Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp226652pxf; Wed, 17 Mar 2021 21:08:40 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzqVUHfS/a3JkXxe54QKbnQbYi8sBSjvraoadv0Rb6JciyvgJcaECDczEv5h1yzjHvfiAQV X-Received: by 2002:a17:906:4c56:: with SMTP id d22mr40131122ejw.426.1616040520364; Wed, 17 Mar 2021 21:08:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616040520; cv=none; d=google.com; s=arc-20160816; b=x37hv441h9Yvt95+rGQLyrW+svB6ADvTs1WmD2aHrWaSGx5kSXAtTqGyzhvqEK5KA2 GxC85GZwlx6mpgFMh2vcF5Dv8BALhv2m5u/e6cBgsrkhlwdGgJ/BKGlZ+Z61l8UySAsh b779Cjj8w62qBnZ2/r9n6+Giv2unP+KsrUrIssQRuqsyscGlxrwvY97ywe6joDpeCqR8 0GKJwW9LHy6ViGUHWxqqAKxGNk9ix2FN9ONoZVY5kOSokzbH/rdF8TYYaflXi1cP7qgK 6fS1WKjodM30bDM4YwLltn63oy1fHG1FvyZeNp+XeoE3/L5oCE73Bo/oN54eJVf5/r5i hV4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=k6xgS35NAw9ddV6Cg2946wYyG7dyozQ3RFEJ5VWEkSg=; b=L8c5cBd9rz/IHrGJK+ariFRlmcGLQKp3/TUJu3bGk1cZI2K0a6vSoIAL77l+YHdDx6 jjJoWqBa2PF/ilv3f//zF01Op4xeovItcuNvFfzZdlc/VzNamC4VuD6+iTCW/s7OQV8F EuGBGzffFm7kCVwFtw9zn/MBcWWTAN5IhRJxz9Xb+9+4qvBzTKZdNuA0rYBBl6eIfgaE oCtZYcORFX1wak6zQOfqXqLdT7fWNvqz/23gFFbSM+/OPimhg+LH0F8DScV9gdGLvPN1 Prd7Dtkef+fSyFCki6qzLAQ6qsOjI0ByjdgQSn10w4Zg5uxGuai3Zv79/8bos3VK+2GW yjkQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FE2EqlDy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ss21si719163ejb.338.2021.03.17.21.08.17; Wed, 17 Mar 2021 21:08:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FE2EqlDy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229699AbhCREEZ (ORCPT + 99 others); Thu, 18 Mar 2021 00:04:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229454AbhCREES (ORCPT ); Thu, 18 Mar 2021 00:04:18 -0400 Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8BD3C06174A for ; Wed, 17 Mar 2021 21:04:17 -0700 (PDT) Received: by mail-pj1-x102d.google.com with SMTP id kr3-20020a17090b4903b02900c096fc01deso2416260pjb.4 for ; Wed, 17 Mar 2021 21:04:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=k6xgS35NAw9ddV6Cg2946wYyG7dyozQ3RFEJ5VWEkSg=; b=FE2EqlDyohSlsRFmIQXSoIgcOEBN/pzThN8cUoIyESk+QjYoa2xpRG/VpOEwPKoCD5 JNvFMK2A57S3cPAwF8B1Uf1DGZCrafeL8mRhNewTstJ4Ldm5VRQs8tSvUMd4zubMQ+T0 Tvjv01Z9bZjcTsCPxDnX2x0EkNCuzowUOkp5Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=k6xgS35NAw9ddV6Cg2946wYyG7dyozQ3RFEJ5VWEkSg=; b=qRcTRh31wtDsy9LByoIKhJbH/q1G0NpDnuRsWV586/NT1E2t8P9mluLEoHRnwDJP6O UldcrSbjL9QZLUiZxeB+m2U4eva5od7mSboiGoD5xpbLu9rdRw1a28lMvKKSHz4uWeBx dTMD2whbuWwBJgMK9cc432KHYzWUmX+O4BN1ALVWA0rCKogvzo1SEDQ5KiDeR8gB+I4N BhL4/V+Dd5HkYDD51nhFtFaoT/ZBQ1uJjV9N7sDxPf4cZUcl6pLKVhdQczg44/buv8y/ 3el/8VQEvVh2zxAZtu52lZA7Kslc395JzLLjnmYPztttfYfpC/D2ugVz3EId6Kchi0ki F23g== X-Gm-Message-State: AOAM531+phgDLoKocPkLyJv8xUrlcyc+xTQEhPwP10Y+fJT41rnGSqXW UmHXwkxSZ9aUdb/QWaZmp2K33w== X-Received: by 2002:a17:903:188:b029:e6:52f4:1b2d with SMTP id z8-20020a1709030188b02900e652f41b2dmr7757254plg.58.1616040257284; Wed, 17 Mar 2021 21:04:17 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id y9sm529615pgc.9.2021.03.17.21.04.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Mar 2021 21:04:16 -0700 (PDT) Date: Wed, 17 Mar 2021 21:04:15 -0700 From: Kees Cook To: John Wood Cc: Jann Horn , Randy Dunlap , Jonathan Corbet , James Morris , Shuah Khan , "Serge E. Hallyn" , Greg Kroah-Hartman , Andi Kleen , kernel test robot , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: Re: [PATCH v6 5/8] security/brute: Mitigate a brute force attack Message-ID: <202103172102.03F172613@keescook> References: <20210307113031.11671-1-john.wood@gmx.com> <20210307113031.11671-6-john.wood@gmx.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210307113031.11671-6-john.wood@gmx.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 07, 2021 at 12:30:28PM +0100, John Wood wrote: > In order to mitigate a brute force attack all the offending tasks involved > in the attack must be killed. In other words, it is necessary to kill all > the tasks that share the fork and/or exec statistical data related to the > attack. Moreover, if the attack happens through the fork system call, the > processes that have the same group_leader that the current task (the task > that has crashed) must be avoided since they are in the path to be killed. > > When the SIGKILL signal is sent to the offending tasks, the function > "brute_kill_offending_tasks" will be called in a recursive way from the > task_fatal_signal LSM hook due to a small crash period. So, to avoid kill > again the same tasks due to a recursive call of this function, it is > necessary to disable the attack detection for the involved hierarchies. > > To disable the attack detection, set to zero the last crash timestamp and > avoid to compute the application crash period in this case. > > Signed-off-by: John Wood > --- > security/brute/brute.c | 141 ++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 132 insertions(+), 9 deletions(-) > > diff --git a/security/brute/brute.c b/security/brute/brute.c > index 38e5e050964a..36a3286a02dd 100644 > --- a/security/brute/brute.c > +++ b/security/brute/brute.c > @@ -22,6 +22,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -64,7 +65,7 @@ struct brute_cred { > * @lock: Lock to protect the brute_stats structure. > * @refc: Reference counter. > * @faults: Number of crashes. > - * @jiffies: Last crash timestamp. > + * @jiffies: Last crash timestamp. If zero, the attack detection is disabled. > * @period: Crash period's moving average. > * @saved_cred: Saved credentials. > * @network: Network activity flag. > @@ -571,6 +572,125 @@ static inline void print_fork_attack_running(void) > pr_warn("Fork brute force attack detected [%s]\n", current->comm); > } > > +/** > + * brute_disabled() - Test if the brute force attack detection is disabled. > + * @stats: Statistical data shared by all the fork hierarchy processes. > + * > + * The brute force attack detection enabling/disabling is based on the last > + * crash timestamp. A zero timestamp indicates that this feature is disabled. A > + * timestamp greater than zero indicates that the attack detection is enabled. > + * > + * The statistical data shared by all the fork hierarchy processes cannot be > + * NULL. > + * > + * It's mandatory to disable interrupts before acquiring the brute_stats::lock > + * since the task_free hook can be called from an IRQ context during the > + * execution of the task_fatal_signal hook. > + * > + * Context: Must be called with interrupts disabled and brute_stats_ptr_lock > + * held. > + * Return: True if the brute force attack detection is disabled. False > + * otherwise. > + */ > +static bool brute_disabled(struct brute_stats *stats) > +{ > + bool disabled; > + > + spin_lock(&stats->lock); > + disabled = !stats->jiffies; > + spin_unlock(&stats->lock); > + > + return disabled; > +} > + > +/** > + * brute_disable() - Disable the brute force attack detection. > + * @stats: Statistical data shared by all the fork hierarchy processes. > + * > + * To disable the brute force attack detection it is only necessary to set the > + * last crash timestamp to zero. A zero timestamp indicates that this feature is > + * disabled. A timestamp greater than zero indicates that the attack detection > + * is enabled. > + * > + * The statistical data shared by all the fork hierarchy processes cannot be > + * NULL. > + * > + * Context: Must be called with interrupts disabled and brute_stats_ptr_lock > + * and brute_stats::lock held. > + */ > +static inline void brute_disable(struct brute_stats *stats) > +{ > + stats->jiffies = 0; > +} > + > +/** > + * enum brute_attack_type - Brute force attack type. > + * @BRUTE_ATTACK_TYPE_FORK: Attack that happens through the fork system call. > + * @BRUTE_ATTACK_TYPE_EXEC: Attack that happens through the execve system call. > + */ > +enum brute_attack_type { > + BRUTE_ATTACK_TYPE_FORK, > + BRUTE_ATTACK_TYPE_EXEC, > +}; > + > +/** > + * brute_kill_offending_tasks() - Kill the offending tasks. > + * @attack_type: Brute force attack type. > + * @stats: Statistical data shared by all the fork hierarchy processes. > + * > + * When a brute force attack is detected all the offending tasks involved in the > + * attack must be killed. In other words, it is necessary to kill all the tasks > + * that share the same statistical data. Moreover, if the attack happens through > + * the fork system call, the processes that have the same group_leader that the > + * current task must be avoided since they are in the path to be killed. > + * > + * When the SIGKILL signal is sent to the offending tasks, this function will be > + * called again from the task_fatal_signal hook due to a small crash period. So, > + * to avoid kill again the same tasks due to a recursive call of this function, > + * it is necessary to disable the attack detection for this fork hierarchy. Hah. Interesting. I wonder if there is a better way to handle this. Hmm. > + * > + * The statistical data shared by all the fork hierarchy processes cannot be > + * NULL. > + * > + * It's mandatory to disable interrupts before acquiring the brute_stats::lock > + * since the task_free hook can be called from an IRQ context during the > + * execution of the task_fatal_signal hook. > + * > + * Context: Must be called with interrupts disabled and tasklist_lock and > + * brute_stats_ptr_lock held. > + */ > +static void brute_kill_offending_tasks(enum brute_attack_type attack_type, > + struct brute_stats *stats) > +{ > + struct task_struct *p; > + struct brute_stats **p_stats; > + > + spin_lock(&stats->lock); > + > + if (attack_type == BRUTE_ATTACK_TYPE_FORK && > + refcount_read(&stats->refc) == 1) { > + spin_unlock(&stats->lock); > + return; > + } refcount_read() isn't a safe way to check that there is only 1 reference. What's this trying to do? > + > + brute_disable(stats); > + spin_unlock(&stats->lock); > + > + for_each_process(p) { > + if (attack_type == BRUTE_ATTACK_TYPE_FORK && > + p->group_leader == current->group_leader) > + continue; > + > + p_stats = brute_stats_ptr(p); > + if (*p_stats != stats) > + continue; > + > + do_send_sig_info(SIGKILL, SEND_SIG_PRIV, p, PIDTYPE_PID); > + pr_warn_ratelimited("Offending process %d [%s] killed\n", > + p->pid, p->comm); > + } > +} > + > /** > * brute_manage_fork_attack() - Manage a fork brute force attack. > * @stats: Statistical data shared by all the fork hierarchy processes. > @@ -586,8 +706,8 @@ static inline void print_fork_attack_running(void) > * since the task_free hook can be called from an IRQ context during the > * execution of the task_fatal_signal hook. > * > - * Context: Must be called with interrupts disabled and brute_stats_ptr_lock > - * held. > + * Context: Must be called with interrupts disabled and tasklist_lock and > + * brute_stats_ptr_lock held. > * Return: The last crash timestamp before updating it. > */ > static u64 brute_manage_fork_attack(struct brute_stats *stats, u64 now) > @@ -595,8 +715,10 @@ static u64 brute_manage_fork_attack(struct brute_stats *stats, u64 now) > u64 last_fork_crash; > > last_fork_crash = brute_update_crash_period(stats, now); > - if (brute_attack_running(stats)) > + if (brute_attack_running(stats)) { > print_fork_attack_running(); > + brute_kill_offending_tasks(BRUTE_ATTACK_TYPE_FORK, stats); > + } > > return last_fork_crash; > } > @@ -783,8 +905,10 @@ static void brute_manage_exec_attack(struct brute_stats *stats, u64 now, > if (fork_period == exec_period) > return; > > - if (brute_attack_running(exec_stats)) > + if (brute_attack_running(exec_stats)) { > print_exec_attack_running(exec_stats); > + brute_kill_offending_tasks(BRUTE_ATTACK_TYPE_EXEC, exec_stats); > + } > } > > /** > @@ -900,10 +1024,9 @@ static void brute_task_fatal_signal(const kernel_siginfo_t *siginfo) > read_lock(&tasklist_lock); > read_lock_irqsave(&brute_stats_ptr_lock, flags); > > - if (WARN(!*stats, "No statistical data\n")) > - goto unlock; > - > - if (!brute_threat_model_supported(siginfo, *stats)) > + if (WARN(!*stats, "No statistical data\n") || > + brute_disabled(*stats) || > + !brute_threat_model_supported(siginfo, *stats)) > goto unlock; > > last_fork_crash = brute_manage_fork_attack(*stats, now); > -- > 2.25.1 > -- Kees Cook