Message-ID: <607562bf50ddc81ebd404e8dc1710e5221f80342.1739894594.git.dvyukov@google.com>
Date: Tue, 18 Feb 2025 17:04:34 +0100
From: Dmitry Vyukov <dvyukov@...gle.com>
To: krisman@...labora.com, tglx@...utronix.de, luto@...nel.org,
peterz@...radead.org, keescook@...omium.org, gregory.price@...verge.com
Cc: Dmitry Vyukov <dvyukov@...gle.com>, Marco Elver <elver@...gle.com>, linux-kernel@...r.kernel.org
Subject: [PATCH 1/3] syscall_user_dispatch: Allow allowed range wrap-around
There are two possible scenarios for syscall filtering:
- having a trusted/allowed range of PCs, and intercepting everything else
- or the opposite: a single untrusted/intercepted range and allowing
everything else
The current implementation only allows the former use case due to
the allowed-range wrap-around check. Allow the latter use case as well
by removing the wrap-around check.
The latter use case is relevant for any kind of sandboxing scenario,
or monitoring behavior of a single library. If a program wants to
intercept syscalls for PC range [START, END) then it needs to call:
prctl(..., END, -(END-START), ...);
which sets a wrap-around range that excludes everything
besides [START, END).
Signed-off-by: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Gabriel Krisman Bertazi <krisman@...labora.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: Andy Lutomirski <luto@...nel.org>
Cc: Peter Zijlstra (Intel) <peterz@...radead.org>
Cc: Kees Cook <keescook@...omium.org>
Cc: Gregory Price <gregory.price@...verge.com>
Cc: Marco Elver <elver@...gle.com>
Cc: linux-kernel@...r.kernel.org
---
kernel/entry/syscall_user_dispatch.c | 9 +++------
kernel/sys.c | 6 ++++++
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/kernel/entry/syscall_user_dispatch.c b/kernel/entry/syscall_user_dispatch.c
index 5340c5aa89e7d..a0659f0515404 100644
--- a/kernel/entry/syscall_user_dispatch.c
+++ b/kernel/entry/syscall_user_dispatch.c
@@ -37,6 +37,7 @@ bool syscall_user_dispatch(struct pt_regs *regs)
struct syscall_user_dispatch *sd = ¤t->syscall_dispatch;
char state;
+ /* Note: this check form allows for range wrap-around. */
if (likely(instruction_pointer(regs) - sd->offset < sd->len))
return false;
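Review bot: the added comment states that the check "allows for range wrap-around" but not why, and after this series it is the only place documenting the semantics; spell out that `instruction_pointer(regs) - sd->offset` is unsigned, so a PC below `sd->offset` wraps to a large value and is admitted exactly when `sd->len` is itself a large value (negative as signed), i.e. the allowed set is [offset, offset + len) taken modulo the address space. A one-line example in the comment, e.g. `offset = END, len = -(END - START)` allows everything except [START, END), would make the intent obvious to the next reader. It is also worth saying there that `len == 0` now means no PC is allowed, so every syscall falls through to the dispatch path.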
@@ -80,13 +81,9 @@ static int task_set_syscall_user_dispatch(struct task_struct *task, unsigned lon
break;
case PR_SYS_DISPATCH_ON:
/*
- * Validate the direct dispatcher region just for basic
- * sanity against overflow and a 0-sized dispatcher
- * region. If the user is able to submit a syscall from
- * an address, that address is obviously valid.
+ * Note: we don't check and allow arbitrary values for
+ * offset/len in particular to allow range wrap-around.
*/
- if (offset && offset + len <= offset)
- return -EINVAL;
/*
* access_ok() will clear memory tags for tagged addresses
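Review bot: the removed `if (offset && offset + len <= offset)` test covered two cases, overflow and a zero-sized region with a non-zero offset, while the replacement comment "we don't check and allow arbitrary values for offset/len in particular to allow range wrap-around" reads awkwardly and does not say that the empty-region case is accepted on purpose. Suggest wording it as: "Don't validate offset/len: any values are accepted, including wrapped ranges (offset + len < offset) and an empty region (len == 0), which dispatches every syscall." Since this changes the user-visible contract of PR_SET_SYSCALL_USER_DISPATCH (a previously -EINVAL combination now succeeds with new meaning), the user-facing documentation of the prctl should be updated in the same series to describe the wrap-around semantics.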
diff --git a/kernel/sys.c b/kernel/sys.c
index cb366ff8703af..666322026ad72 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2735,6 +2735,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
error = (current->flags & PR_IO_FLUSHER) == PR_IO_FLUSHER;
break;
case PR_SET_SYSCALL_USER_DISPATCH:
+ /*
+ * Sign-extend len for 32-bit processes to allow region
+ * wrap-around.
+ */
+ if (in_compat_syscall())
+ arg4 = (long)(s32)arg4;
error = set_syscall_user_dispatch(arg2, arg3, arg4,
(char __user *) arg5);
break;
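Review bot: the widening `arg4 = (long)(s32)arg4;` is applied before `set_syscall_user_dispatch()` looks at `arg2`, so it also runs for PR_SYS_DISPATCH_OFF where `arg3`/`arg4` are not meaningful; that is harmless, but the comment should say why the widening is needed at all: the check in `syscall_user_dispatch()` compares 64-bit unsigned values, while a compat caller passes a 32-bit `-(END-START)` that would otherwise arrive zero-extended as a small positive `len`, which leaves every PC below START outside the allowed set. It would also help to note that `arg2` (the offset) needs no such treatment because a 32-bit PC is correctly zero-extended. Consider moving the `in_compat_syscall()` handling into the `PR_SYS_DISPATCH_ON` arm of `task_set_syscall_user_dispatch()` next to the new "arbitrary values" comment, so the compat widening and the range semantics it exists for are documented in one place rather than split between kernel/sys.c and kernel/entry/syscall_user_dispatch.c.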
--
2.48.1.601.g30ceb7b040-goog
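As an added illustration, not part of the patch or the kernel tree: a user-space model of the range check this series relies on, built only from the arithmetic visible in the hunks (`ip - offset < len` in unsigned arithmetic, and `(long)(s32)arg4` for compat callers). The function names (`sud_allows`, `sud_args_intercept_range`, `sud_compat_len`, `compat_wrap_works`) and the sample range are mine, chosen to show why a wrapped range excludes exactly [START, END) and why the compat sign-extension is required.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the kernel-side test in syscall_user_dispatch(): a syscall
 * is allowed (not dispatched) when ip - offset < len in unsigned
 * arithmetic, so a "negative" len is simply a large value that admits
 * every PC outside [offset + len, offset) modulo the address space. */
static bool sud_allows(uint64_t ip, uint64_t offset, uint64_t len)
{
    return ip - offset < len;
}

/* User-space recipe from the commit message: to intercept only
 * [start, end), pass offset = end and len = -(end - start). */
static void sud_args_intercept_range(uint64_t start, uint64_t end,
                                     uint64_t *offset, uint64_t *len)
{
    *offset = end;
    *len = (uint64_t)0 - (end - start);
}

/* Model of the compat path in prctl(): arg4 arrives as a 32-bit value.
 * With sign_extend it is widened like (long)(s32)arg4 in the patch;
 * without it, it is zero-extended, which is the pre-patch behaviour. */
static uint64_t sud_compat_len(uint32_t len32, bool sign_extend)
{
    return sign_extend ? (uint64_t)(int64_t)(int32_t)len32 : (uint64_t)len32;
}

/* True if, for a 32-bit task intercepting [start, end), every probed PC
 * outside the range is allowed and every PC inside it is dispatched.
 * (Hypothetical checker; probes are constructed sample PCs.) */
static bool compat_wrap_works(uint32_t start, uint32_t end, bool sign_extend)
{
    uint32_t len32 = 0u - (end - start);          /* -(END-START), 32-bit */
    uint64_t len = sud_compat_len(len32, sign_extend);
    uint64_t probes[] = { 0, start - 1, start, end - 1, end, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool inside = probes[i] >= start && probes[i] < end;
        if (sud_allows(probes[i], end, len) == inside)
            return false;                          /* wrong verdict */
    }
    return true;
}
```

Running the checker with sign extension enabled reproduces the patched behaviour; with it disabled, PC 0 (below START) is wrongly dispatched, which is the bug the kernel/sys.c hunk fixes for 32-bit processes.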