Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4544463img; Tue, 26 Mar 2019 11:29:47 -0700 (PDT) X-Google-Smtp-Source: APXvYqw60kyn3J02ftH4o3i9rsfNLCSYPqR4qGJz644FtAeqkofu/FTKmAmCMAbgR1aPAjDDp1He X-Received: by 2002:a17:902:2963:: with SMTP id g90mr32976567plb.182.1553624987591; Tue, 26 Mar 2019 11:29:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553624987; cv=none; d=google.com; s=arc-20160816; b=sSgItNlGgbRQC1CHJCcTuP+g0M+K9a8Qce8LP9izR5nFlp9HDabQYpLXz2Qx5jhy6H S9oWoDJtBQgAMAeNmLmKYcKV1Xsyorwx25ARc+R+G5freJ5xkfjYAd3U3EVrq/uE27ZJ GDrgi0LO/ThtkKLtjL+FFx5jsiH70HpiUS268xzkcxatlG/y7xm2NsBGw6ZLGqPqS2QK P89DVJxYScnqsrGAFfcv6lUb+WBxwhegKy0BDoYgqRnKZgQKMcQdFfAsRYK8CK71VI+7 rFHKphnXCRgJAYDFdAt7Ml2MzRSmw2MGt8/fU9ERfQ7oMTErHaMsXjnRaK3+V6Qmopvs W5Ig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:references :mime-version:message-id:in-reply-to:date:dkim-signature; bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=; b=I6JcT0sYahiIWEOPZzCg0nv3eR3MDK3MokFg+uiusv9la6DNUwZKnGKFccoUSBpHlI L9JdPos/ZhRM1qvPXHTidJ70JvqduxwdRqa8sHTs+BX7HPIjEdGx1gqHctT2omQJnu8U 943jIpU9sOyAG+SZggt0xxlkZ5vxz2lHrcsZRmlMf55cNGo4XtjbXBGpaH9N2DKRDeOb Vsr3t5dh9qCpP4zMiwKZglk9yRM8jZ0FbNF/deUzUShmlYXom/Ve3WARCMm7FTmQK1Q/ rf2C5S0tGYIFjJmHNt0iEz/3SiOI2lpEVqqz7sLnukk+sfL5hTLxysPRNFrOlgb9vin8 7pGg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QSA3jV9B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m10si4041896pgi.417.2019.03.26.11.29.32; Tue, 26 Mar 2019 11:29:47 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=QSA3jV9B; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732742AbfCZS22 (ORCPT + 99 others); Tue, 26 Mar 2019 14:28:28 -0400 Received: from mail-yw1-f74.google.com ([209.85.161.74]:37389 "EHLO mail-yw1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732726AbfCZS20 (ORCPT ); Tue, 26 Mar 2019 14:28:26 -0400 Received: by mail-yw1-f74.google.com with SMTP id x185so19969069ywd.4 for ; Tue, 26 Mar 2019 11:28:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=; b=QSA3jV9BWatdGl7hVSyhHwxLAxTneVkVg14uAJ/VF/6Frih2P7oXfTEv9kMP9G6XvB HEOGTc5uUxEQVWGmCh16CeR2IwnyK1KEWe+pwfhYfgXyj7bxXTdw9tKhsEjRGPG6ArGf qjggUxIgwpRtfAPv2l9cbaEcSWEgwDoxZkkEkMYKJh+bakWOkmpkPFLrGS1LnsvYGQuo Wh2GSZNqJwd+KUkfQlegDvzkqx/b3gLT9LlY1/YbcrJdfresNx4cOhRBgKV40TW1CyVL y8hFknGmWJARHvfiwFgL/XqzMwUY7qIZmWfCXy3Y6k4nk5qc1EVpbSGWzm9iUJ2bhVMd QkwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=XYPTV88x6bsM2+0bDxThxX+PqaKMYNT/2nzbQ6HoL14=; b=azma4+XaGVZbU+es5nEzMKAY/0wN41+ooo8J8qolXH9nZdQIGymWWbuHXqXK9ZbHDP 0pqnsuyz0l7fsmC8+FP8xfw1XAH4BiXJ7rIoKQ4i6BWX5Io78XlOxMrABc6Ef3d98YM+ PiENffw+1sGlIur7+kaZ/zWv+H9cWP3dH2T6fEU8DeVFtPwid76wdeAJXvUvDqHZ+k/r qM3kv1chvbsNV8+7x58mwmgUaXisTnhiwiGy8OllyCsCFAVW+0aef5EoqSoPK2MthNR4 r7hgeNTN9Z6SnfIko/4RQloQONM6RfFdbyD899M/MHQZ+iEyMmmYe6HYyzd9RJp1krXz Uutw== X-Gm-Message-State: APjAAAX7fewpqZowlYcY5kl53U0A/pEP+cshLPHhs+Zhw/yY0vJYW7dZ sjUwFoiZZYl9S71BKC03ocN89k8T6+FJf1Ggq07YXA== X-Received: by 2002:a25:1d04:: with SMTP id d4mr2412901ybd.517.1553624905627; Tue, 26 Mar 2019 11:28:25 -0700 (PDT) Date: Tue, 26 Mar 2019 11:27:28 -0700 In-Reply-To: <20190326182742.16950-1-matthewgarrett@google.com> Message-Id: <20190326182742.16950-13-matthewgarrett@google.com> Mime-Version: 1.0 References: <20190326182742.16950-1-matthewgarrett@google.com> X-Mailer: git-send-email 2.21.0.392.gf8f6787159e-goog Subject: [PATCH V31 12/25] x86/msr: Restrict MSR access when the kernel is locked down From: Matthew Garrett To: jmorris@namei.org Cc: linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-api@vger.kernel.org, luto@kernel.org, Matthew Garrett , Matthew Garrett , Kees Cook , Thomas Gleixner , x86@kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Matthew Garrett Writing to MSRs should not be allowed if the kernel is locked down, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Signed-off-by: Matthew Garrett Signed-off-by: David Howells Acked-by: Kees Cook Reviewed-by: Thomas Gleixner cc: x86@kernel.org --- arch/x86/kernel/msr.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 4588414e2561..731be1be52b6 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -84,6 +84,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, int err = 0; ssize_t bytes = 0; + if (kernel_is_locked_down("Direct MSR access", LOCKDOWN_INTEGRITY)) + return -EPERM; + if (count % 8) return -EINVAL; /* Invalid chunk size */ @@ -135,6 +138,11 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) err = -EFAULT; break; } + if (kernel_is_locked_down("Direct MSR access", + LOCKDOWN_INTEGRITY)) { + err = -EPERM; + break; + } err = wrmsr_safe_regs_on_cpu(cpu, regs); if (err) break; -- 2.21.0.392.gf8f6787159e-goog