Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp414818pxb; Wed, 13 Jan 2021 06:53:28 -0800 (PST) X-Google-Smtp-Source: ABdhPJxc+YMJ+ns+OAvDfFU+GPjnM1rFV3EHwtzG0R33AywtCFWLGDiTSFhtPdHZ/gQkdC6SOVd+ X-Received: by 2002:a17:906:4694:: with SMTP id a20mr1688021ejr.201.1610549608000; Wed, 13 Jan 2021 06:53:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610549607; cv=none; d=google.com; s=arc-20160816; b=bUKXErejd8SlI3DLL8ggAI61co1BKEYDZItcakC14WPKGr9p7yccRRKez4UvGq7tpz UztSPjnyCapdljPY1356cga5fnvxYwRhqZ8IZqROsVaollKnh1QS8OG+O1QQJ2qpGJfm EX17QYfivQe82if9nEF0W6OrYg+I3ptefyiBqW7S/NA/QxcxTh1X4ISOohZzRWTquvbF xv+/aqfZniUYfw88Nll8yEi4cX9rX0MocV7eUKImU/DBzqQx2xUcUpiZ6GLgWgeQDX4Z 2C5zAmrqUutoZNa5AIt9zDhNneBDbz93aCuSw/tS/nSC7cg/X4TKkU4LD9CaPz71UM+Y sF4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=gOB8J/IEWTzxij/yvzuJ9XXCMjNSWf5FhJPdFoexQDw=; b=PseX8eY/FCvXs5ru2HOdHefKF9VmZ4Tajx9gc2CPQTWVYwv9wJ0kpAPEUql5oehABA P1If6RDZY2xvpYzN5gxwZOYGs5CuGNPPDhgBiNvA2FPGSofVJMDS+yE1dgUF8OJAT6R8 6Y1LMDXGJaBQJQcyeKI7stkrqSqLJEsobg5Q0FHY8i7oVsanxUr0TdqRLE5G8gxAbWDz czpsTAMrfg+jKPkqYd9qjD6dwv0XTFK3zKVzjhYQCv0b+VOqkQnjhF0Yxc8Y3tH2YLFy srn1WUVQsa7N1WAHY478Ke01rX3t1KS/4USgVwW4wjTyYrjLdEcOIEzz38Ed3HJroySe zk1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=M4Zfwrgf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e21si1052367edv.260.2021.01.13.06.53.03; Wed, 13 Jan 2021 06:53:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=M4Zfwrgf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726534AbhAMOt2 (ORCPT + 99 others); Wed, 13 Jan 2021 09:49:28 -0500 Received: from mail.kernel.org ([198.145.29.99]:49678 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726113AbhAMOt2 (ORCPT ); Wed, 13 Jan 2021 09:49:28 -0500 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3F7BF2313C; Wed, 13 Jan 2021 14:48:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1610549326; bh=2otNbm5t7xt3YbxV8p6/1iGGkAtXuJ7ieg1zr6BOh3s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=M4ZfwrgfTYFxxAc4KddnHZhHUxzQxMlE03U8ORnVEy1u5dg/eaRzFQGfoAC4hS6XK nD0gno38GZj1jmvo3xy9G5WanHtUbbXe2gaEjqF75nvlARdOt7QU452r9CYxQV2lmW oD/AimEFcMbzOQFRN0jmsaja64DbYnIZeKguqXpCaEobJ3LhLRT7ByYJotWKbNLfY2 XmWqgc4aOMfaFO3i+5CFcuIrHpu2yGs+6bGs5maNVP9Wk9uBfH2CEXX8zona7Rt8UM HCiIEnq3BcFVRfYM7gGaAyZH6QsDE9Jaxhw6SV6pYQ+Ko1CSWUIIVN18dzHcDReIxL sUPatbD5x7kFQ== Date: Wed, 13 Jan 2021 15:48:42 +0100 From: Jessica Yu To: Frank van der Linden Cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] module: harden ELF info handling Message-ID: <20210113144841.GB17705@linux-8ccs> References: <20210107193001.12039-1-fllinden@amazon.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20210107193001.12039-1-fllinden@amazon.com> X-OS: Linux linux-8ccs 4.12.14-lp150.12.28-default x86_64 User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org +++ Frank van der Linden [07/01/21 19:30 +0000]: >5fdc7db644 ("module: setup load info before module_sig_check()") >moved the ELF setup, so that it was done before the signature >check. This made the module name available to signature error >messages. > >However, the checks for ELF correctness in setup_load_info >are not sufficient to prevent bad memory references due to >corrupted offset fields, indices, etc. > >So, there's a regression in behavior here: a corrupt and unsigned >(or badly signed) module, which might previously have been rejected >immediately, can now cause an oops/crash. > >Harden ELF handling for module loading by doing the following: > >- Move the signature check back up so that it comes before ELF > initialization. It's best to do the signature check to see > if we can trust the module, before using the ELF structures > inside it. This also makes checks against info->len > more accurate again, as this field will be reduced by the > length of the signature in mod_check_sig(). > > The module name is now once again not available for error > messages during the signature check, but that seems like > a fair tradeoff. > >- Check if sections have offset / size fields that at least don't > exceed the length of the module. > >- Check if sections have section name offsets that don't fall > outside the section name table. > >- Add a few other sanity checks against invalid section indices, > etc. > >This is not an exhaustive consistency check, but the idea is to >at least get through the signature and blacklist checks without >crashing because of corrupted ELF info, and to error out gracefully >for most issues that would have caused problems later on. > >Fixes: 5fdc7db644 ("module: setup load info before module_sig_check()") >Signed-off-by: Frank van der Linden >--- > kernel/module.c | 143 ++++++++++++++++++++++++++++++++++++++++------ > kernel/module_signature.c | 2 +- > kernel/module_signing.c | 2 +- > 3 files changed, 126 insertions(+), 21 deletions(-) > >diff --git a/kernel/module.c b/kernel/module.c >index 4bf30e4b3eaa..34fc6c85eb65 100644 >--- a/kernel/module.c >+++ b/kernel/module.c >@@ -2964,7 +2964,7 @@ static int module_sig_check(struct load_info *info, int flags) > } > > if (is_module_sig_enforced()) { >- pr_notice("%s: loading of %s is rejected\n", info->name, reason); >+ pr_notice("Loading of %s is rejected\n", reason); > return -EKEYREJECTED; > } > >@@ -2977,9 +2977,33 @@ static int module_sig_check(struct load_info *info, int flags) > } > #endif /* !CONFIG_MODULE_SIG */ > >-/* Sanity checks against invalid binaries, wrong arch, weird elf version. */ >-static int elf_header_check(struct load_info *info) >+static int validate_section_offset(struct load_info *info, Elf_Shdr *shdr) > { >+ unsigned long secend; >+ >+ /* >+ * Check for both overflow and offset/size being >+ * too large. >+ */ >+ secend = shdr->sh_offset + shdr->sh_size; >+ if (secend < shdr->sh_offset || secend > info->len) >+ return -ENOEXEC; >+ >+ return 0; >+} >+ >+/* >+ * Sanity checks against invalid binaries, wrong arch, weird elf version. >+ * >+ * Also do basic validity checks against section offsets and sizes, the >+ * section name string table, and the indices used for it (sh_name). >+ */ >+static int elf_validity_check(struct load_info *info) >+{ >+ unsigned int i; >+ Elf_Shdr *shdr, *strhdr; >+ int err; >+ > if (info->len < sizeof(*(info->hdr))) > return -ENOEXEC; > >@@ -2989,11 +3013,78 @@ static int elf_header_check(struct load_info *info) > || info->hdr->e_shentsize != sizeof(Elf_Shdr)) > return -ENOEXEC; > >+ /* >+ * e_shnum is 16 bits, and sizeof(Elf_Shdr) is >+ * known and small. So e_shnum * sizeof(Elf_Shdr) >+ * will not overflow unsigned long on any platform. >+ */ > if (info->hdr->e_shoff >= info->len > || (info->hdr->e_shnum * sizeof(Elf_Shdr) > > info->len - info->hdr->e_shoff)) > return -ENOEXEC; > >+ info->sechdrs = (void *)info->hdr + info->hdr->e_shoff; >+ >+ /* >+ * Verify if the section name table index is valid. >+ */ >+ if (info->hdr->e_shstrndx == SHN_UNDEF >+ || info->hdr->e_shstrndx >= info->hdr->e_shnum) >+ return -ENOEXEC; >+ >+ strhdr = &info->sechdrs[info->hdr->e_shstrndx]; >+ err = validate_section_offset(info, strhdr); >+ if (err < 0) >+ return err; >+ >+ /* >+ * The section name table must be NUL-terminated, as required >+ * by the spec. This makes strcmp and pr_* calls that access >+ * strings in the section safe. >+ */ >+ info->secstrings = (void *)info->hdr + strhdr->sh_offset; >+ if (info->secstrings[strhdr->sh_size - 1] != '\0') >+ return -ENOEXEC; >+ >+ /* >+ * The code assumes that section 0 has a length of zero and >+ * an addr of zero, so check for it. >+ */ >+ if (info->sechdrs[0].sh_type != SHT_NULL >+ || info->sechdrs[0].sh_size != 0 >+ || info->sechdrs[0].sh_addr != 0) >+ return -ENOEXEC; >+ >+ for (i = 1; i < info->hdr->e_shnum; i++) { >+ shdr = &info->sechdrs[i]; >+ switch (shdr->sh_type) { >+ case SHT_NULL: >+ case SHT_NOBITS: >+ continue; >+ case SHT_SYMTAB: >+ if (shdr->sh_link == SHN_UNDEF >+ || shdr->sh_link >= info->hdr->e_shnum) >+ return -ENOEXEC; >+ fallthrough; >+ default: >+ err = validate_section_offset(info, shdr); >+ if (err < 0) { >+ pr_err("Invalid ELF section in module (section %u type %u)\n", >+ i, shdr->sh_type); >+ return err; >+ } >+ >+ if (shdr->sh_flags & SHF_ALLOC) { >+ if (shdr->sh_name >= strhdr->sh_size) { >+ pr_err("Invalid ELF section name in module (section num %u type %u)\n", Small nit: Maybe remove "num", to be consistent with the other pr_err() above. >+ i, shdr->sh_type); >+ return -ENOEXEC; >+ } >+ } >+ break; >+ } >+ } >+ > return 0; > } > >@@ -3095,11 +3186,6 @@ static int rewrite_section_headers(struct load_info *info, int flags) > > for (i = 1; i < info->hdr->e_shnum; i++) { > Elf_Shdr *shdr = &info->sechdrs[i]; >- if (shdr->sh_type != SHT_NOBITS >- && info->len < shdr->sh_offset + shdr->sh_size) { >- pr_err("Module len %lu truncated\n", info->len); >- return -ENOEXEC; >- } > > /* > * Mark all sections sh_addr with their address in the >@@ -3133,11 +3219,6 @@ static int setup_load_info(struct load_info *info, int flags) > { > unsigned int i; > >- /* Set up the convenience variables */ >- info->sechdrs = (void *)info->hdr + info->hdr->e_shoff; >- info->secstrings = (void *)info->hdr >- + info->sechdrs[info->hdr->e_shstrndx].sh_offset; >- > /* Try to find a name early so we can log errors with a module name */ > info->index.info = find_sec(info, ".modinfo"); > if (info->index.info) >@@ -3894,26 +3975,50 @@ static int load_module(struct load_info *info, const char __user *uargs, > long err = 0; > char *after_dashes; > >- err = elf_header_check(info); >+ /* >+ * Do the signature check (if any) first. All that >+ * the signature check needs is info->len, it does >+ * not need any of the section info. That can be >+ * set up later. This will minimize the chances >+ * of a corrupt module causing problems before >+ * we even get to the signature check. >+ * >+ * The check will also adjust info->len by stripping >+ * off the sig length at the end of the module, making >+ * checks against info->len more correct. >+ */ >+ err = module_sig_check(info, flags); >+ if (err) >+ goto free_copy; >+ >+ /* >+ * Do basic sanity checks against the ELF header and >+ * sections. >+ */ >+ err = elf_validity_check(info); > if (err) { >- pr_err("Module has invalid ELF header\n"); >+ pr_err("Module has invalid ELF structures\n"); > goto free_copy; > } > >+ /* >+ * Everything checks out, so set up the section info >+ * in the info structure. >+ */ > err = setup_load_info(info, flags); > if (err) > goto free_copy; > >+ /* >+ * Now that we know we have the correct module name, check >+ * if it's blacklisted. >+ */ > if (blacklisted(info->name)) { > err = -EPERM; > pr_err("Module %s is blacklisted\n", info->name); > goto free_copy; > } > >- err = module_sig_check(info, flags); >- if (err) >- goto free_copy; >- > err = rewrite_section_headers(info, flags); > if (err) > goto free_copy; >diff --git a/kernel/module_signature.c b/kernel/module_signature.c >index 4224a1086b7d..00132d12487c 100644 >--- a/kernel/module_signature.c >+++ b/kernel/module_signature.c >@@ -25,7 +25,7 @@ int mod_check_sig(const struct module_signature *ms, size_t file_len, > return -EBADMSG; > > if (ms->id_type != PKEY_ID_PKCS7) { >- pr_err("%s: Module is not signed with expected PKCS#7 message\n", >+ pr_err("%s: not signed with expected PKCS#7 message\n", > name); > return -ENOPKG; > } >diff --git a/kernel/module_signing.c b/kernel/module_signing.c >index 9d9fc678c91d..9a057c5d1d4d 100644 >--- a/kernel/module_signing.c >+++ b/kernel/module_signing.c >@@ -30,7 +30,7 @@ int mod_verify_sig(const void *mod, struct load_info *info) > > memcpy(&ms, mod + (modlen - sizeof(ms)), sizeof(ms)); > >- ret = mod_check_sig(&ms, modlen, info->name); >+ ret = mod_check_sig(&ms, modlen, info->name ?: "module"); Since info->name is not expected to be valid anymore, as we're back to calling mod_sig_check() first thing, perhaps just stick with "module"? Or was there another reason for checking info->name here? Thanks, Jessica