Date: Fri, 12 Aug 2016 19:22:58 +0100
From: Catalin Marinas <catalin.marinas@....com>
To: Kees Cook <keescook@...omium.org>
Cc: James Morse <james.morse@....com>, Julien Grall <julien.grall@....com>,
	Will Deacon <will.deacon@....com>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 0/7] arm64: Privileged Access Never using TTBR0_EL1
 switching

On Fri, Aug 12, 2016 at 11:04:39AM -0700, Kees Cook wrote:
> On Fri, Aug 12, 2016 at 8:27 AM, Catalin Marinas
> <catalin.marinas@....com> wrote:
> > This is the first (public) attempt at emulating PAN by disabling
> > TTBR0_EL1 accesses on arm64. I chose to use a per-CPU saved_ttbr0_el1
> > variable to store the actual TTBR0 as, IMO, it looks better w.r.t. the
> > context switching code, to the detriment of a slightly more complex
> > uaccess_enable() implementation. The alternative was storing the saved
> > TTBR0 in thread_info but with more complex thread switching since TTBR0
> > is normally tied to switch_mm() rather than switch_to(). The latter may
> > also get more complicated if we are to decouple the kernel stack from
> > thread_info at some point (vmalloc'ed stacks).
> >
> > The code requires more testing, especially for combinations where UAO is
> > present but PAN is not.
> >
> > The patches are also available on this branch:
> >
> >   git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux ttbr0-pan
> >
> > Thanks for reviewing/testing.
> 
> So awesome! Thank you for working on this. I still lack real arm64
> hardware to test this on, but the lkdtm test ACCESS_USERSPACE should
> trip this protection (e.g. this "cat" should get killed and the Oops
> appear in dmesg):
> 
> # cat <(echo ACCESS_USERSPACE) > /sys/kernel/debug/provoke-crash/DIRECT

It seems to work ;)

~# echo ACCESS_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
[   51.918454] lkdtm: Performing direct entry ACCESS_USERSPACE
[   51.924018] lkdtm: attempting bad read at 0000ffff8e165000
[   51.929476] Internal error: Accessing user space memory outside uaccess.h routines: 96000004 [#1] PREEMPT SMP
[   51.963729] Hardware name: ARM Juno development board (r0) (DT)
[   51.969586] task: ffff8009763bf080 task.stack: ffff800973870000
[   51.975451] PC is at lkdtm_ACCESS_USERSPACE+0xb0/0x100
[   51.980536] LR is at lkdtm_ACCESS_USERSPACE+0xb0/0x100
[   51.985619] pc : [<ffff000008518638>] lr : [<ffff000008518638>] pstate: 60400145
[   51.992936] sp : ffff800973873cf0
[   51.996212] x29: ffff800973873cf0 x28: ffff800973870000
[   52.001474] x27: ffff000008872000 x26: 0000000000000040
[   52.006737] x25: 0000000000000120 x24: ffff000008d31290
[   52.011998] x23: ffff800973873eb8 x22: 0000000000000011
[   52.017259] x21: ffff800973cea000 x20: ffff000008d31400
[   52.022520] x19: 0000ffff8e165000 x18: 0000000000000006
[   52.027781] x17: 0000ffff8dfe6770 x16: ffff0000081da450
[   52.033043] x15: ffff000008d9bd15 x14: 0000000000000107
[   52.038304] x13: 0000000000000000 x12: 0000000005f5e0ff
[   52.043565] x11: 0000000000000002 x10: 0000000000000108
[   52.048826] x9 : ffff800973873a80 x8 : 6666303030302074
[   52.054087] x7 : 6120646165722064 x6 : 000000000000000a
[   52.059349] x5 : 0000000000000000 x4 : 0000000000000000
[   52.064610] x3 : 0000000000000000 x2 : ffff80097fed7728
[   52.069871] x1 : ffff800973870000 x0 : 000000000000002e
[   52.075131]
[   52.076602] Process bash (pid: 2739, stack limit = 0xffff800973870020)
[   52.083062] Stack: (0xffff800973873cf0 to 0xffff800973874000)
[   52.282513] Call trace:
[   52.284931] Exception stack(0xffff800973873b20 to 0xffff800973873c50)
[   52.365891] [<ffff000008518638>] lkdtm_ACCESS_USERSPACE+0xb0/0x100
[   52.372009] [<ffff000008739954>] lkdtm_do_action+0x1c/0x24
[   52.377438] [<ffff000008517b00>] direct_entry+0xe0/0x160
[   52.382696] [<ffff000008329200>] full_proxy_write+0x58/0x88
[   52.388214] [<ffff0000081d830c>] __vfs_write+0x1c/0x110
[   52.393384] [<ffff0000081d9120>] vfs_write+0xa0/0x1b8
[   52.398383] [<ffff0000081da494>] SyS_write+0x44/0xa0
[   52.403296] [<ffff000008083930>] el0_svc_naked+0x24/0x28
[   52.408555] Code: b0002f60 aa1303e1 9135c000 97f138ce (f9400263)

-- 
Catalin
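An added decoding aid for the Oops above, written for this page and not part of the thread or of the TTBR0-PAN series: it pulls the exception class and data fault status code out of the ESR value printed by the kernel (96000004) and checks the faulting address (x19, 0000ffff8e165000) against the TTBR0 range, so a reader can confirm that the trap came from the switched-out TTBR0 rather than from a hardware PAN permission fault. Field layouts are the architectural ones; the classification strings are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* ESR_EL1 field layout from the ARMv8-A architecture reference manual. */
#define ESR_EC(esr)    (((esr) >> 26) & 0x3f)
#define ESR_ISS(esr)   ((esr) & 0x1ffffff)
#define ISS_WNR(iss)   (((iss) >> 6) & 1)     /* 1 = write, 0 = read */
#define ISS_DFSC(iss)  ((iss) & 0x3f)         /* data fault status code */
#define EC_DABT_CUR_EL 0x25                   /* data abort, same EL (kernel) */

enum fault_kind { FAULT_OTHER = 0, FAULT_TRANSLATION, FAULT_PERMISSION };

struct dabt {
    int write;              /* WnR bit */
    unsigned level;         /* page-table level encoded in DFSC */
    enum fault_kind kind;
};

/* Decode a kernel-mode data abort. Returns 0 when ESR is not one. */
int decode_dabt(uint32_t esr, struct dabt *d)
{
    uint32_t iss, dfsc;

    if (ESR_EC(esr) != EC_DABT_CUR_EL)
        return 0;
    iss = ESR_ISS(esr);
    dfsc = ISS_DFSC(iss);
    d->write = ISS_WNR(iss);
    d->level = dfsc & 3;
    if (dfsc >= 0x04 && dfsc <= 0x07)       /* translation fault, L0..L3 */
        d->kind = FAULT_TRANSLATION;
    else if (dfsc >= 0x0d && dfsc <= 0x0f)  /* permission fault, L1..L3 */
        d->kind = FAULT_PERMISSION;
    else
        d->kind = FAULT_OTHER;
    return 1;
}

/* With 48-bit VAs, TTBR0 translates addresses whose top 16 bits are clear. */
int is_user_va(uint64_t va) { return (va >> 48) == 0; }

/* Name the mechanism behind a kernel fault on a user address: TTBR0 pointing
 * at an empty reserved table gives a level-0 translation fault (this series);
 * hardware PAN gives a permission fault instead. */
const char *classify(uint32_t esr, uint64_t far)
{
    struct dabt d;

    if (!decode_dabt(esr, &d) || !is_user_va(far))
        return "not a kernel access to user memory";
    if (d.kind == FAULT_TRANSLATION && d.level == 0)
        return "emulated PAN (TTBR0 switched to reserved table)";
    if (d.kind == FAULT_PERMISSION)
        return "hardware PAN (permission fault)";
    return "other data abort on user address";
}
```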
