|
Message-ID: <CAPDLWs_82o5cQ24=pSO6hT8KtQHkNGz5S-gUf5e647QUX+t2QA@mail.gmail.com> Date: Tue, 17 Jan 2017 13:08:14 +0530 From: Kaiwan N Billimoria <kaiwan@...wantech.com> To: kernel-hardening@...ts.openwall.com Cc: Kees Cook <keescook@...omium.org> Subject: Re: New to KSPP, would like to contribute Hi Kees, I've made a start. Hopefully, in the right direction too! So, basically what I've done so far is: - pulled in the linux-next tree, and setup my own branch - taken the grsecurity patch (for 4.8.17) and merged those portions of the code encompassing the CONFIG_PAX_MEMORY_SANITIZE directive - done small fixups where required [More on this: 1. fs/dcache.c kmem_cache_create_usercopy() unavailable (for now at least). Probably part of other grsec infrastructure.. So am just adding the SLAB_NO_SANITIZE flag to the usual kmem_cache_create() call. 2. mm/slab_common.c Compile failure: enum pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST; ?? -above orig statement from the grsec-4.8.17 patch fails compile with: mm/slab_common.c:34:37: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘__read_only’ So I've just removed the "__read_only" attribute for now. What's the actual approach? 3. mm/slub.c Compile failure: #ifdef CONFIG_PAX_MEMORY_SANITIZE &sanitize_attr.attr, * ?? -above statement from the grsec-4.8.17 patch fails compile with: mm/slub.c:5337:3: error: ‘sanitize_attr’ undeclared here (not in a function) &sanitize_attr.attr, Just commented this out for now. ] Below pl find the initial patch reg the work done so far: --- diff --git a/fs/buffer.c b/fs/buffer.c index 28484b3..b524eda 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -3511,7 +3511,7 @@ void __init buffer_init(void) bh_cachep = kmem_cache_create("buffer_head", sizeof(struct buffer_head), 0, (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC| - SLAB_MEM_SPREAD), + SLAB_MEM_SPREAD|SLAB_NO_SANITIZE), NULL); /* diff --git a/fs/dcache.c b/fs/dcache.c index 95d71ed..77abd2f 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -3616,8 +3616,16 @@ void __init vfs_caches_init_early(void) void __init vfs_caches_init(void) { +/** + names_cachep = kmem_cache_create_usercopy("names_cache", PATH_MAX, 0, + SLAB_HWCACHE_ALIGN|SLAB_PANIC| SLAB_NO_SANITIZE, + 0, PATH_MAX, NULL); + kmem_cache_create_usercopy() unavailable for now at least. + So just adding the SLAB_NO_SANITIZE flag to the usual call below.. + */ names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0, - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NO_SANITIZE, NULL); + dcache_init(); inode_init(); diff --git a/include/linux/highmem.h b/include/linux/highmem.h index bb3f329..9daed55 100644 --- a/include/linux/highmem.h +++ b/include/linux/highmem.h @@ -190,6 +190,18 @@ static inline void clear_highpage(struct page *page) kunmap_atomic(kaddr); } +static inline void sanitize_highpage(struct page *page) +{ + void *kaddr; + unsigned long flags; + + local_irq_save(flags); + kaddr = kmap_atomic(page); + clear_page(kaddr); + kunmap_atomic(kaddr); + local_irq_restore(flags); +} + static inline void zero_user_segments(struct page *page, unsigned start1, unsigned end1, unsigned start2, unsigned end2) diff --git a/include/linux/slab.h b/include/linux/slab.h index 4c53635..334bd89 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -23,6 +23,13 @@ #define SLAB_CONSISTENCY_CHECKS 0x00000100UL /* DEBUG: Perform (expensive) checks on alloc/free */ #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */ #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */ + +#ifdef CONFIG_PAX_MEMORY_SANITIZE +#define SLAB_NO_SANITIZE 0x00001000UL /* PaX: Do not sanitize objs on free */ +#else +#define SLAB_NO_SANITIZE 0x00000000UL +#endif + #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */ #define SLAB_CACHE_DMA 0x00004000UL /* Use GFP_DMA memory */ #define SLAB_STORE_USER 0x00010000UL /* DEBUG: Store the last owner for bug hunting */ diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h index 4ad2c5a..a30bbd2 100644 --- a/include/linux/slab_def.h +++ b/include/linux/slab_def.h @@ -60,6 +60,10 @@ struct kmem_cache { atomic_t allocmiss; atomic_t freehit; atomic_t freemiss; +#ifdef CONFIG_PAX_MEMORY_SANITIZE + atomic_unchecked_t sanitized; + atomic_unchecked_t not_sanitized; +#endif #ifdef CONFIG_DEBUG_SLAB_LEAK atomic_t store_user_clean; #endif diff --git a/kernel/fork.c b/kernel/fork.c index 7da33cb..24404a6 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -2098,7 +2098,7 @@ void __init proc_caches_init(void) sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK|SLAB_ACCOUNT, NULL); - vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT); + vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_SANITIZE); mmap_init(); nsproxy_cache_init(); } diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug index afcc550..ed3f097 100644 --- a/mm/Kconfig.debug +++ b/mm/Kconfig.debug @@ -10,6 +10,7 @@ config PAGE_EXTENSION config DEBUG_PAGEALLOC bool "Debug page memory allocations" depends on DEBUG_KERNEL + depends on !PAX_MEMORY_SANITIZE depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC depends on !KMEMCHECK select PAGE_EXTENSION diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 21ea508..d7b3d95 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -994,6 +994,10 @@ static __always_inline bool free_pages_prepare(struct page *page, { int bad = 0; +#ifdef CONFIG_PAX_MEMORY_SANITIZE + unsigned long index = 1UL << order; +#endif + VM_BUG_ON_PAGE(PageTail(page), page); trace_mm_page_free(page, order); @@ -1040,6 +1044,12 @@ static __always_inline bool free_pages_prepare(struct page *page, debug_check_no_obj_freed(page_address(page), PAGE_SIZE << order); } + +#ifdef CONFIG_PAX_MEMORY_SANITIZE + for (; index; --index) + sanitize_highpage(page + index - 1); +#endif + arch_free_page(page, order); kernel_poison_pages(page, 1 << order, 0); kernel_map_pages(page, 1 << order, 0); @@ -1696,8 +1706,9 @@ static inline int check_new_page(struct page *page) static inline bool free_pages_prezeroed(bool poisoned) { - return IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && - page_poisoning_enabled() && poisoned; + return IS_ENABLED(CONFIG_PAX_MEMORY_SANITIZE) || + (IS_ENABLED(CONFIG_PAGE_POISONING_ZERO) && page_poisoning_enabled() && poisoned); + } #ifdef CONFIG_DEBUG_VM @@ -1753,11 +1764,13 @@ static void prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags int i; bool poisoned = true; +#ifndef CONFIG_PAX_MEMORY_SANITIZE for (i = 0; i < (1 << order); i++) { struct page *p = page + i; if (poisoned) poisoned &= page_is_poisoned(p); } +#endif post_alloc_hook(page, order, gfp_flags); diff --git a/mm/rmap.c b/mm/rmap.c index 91619fd..c97da9e 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -428,10 +428,10 @@ static void anon_vma_ctor(void *data) void __init anon_vma_init(void) { anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma), - 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_ACCOUNT, + 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_SANITIZE, anon_vma_ctor); anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain, - SLAB_PANIC|SLAB_ACCOUNT); + SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_SANITIZE); } /* diff --git a/mm/slab.c b/mm/slab.c index 4f2ec6b..6dc9f4a 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -3511,6 +3511,20 @@ void ___cache_free(struct kmem_cache *cachep, void *objp, struct array_cache *ac = cpu_cache_get(cachep); check_irq_off(); + +#ifdef CONFIG_PAX_MEMORY_SANITIZE + if (cachep->flags & (SLAB_POISON | SLAB_NO_SANITIZE)) + STATS_INC_NOT_SANITIZED(cachep); + else { + memset(objp, PAX_MEMORY_SANITIZE_VALUE, cachep->object_size); + + if (cachep->ctor) + cachep->ctor(objp); + + STATS_INC_SANITIZED(cachep); + } +#endif + kmemleak_free_recursive(objp, cachep->flags); objp = cache_free_debugcheck(cachep, objp, caller); @@ -4157,6 +4171,14 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep) seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu", allochit, allocmiss, freehit, freemiss); } +#ifdef CONFIG_PAX_MEMORY_SANITIZE + { + unsigned long sanitized = atomic_read_unchecked(&cachep->sanitized); + unsigned long not_sanitized = atomic_read_unchecked(&cachep->not_sanitized); + + seq_printf(m, " : pax %6lu %6lu", sanitized, not_sanitized); + } +#endif #endif } diff --git a/mm/slab.h b/mm/slab.h index de6579d..e982e3b 100644 --- a/mm/slab.h +++ b/mm/slab.h @@ -71,6 +71,35 @@ extern struct list_head slab_caches; /* The slab cache that manages slab cache information */ extern struct kmem_cache *kmem_cache; +#ifdef CONFIG_PAX_MEMORY_SANITIZE +#ifdef CONFIG_X86_64 +#define PAX_MEMORY_SANITIZE_VALUE '\xfe' +#else +#define PAX_MEMORY_SANITIZE_VALUE '\xff' +#endif +enum pax_sanitize_mode { + PAX_SANITIZE_SLAB_OFF = 0, + PAX_SANITIZE_SLAB_FAST, + PAX_SANITIZE_SLAB_FULL, +}; + +extern enum pax_sanitize_mode pax_sanitize_slab; + +static inline unsigned long pax_sanitize_slab_flags(unsigned long flags) +{ + if (pax_sanitize_slab == PAX_SANITIZE_SLAB_OFF || (flags & SLAB_DESTROY_BY_RCU)) + flags |= SLAB_NO_SANITIZE; + else if (pax_sanitize_slab == PAX_SANITIZE_SLAB_FULL) + flags &= ~SLAB_NO_SANITIZE; + return flags; +} +#else +static inline unsigned long pax_sanitize_slab_flags(unsigned long flags) +{ + return flags; +} +#endif + unsigned long calculate_alignment(unsigned long flags, unsigned long align, unsigned long size); @@ -120,7 +149,7 @@ static inline unsigned long kmem_cache_flags(unsigned long object_size, /* Legal flag mask for kmem_cache_create(), for various configurations */ #define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \ - SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS ) + SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS | SLAB_NO_SANITIZE) #if defined(CONFIG_DEBUG_SLAB) #define SLAB_DEBUG_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER) diff --git a/mm/slab_common.c b/mm/slab_common.c index 1dfc209..80bf59e 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -30,6 +30,37 @@ LIST_HEAD(slab_caches); DEFINE_MUTEX(slab_mutex); struct kmem_cache *kmem_cache; +#ifdef CONFIG_PAX_MEMORY_SANITIZE +/** +enum pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST; + +?? -above orig statement from the grsec-4.8.17 patch fails compile with: +mm/slab_common.c:34:37: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘__read_only’ + pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST; +*/ +enum pax_sanitize_mode pax_sanitize_slab = PAX_SANITIZE_SLAB_FAST; +static int __init pax_sanitize_slab_setup(char *str) +{ + if (!str) + return 0; + + if (!strcmp(str, "0") || !strcmp(str, "off")) { + pr_info("PaX slab sanitization: %s\n", "disabled"); + pax_sanitize_slab = PAX_SANITIZE_SLAB_OFF; + } else if (!strcmp(str, "1") || !strcmp(str, "fast")) { + pr_info("PaX slab sanitization: %s\n", "fast"); + pax_sanitize_slab = PAX_SANITIZE_SLAB_FAST; + } else if (!strcmp(str, "full")) { + pr_info("PaX slab sanitization: %s\n", "full"); + pax_sanitize_slab = PAX_SANITIZE_SLAB_FULL; + } else + pr_err("PaX slab sanitization: unsupported option '%s'\n", str); + + return 0; +} +early_param("pax_sanitize_slab", pax_sanitize_slab_setup); +#endif + /* * Set of flags that will prevent slab merging */ @@ -1136,6 +1167,9 @@ static void print_slabinfo_header(struct seq_file *m) #ifdef CONFIG_DEBUG_SLAB seq_puts(m, " : globalstat <listallocs> <maxobjs> <grown> <reaped> <error> <maxfreeable> <nodeallocs> <remotefrees> <alienoverflow>"); seq_puts(m, " : cpustat <allochit> <allocmiss> <freehit> <freemiss>"); +#ifdef CONFIG_PAX_MEMORY_SANITIZE + seq_puts(m, " : pax <sanitized> <not_sanitized>"); +#endif #endif seq_putc(m, '\n'); } diff --git a/mm/slob.c b/mm/slob.c index eac04d43..f455845 100644 --- a/mm/slob.c +++ b/mm/slob.c @@ -365,6 +365,11 @@ static void slob_free(void *block, int size) return; } +#ifdef CONFIG_PAX_MEMORY_SANITIZE + if (pax_sanitize_slab && !(c && (c->flags & SLAB_NO_SANITIZE))) + memset(block, PAX_MEMORY_SANITIZE_VALUE, size); +#endif + if (!slob_page_free(sp)) { /* This slob page is about to become partially free. Easy! */ sp->units = units; diff --git a/mm/slub.c b/mm/slub.c index 067598a..9253eb6 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2911,6 +2911,23 @@ static __always_inline void do_slab_free(struct kmem_cache *s, void *tail_obj = tail ? : head; struct kmem_cache_cpu *c; unsigned long tid; + +#ifdef CONFIG_PAX_MEMORY_SANITIZE + if (!(s->flags & SLAB_NO_SANITIZE)) { + int offset = s->offset ? 0 : sizeof(void *); + void *x = head; + + while (1) { + memset(x + offset, PAX_MEMORY_SANITIZE_VALUE, s->object_size - offset); + if (s->ctor) + s->ctor(x); + if (x == tail_obj) + break; + x = get_freepointer(s, x); + } + } +#endif + redo: /* * Determine the currently cpus per cpu slab. @@ -5316,6 +5333,15 @@ static struct attribute *slab_attrs[] = { #ifdef CONFIG_ZONE_DMA &cache_dma_attr.attr, #endif +/** +#ifdef CONFIG_PAX_MEMORY_SANITIZE + &sanitize_attr.attr, + * ?? -above statement from the grsec-4.8.17 patch fails compile with: + mm/slub.c:5337:3: error: ‘sanitize_attr’ undeclared here (not in a function) + &sanitize_attr.attr, + ... +#endif + */ #ifdef CONFIG_NUMA &remote_node_defrag_ratio_attr.attr, #endif diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 7ad67d7..dde2364 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -3453,12 +3453,14 @@ void __init skb_init(void) skbuff_head_cache = kmem_cache_create("skbuff_head_cache", sizeof(struct sk_buff), 0, - SLAB_HWCACHE_ALIGN|SLAB_PANIC, + SLAB_HWCACHE_ALIGN|SLAB_PANIC| + SLAB_NO_SANITIZE, NULL); skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache", sizeof(struct sk_buff_fclones), 0, - SLAB_HWCACHE_ALIGN|SLAB_PANIC, + SLAB_HWCACHE_ALIGN|SLAB_PANIC| + SLAB_NO_SANITIZE, NULL); } diff --git a/security/Kconfig b/security/Kconfig index 118f454..3ad5110 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -4,6 +4,46 @@ menu "Security options" +menu "Miscellaneous hardening features" + +config PAX_MEMORY_SANITIZE + bool "Sanitize all freed memory" + default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_PRIORITY_SECURITY) + help + By saying Y here the kernel will erase memory pages and slab objects + as soon as they are freed. This in turn reduces the lifetime of data + stored in them, making it less likely that sensitive information such + as passwords, cryptographic secrets, etc stay in memory for too long. + + This is especially useful for programs whose runtime is short, long + lived processes and the kernel itself benefit from this as long as + they ensure timely freeing of memory that may hold sensitive + information. + + A nice side effect of the sanitization of slab objects is the + reduction of possible info leaks caused by padding bytes within the + leaky structures. Use-after-free bugs for structures containing + pointers can also be detected as dereferencing the sanitized pointer + will generate an access violation. + + The tradeoff is performance impact, on a single CPU system kernel + compilation sees a 3% slowdown, other systems and workloads may vary + and you are advised to test this feature on your expected workload + before deploying it. + + The slab sanitization feature excludes a few slab caches per default + for performance reasons. To extend the feature to cover those as + well, pass "pax_sanitize_slab=full" as kernel command line parameter. + + To reduce the performance penalty by sanitizing pages only, albeit + limiting the effectiveness of this feature at the same time, slab + sanitization can be disabled with the kernel command line parameter + "pax_sanitize_slab=off". + + Note that this feature does not protect data stored in live pages, + e.g., process memory swapped to disk may stay there for a long time. +endmenu + source security/keys/Kconfig config SECURITY_DMESG_RESTRICT --- Am pretty sure it's definitely imperfect, just hope it's not horribly wrong! - pl let me know. What should I change, etc... TIA, Regards, Kaiwan. On Thu, Jan 12, 2017 at 3:34 PM, Kaiwan N Billimoria <kaiwan@...wantech.com> wrote: > Thanks Greg. > Will do.. > > > Regards, > Kaiwan. > > Kaiwan N Billimoria > ✉ kaiwan@...wantech.com > ✉ kaiwan.billimoria@...il.com > > kaiwanTECH > http://kaiwantech.in > Do visit our enhanced website. > > 4931, 11th Floor, Highpoint IV, 45 Palace Road, Bangalore 560 001. > +91.9845016788 (M) > TeleFax: +91.80.22389396 | Alt. Tel: +91.80.64500257 > > LinkedIn: https://in.linkedin.com/in/kaiwanbillimoria > > I blog here: > Tech : http://kaiwantech.wordpress.com | > Running : http://kaiwanbill.blogspot.in/ > > "Don't be afraid that your life will end, > be afraid that it will never begin." > > On Thu, Jan 12, 2017 at 1:07 PM, Greg KH <gregkh@...uxfoundation.org> wrote: >> >> On Thu, Jan 12, 2017 at 09:01:05AM +0530, Kaiwan N Billimoria wrote: >> > Okay, thanks, I see it better now :) >> > >> > Forgive my silly qs: >> > so as I understand it, the objective is to start merging in some of the >> > grsec >> > code into mainline, yes? So, which kernel do we work on? the latest rc >> > or do I >> > work on the one where the above patch applies (i.e. 4.8.17)? >> >> You can't go back in time and get stuff merged into an old patch, so >> always work on the latest kernel tree. Use linux-next so you don't end >> up duplicating any effort that people have already done. >> >> I suggest reading Documentation/development_process/ as a summary of how >> all of this works. >> >> thanks, >> >> greg k-h >> >
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.