Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp454865ybt; Wed, 24 Jun 2020 03:26:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzloozoBZ01KOtWM46uAY+APEJinesdFFnV3MkxAm6qDS4Iw/lVPGWCZ77QiNUxX3C7A992 X-Received: by 2002:a17:906:af48:: with SMTP id ly8mr24041957ejb.28.1592994390353; Wed, 24 Jun 2020 03:26:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592994390; cv=none; d=google.com; s=arc-20160816; b=sSkRej27PMeI5X1dYwkfV7GM4DPhtjdkcJiIEqUJM/aaVdw4aJ56Q+RvIiT8kxKWpK Lt/4C/w1TSYGo46d7yXTANppfTwrczld570Qf15sLrM1/KYubrA2MskzUZyPaemu8jvz xjrxd9rYvf189PRI96BLCqhQU9M1Qcs9OHea1p099Q4SCrFvJhwOvHOAjq1cdOnHJeYN G4nSNd4c4yp4Wuenkrcs3O9SM6s10aW7GZvBQ8ZZsS3VrGWZR4t5IMmZSTAZkJg1RljU KVJcRAFE7ZjbTeaopZAXF1+vFNLJZ6DKe18weHkptMx6EURlZr/i8Gmdwkj1xTxCkxOH HlUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=; b=ehYiJjqRf0jlxbxdIfdH2xRVMGve+p87hqb6wzYzp6pPNt+sy888dfkv3ErAr3LdUL a+pXggxFp1chIb9tR2EgJNyrJZjZRci659wG3lNy5mc91FO9ZhsHIc6H1Os9BoB/oQiB t6T94JGlLoQcMhC4XEfup2AMM76FR60WKbufuh3bO64vi9yOB4H/ziKPmEZGnFAj3/HA xhwG9t7OoslMXWSRQHW45dpNjKGQR7rM45qpKlXwWJGbFRaPQOO+vRF6Fzb3EcpO3Z3U oqXcxjzfJpkBSk0Y0sO6yJWmht+lXRo48tjtw5xYyL1PbD1biaZ8rTntAQb68qop/sYN aP1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fT5Adym4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g3si4779710edn.594.2020.06.24.03.26.01; Wed, 24 Jun 2020 03:26:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=fT5Adym4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390403AbgFXKWV (ORCPT + 99 others); Wed, 24 Jun 2020 06:22:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40556 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388095AbgFXKVq (ORCPT ); Wed, 24 Jun 2020 06:21:46 -0400 Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A0C8C061755 for ; Wed, 24 Jun 2020 03:21:45 -0700 (PDT) Received: by mail-lf1-x143.google.com with SMTP id g139so977205lfd.10 for ; Wed, 24 Jun 2020 03:21:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=; b=fT5Adym4xre69hOkcVWPGI4K1xA/LgbxNJYucoLJp78P0bNwaSq9tbwa8twh5QJx88 FVard2FW47Q1I1KdgC7dGoFz4/7aq2G895BIzUH5jr3tYkKIAFo+8ZTiaU2kHLGtMl75 t8dH/gVMs72ZlIXNlHGB7y/GT7pXj7cyiVHxsaFtG+CS4SEqdK/GiOvOp6WStU/D/WSR vLa+xetM7xGI4flQbZ8jQfoRSrBcKPyuO4fBvfcmZ2kOeYihytPbpOLQyX76Sw6cEuui zL55c/QwhiJID/eKFm58Qgxbj2u2Ay3v6cZUq7I+UMJS7MUFnHhPTbE2YXih18owzmiN 41pw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=; b=bPuzCwBx9kcJu24+7MdjipfoiJ7v9ebXw63HDnXxd3MX7uAvB0occE/xSG9UIhZXxf KInwnnqRykjA5sPMFUCu5OvK3GgI5mxWeU+PhyJJFB2U+/CX4BgiibTSXfxYFHQmt/oN ODjjg4Dm2EHzc9F3R5fGO6EskPybbQLEzIF1P2T6dToWPw71OeoCL0zpTT7fVYoMWJbl dv/v2xXhxvATpwKQRHLabiY+IGiY1hemMxRGkdpSAbWF5fM/aXo7eC71LRPNcGOrVIVs aIBkzbyih3lGnpvwn4zU50Yj9g9zM7qqmzHVcu9GDt9UYuLV4LVjP9xxQ3ZdOjOzDhSy z0oA== X-Gm-Message-State: AOAM533XJOAxOLdQwsB2I7dop2+Thz1c6BxmEmtpk1EdBmQ4yyJpwpbx GD1WNVRix/IfvTBFlZAU0mea4YFp8sAnT6XypgBONA== X-Received: by 2002:a19:4143:: with SMTP id o64mr14976844lfa.157.1592994103571; Wed, 24 Jun 2020 03:21:43 -0700 (PDT) MIME-Version: 1.0 References: <20200623172327.5701-1-kristen@linux.intel.com> <20200623172327.5701-10-kristen@linux.intel.com> In-Reply-To: <20200623172327.5701-10-kristen@linux.intel.com> From: Jann Horn Date: Wed, 24 Jun 2020 12:21:16 +0200 Message-ID: Subject: Re: [PATCH v3 09/10] kallsyms: Hide layout To: Kristen Carlson Accardi Cc: Kees Cook , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Arjan van de Ven , "the arch/x86 maintainers" , kernel list , Kernel Hardening , Rick Edgecombe , Tony Luck Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 23, 2020 at 7:26 PM Kristen Carlson Accardi wrote: > This patch makes /proc/kallsyms display alphabetically by symbol > name rather than sorted by address in order to hide the newly > randomized address layout. [...] > +static int sorted_show(struct seq_file *m, void *p) > +{ > + struct list_head *list = m->private; > + struct kallsyms_iter_list *iter; > + int rc; > + > + if (list_empty(list)) > + return 0; > + > + iter = list_first_entry(list, struct kallsyms_iter_list, next); > + > + m->private = iter; > + rc = s_show(m, p); > + m->private = list; > + > + list_del(&iter->next); > + kfree(iter); Does anything like this kfree() happen if someone only reads the start of kallsyms and then closes the file? IOW, does "while true; do head -n1 /proc/kallsyms; done" leak memory? > + return rc; > +} [...] > +static int kallsyms_list_cmp(void *priv, struct list_head *a, > + struct list_head *b) > +{ > + struct kallsyms_iter_list *iter_a, *iter_b; > + > + iter_a = list_entry(a, struct kallsyms_iter_list, next); > + iter_b = list_entry(b, struct kallsyms_iter_list, next); > + > + return strcmp(iter_a->iter.name, iter_b->iter.name); > +} This sorts only by name, but kallsyms prints more information (module names and types). This means that if there are elements whose names are the same, but whose module names or types are different, then some amount of information will still be leaked by the ordering of elements with the same name. In practice, since list_sort() is stable, this means you can see the ordering of many modules, and you can see the ordering of symbols with same name but different visibility (e.g. "t user_read" from security/selinux/ss/policydb.c vs "T user_read" from security/keys/user_defined.c, and a couple other similar cases). [...] > +#if defined(CONFIG_FG_KASLR) > +/* > + * When fine grained kaslr is enabled, we need to > + * print out the symbols sorted by name rather than by > + * by address, because this reveals the randomization order. > + */ > +static int kallsyms_open(struct inode *inode, struct file *file) > +{ > + int ret; > + struct list_head *list; > + > + list = __seq_open_private(file, &kallsyms_sorted_op, sizeof(*list)); > + if (!list) > + return -ENOMEM; > + > + INIT_LIST_HEAD(list); > + > + ret = kallsyms_on_each_symbol(get_all_symbol_name, list); > + if (ret != 0) > + return ret; > + > + list_sort(NULL, list, kallsyms_list_cmp); This permits running an algorithm (essentially mergesort) with secret-dependent branches and memory addresses on essentially secret data, triggerable and arbitrarily repeatable (although with partly different addresses on each run) by the attacker, and probably a fairly low throughput (comparisons go through indirect function calls, which are slowed down by retpolines, and linked list iteration implies slow pointer chases). Those are fairly favorable conditions for typical side-channel attacks. Do you have estimates of how hard it would be to leverage such side channels to recover function ordering (both on old hardware that only has microcode fixes for Spectre and such, and on newer hardware with enhanced IBRS and such)? > + return 0; > +}