lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20190228145450.289603901@infradead.org>
Date:   Thu, 28 Feb 2019 15:54:50 +0100
From:   Peter Zijlstra <peterz@...radead.org>
To:     torvalds@...ux-foundation.org, tglx@...utronix.de, hpa@...or.com,
        julien.thierry@....com, will.deacon@....com, luto@...capital.net,
        mingo@...nel.org, catalin.marinas@....com, james.morse@....com,
        valentin.schneider@....com, brgerst@...il.com, jpoimboe@...hat.com,
        luto@...nel.org, bp@...en8.de, dvlasenk@...hat.com
Cc:     linux-kernel@...r.kernel.org, peterz@...radead.org
Subject: [PATCH 0/8] objtool: UACCESS validation v2

Teach objtool to validate the UACCESS (SMAP, PAN) rules with are currently
unenforced and (therefore obviously) violated.

UACCESS sections should be small; we want to limit the amount of code that can
touch userspace. Furthermore, UACCESS state isn't scheduled, this means that
anything that directly calls into the scheduler will result in random code
running with UACCESS enabled and possibly getting back into the UACCESS region
with UACCESS disabled and causing faults.

Forbid any CALL/RET while UACCESS is enabled; but provide an annotation to mark
(a very limited) set of functions as UACCESS-safe (eg. the planned:
unsafe_copy_{to,from}_user()).

This set now compiles x86_64-allmodconfig _almost_ clean:

  arch/x86/lib/usercopy_64.o: warning: objtool: .altinstr_replacement+0x30: redundant UACCESS disable
  drivers/xen/privcmd.o: warning: objtool: privcmd_ioctl()+0x1c0: call to {dynamic}() with UACCESS enabled
  drivers/xen/privcmd.o: warning: objtool: privcmd_ioctl()+0x8f8: call to hypercall_page() with UACCESS enabled

Also; I found the UACCESS_SAFE() annotation as presented in these patches to be
inadequate; so I might go back to the STH_STRTAB variant for this.
Alternatively, we can simply keep the hard-coded list we have now. There really
should not be many more function on there.

*compile tested only*, esp. the KASAN changes have not been verified to
actually *work*.

---
 arch/x86/ia32/ia32_signal.c                |  29 +++--
 arch/x86/include/asm/bug.h                 |  28 ++--
 arch/x86/include/asm/kasan.h               |  15 +++
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   3 +-
 include/asm-generic/bug.h                  |   1 +
 include/linux/frame.h                      |  23 ++++
 include/linux/kasan.h                      |  12 +-
 lib/bug.c                                  |   9 +-
 mm/kasan/generic.c                         |   4 +-
 mm/kasan/kasan.h                           |   2 +-
 mm/kasan/report.c                          |   2 +-
 tools/objtool/arch.h                       |   6 +-
 tools/objtool/arch/x86/decode.c            |  22 +++-
 tools/objtool/check.c                      | 197 +++++++++++++++++++++++------
 tools/objtool/check.h                      |   3 +-
 tools/objtool/elf.c                        |  15 ++-
 tools/objtool/elf.h                        |   3 +-
 17 files changed, 290 insertions(+), 84 deletions(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ