| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251126134422.44710-1-ellyesparza8@gmail.com>
Date: Wed, 26 Nov 2025 10:44:22 -0300
From: ellyndra <ellyesparza8@...il.com>
To: linux-kernel@...r.kernel.org,
paul@...l-moore.com,
jmorris@...ei.org,
serge@...lyn.com,
mingo@...hat.com,
tglx@...utronix.de,
luto@...nel.org
Cc: ellyndra <elly.esparza@...ypsium.com>,
Elly I Esparza <ellyesparza8@...il.com>
Subject: [PATCH] kprobes: Blacklist risky functions from being probed
From: ellyndra <elly.esparza@...ypsium.com>
Blacklist 'x64_sys_call()' from being kprobed to prevent syscall hooking
techniques that overwrite the content of a 'case' block inside the main
syscall dispatch switch statement.
Also blacklist 'kallsyms_lookup_name()' to prevent a potential bypass
of the blacklist, since this function can be used to discover and target
arbitrary kernel symbols.
Add a Kconfig option under security/ to enable or disable this feature.
Signed-off-by: Elly I Esparza <ellyesparza8@...il.com>
---
---
arch/x86/entry/syscall_64.c | 9 ++++++++-
kernel/kallsyms.c | 3 +++
security/Kconfig | 8 ++++++++
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/entry/syscall_64.c b/arch/x86/entry/syscall_64.c
index b6e68ea98b83..e878fa865532 100644
--- a/arch/x86/entry/syscall_64.c
+++ b/arch/x86/entry/syscall_64.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0-only
/* 64-bit system call dispatch */
+#include <linux/kprobes.h>
#include <linux/linkage.h>
#include <linux/sys.h>
#include <linux/cache.h>
@@ -39,6 +40,9 @@ long x64_sys_call(const struct pt_regs *regs, unsigned int nr)
default: return __x64_sys_ni_syscall(regs);
}
}
+#ifdef CONFIG_SEC_KPROBES
+NOKPROBE_SYMBOL(x64_sys_call)
+#endif
#ifdef CONFIG_X86_X32_ABI
long x32_sys_call(const struct pt_regs *regs, unsigned int nr)
@@ -48,7 +52,10 @@ long x32_sys_call(const struct pt_regs *regs, unsigned int nr)
default: return __x64_sys_ni_syscall(regs);
}
}
-#endif
+#ifdef CONFIG_SEC_KPROBES
+NOKPROBE_SYMBOL(x32_sys_call)
+#endif //CONFIG_SEC_KPROBES
+#endif //CONFIG_X86_X32_ABI
static __always_inline bool do_syscall_x64(struct pt_regs *regs, int nr)
{
diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
index 1e7635864124..4082e98681a4 100644
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -234,6 +234,9 @@ unsigned long kallsyms_lookup_name(const char *name)
return module_kallsyms_lookup_name(name);
}
+#ifdef CONFIG_SEC_KPROBES
+NOKPROBE_SYMBOL(kallsyms_lookup_name)
+#endif
/*
* Iterate over all symbols in vmlinux. For symbols from modules use
diff --git a/security/Kconfig b/security/Kconfig
index 285f284dfcac..a0906a5a7410 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -286,5 +286,13 @@ config LSM
source "security/Kconfig.hardening"
+config SEC_KPROBES
+ bool "Secure kprobe blacklist"
+ depends on KPROBES
+ help
+ Adds functions x64_syscall_table() and kallsyms_lookup_name()
+ to the kprobe blacklist to prevent syscall hooking attacks.
+ If in doubt, say "N".
+
endmenu
--
2.43.0
Powered by blists - more mailing lists