Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp484790imm; Mon, 2 Jul 2018 15:32:51 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdW3b33noE+UkLLEO2Xuu8ZQwNysXY3t3AR5VhNZRoT+ve7E9W7TRwmglAPFTycLUn+n0hD X-Received: by 2002:a62:c0c4:: with SMTP id g65-v6mr21446627pfk.72.1530570771605; Mon, 02 Jul 2018 15:32:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1530570771; cv=none; d=google.com; s=arc-20160816; b=NF7QyubPfvLvHBw6UOAqHNUUrzBWh5rH6uvvZaWBeMKGvfhlKvjMBQN/JaVSFFhYOi FyzGlIEA+8NQSFIoKNxEXPGAvTjDv2TAvDYoW4dD5SS2jlY7ZzRavYw/BvJLrs/YCqQq n33RicjY4EIMrj278Z8I2VvK1BEAFQEIhT+pj7JofY1Z+Jj71unV/sz0fFBeG9OEnji3 EX/W+IvKuegM0vL5eB7K/gPY1aPLSrQArrRrODC1b+5lGpPPSyvId1IhSo/EfeFZ5kPl rl/TNybARvJIXFDTWCIUuYOvrzSZSUwkOZelCq2wjKfjOVfQZqgjegZ7GDO3W8J2mJuA PG3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter:arc-authentication-results; bh=XXblgOCaLo7dkYli/cqPwWZjRHMctirpyNf354Ul5OA=; b=mDMxNCvZ+P4+B2F6u6Sfw21ubvB5ikNdHCAhAxMc6KVZ5YNc+NwRVAsE/GIhavaPK5 i67mloGNXr77tnmj6qpBGAgrnrGQgNdhymq8Lqr/m1BcR/44/rqkLFKZbA28suOmPXc0 Pfkx8YT4Vx1uRcSBuQNpCqZ7453dpgGGavNSQL+2PkppUmalvpgc3vpkJzFOcHl1mNB0 3RMJX62gWOPYCLoZvqOURYy+k8+7yRIQr1j+ckhfGdyb7922sbVekx3oY8+WM4OBxSlZ LmJANDPHcrMz4l+Wg6wIKsc7C1S+Xpy3JIRhBb5JGFPMqPbH43iCyfZmPQgaG5fvD1Ez RpOg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@efficios.com header.s=default header.b="By/PnF0U"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q26-v6si14945580pge.270.2018.07.02.15.32.37; Mon, 02 Jul 2018 15:32:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@efficios.com header.s=default header.b="By/PnF0U"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=efficios.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932234AbeGBWbv (ORCPT + 99 others); Mon, 2 Jul 2018 18:31:51 -0400 Received: from mail.efficios.com ([167.114.142.138]:46142 "EHLO mail.efficios.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932100AbeGBWbt (ORCPT ); Mon, 2 Jul 2018 18:31:49 -0400 Received: from localhost (ip6-localhost [IPv6:::1]) by mail.efficios.com (Postfix) with ESMTP id 7051F22FEC8; Mon, 2 Jul 2018 18:31:48 -0400 (EDT) Received: from mail.efficios.com ([IPv6:::1]) by localhost (mail02.efficios.com [IPv6:::1]) (amavisd-new, port 10032) with ESMTP id V-UAy1OfJJI4; Mon, 2 Jul 2018 18:31:47 -0400 (EDT) Received: from localhost (ip6-localhost [IPv6:::1]) by mail.efficios.com (Postfix) with ESMTP id C07AB22FEBF; Mon, 2 Jul 2018 18:31:47 -0400 (EDT) DKIM-Filter: OpenDKIM Filter v2.10.3 mail.efficios.com C07AB22FEBF DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=efficios.com; s=default; t=1530570707; bh=XXblgOCaLo7dkYli/cqPwWZjRHMctirpyNf354Ul5OA=; h=From:To:Date:Message-Id; b=By/PnF0Uxc45yihGBCQm9ycK2yU5ioednBlUuiyIwrPZMD8nuA6FteJLHrfbp8gZm NcwbEwGEBIu/vkvJK0F7A6IRGS0c7/SLrt+Uz89zeuic7R32ZvTGAsFEQOUNGL4snb oJdP2IM0hfH6o5fDvDoWUPCeR3pz1MDiFOBWf2W8C0YsVXOdv8WQ4IKzATA+BFtid/ CJTK9oS5tpbkwuEY9RquG0TlUXP6ob7lUwz6jnHLiuS7WYQtuYiYJ9OQZV7fuAddUF 7bGaSFIcO8Gi9ZyFBhYDAGvQXOjMh3nzoNA7JqfGG2gXU8WVFKPWWpumsJ9zMh05rK 9fCmepBL9hCEg== X-Virus-Scanned: amavisd-new at efficios.com Received: from mail.efficios.com ([IPv6:::1]) by localhost (mail02.efficios.com [IPv6:::1]) (amavisd-new, port 10026) with ESMTP id JZMZHp4qZH4o; Mon, 2 Jul 2018 18:31:47 -0400 (EDT) Received: from thinkos.internal.efficios.com (192-222-157-41.qc.cable.ebox.net [192.222.157.41]) by mail.efficios.com (Postfix) with ESMTPSA id 61C2322FEAF; Mon, 2 Jul 2018 18:31:47 -0400 (EDT) From: Mathieu Desnoyers To: Thomas Gleixner Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, Peter Zijlstra , "Paul E . McKenney" , Boqun Feng , Andy Lutomirski , Dave Watson , Paul Turner , Andrew Morton , Russell King , Ingo Molnar , "H . Peter Anvin" , Andi Kleen , Chris Lameter , Ben Maurer , Steven Rostedt , Josh Triplett , Linus Torvalds , Catalin Marinas , Will Deacon , Michael Kerrisk , Joel Fernandes , Mathieu Desnoyers Subject: [RFC PATCH for 4.18] rseq: use __u64 for rseq_cs fields, validate user inputs Date: Mon, 2 Jul 2018 18:31:43 -0400 Message-Id: <20180702223143.4663-1-mathieu.desnoyers@efficios.com> X-Mailer: git-send-email 2.11.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Change the rseq ABI so rseq_cs start_ip, post_commit_offset and abort_ip fields are seen as 64-bit fields by both 32-bit and 64-bit kernels rather that ignoring the 32 upper bits on 32-bit kernels. This ensures we have a consistent behavior for a 32-bit binary executed on 32-bit kernels and in compat mode on 64-bit kernels. Validating the value of abort_ip field to be below TASK_SIZE ensures the kernel don't return to an invalid address when returning to userspace after an abort. I don't fully trust each architecture code to consistently deal with invalid return addresses. Validating the value of the start_ip and post_commit_offset fields prevents overflow on arithmetic performed on those values, used to check whether abort_ip is within the rseq critical section. On 32-bit kernels, the rseq->rseq_cs_padding field is never read by the kernel. However, 64-bit kernels dealing with 32-bit compat tasks read the full 64-bit in its entirety, and terminates the offending process with a segmentation fault if the upper 32 bits are set due to failure of copy_from_user(). Ensure that both 32-bit and 64-bit kernels dealing with 32-bit tasks end up terminating offending tasks with a segmentation fault if the upper 32-bit padding bits (rseq->rseq_cs_padding) are set by explicitly ensuring that padding is zero on 32-bit kernels. If validation fails, the process is killed with a segmentation fault. When the signature encountered before abort_ip does not match the expected signature, return -EINVAL rather than -EPERM to be consistent with other input validation return codes from rseq_get_rseq_cs(). Signed-off-by: Mathieu Desnoyers CC: "Paul E. McKenney" CC: Peter Zijlstra CC: Paul Turner CC: Thomas Gleixner CC: Andy Lutomirski CC: Andi Kleen CC: Dave Watson CC: Chris Lameter CC: Ingo Molnar CC: "H. Peter Anvin" CC: Ben Maurer CC: Steven Rostedt CC: Josh Triplett CC: Linus Torvalds CC: Andrew Morton CC: Russell King CC: Catalin Marinas CC: Will Deacon CC: Michael Kerrisk CC: Boqun Feng CC: linux-api@vger.kernel.org --- include/uapi/linux/rseq.h | 6 +++--- kernel/rseq.c | 39 +++++++++++++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/rseq.h b/include/uapi/linux/rseq.h index d620fa43756c..519ad6e176d1 100644 --- a/include/uapi/linux/rseq.h +++ b/include/uapi/linux/rseq.h @@ -52,10 +52,10 @@ struct rseq_cs { __u32 version; /* enum rseq_cs_flags */ __u32 flags; - LINUX_FIELD_u32_u64(start_ip); + __u64 start_ip; /* Offset from start_ip. */ - LINUX_FIELD_u32_u64(post_commit_offset); - LINUX_FIELD_u32_u64(abort_ip); + __u64 post_commit_offset; + __u64 abort_ip; } __attribute__((aligned(4 * sizeof(__u64)))); /* diff --git a/kernel/rseq.c b/kernel/rseq.c index 22b6acf1ad63..1d1dd6aa43f8 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -112,6 +112,29 @@ static int rseq_reset_rseq_cpu_id(struct task_struct *t) return 0; } +#ifndef __LP64__ +/* + * Check that padding is zero. + */ +static int check_rseq_cs_padding(struct task_struct *t) +{ + u32 pad; + int ret; + + ret = __get_user(pad, &t->rseq->rseq_cs_padding); + if (ret) + return ret; + if (pad) + return -EINVAL; + return 0; +} +#else +static int check_rseq_cs_padding(struct task_struct *t) +{ + return 0; +} +#endif + static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) { struct rseq_cs __user *urseq_cs; @@ -123,6 +146,8 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) ret = __get_user(ptr, &t->rseq->rseq_cs); if (ret) return ret; + if (check_rseq_cs_padding(t)) + return -EINVAL; if (!ptr) { memset(rseq_cs, 0, sizeof(*rseq_cs)); return 0; @@ -130,14 +155,20 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) urseq_cs = (struct rseq_cs __user *)ptr; if (copy_from_user(rseq_cs, urseq_cs, sizeof(*rseq_cs))) return -EFAULT; - if (rseq_cs->version > 0) - return -EINVAL; + if (rseq_cs->start_ip >= TASK_SIZE || + rseq_cs->start_ip + rseq_cs->post_commit_offset >= TASK_SIZE || + rseq_cs->abort_ip >= TASK_SIZE || + rseq_cs->version > 0) + return -EINVAL; + /* Check for overflow. */ + if (rseq_cs->start_ip + rseq_cs->post_commit_offset < rseq_cs->start_ip) + return -EINVAL; /* Ensure that abort_ip is not in the critical section. */ if (rseq_cs->abort_ip - rseq_cs->start_ip < rseq_cs->post_commit_offset) return -EINVAL; - usig = (u32 __user *)(rseq_cs->abort_ip - sizeof(u32)); + usig = (u32 __user *)(unsigned long)(rseq_cs->abort_ip - sizeof(u32)); ret = get_user(sig, usig); if (ret) return ret; @@ -146,7 +177,7 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs) printk_ratelimited(KERN_WARNING "Possible attack attempt. Unexpected rseq signature 0x%x, expecting 0x%x (pid=%d, addr=%p).\n", sig, current->rseq_sig, current->pid, usig); - return -EPERM; + return -EINVAL; } return 0; } -- 2.11.0