|
Message-ID: <be2440e4f5fd1c8cf30c8f636492aa18@airmail.cc> Date: Thu, 15 Jun 2017 16:47:32 +0000 From: aconcernedfossdev@...mail.cc To: Salvatore Mesoraca <s.mesoraca16@...il.com> Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, kernel-hardening@...ts.openwall.com, Brad Spengler <spender@...ecurity.net>, PaX Team <pageexec@...email.hu>, Casey Schaufler <casey@...aufler-ca.com>, Kees Cook <keescook@...omium.org>, James Morris <james.l.morris@...cle.com>, "Serge E. Hallyn" <serge@...lyn.com>, linux-mm@...ck.org, x86@...nel.org, Jann Horn <jannh@...gle.com>, Christoph Hellwig <hch@...radead.org>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [RFC v2 7/9] Trampoline emulation Thanks for doing this porting work. Look forward to using GRSecurity/PAX features on ARM eventually. ARM's taking over as we know. x86 is almost done. On 2017-06-15 16:42, Salvatore Mesoraca wrote: > Some programs need to generate part of their code at runtime. Luckily > enough, in some cases they only generate well-known code sequences (the > "trampolines") that can be easily recognized and emulated by the > kernel. > This way WX Protection can still be active, so a potential attacker > won't > be able to generate arbitrary sequences of code, but just those that > are > explicitly allowed. This is not ideal, but it's still better than > having WX > Protection completely disabled. > In particular S.A.R.A. is able to recognize trampolines used by GCC for > nested C functions and libffi's trampolines. > This feature is implemented only on x86_32 and x86_64. > The assembly sequences used here were originally obtained from PaX > source > code. > > Signed-off-by: Salvatore Mesoraca <s.mesoraca16@...il.com> > --- > security/sara/Kconfig | 17 ++++ > security/sara/include/trampolines.h | 171 > ++++++++++++++++++++++++++++++++++++ > security/sara/wxprot.c | 140 > +++++++++++++++++++++++++++++ > 3 files changed, 328 insertions(+) > create mode 100644 security/sara/include/trampolines.h > > diff --git a/security/sara/Kconfig b/security/sara/Kconfig > index 6c74069..f406805 100644 > --- a/security/sara/Kconfig > +++ b/security/sara/Kconfig > @@ -96,6 +96,23 @@ choice > Documentation/security/SARA.rst. > endchoice > > +config SECURITY_SARA_WXPROT_EMUTRAMP > + bool "Enable emulation for some types of trampolines" > + depends on SECURITY_SARA_WXPROT > + depends on X86 > + default y > + help > + Some programs and libraries need to execute special small code > + snippets from non-executable memory pages. > + Most notable examples are the GCC and libffi trampolines. > + This features make it possible to execute those trampolines even > + if they reside in non-executable memory pages. > + This features need to be enabled on a per-executable basis > + via user-space utilities. > + See Documentation/security/SARA.rst. for further information. > + > + If unsure, answer y. > + > config SECURITY_SARA_WXPROT_DISABLED > bool "WX protection will be disabled at boot." > depends on SECURITY_SARA_WXPROT > diff --git a/security/sara/include/trampolines.h > b/security/sara/include/trampolines.h > new file mode 100644 > index 0000000..eab0a85 > --- /dev/null > +++ b/security/sara/include/trampolines.h > @@ -0,0 +1,171 @@ > +/* > + * S.A.R.A. Linux Security Module > + * > + * Copyright (C) 2017 Salvatore Mesoraca <s.mesoraca16@...il.com> > + * > + * This program is free software; you can redistribute it and/or > modify > + * it under the terms of the GNU General Public License version 2, as > + * published by the Free Software Foundation. > + * > + * Assembly sequences used here were copied from > + * PaX patch by PaX Team <pageexec@...email.hu> > + * > + */ > + > +#ifndef __SARA_TRAMPOLINES_H > +#define __SARA_TRAMPOLINES_H > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > + > + > +/* x86_32 */ > + > + > +struct libffi_trampoline_x86_32 { > + unsigned char mov; > + unsigned int addr1; > + unsigned char jmp; > + unsigned int addr2; > +} __packed; > + > +struct gcc_trampoline_x86_32_type1 { > + unsigned char mov1; > + unsigned int addr1; > + unsigned char mov2; > + unsigned int addr2; > + unsigned short jmp; > +} __packed; > + > +struct gcc_trampoline_x86_32_type2 { > + unsigned char mov; > + unsigned int addr1; > + unsigned char jmp; > + unsigned int addr2; > +} __packed; > + > +union trampolines_x86_32 { > + struct libffi_trampoline_x86_32 lf; > + struct gcc_trampoline_x86_32_type1 g1; > + struct gcc_trampoline_x86_32_type2 g2; > +}; > + > +#define is_valid_libffi_trampoline_x86_32(UNION) \ > + (UNION.lf.mov == 0xB8 && \ > + UNION.lf.jmp == 0xE9) > + > +#define emulate_libffi_trampoline_x86_32(UNION, REGS) do { \ > + (REGS)->ax = UNION.lf.addr1; \ > + (REGS)->ip = (unsigned int) ((REGS)->ip + \ > + UNION.lf.addr2 + \ > + sizeof(UNION.lf)); \ > +} while (0) > + > +#define is_valid_gcc_trampoline_x86_32_type1(UNION, REGS) \ > + (UNION.g1.mov1 == 0xB9 && \ > + UNION.g1.mov2 == 0xB8 && \ > + UNION.g1.jmp == 0xE0FF && \ > + REGS->ip > REGS->sp) > + > +#define emulate_gcc_trampoline_x86_32_type1(UNION, REGS) do { \ > + (REGS)->cx = UNION.g1.addr1; \ > + (REGS)->ax = UNION.g1.addr2; \ > + (REGS)->ip = UNION.g1.addr2; \ > +} while (0) > + > +#define is_valid_gcc_trampoline_x86_32_type2(UNION, REGS) \ > + (UNION.g2.mov == 0xB9 && \ > + UNION.g2.jmp == 0xE9 && \ > + REGS->ip > REGS->sp) > + > +#define emulate_gcc_trampoline_x86_32_type2(UNION, REGS) do { \ > + (REGS)->cx = UNION.g2.addr1; \ > + (REGS)->ip = (unsigned int) ((REGS)->ip + \ > + UNION.g2.addr2 + \ > + sizeof(UNION.g2)); \ > +} while (0) > + > + > + > +#ifdef CONFIG_X86_64 > + > +struct libffi_trampoline_x86_64 { > + unsigned short mov1; > + unsigned long addr1; > + unsigned short mov2; > + unsigned long addr2; > + unsigned char stcclc; > + unsigned short jmp1; > + unsigned char jmp2; > +} __packed; > + > +struct gcc_trampoline_x86_64_type1 { > + unsigned short mov1; > + unsigned long addr1; > + unsigned short mov2; > + unsigned long addr2; > + unsigned short jmp1; > + unsigned char jmp2; > +} __packed; > + > +struct gcc_trampoline_x86_64_type2 { > + unsigned short mov1; > + unsigned int addr1; > + unsigned short mov2; > + unsigned long addr2; > + unsigned short jmp1; > + unsigned char jmp2; > +} __packed; > + > +union trampolines_x86_64 { > + struct libffi_trampoline_x86_64 lf; > + struct gcc_trampoline_x86_64_type1 g1; > + struct gcc_trampoline_x86_64_type2 g2; > +}; > + > +#define is_valid_libffi_trampoline_x86_64(UNION) \ > + (UNION.lf.mov1 == 0xBB49 && \ > + UNION.lf.mov2 == 0xBA49 && \ > + (UNION.lf.stcclc == 0xF8 || \ > + UNION.lf.stcclc == 0xF9) && \ > + UNION.lf.jmp1 == 0xFF49 && \ > + UNION.lf.jmp2 == 0xE3) > + > +#define emulate_libffi_trampoline_x86_64(UNION, REGS) do { \ > + (REGS)->r11 = UNION.lf.addr1; \ > + (REGS)->r10 = UNION.lf.addr2; \ > + (REGS)->ip = UNION.lf.addr1; \ > + if (UNION.lf.stcclc == 0xF8) \ > + (REGS)->flags &= ~X86_EFLAGS_CF; \ > + else \ > + (REGS)->flags |= X86_EFLAGS_CF; \ > +} while (0) > + > +#define is_valid_gcc_trampoline_x86_64_type1(UNION, REGS) \ > + (UNION.g1.mov1 == 0xBB49 && \ > + UNION.g1.mov2 == 0xBA49 && \ > + UNION.g1.jmp1 == 0xFF49 && \ > + UNION.g1.jmp2 == 0xE3 && \ > + REGS->ip > REGS->sp) > + > +#define emulate_gcc_trampoline_x86_64_type1(UNION, REGS) do { \ > + (REGS)->r11 = UNION.g1.addr1; \ > + (REGS)->r10 = UNION.g1.addr2; \ > + (REGS)->ip = UNION.g1.addr1; \ > +} while (0) > + > +#define is_valid_gcc_trampoline_x86_64_type2(UNION, REGS) \ > + (UNION.g2.mov1 == 0xBB41 && \ > + UNION.g2.mov2 == 0xBA49 && \ > + UNION.g2.jmp1 == 0xFF49 && \ > + UNION.g2.jmp2 == 0xE3 && \ > + REGS->ip > REGS->sp) > + > +#define emulate_gcc_trampoline_x86_64_type2(UNION, REGS) do { \ > + (REGS)->r11 = UNION.g2.addr1; \ > + (REGS)->r10 = UNION.g2.addr2; \ > + (REGS)->ip = UNION.g2.addr1; \ > +} while (0) > + > +#endif /* CONFIG_X86_64 */ > + > +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */ > +#endif /* __SARA_TRAMPOLINES_H */ > diff --git a/security/sara/wxprot.c b/security/sara/wxprot.c > index f9233a5..38c86be 100644 > --- a/security/sara/wxprot.c > +++ b/security/sara/wxprot.c > @@ -22,6 +22,11 @@ > #include <linux/ratelimit.h> > #include <linux/spinlock.h> > > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > +#include <linux/uaccess.h> > +#include "include/trampolines.h" > +#endif > + > #include "include/sara.h" > #include "include/sara_data.h" > #include "include/utils.h" > @@ -37,6 +42,7 @@ > #define SARA_WXP_COMPLAIN 0x0010 > #define SARA_WXP_VERBOSE 0x0020 > #define SARA_WXP_MMAP 0x0040 > +#define SARA_WXP_EMUTRAMP 0x0100 > #define SARA_WXP_TRANSFER 0x0200 > #define SARA_WXP_NONE 0x0000 > #define SARA_WXP_MPROTECT (SARA_WXP_HEAP | \ > @@ -47,7 +53,12 @@ > SARA_WXP_WXORX | \ > SARA_WXP_COMPLAIN | \ > SARA_WXP_VERBOSE) > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > +#define SARA_WXP_ALL (__SARA_WXP_ALL | \ > + SARA_WXP_EMUTRAMP) > +#else /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */ > #define SARA_WXP_ALL __SARA_WXP_ALL > +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */ > > struct wxprot_rule { > char *path; > @@ -72,7 +83,11 @@ struct wxprot_config_container { > static u16 default_flags __ro_after_init = > CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS; > > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > +static const bool wxprot_emutramp = true; > +#else > static const bool wxprot_emutramp; > +#endif > > static void pr_wxp(char *msg) > { > @@ -97,6 +112,9 @@ static bool are_flags_valid(u16 flags) > SARA_WXP_WXORX | > SARA_WXP_MMAP)))) > return false; > + if (unlikely(flags & SARA_WXP_EMUTRAMP && > + ((flags & SARA_WXP_MPROTECT) != SARA_WXP_MPROTECT))) > + return false; > return true; > } > > @@ -366,10 +384,132 @@ static int sara_file_mprotect(struct > vm_area_struct *vma, > return 0; > } > > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > +#define PF_PROT (1 << 0) > +#define PF_USER (1 << 2) > +#define PF_INSTR (1 << 4) > +static int sara_pagefault_handler_x86_32(struct pt_regs *regs); > +static int sara_pagefault_handler_x86_64(struct pt_regs *regs); > +static int sara_pagefault_handler_x86(struct pt_regs *regs, > + unsigned long error_code, > + unsigned long address) > +{ > + int ret = 0; > + > + if (!sara_enabled || !wxprot_enabled || > + !(error_code & PF_USER) || > + !(error_code & PF_INSTR) || > + !(error_code & PF_PROT) || > + !(get_current_sara_wxp_flags() & SARA_WXP_EMUTRAMP)) > + return 0; > + > + local_irq_enable(); > + might_sleep(); > + might_fault(); > + > +#ifdef CONFIG_X86_32 > + ret = sara_pagefault_handler_x86_32(regs); > +#else > + if (regs->cs == __USER32_CS || > + regs->cs & (1<<2)) { > + if (!(address >> 32)) /* K8 erratum #100 */ > + ret = sara_pagefault_handler_x86_32(regs); > + } else > + ret = sara_pagefault_handler_x86_64(regs); > +#endif > + > + return ret; > +} > + > +static int sara_pagefault_handler_x86_32(struct pt_regs *regs) > +{ > + int ret; > + void __user *ip = (void __user *) regs->ip; > + union trampolines_x86_32 t; > + > + BUILD_BUG_ON(sizeof(t.lf) > sizeof(t.g1)); > + BUILD_BUG_ON(sizeof(t.g2) > sizeof(t.lf)); > + > + ret = copy_from_user(&t, ip, sizeof(t.g1)); > + if (ret) > + ret = copy_from_user(&t, ip, sizeof(t.lf)); > + if (ret) > + ret = copy_from_user(&t, ip, sizeof(t.g2)); > + if (ret) > + return 0; > + > + if (is_valid_gcc_trampoline_x86_32_type1(t, regs)) { > + pr_debug("Trampoline: gcc1 x86_32.\n"); > + emulate_gcc_trampoline_x86_32_type1(t, regs); > + return 1; > + } else if (is_valid_libffi_trampoline_x86_32(t)) { > + pr_debug("Trampoline: libffi x86_32.\n"); > + emulate_libffi_trampoline_x86_32(t, regs); > + return 1; > + } else if (is_valid_gcc_trampoline_x86_32_type2(t, regs)) { > + pr_debug("Trampoline: gcc2 x86_32.\n"); > + emulate_gcc_trampoline_x86_32_type2(t, regs); > + return 1; > + } > + > + pr_debug("Not a trampoline (x86_32).\n"); > + > + return 0; > +} > + > +#ifdef CONFIG_X86_64 > +static int sara_pagefault_handler_x86_64(struct pt_regs *regs) > +{ > + int ret; > + void __user *ip = (void __user *) regs->ip; > + union trampolines_x86_64 t; > + > + BUILD_BUG_ON(sizeof(t.g1) > sizeof(t.lf)); > + BUILD_BUG_ON(sizeof(t.g2) > sizeof(t.g1)); > + > + ret = copy_from_user(&t, ip, sizeof(t.lf)); > + if (ret) > + ret = copy_from_user(&t, ip, sizeof(t.g1)); > + if (ret) > + ret = copy_from_user(&t, ip, sizeof(t.g2)); > + if (ret) > + return 0; > + > + if (is_valid_libffi_trampoline_x86_64(t)) { > + pr_debug("Trampoline: libffi x86_64.\n"); > + emulate_libffi_trampoline_x86_64(t, regs); > + return 1; > + } else if (is_valid_gcc_trampoline_x86_64_type1(t, regs)) { > + pr_debug("Trampoline: gcc1 x86_64.\n"); > + emulate_gcc_trampoline_x86_64_type1(t, regs); > + return 1; > + } else if (is_valid_gcc_trampoline_x86_64_type2(t, regs)) { > + pr_debug("Trampoline: gcc2 x86_64.\n"); > + emulate_gcc_trampoline_x86_64_type2(t, regs); > + return 1; > + } > + > + pr_debug("Not a trampoline (x86_64).\n"); > + > + return 0; > + > +} > +#else /* CONFIG_X86_64 */ > +static inline int sara_pagefault_handler_x86_64(struct pt_regs *regs) > +{ > + return 0; > +} > +#endif /* CONFIG_X86_64 */ > + > +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */ > + > static struct security_hook_list wxprot_hooks[] __ro_after_init = { > LSM_HOOK_INIT(bprm_set_creds, sara_bprm_set_creds), > LSM_HOOK_INIT(check_vmflags, sara_check_vmflags), > LSM_HOOK_INIT(file_mprotect, sara_file_mprotect), > +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP > + LSM_HOOK_INIT(pagefault_handler_x86, sara_pagefault_handler_x86), > +#endif > }; > > struct binary_config_header {
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.