Message-ID: <906901ED-DAE3-4A36-A3E4-16DF6F251C48@kernel.org>
Date:   Fri, 10 Mar 2023 07:47:12 -0800
From:   Kees Cook <kees@...nel.org>
To:     Ornaghi Davide <davide.ornaghi@...re.it>,
        "keescook@...omium.org" <keescook@...omium.org>,
        "paulmck@...nel.org" <paulmck@...nel.org>,
        "nsaenzju@...hat.com" <nsaenzju@...hat.com>,
        "peterz@...radead.org" <peterz@...radead.org>,
        "bigeasy@...utronix.de" <bigeasy@...utronix.de>,
        "frederic@...nel.org" <frederic@...nel.org>,
        "linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization

On March 9, 2023 1:00:20 PM PST, Ornaghi Davide <davide.ornaghi@...re.it> wrote:
>Per-system-call kernel-stack randomization was introduced to
>prevent attackers from predicting the addresses of certain data
>structures on the stack upon sequential syscalls.
>
>However, when entering soft interrupt context, a new stack is allocated
>via vmalloc at a location that stays constant for each cpu until reboot.
>
>Recent security vulnerabilities such as CVE-2023-0179 showed how an
>infoleak under the softirq context could allow the attacker to locate
>kernel data structures like nftables registers, where a malicious payload
>could be stored.
>
>Instead of keeping a constant address, reuse kstack_offset to also
>randomize the soft interrupt stack on every __do_softirq entry.
>
>This basic patch version has the drawback of using the same base
>address for all pending softirqs, including softirqd ones, but has a low
>impact on performance.
>Alternatively, the stack offset could be updated for every softirq
>action, which I suspect might cause some performance issues.
>
>Signed-off-by: Davide Ornaghi <davide.ornaghi@...re.it>

This seems like a good place to start. Thanks!

Reviewed-by: Kees Cook <keescook@...omium.org>

One thought is that without a reselection of the offset after this use, the offset will be shared by the next syscall too. If softirq timing is controllable by an attacker, this might allow for some exposure?

-Kees

>---
> kernel/softirq.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/kernel/softirq.c b/kernel/softirq.c
>index c8a6913c067d..8c3eb2fffe39 100644
>--- a/kernel/softirq.c
>+++ b/kernel/softirq.c
>@@ -27,6 +27,7 @@
> #include <linux/tick.h>
> #include <linux/irq.h>
> #include <linux/wait_bit.h>
>+#include <linux/randomize_kstack.h>
>
> #include <asm/softirq_stack.h>
>
>@@ -535,6 +536,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
>  __u32 pending;
>  int softirq_bit;
>
>+ add_random_kstack_offset();
>  /*
>  * Mask out PF_MEMALLOC as the current task context is borrowed for the
>  * softirq. A softirq handled, such as network RX, might set PF_MEMALLOC
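Review bot: add_random_kstack_offset() at the top of __do_softirq() consumes the current kstack_offset, but nothing in this hunk reselects it afterwards, so the same offset stays in place for every softirq action run in this pass and for the next syscall entry on this CPU, which is the sharing Kees raises above. Consider pairing the use with a reselection (choose_random_kstack_offset() with a fresh entropy value, as the syscall exit path does) after the softirq loop, or state in the commit message that the offset is deliberately shared with the following syscall. As written, the message's claim that the stack is randomized "on every __do_softirq entry" only holds when a syscall exit happened to refresh the offset in between.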
>--
>2.34.1
>
>
>Davide Ornaghi
>Offensive Security Specialist & Intrusion Analyst
>
>T. +39 039 28.45.774 +39 039 96.34.717
>Intré Security - a venture of Intré S.r.l.
>www.intre.it
>
>Please note: In reference to Italian law 196/2003 and to the Regulation EU 679/2016 (GDPR), this email transmission including its attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any views or opinions are solely those of the author and do not necessarily represent those of Intré S.r.l., unless specifically stated. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this email due to an error, please contact the sender via e-mail to the address privacy@...re.it and delete the email transmission immediately.


-- 
Kees Cook
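The sharing Kees describes can be shown with a small userspace model of the kstack_offset mechanism. This is an added example written for this page, not code from the patch or from the kernel: choose_random_kstack_offset(), KSTACK_OFFSET_MAX() and the alloca-based enter_with_offset() are simplified stand-ins for the kernel helpers (assumed here to XOR fresh entropy into a saved per-cpu offset and to apply its low 10 bits with alloca), the entropy values are fixed constants rather than a timestamp counter, and probe_stack() plays the part of a handler whose stack-resident data an infoleak could expose. The sequence it runs (syscall, then a softirq entered as in the patch, then the next syscall) is constructed for the illustration.

```c
/*
 * Constructed userspace model of the kernel's kstack_offset mechanism.
 * Example code written for this page, not kernel code: the helpers below
 * imitate the kernel macros in shape (10-bit mask, XOR of fresh entropy
 * into the saved offset, alloca to shift the stack) but are simplified
 * and run single-threaded with no per-cpu data.
 */
#include <alloca.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Only the low 10 bits of the saved offset are applied (assumption:
 * modeled on the kernel's KSTACK_OFFSET_MAX()). */
#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF)

/* Stand-in for the per-cpu kstack_offset; a single "cpu" here. */
static uint32_t kstack_offset;

/* Model of choose_random_kstack_offset(rand): fold new entropy in. */
static void choose_random_kstack_offset(uint32_t rand)
{
	kstack_offset ^= rand;
}

/* Stands in for a handler with stack-resident data and reports where its
 * frame landed. noinline so it always sits one call below the shifter. */
static __attribute__((noinline)) uintptr_t probe_stack(void)
{
	return (uintptr_t)__builtin_frame_address(0);
}

/* Model of add_random_kstack_offset() followed by the handler body: the
 * alloca moves the stack pointer by the current offset before the handler
 * runs, so the handler's locals land at a shifted address. */
static __attribute__((noinline)) uintptr_t enter_with_offset(void)
{
	uint32_t offset = kstack_offset;
	uint8_t *ptr = alloca(KSTACK_OFFSET_MAX(offset));

	/* Keep the allocation alive past "ptr" going out of scope. */
	__asm__ volatile("" :: "r"(ptr) : "memory");
	return probe_stack();
}

struct trace {
	uintptr_t syscall1; /* frame seen by a first syscall */
	uintptr_t softirq;  /* frame seen by a softirq run after it */
	uintptr_t syscall2; /* frame seen by the next syscall */
};

/*
 * Constructed sequence on one cpu: syscall -> softirq -> syscall. The
 * entropy values are fixed constants so the run is reproducible. With
 * softirq_reselects == false the softirq only consumes the offset, as the
 * patch does, and nothing refreshes it before the next syscall entry.
 */
static struct trace run_sequence(bool softirq_reselects)
{
	struct trace t;

	kstack_offset = 0;
	choose_random_kstack_offset(0x1A4); /* chosen at an earlier syscall exit */

	t.syscall1 = enter_with_offset();   /* syscall entry applies it */
	choose_random_kstack_offset(0x3C7); /* syscall exit reselects */

	t.softirq = enter_with_offset();    /* patched __do_softirq(): apply only */
	if (softirq_reselects)
		choose_random_kstack_offset(0x2B9); /* the reselection under discussion */

	t.syscall2 = enter_with_offset();   /* next syscall entry */
	return t;
}

/* True when a softirq that could observe its own stack layout has thereby
 * learned the layout the next syscall will use. */
static bool softirq_predicts_next_syscall(bool softirq_reselects)
{
	struct trace t = run_sequence(softirq_reselects);

	return t.softirq == t.syscall2;
}

int main(void)
{
	printf("no reselection:   softirq frame == next syscall frame? %s\n",
	       softirq_predicts_next_syscall(false) ? "yes" : "no");
	printf("with reselection: softirq frame == next syscall frame? %s\n",
	       softirq_predicts_next_syscall(true) ? "yes" : "no");
	return 0;
}
```

Build with gcc or clang and run. The absolute addresses change from run to run because of ASLR, but within one run the softirq's frame equals the following syscall's frame exactly when nothing reselects in between, which is the exposure Kees asks about. One caveat when reading the numbers: alloca rounds its size up to the stack alignment (16 bytes on x86-64), so two offsets whose low bits differ but round to the same size produce the same shift; the constants above are chosen so that they do not collide.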
