Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Mar 2018 13:32:50 +0100
From: Dave Martin <Dave.Martin@....com>
To: Kees Cook <keescook@...omium.org>
Cc: Mark Rutland <Mark.Rutland@....com>,
	Catalin Marinas <Catalin.Marinas@....com>,
	Will Deacon <Will.Deacon@....com>,
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH 33/38] arm64: Implement thread_struct whitelist for
 hardened usercopy

On Mon, Mar 26, 2018 at 10:41:09AM -0700, Kees Cook wrote:
> On Mon, Mar 26, 2018 at 9:22 AM, Dave Martin <Dave.Martin@....com> wrote:
> > [Dropped most of the original Cc list, since most people are unlikely to
> > care about this thread archaeology.]
> >
> > On Mon, Jan 15, 2018 at 12:06:17PM -0800, Kees Cook wrote:
> >> On Mon, Jan 15, 2018 at 4:24 AM, Dave P Martin <Dave.Martin@....com> wrote:
> >> > On Thu, Jan 11, 2018 at 02:03:05AM +0000, Kees Cook wrote:
> >> >> This whitelists the FPU register state portion of the thread_struct for
> >> >> copying to userspace, instead of the default entire structure.
> >> >>
> >> >> Cc: Catalin Marinas <catalin.marinas@....com>
> >> >> Cc: Will Deacon <will.deacon@....com>
> >> >> Cc: Christian Borntraeger <borntraeger@...ibm.com>
> >> >> Cc: Ingo Molnar <mingo@...nel.org>
> >> >> Cc: James Morse <james.morse@....com>
> >> >> Cc: "Peter Zijlstra (Intel)" <peterz@...radead.org>
> >> >> Cc: Dave Martin <Dave.Martin@....com>
> >> >> Cc: zijun_hu <zijun_hu@....com>
> >> >> Cc: linux-arm-kernel@...ts.infradead.org
> >> >> Signed-off-by: Kees Cook <keescook@...omium.org>
> >> >> ---
> >> >>  arch/arm64/Kconfig                 | 1 +
> >> >>  arch/arm64/include/asm/processor.h | 8 ++++++++
> >> >>  2 files changed, 9 insertions(+)
> >> >>
> >> >> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> >> >> index a93339f5178f..c84477e6a884 100644
> >> >> --- a/arch/arm64/Kconfig
> >> >> +++ b/arch/arm64/Kconfig
> >> >> @@ -90,6 +90,7 @@ config ARM64
> >> >>       select HAVE_ARCH_MMAP_RND_BITS
> >> >>       select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
> >> >>       select HAVE_ARCH_SECCOMP_FILTER
> >> >> +     select HAVE_ARCH_THREAD_STRUCT_WHITELIST
> >> >>       select HAVE_ARCH_TRACEHOOK
> >> >>       select HAVE_ARCH_TRANSPARENT_HUGEPAGE
> >> >>       select HAVE_ARCH_VMAP_STACK
> >> >> diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
> >> >> index 023cacb946c3..e58a5864ec89 100644
> >> >> --- a/arch/arm64/include/asm/processor.h
> >> >> +++ b/arch/arm64/include/asm/processor.h
> >> >> @@ -113,6 +113,14 @@ struct thread_struct {
> >> >>       struct debug_info       debug;          /* debugging */
> >> >>  };
> >> >>
> >> >> +/* Whitelist the fpsimd_state for copying to userspace. */
> >> >> +static inline void arch_thread_struct_whitelist(unsigned long *offset,
> >> >> +                                             unsigned long *size)
> >> >> +{
> >> >> +     *offset = offsetof(struct thread_struct, fpsimd_state);
> >> >> +     *size = sizeof(struct fpsimd_state);
> >> >
> >> > This should be fpsimd_state.user_fpsimd (fpsimd_state.cpu is important
> >> > for correctly context switching and not supposed to be user-accessible.
> >> > A user copy that encompasses that is definitely a bug).
> >>
> >> So, I actually spent some more time looking at this due to the
> >> comments from rmk on arm32, and I don't think any whitelist is needed
> >> here at all. (i.e. it can be *offset = *size = 0) This is because all
> >> the usercopying I could find uses static sizes or bounce buffers, both
> >> of which bypass the dynamic-size hardened usercopy checks.
> >>
> >> I've been running some arm64 builds now with this change, and I
> >> haven't tripped over any problems yet...
> >
> > Hmmm, it looks like we may be hitting this with user_regset_copyout()
> > when reading the fp regs via ptrace.  This is maybe not surprising,
> 
> Did you get one of the WARNs for it?

Mark Rutland got it by running Syzkaller, but it's easily reproducible
with CONFIG_HARDENED_USERCOPY enabled.

> > since the size comes from userspace for PTRACE_{GET,SET}REGSET.
> > Also, while we copy into a bounce buffer for SETREGSET here, we do copy
> > straight out of task_struct for GETREGSET here.
> 
> Hm, yeah,
> 
> > This suggests we should have:
> >
> >         *offset = offsetof(struct thread_struct, fpsimd_state);
> >         *size = sizeof(struct user_fpsimd_state);
> 
> This is what I had originally for arm64, but when I tried exercising
> this code more recently, it didn't need the whitelist. It really looks
> like I forgot what I had tested the first time, though. :P
> 
> > Thoughts?
> 
> Seems like it would be tripped by:
> 
> static int __fpr_get(struct task_struct *target,
>                      const struct user_regset *regset,
>                      unsigned int pos, unsigned int count,
>                      void *kbuf, void __user *ubuf, unsigned int start_pos)
> {
>         struct user_fpsimd_state *uregs;
> 
>         sve_sync_to_fpsimd(target);
> 
>         uregs = &target->thread.fpsimd_state.user_fpsimd;
> 
>         return user_regset_copyout(&pos, &count, &kbuf, &ubuf, uregs,
>                                    start_pos, start_pos + sizeof(*uregs));
> }
> 
> And similarly __fpr_set(), compat_vfp_get(), compat_vfp_set(),
> sve_get(), and sve_set(), ?

All are probably affected except for __fpr_set() which uses a bounce
buffer.  I'm not sure why though: compat_vfp_set() doesn't use a bounce
buffer, though it's not trying to do anything different.

> > I'm making some assumptions about how the usercopy hardening works.
> 
> I think you're right -- I just tricked myself after looking at arm32.

OK, I'll send a patch once we've retested.

Cheers
---Dave

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.