Received: by 10.223.164.221 with SMTP id h29csp353791wrb; Fri, 3 Nov 2017 16:05:36 -0700 (PDT) X-Google-Smtp-Source: ABhQp+TfL5Fey/NU1kogjac7O0tDYXICA8lhpQ3b0D4QTkgpI1clUK8BgHa0RF3RI7pH6lz5/K9X X-Received: by 10.159.207.131 with SMTP id z3mr8176045plo.191.1509750336151; Fri, 03 Nov 2017 16:05:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1509750336; cv=none; d=google.com; s=arc-20160816; b=gesFKWL2Jotkxv6jqRjYOTRd+UZ0aYRjUdWDrkqsW9sYmkaekzU26gQ9AijSoEX5sP Nmh+tyQjq8iz0o2zXy1Y/1WsUTuitIkEi+JCD6/Ru+PoDvhUMwGtcbaaMX4oW6l7EnEi b9wEF86NMBUtnufdPy+SDnSrx388lmXvgDS/I45WS8E1Ug2zuH4tWD21zX/BBX4LgS6b WmqRBgMit7MzTDl3XIqYX4k7CIDd7zb95kV+sf6iTYXPs7YD5J81ve2ftlPAn9q82W28 36NOW1fSs8gLTFIKbk1NXQ8R9tXkfHi5E9XkqUbgEF04OHO/+ijlQNNmqD2Ak5kuAnlT vkyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=VOBp6gH+UlFS29mR9UtPyITNYq4q9z8CWZX+F3w3Izw=; b=C72T8xRBakInt89tpm06Ul3ror1JlpHjiiXTACF2cAPpwwkJZ3Nw6g9Vnj4C7ThWMD mExsIsBSwdadLk7YI8+Kzu/AnzoS5I3lqHlRn21Ls32S6bm9obepWkxb+bbEZ8IF6rRX Nl/6Xj/xCpaizkpSaZ16eAWrY5k7HsczAtgkln6J/Wc0lGguflH3NXdCoz2TC0aSvhv6 wj6bsrEctHpuWRzJSSvCO43PUXTp9PNiH9uDsg8k/mHS24D28Yf6ndpM9+WP7djd0YCn ljYIyEjk/pYJ2UiM692ku8qTDKMauYOCz4ZqS+c1Ty3cEFP97Mg4itHBMBVMSMY51kg4 Un4g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v1si5663533plb.505.2017.11.03.16.05.24; Fri, 03 Nov 2017 16:05:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756101AbdKCXEj (ORCPT + 92 others); Fri, 3 Nov 2017 19:04:39 -0400 Received: from mail-oi0-f67.google.com ([209.85.218.67]:47055 "EHLO mail-oi0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752446AbdKCXEf (ORCPT ); Fri, 3 Nov 2017 19:04:35 -0400 Received: by mail-oi0-f67.google.com with SMTP id n82so3289080oig.3 for ; Fri, 03 Nov 2017 16:04:35 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=VOBp6gH+UlFS29mR9UtPyITNYq4q9z8CWZX+F3w3Izw=; b=UbtZJNjP2HWYwKxG/38fQ7kUWu2fq+aqJhGSMgZ2/LYBLNXBm11GLmePlOFPYU1Fak tDOKahiHGkaxLvvTjPSQoeVPBfVu9xz/NIE8bhsq4lhHuvaaEq2Ct9bYOtejTbfz73W7 Ydq5LFsl6lX4pDFhOBHZc8mvj3m3XWBcGDAQTJuRgf1PIyXJlSZlq9YoaNLN2sD4kwer /ciKEH3GN8lQq+dsB1XvplFKCJ9xWJDHk009SAjDSIDwv3zFPf2ouKaTcURAr+e0XK7R Jq/qsFkO4Xu1DQ/YitMFKnhQ/23aayOPrFRLjFADczxp1PlYdD9kM5J8asG4ZEEMDiwQ Ztyw== X-Gm-Message-State: AMCzsaXjJw0F9VYnDGhb0U5o1a+7WWvbH2Op1caKCsocFaN8wliPmr0d LeKTORDOlTpWOfXlRwFBHRZtbhxUo3U= X-Received: by 10.202.75.207 with SMTP id y198mr4731818oia.204.1509750274865; Fri, 03 Nov 2017 16:04:34 -0700 (PDT) Received: from labbott-redhat-machine.redhat.com ([2601:602:9802:a8dc::e174]) by smtp.gmail.com with ESMTPSA id m40sm3383415otb.34.2017.11.03.16.04.32 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 03 Nov 2017 16:04:33 -0700 (PDT) From: Laura Abbott To: kernel-hardening@lists.openwall.com Cc: Laura Abbott , linux-kernel@vger.kernel.org, Mark Rutland , Kees Cook , x86@kernel.org Subject: [RFC PATCH 2/2] x86: Allow paranoid __{get,put}_user Date: Fri, 3 Nov 2017 16:04:26 -0700 Message-Id: <20171103230426.19114-2-labbott@redhat.com> X-Mailer: git-send-email 2.13.5 In-Reply-To: <20171103230426.19114-1-labbott@redhat.com> References: <20171103230426.19114-1-labbott@redhat.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org __{get,put}_user calls are designed to be fast and have no checks, relying on the caller to have made the appropriate calls previously. It's very easy to forget a check though, leaving the kernel vulnerable to exploits. Add an option to do the checks and kill the kernel if it catches something bad. Signed-off-by: Laura Abbott --- This is the actual implemtation for __{get,put}_user on x86 based on Mark Rutland's work for arm66 lkml.kernel.org/r/<20171026090942.7041-1-mark.rutland@arm.com> x86 turns out to be easier since the safe and unsafe paths are mostly disjoint so we don't have to worry about gcc optimizing out access_ok. I tweaked the Kconfig to someting a bit more generic. The size increase was ~8K in text with a config I tested. --- arch/x86/Kconfig | 3 +++ arch/x86/include/asm/uaccess.h | 11 ++++++++++- security/Kconfig | 11 +++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 2fdb23313dd5..10c6e150a91e 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -261,6 +261,9 @@ config RWSEM_XCHGADD_ALGORITHM config GENERIC_CALIBRATE_DELAY def_bool y +config ARCH_HAS_PARANOID_UACCESS + def_bool y + config ARCH_HAS_CPU_RELAX def_bool y diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h index d23fb5844404..767febe1c720 100644 --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -132,6 +132,13 @@ extern int __get_user_bad(void); #define __inttype(x) \ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + +#define verify_uaccess(dir, ptr) \ +({ \ + if (IS_ENABLED(CONFIG_PARANOID_UACCESS)) \ + BUG_ON(!access_ok(dir, (ptr), sizeof(*(ptr)))); \ +}) + /** * get_user: - Get a simple variable from user space. * @x: Variable to store result. @@ -278,6 +285,7 @@ do { \ typeof(ptr) __pu_ptr = (ptr); \ retval = 0; \ __chk_user_ptr(__pu_ptr); \ + verify_uaccess(VERIFY_WRITE, __pu_ptr); \ switch (size) { \ case 1: \ __put_user_asm(x, __pu_ptr, retval, "b", "b", "iq", \ @@ -293,7 +301,7 @@ do { \ break; \ case 8: \ __put_user_asm_u64((__typeof__(*ptr))(x), __pu_ptr, \ - retval, \ errret); \ + retval, errret); \ break; \ default: \ __put_user_bad(); \ @@ -359,6 +367,7 @@ do { \ typeof(ptr) __gu_ptr = (ptr); \ retval = 0; \ __chk_user_ptr(__gu_ptr); \ + verify_uaccess(VERIFY_READ, __gu_ptr); \ switch (size) { \ case 1: \ __get_user_asm(x, __gu_ptr, retval, "b", "b", "=q", \ diff --git a/security/Kconfig b/security/Kconfig index e8e449444e65..0a9ec1a4e86b 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -205,6 +205,17 @@ config STATIC_USERMODEHELPER_PATH If you wish for all usermode helper programs to be disabled, specify an empty string here (i.e. ""). +config PARANOID_UACCESS + bool "Use paranoid uaccess primitives" + depends on ARCH_HAS_PARANOID_UACCESS + help + Forces access_ok() checks in __get_user(), __put_user(), and other + low-level uaccess primitives which usually do not have checks. This + can limit the effect of missing access_ok() checks in higher-level + primitives, with a runtime performance overhead in some cases and a + small code size overhead. + + source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig -- 2.13.5 From 1583339796469537548@xxx Mon Nov 06 17:48:18 +0000 2017 X-GM-THRID: 1583339796469537548 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread