Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAJcbSZG90Ya7GafnNGsNYvPM1J-wfVARjM6MunjE6Q_wdX99-Q@mail.gmail.com>
Date: Fri, 24 Mar 2017 09:11:33 -0700
From: Thomas Garnier <thgarnie@...gle.com>
To: Christian Borntraeger <borntraeger@...ibm.com>
Cc: Heiko Carstens <heiko.carstens@...ibm.com>, Kees Cook <keescook@...omium.org>, 
	Martin Schwidefsky <schwidefsky@...ibm.com>, David Howells <dhowells@...hat.com>, 
	Arnd Bergmann <arnd@...db.de>, Dave Hansen <dave.hansen@...el.com>, Al Viro <viro@...iv.linux.org.uk>, 
	Thomas Gleixner <tglx@...utronix.de>, René Nyffenegger <mail@...enyffenegger.ch>, 
	Andrew Morton <akpm@...ux-foundation.org>, 
	"Paul E . McKenney" <paulmck@...ux.vnet.ibm.com>, Ingo Molnar <mingo@...nel.org>, 
	Oleg Nesterov <oleg@...hat.com>, Pavel Tikhomirov <ptikhomirov@...tuozzo.com>, 
	Stephen Smalley <sds@...ho.nsa.gov>, Ingo Molnar <mingo@...hat.com>, "H . Peter Anvin" <hpa@...or.com>, 
	Andy Lutomirski <luto@...nel.org>, Paolo Bonzini <pbonzini@...hat.com>, Rik van Riel <riel@...hat.com>, 
	Josh Poimboeuf <jpoimboe@...hat.com>, Borislav Petkov <bp@...en8.de>, Brian Gerst <brgerst@...il.com>, 
	"Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Russell King <linux@...linux.org.uk>, 
	Will Deacon <will.deacon@....com>, Catalin Marinas <catalin.marinas@....com>, 
	Mark Rutland <mark.rutland@....com>, James Morse <james.morse@....com>, 
	"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	Linux API <linux-api@...r.kernel.org>, "x86@...nel.org" <x86@...nel.org>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH] lkdtm: add bad USER_DS test

On Fri, Mar 24, 2017 at 8:24 AM, Christian Borntraeger
<borntraeger@...ibm.com> wrote:
> On 03/24/2017 04:17 PM, Thomas Garnier wrote:
>> On Fri, Mar 24, 2017 at 1:14 AM, Heiko Carstens
>> <heiko.carstens@...ibm.com> wrote:
>>> On Thu, Mar 23, 2017 at 01:34:19PM -0700, Kees Cook wrote:
>>>> This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return
>>>> still sees USER_DS during the new VERIFY_PRE_USERMODE_STATE checks.
>>>>
>>>> Signed-off-by: Kees Cook <keescook@...omium.org>
>>>
>>> ...
>>>
>>>> +void lkdtm_CORRUPT_USER_DS(void)
>>>> +{
>>>> +     /*
>>>> +      * Test that USER_DS has been set correctly on exiting a syscall.
>>>> +      * Since setting this higher than USER_DS (TASK_SIZE) would introduce
>>>> +      * an exploitable condition, we lower it instead, since that should
>>>> +      * not create as large a problem on an unprotected system.
>>>> +      */
>>>> +     mm_segment_t lowfs;
>>>> +#ifdef MAKE_MM_SEG
>>>> +     lowfs = MAKE_MM_SEG(TASK_SIZE - PAGE_SIZE);
>>>> +#else
>>>> +     lowfs = TASK_SIZE - PAGE_SIZE;
>>>> +#endif
>>>> +
>>>> +     pr_info("setting bad task size limit\n");
>>>> +     set_fs(lowfs);
>>>> +}
>>>
>>> This won't work on architectures where the set_fs() argument does not
>>> contain an address but an address space identifier. This is true e.g. for
>>> s390 and as far as I know also for sparc.
>>> On s390 we have complete distinct address spaces for kernel and user space
>>> that each start at address zero.
>>>
>>
>> The patch that enforce USER_DS is disabled on s390 anyway. I guess, we
>> can just do a set_fs(KERNEL_DS) for the others.
>
> that would enable the test, but it would also mean that lkdtm can be used by
> a program to escalate its rights. I think that is the reason why Kees did this
> lowfs things.
>

I see, I need to look at how lkdtm works exactly.

-- 
Thomas

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.