Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp665548ybt; Wed, 24 Jun 2020 08:19:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZlO/cQaLQd/qWBpBOy6Ega8RGC4UovvBpa3VUspAPZrFESZUzJzgMnEU0C2lp0KTyU2uQ X-Received: by 2002:a05:6402:741:: with SMTP id p1mr2325126edy.222.1593011982252; Wed, 24 Jun 2020 08:19:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593011982; cv=none; d=google.com; s=arc-20160816; b=pEAnUuiG7OhIMjJWhgfH0NB9O4Sd+c1gKqlEtQk/uX0oMzJBwk9EVHkwcQZhuw1lsx J7qSFOZLbP2JvTTwPBuafV8HNX8tXeJjkV26BCZUwSCPjMUZP+pyXZTKP2GJpcOQw8fS HHs7uSDbOI1euvHWoHf9w7XZqAHWdUkf8GljL0kDguC55CZhUY04tuvrAMvuXaRp+z2q YeHpcar+//cGub2FLiBdI7cgKoTB1hBrPmbd3CAD7Zwc8txclK67+5HVxlXiAtImR5db stZ/Ln2auP5CVKyKxkfnVeYS1Q2kCVGZP5LymbazINLkZmrzp7fgaEPTT8G4UkpuhS1r O8Sg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=RgJ5KQQgdze1Er7yT6oG3OjYmr8lm8UCuoB+oNW30KA=; b=xeLx2gcZAjuidkrOuDN1Hl3DsZ0UQ9PegaV6HUn7jn53wiQLfgn6f07+rlXEcORNVQ Lp+cq3sWDzuamf+8IAnHCGa2KKpc3JcSew/hmRuRhn3HxOwcZPclBMRNpOrgZMSYNd/y CcZ5484yjVAsYoJWMgaUQ384tGwwoQg1s0FxEUegDOkXxXX13aQpgpAk5gdnk5zq/XhP K1obcVuGGiw0cpU6AZZWvVSdV8flFYFg9DozP32RZAt0UCy97KlFH4LQvJMcnuKXvvQP TCEFvCQuFgNtZYrAtS8Pa+hvYaUkdmpaeXCIEf5enzJztp7W7kSGLiAhkxjx5+5bpDmI X6Qg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CH4kMR5I; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id lf3si12678956ejb.350.2020.06.24.08.19.18; Wed, 24 Jun 2020 08:19:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=CH4kMR5I; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404410AbgFXPSQ (ORCPT + 99 others); Wed, 24 Jun 2020 11:18:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58166 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390817AbgFXPSP (ORCPT ); Wed, 24 Jun 2020 11:18:15 -0400 Received: from mail-pl1-x643.google.com (mail-pl1-x643.google.com [IPv6:2607:f8b0:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9945FC061573 for ; Wed, 24 Jun 2020 08:18:15 -0700 (PDT) Received: by mail-pl1-x643.google.com with SMTP id g17so1163166plq.12 for ; Wed, 24 Jun 2020 08:18:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=RgJ5KQQgdze1Er7yT6oG3OjYmr8lm8UCuoB+oNW30KA=; b=CH4kMR5Icue6l7XK6pIFfSYjVQ5WkzRDoGH+TWwCrL7w2COxwqeOUoBa/4iQarmDBH iAo8lBWn1tCcw6vScNAuFoZi/1CBw/St5Xwp2qD0ZWwbUCAQr4ESbIJZKurIxMd47X38 zfnwiJ49xx7O1RVasJK7rT7e7T9+JmOGX/PGQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=RgJ5KQQgdze1Er7yT6oG3OjYmr8lm8UCuoB+oNW30KA=; b=Ki8TMshjFRVHiIW3Go5dtMCPEK7LLpkeSPFDeCVBbaI7utsSINWki3eXKekggRcjZl 9BxWgSo/JaT44b3HBol5UTFq8JuHjRJULXLJr2WKqfM8cPRnuSJ/RosdQ3xlH4Y58/4+ vq311KDSJkOVqv9V4GAefY+DRnqcDRdgrZghMIM2FRj6v6xKmQNBe9RMDAJvAVksGXfx Xl+4FwtksSA142EDVcnOQorEceQ4h/4rOjKHDyEkvkRaGmmahu3moTrnpEGiPWhefil4 Pbc63LnkNoxJBDxXtsPfXsTxE35fkEo7x9EnF7uAINn/loY4pAoYKDC2CjSH0TwJMKqL E3uQ== X-Gm-Message-State: AOAM53137tGhFK/ujP0938WdoImOje0ZwU9INS996IFEmFp+KT+iHfyn AIvGtA2Ro0nbfB4UKIcNSunMLA== X-Received: by 2002:a17:902:b906:: with SMTP id bf6mr8910774plb.323.1593011895106; Wed, 24 Jun 2020 08:18:15 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id l14sm5904807pjh.50.2020.06.24.08.18.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jun 2020 08:18:14 -0700 (PDT) Date: Wed, 24 Jun 2020 08:18:13 -0700 From: Kees Cook To: Jann Horn Cc: Kristen Carlson Accardi , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Arjan van de Ven , the arch/x86 maintainers , kernel list , Kernel Hardening , Rick Edgecombe , Tony Luck Subject: Re: [PATCH v3 09/10] kallsyms: Hide layout Message-ID: <202006240815.45AAD55@keescook> References: <20200623172327.5701-1-kristen@linux.intel.com> <20200623172327.5701-10-kristen@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 24, 2020 at 12:21:16PM +0200, Jann Horn wrote: > On Tue, Jun 23, 2020 at 7:26 PM Kristen Carlson Accardi > wrote: > > This patch makes /proc/kallsyms display alphabetically by symbol > > name rather than sorted by address in order to hide the newly > > randomized address layout. > [...] > > +static int sorted_show(struct seq_file *m, void *p) > > +{ > > + struct list_head *list = m->private; > > + struct kallsyms_iter_list *iter; > > + int rc; > > + > > + if (list_empty(list)) > > + return 0; > > + > > + iter = list_first_entry(list, struct kallsyms_iter_list, next); > > + > > + m->private = iter; > > + rc = s_show(m, p); > > + m->private = list; > > + > > + list_del(&iter->next); > > + kfree(iter); > > Does anything like this kfree() happen if someone only reads the start > of kallsyms and then closes the file? IOW, does "while true; do head > -n1 /proc/kallsyms; done" leak memory? Oop, nice catch. It seems the list would need to be walked on s_stop. > > > + return rc; > > +} > [...] > > +static int kallsyms_list_cmp(void *priv, struct list_head *a, > > + struct list_head *b) > > +{ > > + struct kallsyms_iter_list *iter_a, *iter_b; > > + > > + iter_a = list_entry(a, struct kallsyms_iter_list, next); > > + iter_b = list_entry(b, struct kallsyms_iter_list, next); > > + > > + return strcmp(iter_a->iter.name, iter_b->iter.name); > > +} > > This sorts only by name, but kallsyms prints more information (module > names and types). This means that if there are elements whose names > are the same, but whose module names or types are different, then some > amount of information will still be leaked by the ordering of elements > with the same name. In practice, since list_sort() is stable, this > means you can see the ordering of many modules, and you can see the > ordering of symbols with same name but different visibility (e.g. "t > user_read" from security/selinux/ss/policydb.c vs "T user_read" from > security/keys/user_defined.c, and a couple other similar cases). i.e. sub-sort by visibility? > > [...] > > +#if defined(CONFIG_FG_KASLR) > > +/* > > + * When fine grained kaslr is enabled, we need to > > + * print out the symbols sorted by name rather than by > > + * by address, because this reveals the randomization order. > > + */ > > +static int kallsyms_open(struct inode *inode, struct file *file) > > +{ > > + int ret; > > + struct list_head *list; > > + > > + list = __seq_open_private(file, &kallsyms_sorted_op, sizeof(*list)); > > + if (!list) > > + return -ENOMEM; > > + > > + INIT_LIST_HEAD(list); > > + > > + ret = kallsyms_on_each_symbol(get_all_symbol_name, list); > > + if (ret != 0) > > + return ret; > > + > > + list_sort(NULL, list, kallsyms_list_cmp); > > This permits running an algorithm (essentially mergesort) with > secret-dependent branches and memory addresses on essentially secret > data, triggerable and arbitrarily repeatable (although with partly > different addresses on each run) by the attacker, and probably a > fairly low throughput (comparisons go through indirect function calls, > which are slowed down by retpolines, and linked list iteration implies > slow pointer chases). Those are fairly favorable conditions for > typical side-channel attacks. > > Do you have estimates of how hard it would be to leverage such side > channels to recover function ordering (both on old hardware that only > has microcode fixes for Spectre and such, and on newer hardware with > enhanced IBRS and such)? I wonder, instead, if sorting should be just done once per module load/unload? That would make the performance and memory management easier too. -- Kees Cook