Date: Thu, 19 Nov 2020 19:10:20 -0800
From: Lokesh Gidra <lokeshgidra@...gle.com>
To: Kees Cook <keescook@...omium.org>, Jonathan Corbet <corbet@....net>, Peter Xu <peterx@...hat.com>, Andrea Arcangeli <aarcange@...hat.com>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, Andrew Morton <akpm@...ux-foundation.org>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Stephen Smalley <stephen.smalley.work@...il.com>, Eric Biggers <ebiggers@...nel.org>, Daniel Colascione <dancol@...col.org>, "Joel Fernandes (Google)" <joel@...lfernandes.org>, Linux FS Devel <linux-fsdevel@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org>, linux-doc@...r.kernel.org, Kalesh Singh <kaleshsingh@...gle.com>, Calin Juravle <calin@...gle.com>, Suren Baghdasaryan <surenb@...gle.com>, Jeffrey Vander Stoep <jeffv@...gle.com>, "Cc: Android Kernel" <kernel-team@...roid.com>, Mike Rapoport <rppt@...ux.vnet.ibm.com>, Shaohua Li <shli@...com>, Jerome Glisse <jglisse@...hat.com>, Mauro Carvalho Chehab <mchehab+huawei@...nel.org>, Johannes Weiner <hannes@...xchg.org>, Mel Gorman <mgorman@...hsingularity.net>, Nitin Gupta <nigupta@...dia.com>, Vlastimil Babka <vbabka@...e.cz>, Iurii Zaikin <yzaikin@...gle.com>, Luis Chamberlain <mcgrof@...nel.org>, "open list:MEMORY MANAGEMENT" <linux-mm@...ck.org>
Subject: Re: [PATCH v6 2/2] Add user-mode only option to unprivileged_userfaultfd sysctl knob

On Thu, Nov 19, 2020 at 7:04 PM Lokesh Gidra <lokeshgidra@...gle.com> wrote:
>
> With this change, when the knob is set to 0, it allows unprivileged
> users to call userfaultfd, like when it is set to 1, but with the
> restriction that page faults from only user-mode can be handled.
> In this mode, an unprivileged user (without SYS_CAP_PTRACE capability)
> must pass UFFD_USER_MODE_ONLY to userfaultfd or the API will fail with
> EPERM.
>
> This enables administrators to reduce the likelihood that an attacker
> with access to userfaultfd can delay faulting kernel code to widen
> timing windows for other exploits.
>
> The default value of this knob is changed to 0. This is required for
> correct functioning of pipe mutex. However, this will fail postcopy
> live migration, which will be unnoticeable to the VM guests. To avoid
> this, set 'vm.userfault = 1' in /sys/sysctl.conf.
>
> The main reason this change is desirable in the short term is that
> the Android userland will behave as with the sysctl set to zero. So
> without this commit, any Linux binary using userfaultfd to manage its
> memory would behave differently if run within the Android userland.
> For more details, refer to Andrea's reply [1].
>
> [1] https://lore.kernel.org/lkml/20200904033438.GI9411@redhat.com/
>
> Signed-off-by: Lokesh Gidra <lokeshgidra@...gle.com>
> Reviewed-by: Andrea Arcangeli <aarcange@...hat.com>
> ---
>  Documentation/admin-guide/sysctl/vm.rst | 15 ++++++++++-----
>  fs/userfaultfd.c                        | 10 ++++++++--
>  2 files changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/admin-guide/sysctl/vm.rst b/Documentation/admin-guide/sysctl/vm.rst
> index f455fa00c00f..d06a98b2a4e7 100644
> --- a/Documentation/admin-guide/sysctl/vm.rst
> +++ b/Documentation/admin-guide/sysctl/vm.rst
> @@ -873,12 +873,17 @@ file-backed pages is less than the high watermark in a zone. > unprivileged_userfaultfd > ======================== > > -This flag controls whether unprivileged users can use the userfaultfd > -system calls. Set this to 1 to allow unprivileged users to use the > -userfaultfd system calls, or set this to 0 to restrict userfaultfd to only > -privileged users (with SYS_CAP_PTRACE capability). > +This flag controls the mode in which unprivileged users can use the > +userfaultfd system calls. Set this to 0 to restrict unprivileged users > +to handle page faults in user mode only. In this case, users without > +SYS_CAP_PTRACE must pass UFFD_USER_MODE_ONLY in order for userfaultfd to > +succeed. Prohibiting use of userfaultfd for handling faults from kernel > +mode may make certain vulnerabilities more difficult to exploit. > > -The default value is 1. > +Set this to 1 to allow unprivileged users to use the userfaultfd system > +calls without any restrictions. > + > +The default value is 0. > > > user_reserve_kbytes > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 605599fde015..894cc28142e7 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -28,7 +28,7 @@ > #include <linux/security.h> > #include <linux/hugetlb.h> > > -int sysctl_unprivileged_userfaultfd __read_mostly = 1; > +int sysctl_unprivileged_userfaultfd __read_mostly; > > static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly; 
> > @@ -1966,8 +1966,14 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) > struct userfaultfd_ctx *ctx; > int fd; > > - if (!sysctl_unprivileged_userfaultfd && !capable(CAP_SYS_PTRACE)) > + if (!sysctl_unprivileged_userfaultfd && > + (flags & UFFD_USER_MODE_ONLY) == 0 && > + !capable(CAP_SYS_PTRACE)) { > + printk_once(KERN_WARNING "uffd: Set unprivileged_userfaultfd " > + "sysctl knob to 1 if kernel faults must be handled " > + "without obtaining CAP_SYS_PTRACE capability\n"); > return -EPERM; > + } > > BUG_ON(!current->mm); > > -- > 2.29.0.rc1.297.gfa9743e501-goog > Adding linux-mm@...ck.org list
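Review bot: in the vm.rst hunk the capability is spelled SYS_CAP_PTRACE, while the fs/userfaultfd.c hunk tests capable(CAP_SYS_PTRACE) and the new warning text also says CAP_SYS_PTRACE; the documentation should use the real name so an administrator can grep for it. The same hunk also changes what the value 0 means: the removed lines say 0 restricts userfaultfd to privileged users, the added lines say 0 only limits unprivileged users to user-mode faults. A system that already carries unprivileged_userfaultfd = 0 in its sysctl configuration as a hardening setting therefore becomes more permissive after this change without any configuration edit; the doc should say so explicitly, or the series should keep 0 as "fully restricted" and introduce a new value for the user-mode-only policy.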
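Review bot: the first fs/userfaultfd.c hunk flips the default by dropping the `= 1` initialiser so the variable is zero-initialised; that is the usual kernel style, but since the meaning of 0 changes in the same series, a one-line comment above `int sysctl_unprivileged_userfaultfd __read_mostly;` naming the behaviours (0: unprivileged callers limited to user-mode faults, 1: unrestricted, CAP_SYS_PTRACE: never restricted) would keep the default and its semantics readable in one place. Related to this default flip, the commit message tells administrators to set 'vm.userfault = 1' in /sys/sysctl.conf to keep postcopy live migration working, but the knob in this hunk and in the vm.rst hunk is named unprivileged_userfaultfd, so the key is `vm.unprivileged_userfaultfd = 1`, and the conventional persistent location is /etc/sysctl.conf or a sysctl.d drop-in; the doc hunk is the natural place to state that.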
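Review bot: in the SYSCALL_DEFINE1(userfaultfd) hunk the new condition covers the three cases correctly (knob set to 1, UFFD_USER_MODE_ONLY passed, caller holds CAP_SYS_PTRACE), but this hunk only admits the caller; nothing visible here adds the bit to the flags validation or refuses kernel-mode faults once the flag has been accepted, so that must come from patch 1/2 and the series order has to keep 1/2 ahead of this patch, otherwise there is a bisect point where an unprivileged caller passes the bit, is admitted by this check, and still has kernel-mode faults delivered to it. On style, `printk_once(KERN_WARNING ...)` with the message split over three string literals can be `pr_warn_once("uffd: ...")`; _once is the right choice here since an unprivileged caller triggers the path, and adding current->comm to the message would tell the administrator which program needs the knob raised.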
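As an added example (not part of the patch or of the kernel tree), the following C program lets an administrator check, from an unprivileged account, which of the policies described in the commit message the running kernel applies: it reads the knob from procfs, attempts to create a userfaultfd with and without UFFD_USER_MODE_ONLY, and labels the result. The function names, the label strings and the policy mapping are this example's own; `uffd_gate()` is a pure model of the check the message describes, kept separate from the live probe so it can be exercised without root or a suitable kernel. The value 1 for UFFD_USER_MODE_ONLY is the one in the kernel UAPI header and is defined locally only so the probe builds against older headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Flag value from include/uapi/linux/userfaultfd.h on kernels that carry this
 * series; defined here only so the probe also builds against older headers. */
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1
#endif

/* Pure model of the gate the commit message describes (example code, not the
 * kernel's):
 *   knob == 1              -> unprivileged callers are unrestricted
 *   knob == 0, flag passed -> allowed, may only handle user-mode faults
 *   knob == 0, no flag     -> -EPERM unless the caller has CAP_SYS_PTRACE */
int uffd_gate(int knob, unsigned int flags, int has_cap_sys_ptrace)
{
    if (!knob && !(flags & UFFD_USER_MODE_ONLY) && !has_cap_sys_ptrace)
        return -EPERM;
    return 0;
}

/* Read vm.unprivileged_userfaultfd from procfs; -1 if the knob is absent. */
int read_uffd_knob(void)
{
    FILE *f = fopen("/proc/sys/vm/unprivileged_userfaultfd", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Live probe: create a userfaultfd with the given extra flags and close it
 * again. Returns 0 on success or -errno on failure. */
int probe_userfaultfd(unsigned int flags)
{
#ifdef SYS_userfaultfd
    long fd = syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | flags);
    if (fd < 0)
        return -errno;
    close((int)fd);
    return 0;
#else
    (void)flags;            /* no userfaultfd syscall on this platform */
    return -ENOSYS;
#endif
}

/* Map the two probe results (without / with the flag) onto the policy in
 * force for this caller. The labels are this example's own wording. */
const char *uffd_policy(int no_flag, int user_only)
{
    if (no_flag == -ENOSYS)
        return "userfaultfd unavailable";
    if (no_flag == 0 && user_only == -EINVAL)
        return "unrestricted: kernel predates UFFD_USER_MODE_ONLY";
    if (no_flag == 0)
        return "unrestricted: this caller may also stall kernel-mode faults";
    if (no_flag == -EPERM && user_only == 0)
        return "user-mode-only: unprivileged handlers cannot stall kernel faults";
    if (no_flag == -EPERM && user_only == -EPERM)
        return "disabled for unprivileged callers (knob 0 without user-mode-only support)";
    return "unexpected combination, inspect errno values";
}

int main(void)
{
    /* Run as an unprivileged user: with CAP_SYS_PTRACE the gate never applies. */
    int knob = read_uffd_knob();
    int no_flag = probe_userfaultfd(0);
    int user_only = probe_userfaultfd(UFFD_USER_MODE_ONLY);

    printf("vm.unprivileged_userfaultfd = %d\n", knob);
    printf("userfaultfd(0):                   %s\n",
           no_flag ? strerror(-no_flag) : "ok");
    printf("userfaultfd(UFFD_USER_MODE_ONLY): %s\n",
           user_only ? strerror(-user_only) : "ok");
    printf("policy for this caller: %s\n", uffd_policy(no_flag, user_only));
    return 0;
}
```

Run it once as the unprivileged service account in question; a result of "user-mode-only" confirms that the knob's new default is in effect and that the account cannot stall kernel-mode faults, while "unrestricted" under knob 0 means the process already holds CAP_SYS_PTRACE and the gate does not apply to it.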