| Message ID | 1360940579-30417-1-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 02/15/2013 07:02 AM, Luis Henriques wrote: > From: Alan Cox <alan@linux.intel.com> > > CVE-2013-0268 > > BugLink: http://bugs.launchpad.net/bugs/1123049 > > At the moment the MSR driver only relies upon file system > checks. This means that anything as root with any capability set > can write to MSRs. Historically that wasn't very interesting but > on modern processors the MSRs are such that writing to them > provides several ways to execute arbitary code in kernel space. > Sample code and documentation on doing this is circulating and > MSR attacks are used on Windows 64bit rootkits already. > > In the Linux case you still need to be able to open the device > file so the impact is fairly limited and reduces the security of > some capability and security model based systems down towards > that of a generic "root owns the box" setup. > > Therefore they should require CAP_SYS_RAWIO to prevent an > elevation of capabilities. The impact of this is fairly minimal > on most setups because they don't have heavy use of > capabilities. Those using SELinux, SMACK or AppArmor rules might > want to consider if their rulesets on the MSR driver could be > tighter. > > Signed-off-by: Alan Cox <alan@linux.intel.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> > Cc: Horses <stable@kernel.org> > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (cherry picked from commit c903f0456bc69176912dee6dd25c6a66ee1aed00) > > Conflicts: > arch/x86/kernel/msr.c > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > arch/x86/kernel/msr.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c > index 5eaeb5e..63a053b 100644 > --- a/arch/x86/kernel/msr.c > +++ b/arch/x86/kernel/msr.c > @@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file) > struct cpuinfo_x86 *c = &cpu_data(cpu); > int ret = 0; > > + if (!capable(CAP_SYS_RAWIO)) > + return -EPERM; > + > lock_kernel(); > cpu = iminor(file->f_path.dentry->d_inode); >
On 02/15/2013 07:02 AM, Luis Henriques wrote: > From: Alan Cox <alan@linux.intel.com> > > CVE-2013-0268 > > BugLink: http://bugs.launchpad.net/bugs/1123049 > > At the moment the MSR driver only relies upon file system > checks. This means that anything as root with any capability set > can write to MSRs. Historically that wasn't very interesting but > on modern processors the MSRs are such that writing to them > provides several ways to execute arbitary code in kernel space. > Sample code and documentation on doing this is circulating and > MSR attacks are used on Windows 64bit rootkits already. > > In the Linux case you still need to be able to open the device > file so the impact is fairly limited and reduces the security of > some capability and security model based systems down towards > that of a generic "root owns the box" setup. > > Therefore they should require CAP_SYS_RAWIO to prevent an > elevation of capabilities. The impact of this is fairly minimal > on most setups because they don't have heavy use of > capabilities. Those using SELinux, SMACK or AppArmor rules might > want to consider if their rulesets on the MSR driver could be > tighter. > > Signed-off-by: Alan Cox <alan@linux.intel.com> > Cc: Linus Torvalds <torvalds@linux-foundation.org> > Cc: Andrew Morton <akpm@linux-foundation.org> > Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> > Cc: Horses <stable@kernel.org> > Signed-off-by: Ingo Molnar <mingo@kernel.org> > (cherry picked from commit c903f0456bc69176912dee6dd25c6a66ee1aed00) > > Conflicts: > arch/x86/kernel/msr.c > > Signed-off-by: Luis Henriques <luis.henriques@canonical.com> > --- > arch/x86/kernel/msr.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c > index 5eaeb5e..63a053b 100644 > --- a/arch/x86/kernel/msr.c > +++ b/arch/x86/kernel/msr.c > @@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file) > struct cpuinfo_x86 *c = &cpu_data(cpu); > int ret = 0; > > + if (!capable(CAP_SYS_RAWIO)) > + return -EPERM; > + > lock_kernel(); > cpu = iminor(file->f_path.dentry->d_inode); > >
diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c index 5eaeb5e..63a053b 100644 --- a/arch/x86/kernel/msr.c +++ b/arch/x86/kernel/msr.c @@ -176,6 +176,9 @@ static int msr_open(struct inode *inode, struct file *file) struct cpuinfo_x86 *c = &cpu_data(cpu); int ret = 0; + if (!capable(CAP_SYS_RAWIO)) + return -EPERM; + lock_kernel(); cpu = iminor(file->f_path.dentry->d_inode);