| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Nov 2022 18:56:52 +0100
From: Roberto Sassu <roberto.sassu@...weicloud.com>
To: ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
martin.lau@...ux.dev, song@...nel.org, yhs@...com,
john.fastabend@...il.com, kpsingh@...nel.org, sdf@...gle.com,
haoluo@...gle.com, jolsa@...nel.org, revest@...omium.org,
jackmanb@...omium.org, paul@...l-moore.com, jmorris@...ei.org,
serge@...lyn.com
Cc: bpf@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
Roberto Sassu <roberto.sassu@...wei.com>
Subject: [RFC][PATCH 4/4] security: Enforce limitations on return values from LSMs
From: Roberto Sassu <roberto.sassu@...wei.com>
LSMs should not be able to return arbitrary return values, as the callers
of the LSM infrastructure might not be ready to handle unexpected values
(e.g. positive values that are first converted to a pointer with ERR_PTR,
and then evaluated with IS_ERR()).
Modify call_int_hook() to call is_ret_value_allowed(), so that the return
value from each LSM for a given hook is checked. If for the interval the
return value falls into the corresponding flag is not set, change the
return value to the default value, just for the current LSM.
A misbehaving LSM would not have impact on the decision of other LSMs, as
the loop terminates whenever the return value is not zero.
Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com>
---
security/security.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/security/security.c b/security/security.c
index 4041d24e3283..cd417a8a0e65 100644
--- a/security/security.c
+++ b/security/security.c
@@ -716,6 +716,35 @@ static int lsm_superblock_alloc(struct super_block *sb)
#include <linux/lsm_hook_defs.h>
#undef LSM_HOOK
+/*
+ * The return value flags of the LSM hook are defined in linux/lsm_hook_defs.h
+ * and can be accessed with:
+ *
+ * LSM_RET_FLAGS(<hook_name>)
+ *
+ * The macros below define static constants for the return value flags of each
+ * LSM hook.
+ */
+#define LSM_RET_FLAGS(NAME) (NAME##_ret_flags)
+#define DECLARE_LSM_RET_FLAGS(RET_FLAGS, NAME) \
+ static const u32 __maybe_unused LSM_RET_FLAGS(NAME) = (RET_FLAGS);
+#define LSM_HOOK(RET, DEFAULT, RET_FLAGS, NAME, ...) \
+ DECLARE_LSM_RET_FLAGS(RET_FLAGS, NAME)
+
+#include <linux/lsm_hook_defs.h>
+#undef LSM_HOOK
+
+static bool is_ret_value_allowed(int ret, u32 ret_flags)
+{
+ if ((ret < 0 && !(ret_flags & LSM_RET_NEG)) ||
+ (ret == 0 && !(ret_flags & LSM_RET_ZERO)) ||
+ (ret == 1 && !(ret_flags & LSM_RET_ONE)) ||
+ (ret > 1 && !(ret_flags & LSM_RET_GT_ONE)))
+ return false;
+
+ return true;
+}
+
/*
* Hook list operation macros.
*
@@ -741,6 +770,11 @@ static int lsm_superblock_alloc(struct super_block *sb)
\
hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
RC = P->hook.FUNC(__VA_ARGS__); \
+ if (!is_ret_value_allowed(RC, LSM_RET_FLAGS(FUNC))) { \
+ WARN_ONCE(1, "Illegal ret %d for " #FUNC " from %s, forcing %d\n", \
+ RC, P->lsm, LSM_RET_DEFAULT(FUNC)); \
+ RC = LSM_RET_DEFAULT(FUNC); \
+ } \
if (RC != 0) \
break; \
} \
--
2.25.1
Powered by blists - more mailing lists