| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20240218073501.54555-1-guixiongwei@gmail.com>
Date: Sun, 18 Feb 2024 15:35:01 +0800
From: Guixiong Wei <guixiongwei@...il.com>
To: gregkh@...uxfoundation.org,
jgross@...e.com,
boris.ostrovsky@...cle.com
Cc: linux-kernel@...r.kernel.org,
Guixiong Wei <weiguixiong@...edance.com>
Subject: [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access
From: Guixiong Wei <weiguixiong@...edance.com>
Restrict non-privileged user access to /sys/kernel/notes to
avoid security attack.
The non-privileged users have read access to notes. The notes
expose the load address of startup_xen. This address could be
used to bypass KASLR.
For example, the startup_xen is built at 0xffffffff82465180 and
commit_creds is built at 0xffffffff810ad570 which could read from
the /boot/System.map. And the loaded address of startup_xen is
0xffffffffbc265180 which read from /sys/kernel/notes. So the loaded
address of commit_creds is 0xffffffffbc265180 - (0xffffffff82465180
- 0xffffffff810ad570) = 0xffffffffbaead570.
Signed-off-by: Guixiong Wei <weiguixiong@...edance.com>
---
kernel/ksysfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
index b1292a57c2a5..09bc0730239b 100644
--- a/kernel/ksysfs.c
+++ b/kernel/ksysfs.c
@@ -199,7 +199,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
static struct bin_attribute notes_attr __ro_after_init = {
.attr = {
.name = "notes",
- .mode = S_IRUGO,
+ .mode = S_IRUSR,
},
.read = ¬es_read,
};
--
2.24.3 (Apple Git-128)
Powered by blists - more mailing lists