| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 May 2020 12:52:17 +0200
From: "Rafael J. Wysocki" <rafael@...nel.org>
To: Domenico Andreoli <domenico.andreoli@...ux.com>,
"Darrick J. Wong" <darrick.wong@...cle.com>
Cc: Pavel Machek <pavel@....cz>, Christoph Hellwig <hch@....de>,
Al Viro <viro@...iv.linux.org.uk>, "Ted Ts'o" <tytso@....edu>,
Len Brown <len.brown@...el.com>,
Linux PM <linux-pm@...r.kernel.org>,
Linux Memory Management List <linux-mm@...ck.org>,
linux-xfs@...r.kernel.org, linux-fsdevel@...r.kernel.org,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2] PM: hibernate: restrict writes to the resume device
On Tue, May 19, 2020 at 8:14 PM Domenico Andreoli
<domenico.andreoli@...ux.com> wrote:
>
> From: Domenico Andreoli <domenico.andreoli@...ux.com>
>
> Hibernation via snapshot device requires write permission to the swap
> block device, the one that more often (but not necessarily) is used to
> store the hibernation image.
>
> With this patch, such permissions are granted iff:
>
> 1) snapshot device config option is enabled
> 2) swap partition is used as resume device
>
> In other circumstances the swap device is not writable from userspace.
>
> In order to achieve this, every write attempt to a swap device is
> checked against the device configured as part of the uswsusp API [0]
> using a pointer to the inode struct in memory. If the swap device being
> written was not configured for resuming, the write request is denied.
>
> NOTE: this implementation works only for swap block devices, where the
> inode configured by swapon (which sets S_SWAPFILE) is the same used
> by SNAPSHOT_SET_SWAP_AREA.
>
> In case of swap file, SNAPSHOT_SET_SWAP_AREA indeed receives the inode
> of the block device containing the filesystem where the swap file is
> located (+ offset in it) which is never passed to swapon and then has
> not set S_SWAPFILE.
>
> As result, the swap file itself (as a file) has never an option to be
> written from userspace. Instead it remains writable if accessed directly
> from the containing block device, which is always writeable from root.
>
> [0] Documentation/power/userland-swsusp.rst
>
> v2:
> - rename is_hibernate_snapshot_dev() to is_hibernate_resume_dev()
> - fix description so to correctly refer to the resume device
>
> Signed-off-by: Domenico Andreoli <domenico.andreoli@...ux.com>
> Cc: "Rafael J. Wysocki" <rjw@...ysocki.net>
> Cc: Pavel Machek <pavel@....cz>
> Cc: Darrick J. Wong <darrick.wong@...cle.com>
> Cc: Christoph Hellwig <hch@....de>
> Cc: viro@...iv.linux.org.uk
> Cc: tytso@....edu
> Cc: len.brown@...el.com
> Cc: linux-pm@...r.kernel.org
> Cc: linux-mm@...ck.org
> Cc: linux-xfs@...r.kernel.org
> Cc: linux-fsdevel@...r.kernel.org
> Cc: linux-kernel@...r.kernel.org
>
> ---
> fs/block_dev.c | 3 +--
> include/linux/suspend.h | 6 ++++++
> kernel/power/user.c | 14 +++++++++++++-
> 3 files changed, 20 insertions(+), 3 deletions(-)
>
> Index: b/include/linux/suspend.h
> ===================================================================
> --- a/include/linux/suspend.h
> +++ b/include/linux/suspend.h
> @@ -466,6 +466,12 @@ static inline bool system_entering_hiber
> static inline bool hibernation_available(void) { return false; }
> #endif /* CONFIG_HIBERNATION */
>
> +#ifdef CONFIG_HIBERNATION_SNAPSHOT_DEV
> +int is_hibernate_resume_dev(const struct inode *);
> +#else
> +static inline int is_hibernate_resume_dev(const struct inode *i) { return 0; }
> +#endif
> +
> /* Hibernation and suspend events */
> #define PM_HIBERNATION_PREPARE 0x0001 /* Going to hibernate */
> #define PM_POST_HIBERNATION 0x0002 /* Hibernation finished */
> Index: b/kernel/power/user.c
> ===================================================================
> --- a/kernel/power/user.c
> +++ b/kernel/power/user.c
> @@ -35,8 +35,14 @@ static struct snapshot_data {
> bool ready;
> bool platform_support;
> bool free_bitmaps;
> + struct inode *bd_inode;
> } snapshot_state;
>
> +int is_hibernate_resume_dev(const struct inode *bd_inode)
> +{
> + return hibernation_available() && snapshot_state.bd_inode == bd_inode;
> +}
> +
> static int snapshot_open(struct inode *inode, struct file *filp)
> {
> struct snapshot_data *data;
> @@ -95,6 +101,7 @@ static int snapshot_open(struct inode *i
> data->frozen = false;
> data->ready = false;
> data->platform_support = false;
> + data->bd_inode = NULL;
>
> Unlock:
> unlock_system_sleep();
> @@ -110,6 +117,7 @@ static int snapshot_release(struct inode
>
> swsusp_free();
> data = filp->private_data;
> + data->bd_inode = NULL;
> free_all_swap_pages(data->swap);
> if (data->frozen) {
> pm_restore_gfp_mask();
> @@ -202,6 +210,7 @@ struct compat_resume_swap_area {
> static int snapshot_set_swap_area(struct snapshot_data *data,
> void __user *argp)
> {
> + struct block_device *bdev;
> sector_t offset;
> dev_t swdev;
>
> @@ -232,9 +241,12 @@ static int snapshot_set_swap_area(struct
> data->swap = -1;
> return -EINVAL;
> }
> - data->swap = swap_type_of(swdev, offset, NULL);
> + data->swap = swap_type_of(swdev, offset, &bdev);
> if (data->swap < 0)
> return -ENODEV;
> +
> + data->bd_inode = bdev->bd_inode;
> + bdput(bdev);
> return 0;
> }
>
> Index: b/fs/block_dev.c
> ===================================================================
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -2023,8 +2023,7 @@ ssize_t blkdev_write_iter(struct kiocb *
> if (bdev_read_only(I_BDEV(bd_inode)))
> return -EPERM;
>
> - /* uswsusp needs write permission to the swap */
> - if (IS_SWAPFILE(bd_inode) && !hibernation_available())
> + if (IS_SWAPFILE(bd_inode) && !is_hibernate_resume_dev(bd_inode))
> return -ETXTBSY;
>
> if (!iov_iter_count(from))
>
> --
The patch looks OK to me.
Darrick, what do you think?
Powered by blists - more mailing lists