Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp454865ybt;
        Wed, 24 Jun 2020 03:26:30 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzloozoBZ01KOtWM46uAY+APEJinesdFFnV3MkxAm6qDS4Iw/lVPGWCZ77QiNUxX3C7A992
X-Received: by 2002:a17:906:af48:: with SMTP id ly8mr24041957ejb.28.1592994390353;
        Wed, 24 Jun 2020 03:26:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592994390; cv=none;
        d=google.com; s=arc-20160816;
        b=sSkRej27PMeI5X1dYwkfV7GM4DPhtjdkcJiIEqUJM/aaVdw4aJ56Q+RvIiT8kxKWpK
         Lt/4C/w1TSYGo46d7yXTANppfTwrczld570Qf15sLrM1/KYubrA2MskzUZyPaemu8jvz
         xjrxd9rYvf189PRI96BLCqhQU9M1Qcs9OHea1p099Q4SCrFvJhwOvHOAjq1cdOnHJeYN
         G4nSNd4c4yp4Wuenkrcs3O9SM6s10aW7GZvBQ8ZZsS3VrGWZR4t5IMmZSTAZkJg1RljU
         KVJcRAFE7ZjbTeaopZAXF1+vFNLJZ6DKe18weHkptMx6EURlZr/i8Gmdwkj1xTxCkxOH
         HlUQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=;
        b=ehYiJjqRf0jlxbxdIfdH2xRVMGve+p87hqb6wzYzp6pPNt+sy888dfkv3ErAr3LdUL
         a+pXggxFp1chIb9tR2EgJNyrJZjZRci659wG3lNy5mc91FO9ZhsHIc6H1Os9BoB/oQiB
         t6T94JGlLoQcMhC4XEfup2AMM76FR60WKbufuh3bO64vi9yOB4H/ziKPmEZGnFAj3/HA
         xhwG9t7OoslMXWSRQHW45dpNjKGQR7rM45qpKlXwWJGbFRaPQOO+vRF6Fzb3EcpO3Z3U
         oqXcxjzfJpkBSk0Y0sO6yJWmht+lXRo48tjtw5xYyL1PbD1biaZ8rTntAQb68qop/sYN
         aP1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fT5Adym4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id g3si4779710edn.594.2020.06.24.03.26.01;
        Wed, 24 Jun 2020 03:26:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=fT5Adym4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2390403AbgFXKWV (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Wed, 24 Jun 2020 06:22:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40556 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388095AbgFXKVq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 24 Jun 2020 06:21:46 -0400
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A0C8C061755
        for <linux-kernel@vger.kernel.org>; Wed, 24 Jun 2020 03:21:45 -0700 (PDT)
Received: by mail-lf1-x143.google.com with SMTP id g139so977205lfd.10
        for <linux-kernel@vger.kernel.org>; Wed, 24 Jun 2020 03:21:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=;
        b=fT5Adym4xre69hOkcVWPGI4K1xA/LgbxNJYucoLJp78P0bNwaSq9tbwa8twh5QJx88
         FVard2FW47Q1I1KdgC7dGoFz4/7aq2G895BIzUH5jr3tYkKIAFo+8ZTiaU2kHLGtMl75
         t8dH/gVMs72ZlIXNlHGB7y/GT7pXj7cyiVHxsaFtG+CS4SEqdK/GiOvOp6WStU/D/WSR
         vLa+xetM7xGI4flQbZ8jQfoRSrBcKPyuO4fBvfcmZ2kOeYihytPbpOLQyX76Sw6cEuui
         zL55c/QwhiJID/eKFm58Qgxbj2u2Ay3v6cZUq7I+UMJS7MUFnHhPTbE2YXih18owzmiN
         41pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=5fI5JvNK3dCwQIzTsRN6p2beN2NJgsVUVMhaeGY2KsU=;
        b=bPuzCwBx9kcJu24+7MdjipfoiJ7v9ebXw63HDnXxd3MX7uAvB0occE/xSG9UIhZXxf
         KInwnnqRykjA5sPMFUCu5OvK3GgI5mxWeU+PhyJJFB2U+/CX4BgiibTSXfxYFHQmt/oN
         ODjjg4Dm2EHzc9F3R5fGO6EskPybbQLEzIF1P2T6dToWPw71OeoCL0zpTT7fVYoMWJbl
         dv/v2xXhxvATpwKQRHLabiY+IGiY1hemMxRGkdpSAbWF5fM/aXo7eC71LRPNcGOrVIVs
         aIBkzbyih3lGnpvwn4zU50Yj9g9zM7qqmzHVcu9GDt9UYuLV4LVjP9xxQ3ZdOjOzDhSy
         z0oA==
X-Gm-Message-State: AOAM533XJOAxOLdQwsB2I7dop2+Thz1c6BxmEmtpk1EdBmQ4yyJpwpbx
        GD1WNVRix/IfvTBFlZAU0mea4YFp8sAnT6XypgBONA==
X-Received: by 2002:a19:4143:: with SMTP id o64mr14976844lfa.157.1592994103571;
 Wed, 24 Jun 2020 03:21:43 -0700 (PDT)
MIME-Version: 1.0
References: <20200623172327.5701-1-kristen@linux.intel.com> <20200623172327.5701-10-kristen@linux.intel.com>
In-Reply-To: <20200623172327.5701-10-kristen@linux.intel.com>
From:   Jann Horn <jannh@google.com>
Date:   Wed, 24 Jun 2020 12:21:16 +0200
Message-ID: <CAG48ez3YHoPOTZvabsNUcr=GP-rX+OXhNT54KcZT9eSQ28Fb8Q@mail.gmail.com>
Subject: Re: [PATCH v3 09/10] kallsyms: Hide layout
To:     Kristen Carlson Accardi <kristen@linux.intel.com>
Cc:     Kees Cook <keescook@chromium.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
        Arjan van de Ven <arjan@linux.intel.com>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Rick Edgecombe <rick.p.edgecombe@intel.com>,
        Tony Luck <tony.luck@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 23, 2020 at 7:26 PM Kristen Carlson Accardi
<kristen@linux.intel.com> wrote:
> This patch makes /proc/kallsyms display alphabetically by symbol
> name rather than sorted by address in order to hide the newly
> randomized address layout.
[...]
> +static int sorted_show(struct seq_file *m, void *p)
> +{
> +       struct list_head *list = m->private;
> +       struct kallsyms_iter_list *iter;
> +       int rc;
> +
> +       if (list_empty(list))
> +               return 0;
> +
> +       iter = list_first_entry(list, struct kallsyms_iter_list, next);
> +
> +       m->private = iter;
> +       rc = s_show(m, p);
> +       m->private = list;
> +
> +       list_del(&iter->next);
> +       kfree(iter);

Does anything like this kfree() happen if someone only reads the start
of kallsyms and then closes the file? IOW, does "while true; do head
-n1 /proc/kallsyms; done" leak memory?

> +       return rc;
> +}
[...]
> +static int kallsyms_list_cmp(void *priv, struct list_head *a,
> +                            struct list_head *b)
> +{
> +       struct kallsyms_iter_list *iter_a, *iter_b;
> +
> +       iter_a = list_entry(a, struct kallsyms_iter_list, next);
> +       iter_b = list_entry(b, struct kallsyms_iter_list, next);
> +
> +       return strcmp(iter_a->iter.name, iter_b->iter.name);
> +}

This sorts only by name, but kallsyms prints more information (module
names and types). This means that if there are elements whose names
are the same, but whose module names or types are different, then some
amount of information will still be leaked by the ordering of elements
with the same name. In practice, since list_sort() is stable, this
means you can see the ordering of many modules, and you can see the
ordering of symbols with same name but different visibility (e.g. "t
user_read" from security/selinux/ss/policydb.c vs "T user_read" from
security/keys/user_defined.c, and a couple other similar cases).

[...]
> +#if defined(CONFIG_FG_KASLR)
> +/*
> + * When fine grained kaslr is enabled, we need to
> + * print out the symbols sorted by name rather than by
> + * by address, because this reveals the randomization order.
> + */
> +static int kallsyms_open(struct inode *inode, struct file *file)
> +{
> +       int ret;
> +       struct list_head *list;
> +
> +       list = __seq_open_private(file, &kallsyms_sorted_op, sizeof(*list));
> +       if (!list)
> +               return -ENOMEM;
> +
> +       INIT_LIST_HEAD(list);
> +
> +       ret = kallsyms_on_each_symbol(get_all_symbol_name, list);
> +       if (ret != 0)
> +               return ret;
> +
> +       list_sort(NULL, list, kallsyms_list_cmp);

This permits running an algorithm (essentially mergesort) with
secret-dependent branches and memory addresses on essentially secret
data, triggerable and arbitrarily repeatable (although with partly
different addresses on each run) by the attacker, and probably a
fairly low throughput (comparisons go through indirect function calls,
which are slowed down by retpolines, and linked list iteration implies
slow pointer chases). Those are fairly favorable conditions for
typical side-channel attacks.

Do you have estimates of how hard it would be to leverage such side
channels to recover function ordering (both on old hardware that only
has microcode fixes for Spectre and such, and on newer hardware with
enhanced IBRS and such)?

> +       return 0;
> +}