * sizeof(__u64))));
/*
diff --git a/kernel/rseq.c b/kernel/rseq.c
index 22b6acf1ad63..16b38c5342f9 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -130,14 +130,20 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
urseq_cs = (struct rseq_cs __user *)ptr;
if (copy_from_user(rseq_cs, urseq_cs, sizeof(*rseq_cs)))
return -EFAULT;
- if (rseq_cs->version > 0)
- return -EINVAL;
+ if (rseq_cs->start_ip >= TASK_SIZE ||
+ rseq_cs->start_ip + rseq_cs->post_commit_offset >= TASK_SIZE ||
+ rseq_cs->abort_ip >= TASK_SIZE ||
+ rseq_cs->version > 0)
+ return -EINVAL;
+ /* Check for overflow. */
+ if (rseq_cs->start_ip + rseq_cs->post_commit_offset < rseq_cs->start_ip)
+ return -EINVAL;
/* Ensure that abort_ip is not in the critical section. */
if (rseq_cs->abort_ip - rseq_cs->start_ip < rseq_cs->post_commit_offset)
return -EINVAL;
- usig = (u32 __user *)(rseq_cs->abort_ip - sizeof(u32));
+ usig = (u32 __user *)(unsigned long)(rseq_cs->abort_ip - sizeof(u32));
ret = get_user(sig, usig);
if (ret)
return ret;
@@ -146,7 +152,7 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
printk_ratelimited(KERN_WARNING
"Possible attack attempt. Unexpected rseq signature 0x%x, expecting 0x%x (pid=%d, addr=%p).\n",
sig, current->rseq_sig, current->pid, usig);
- return -EPERM;
+ return -EINVAL;
}
return 0;
}
Powered by blists - more mailing lists