From patchwork Fri Jul 8 09:22:28 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arnd Bergmann X-Patchwork-Id: 646367 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3rm8BV2ZB5z9sdn for ; Fri, 8 Jul 2016 19:21:38 +1000 (AEST) Received: from ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 3rm8BV1jJPzDqx0 for ; Fri, 8 Jul 2016 19:21:38 +1000 (AEST) X-Original-To: linuxppc-dev@lists.ozlabs.org Delivered-To: linuxppc-dev@lists.ozlabs.org Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.135]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 3rm89J18DkzDqm9 for ; Fri, 8 Jul 2016 19:20:35 +1000 (AEST) Received: from wuerfel.localnet ([78.42.132.4]) by mrelayeu.kundenserver.de (mreue001) with ESMTPSA (Nemesis) id 0M4eth-1bV8lK0sSz-00z1qF; Fri, 08 Jul 2016 11:19:15 +0200 From: Arnd Bergmann To: Kees Cook Subject: Re: [PATCH 1/9] mm: Hardened usercopy Date: Fri, 08 Jul 2016 11:22:28 +0200 Message-ID: <9920033.q6Ud9av8s4@wuerfel> User-Agent: KMail/5.1.3 (Linux/4.4.0-22-generic; KDE/5.18.0; x86_64; ; ) In-Reply-To: References: <1467843928-29351-1-git-send-email-keescook@chromium.org> <3418914.byvl8Wuxlf@wuerfel> MIME-Version: 1.0 X-Provags-ID: V03:K0:Eqe8bjIhN1fBoZN0j7so6IjDwsFvKa8Enzt1v2VjBA966KE9PaF o9BdFLXDBqZdsc2lbKZYZ7FL6rjI8EDjSRhxcQB0lcG1TJoheNJFDDP4R67x/ciYOJ5lTx+ xSb0S8sfiKHDUMI2VVdM4Q0P0/J8gycbMOBXx/GRjXCJOAVKCPb5zQ2W2+2KgQVTZlrna+b GH5nv+wqzm0+iLqCa4bxw== X-UI-Out-Filterresults: notjunk:1; V01:K0:cqLCIoPHz3Q=:CxbpgDkLDbKT2VR7pNStZ8 VmSmZOxLVAkoMV5wBB4u0s0dYV0C2LYkmP7NmYAeCXRLQ44EkJcuE5GAJ96XFa764pocKomU1 7GIvdbRWKGYXEm9Fj3WYBGJ7bJnFByQG53qmfacMAK3gvWnRInW+kb4cVpd6ajAiHGiUGJx1l 43NNz5Pk8md/bvFnFIA0IdEZJe3hJrSIsDzvs/Qm5+pXls5O2kxW++Bj52fA2ftsMCYokk9Rz 5zNO7KWaKeMV/PhSp//hv+MDQTKZog8Cl+Gz7y2MJfFxtwX/7tANTKlyTM/4T74Rk/Kbe3Niu jD51iH+CsmUCJFo7IJIYwYlx1/HhWQ1FZ2Xc9fKhSgtpjX7kiu1CkCQmWDLjpI0Z6clQWTNdA uN34gxTTLXyywfAmlddcT4wvVwkZUKS0OJUHo6wzoVhd9Eahvg16RfdtIT/fbclX526x5bQ+7 G6hAzaOAdpS4Pm1/Tbdxtql+/9hiGMSdWAmnFYkyrIymx+nV7xZX/9rx8kAPtBEIKfzbgbwFL PADr9i5MF9g9DP9ly2RT9NRs0Q5ixhzrl+dF7H6HjQvc3gCwiJ+J369hgirxPbgED2nr/h094 DBvm2wXootswGGAdLFx9jECIKSeJQvgMxQhVWp9Q+TeCpFGH0vnvD/a0F5X1ijGgYcaa1dfCV krnqHdr6DOELA3WEQFoN3JO4+Vh8P4m9a2XxlJVwOc0qvH2ILMxrYdSrxvR/rD7CUJSSHP9Ve v6R8gBLnB2m7TS5d X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jan Kara , "kernel-hardening@lists.openwall.com" , Catalin Marinas , Will Deacon , Linux-MM , sparclinux , linux-ia64@vger.kernel.org, Christoph Lameter , Andrea Arcangeli , "x86@kernel.org" , Russell King , Dmitry Vyukov , David Rientjes , PaX Team , Mathias Krause , linux-arch , Rik van Riel , Brad Spengler , Andy Lutomirski , Andrew Morton , "linux-arm-kernel@lists.infradead.org" , Laura Abbott , Tony Luck , Ard Biesheuvel , LKML , Fenghua Yu , Pekka Enberg , Casey Schaufler , Joonsoo Kim , "linuxppc-dev@lists.ozlabs.org" , "David S. Miller" Errors-To: linuxppc-dev-bounces+patchwork-incoming=ozlabs.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Thursday, July 7, 2016 1:37:43 PM CEST Kees Cook wrote: > > > >> + /* Allow kernel bss region (if not marked as Reserved). */ > >> + if (ptr >= (const void *)__bss_start && > >> + end <= (const void *)__bss_stop) > >> + return NULL; > > > > accesses to .data/.rodata/.bss are probably not performance critical, > > so we could go further here and check the kallsyms table to ensure > > that we are not spanning multiple symbols here. > > Oh, interesting! Yeah, would you be willing to put together that patch > and test it? Not at the moment, sorry. I've given it a closer look and unfortunately realized that kallsyms today only covers .text and .init.text, so it's currently useless because those sections are already disallowed. We could extend kallsyms to also cover all other sections, but doing that right will likely cause a number of problems (most likely kallsyms size mismatch) that will have to be debugged first.\ I think it's doable but time-consuming. The check function should actually be trivial: static bool usercopy_spans_multiple_symbols(void *ptr, size_t len) { unsigned long size, offset; if (kallsyms_lookup_size_offset((unsigned long)ptr, &size, &offset)) return 0; /* no symbol found or kallsyms disabled */ if (size - offset <= len) return 0; /* range is within one symbol */ return 1; } This part would also be trivial: but I fear that if you actually try that, things start falling apart in a big way, so I didn't try ;-) > I wonder if there are any cases where there are > legitimate usercopys across multiple symbols. The only possible use case I can think of is for reading out the entire kernel memory from /dev/kmem, but your other checks in here already define that as illegitimate. On that subject, we probably want to make CONFIG_DEVKMEM mutually exclusive with CONFIG_HARDENED_USERCOPY. Arnd diff --git a/scripts/kallsyms.c b/scripts/kallsyms.c index 1f22a186c18c..e0f37212e2a9 100644 --- a/scripts/kallsyms.c +++ b/scripts/kallsyms.c @@ -50,6 +50,11 @@ static struct addr_range text_ranges[] = { { "_sinittext", "_einittext" }, { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */ { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */ +#ifdef CONFIG_HARDENED_USERCOPY + { "_sdata", "_edata" }, + { "__bss_start", "__bss_stop" }, + { "__start_rodata", "__end_rodata" }, +#endif }; #define text_range_text (&text_ranges[0]) #define text_range_inittext (&text_ranges[1])