[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200826013959.1981270-1-lokeshgidra@google.com>
Date: Tue, 25 Aug 2020 18:39:57 -0700
From: Lokesh Gidra <lokeshgidra@...gle.com>
To: Kees Cook <keescook@...omium.org>,
Jonathan Corbet <corbet@....net>, Peter Xu <peterx@...hat.com>,
Andrea Arcangeli <aarcange@...hat.com>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Biggers <ebiggers@...nel.org>,
Lokesh Gidra <lokeshgidra@...gle.com>,
Daniel Colascione <dancol@...col.org>,
"Joel Fernandes (Google)" <joel@...lfernandes.org>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-doc@...r.kernel.org, kaleshsingh@...gle.com,
calin@...gle.com, surenb@...gle.com, nnk@...gle.com,
jeffv@...gle.com, kernel-team@...roid.com,
Mike Rapoport <rppt@...ux.vnet.ibm.com>,
Shaohua Li <shli@...com>, Jerome Glisse <jglisse@...hat.com>,
Mauro Carvalho Chehab <mchehab+huawei@...nel.org>,
Johannes Weiner <hannes@...xchg.org>,
Mel Gorman <mgorman@...hsingularity.net>,
Nitin Gupta <nigupta@...dia.com>,
Vlastimil Babka <vbabka@...e.cz>,
Iurii Zaikin <yzaikin@...gle.com>,
Luis Chamberlain <mcgrof@...nel.org>
Subject: [PATCH v3 0/2] Control over userfaultfd kernel-fault handling
This patch series is split from [1]. The other series enables SELinux
support for userfaultfd file descriptors so that its creation and
movement can be controlled.
It has been demonstrated on various occasions that suspending kernel
code execution for an arbitrary amount of time at any access to
userspace memory (copy_from_user()/copy_to_user()/...) can be exploited
to change the intended behavior of the kernel. For instance, handling
page faults in kernel-mode using userfaultfd has been exploited in [2, 3].
Likewise, FUSE, which is similar to userfaultfd in this respect, has been
exploited in [4, 5] for similar outcome.
This small patch series adds a new flag to userfaultfd(2) that allows
callers to give up the ability to handle kernel-mode faults with the
resulting UFFD file object. It then adds a 'user-mode only' option to
the unprivileged_userfaultfd sysctl knob to require unprivileged
callers to use this new flag.
The purpose of this new interface is to decrease the chance of an
unprivileged userfaultfd user taking advantage of userfaultfd to
enhance security vulnerabilities by lengthening the race window in
kernel code.
[1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/
[2] https://duasynt.com/blog/linux-kernel-heap-spray
[3] https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit
[4] https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html
[5] https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Changes since v2:
- Removed 'uffd_flags' and directly used 'UFFD_USER_MODE_ONLY' in
userfaultfd().
Changes since v1:
- Added external references to the threats from allowing unprivileged
users to handle page faults from kernel-mode.
- Removed the new sysctl knob restricting handling of page
faults from kernel-mode, and added an option for the same
in the existing 'unprivileged_userfaultfd' knob.
Lokesh Gidra (2):
Add UFFD_USER_MODE_ONLY
Add user-mode only option to unprivileged_userfaultfd sysctl knob
Documentation/admin-guide/sysctl/vm.rst | 10 +++++++---
fs/userfaultfd.c | 16 +++++++++++++---
include/uapi/linux/userfaultfd.h | 9 +++++++++
kernel/sysctl.c | 2 +-
4 files changed, 30 insertions(+), 7 deletions(-)
--
2.28.0.297.g1956fa8f8d-goog
Powered by blists - more mailing lists