Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <be2440e4f5fd1c8cf30c8f636492aa18@airmail.cc>
Date: Thu, 15 Jun 2017 16:47:32 +0000
From: aconcernedfossdev@...mail.cc
To: Salvatore Mesoraca <s.mesoraca16@...il.com>
Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org,
 kernel-hardening@...ts.openwall.com, Brad Spengler <spender@...ecurity.net>,
 PaX Team <pageexec@...email.hu>, Casey Schaufler <casey@...aufler-ca.com>,
 Kees Cook <keescook@...omium.org>, James Morris <james.l.morris@...cle.com>,
 "Serge E. Hallyn" <serge@...lyn.com>, linux-mm@...ck.org, x86@...nel.org,
 Jann Horn <jannh@...gle.com>, Christoph Hellwig <hch@...radead.org>, Thomas
 Gleixner <tglx@...utronix.de>
Subject: Re: [RFC v2 7/9] Trampoline emulation

Thanks for doing this porting work. Look forward to using GRSecurity/PAX 
features on ARM eventually. ARM's taking over as we know. x86 is almost 
done.

On 2017-06-15 16:42, Salvatore Mesoraca wrote:
> Some programs need to generate part of their code at runtime. Luckily
> enough, in some cases they only generate well-known code sequences (the
> "trampolines") that can be easily recognized and emulated by the 
> kernel.
> This way WX Protection can still be active, so a potential attacker 
> won't
> be able to generate arbitrary sequences of code, but just those that 
> are
> explicitly allowed. This is not ideal, but it's still better than 
> having WX
> Protection completely disabled.
> In particular S.A.R.A. is able to recognize trampolines used by GCC for
> nested C functions and libffi's trampolines.
> This feature is implemented only on x86_32 and x86_64.
> The assembly sequences used here were originally obtained from PaX 
> source
> code.
> 
> Signed-off-by: Salvatore Mesoraca <s.mesoraca16@...il.com>
> ---
>  security/sara/Kconfig               |  17 ++++
>  security/sara/include/trampolines.h | 171 
> ++++++++++++++++++++++++++++++++++++
>  security/sara/wxprot.c              | 140 
> +++++++++++++++++++++++++++++
>  3 files changed, 328 insertions(+)
>  create mode 100644 security/sara/include/trampolines.h
> 
> diff --git a/security/sara/Kconfig b/security/sara/Kconfig
> index 6c74069..f406805 100644
> --- a/security/sara/Kconfig
> +++ b/security/sara/Kconfig
> @@ -96,6 +96,23 @@ choice
>  		  Documentation/security/SARA.rst.
>  endchoice
> 
> +config SECURITY_SARA_WXPROT_EMUTRAMP
> +	bool "Enable emulation for some types of trampolines"
> +	depends on SECURITY_SARA_WXPROT
> +	depends on X86
> +	default y
> +	help
> +	  Some programs and libraries need to execute special small code
> +	  snippets from non-executable memory pages.
> +	  Most notable examples are the GCC and libffi trampolines.
> +	  This features make it possible to execute those trampolines even
> +	  if they reside in non-executable memory pages.
> +	  This features need to be enabled on a per-executable basis
> +	  via user-space utilities.
> +	  See Documentation/security/SARA.rst. for further information.
> +
> +	  If unsure, answer y.
> +
>  config SECURITY_SARA_WXPROT_DISABLED
>  	bool "WX protection will be disabled at boot."
>  	depends on SECURITY_SARA_WXPROT
> diff --git a/security/sara/include/trampolines.h
> b/security/sara/include/trampolines.h
> new file mode 100644
> index 0000000..eab0a85
> --- /dev/null
> +++ b/security/sara/include/trampolines.h
> @@ -0,0 +1,171 @@
> +/*
> + * S.A.R.A. Linux Security Module
> + *
> + * Copyright (C) 2017 Salvatore Mesoraca <s.mesoraca16@...il.com>
> + *
> + * This program is free software; you can redistribute it and/or 
> modify
> + * it under the terms of the GNU General Public License version 2, as
> + * published by the Free Software Foundation.
> + *
> + * Assembly sequences used here were copied from
> + * PaX patch by PaX Team <pageexec@...email.hu>
> + *
> + */
> +
> +#ifndef __SARA_TRAMPOLINES_H
> +#define __SARA_TRAMPOLINES_H
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +
> +
> +/* x86_32 */
> +
> +
> +struct libffi_trampoline_x86_32 {
> +	unsigned char mov;
> +	unsigned int addr1;
> +	unsigned char jmp;
> +	unsigned int addr2;
> +} __packed;
> +
> +struct gcc_trampoline_x86_32_type1 {
> +	unsigned char mov1;
> +	unsigned int addr1;
> +	unsigned char mov2;
> +	unsigned int addr2;
> +	unsigned short jmp;
> +} __packed;
> +
> +struct gcc_trampoline_x86_32_type2 {
> +	unsigned char mov;
> +	unsigned int addr1;
> +	unsigned char jmp;
> +	unsigned int addr2;
> +} __packed;
> +
> +union trampolines_x86_32 {
> +	struct libffi_trampoline_x86_32 lf;
> +	struct gcc_trampoline_x86_32_type1 g1;
> +	struct gcc_trampoline_x86_32_type2 g2;
> +};
> +
> +#define is_valid_libffi_trampoline_x86_32(UNION)	\
> +	(UNION.lf.mov == 0xB8 &&			\
> +	UNION.lf.jmp == 0xE9)
> +
> +#define emulate_libffi_trampoline_x86_32(UNION, REGS) do {	\
> +	(REGS)->ax = UNION.lf.addr1;				\
> +	(REGS)->ip = (unsigned int) ((REGS)->ip +		\
> +				     UNION.lf.addr2 +		\
> +				     sizeof(UNION.lf));		\
> +} while (0)
> +
> +#define is_valid_gcc_trampoline_x86_32_type1(UNION, REGS)	\
> +	(UNION.g1.mov1 == 0xB9 &&				\
> +	UNION.g1.mov2 == 0xB8 &&				\
> +	UNION.g1.jmp == 0xE0FF &&				\
> +	REGS->ip > REGS->sp)
> +
> +#define emulate_gcc_trampoline_x86_32_type1(UNION, REGS) do {	\
> +	(REGS)->cx = UNION.g1.addr1;				\
> +	(REGS)->ax = UNION.g1.addr2;				\
> +	(REGS)->ip = UNION.g1.addr2;				\
> +} while (0)
> +
> +#define is_valid_gcc_trampoline_x86_32_type2(UNION, REGS)	\
> +	(UNION.g2.mov == 0xB9 &&				\
> +	UNION.g2.jmp == 0xE9 &&					\
> +	REGS->ip > REGS->sp)
> +
> +#define emulate_gcc_trampoline_x86_32_type2(UNION, REGS) do {	\
> +	(REGS)->cx = UNION.g2.addr1;				\
> +	(REGS)->ip = (unsigned int) ((REGS)->ip +		\
> +				     UNION.g2.addr2 +		\
> +				     sizeof(UNION.g2));		\
> +} while (0)
> +
> +
> +
> +#ifdef CONFIG_X86_64
> +
> +struct libffi_trampoline_x86_64 {
> +	unsigned short mov1;
> +	unsigned long addr1;
> +	unsigned short mov2;
> +	unsigned long addr2;
> +	unsigned char stcclc;
> +	unsigned short jmp1;
> +	unsigned char jmp2;
> +} __packed;
> +
> +struct gcc_trampoline_x86_64_type1 {
> +	unsigned short mov1;
> +	unsigned long addr1;
> +	unsigned short mov2;
> +	unsigned long addr2;
> +	unsigned short jmp1;
> +	unsigned char jmp2;
> +} __packed;
> +
> +struct gcc_trampoline_x86_64_type2 {
> +	unsigned short mov1;
> +	unsigned int addr1;
> +	unsigned short mov2;
> +	unsigned long addr2;
> +	unsigned short jmp1;
> +	unsigned char jmp2;
> +} __packed;
> +
> +union trampolines_x86_64 {
> +	struct libffi_trampoline_x86_64 lf;
> +	struct gcc_trampoline_x86_64_type1 g1;
> +	struct gcc_trampoline_x86_64_type2 g2;
> +};
> +
> +#define is_valid_libffi_trampoline_x86_64(UNION)	\
> +	(UNION.lf.mov1 == 0xBB49 &&			\
> +	UNION.lf.mov2 == 0xBA49 &&			\
> +	(UNION.lf.stcclc == 0xF8 ||			\
> +	 UNION.lf.stcclc == 0xF9) &&			\
> +	UNION.lf.jmp1 == 0xFF49 &&			\
> +	UNION.lf.jmp2 == 0xE3)
> +
> +#define emulate_libffi_trampoline_x86_64(UNION, REGS) do {	\
> +	(REGS)->r11 = UNION.lf.addr1;				\
> +	(REGS)->r10 = UNION.lf.addr2;				\
> +	(REGS)->ip = UNION.lf.addr1;				\
> +	if (UNION.lf.stcclc == 0xF8)				\
> +		(REGS)->flags &= ~X86_EFLAGS_CF;		\
> +	else							\
> +		(REGS)->flags |= X86_EFLAGS_CF;			\
> +} while (0)
> +
> +#define is_valid_gcc_trampoline_x86_64_type1(UNION, REGS)	\
> +	(UNION.g1.mov1 == 0xBB49 &&				\
> +	UNION.g1.mov2 == 0xBA49 &&				\
> +	UNION.g1.jmp1 == 0xFF49 &&				\
> +	UNION.g1.jmp2 == 0xE3 &&				\
> +	REGS->ip > REGS->sp)
> +
> +#define emulate_gcc_trampoline_x86_64_type1(UNION, REGS) do {	\
> +	(REGS)->r11 = UNION.g1.addr1;				\
> +	(REGS)->r10 = UNION.g1.addr2;				\
> +	(REGS)->ip = UNION.g1.addr1;				\
> +} while (0)
> +
> +#define is_valid_gcc_trampoline_x86_64_type2(UNION, REGS)	\
> +	(UNION.g2.mov1 == 0xBB41 &&				\
> +	UNION.g2.mov2 == 0xBA49 &&				\
> +	UNION.g2.jmp1 == 0xFF49 &&				\
> +	UNION.g2.jmp2 == 0xE3 &&				\
> +	REGS->ip > REGS->sp)
> +
> +#define emulate_gcc_trampoline_x86_64_type2(UNION, REGS) do {	\
> +	(REGS)->r11 = UNION.g2.addr1;				\
> +	(REGS)->r10 = UNION.g2.addr2;				\
> +	(REGS)->ip = UNION.g2.addr1;				\
> +} while (0)
> +
> +#endif /* CONFIG_X86_64 */
> +
> +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */
> +#endif /* __SARA_TRAMPOLINES_H */
> diff --git a/security/sara/wxprot.c b/security/sara/wxprot.c
> index f9233a5..38c86be 100644
> --- a/security/sara/wxprot.c
> +++ b/security/sara/wxprot.c
> @@ -22,6 +22,11 @@
>  #include <linux/ratelimit.h>
>  #include <linux/spinlock.h>
> 
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +#include <linux/uaccess.h>
> +#include "include/trampolines.h"
> +#endif
> +
>  #include "include/sara.h"
>  #include "include/sara_data.h"
>  #include "include/utils.h"
> @@ -37,6 +42,7 @@
>  #define SARA_WXP_COMPLAIN	0x0010
>  #define SARA_WXP_VERBOSE	0x0020
>  #define SARA_WXP_MMAP		0x0040
> +#define SARA_WXP_EMUTRAMP	0x0100
>  #define SARA_WXP_TRANSFER	0x0200
>  #define SARA_WXP_NONE		0x0000
>  #define SARA_WXP_MPROTECT	(SARA_WXP_HEAP	| \
> @@ -47,7 +53,12 @@
>  				SARA_WXP_WXORX		| \
>  				SARA_WXP_COMPLAIN	| \
>  				SARA_WXP_VERBOSE)
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +#define SARA_WXP_ALL		(__SARA_WXP_ALL		| \
> +				SARA_WXP_EMUTRAMP)
> +#else /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */
>  #define SARA_WXP_ALL		__SARA_WXP_ALL
> +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */
> 
>  struct wxprot_rule {
>  	char *path;
> @@ -72,7 +83,11 @@ struct wxprot_config_container {
>  static u16 default_flags __ro_after_init =
>  				CONFIG_SECURITY_SARA_WXPROT_DEFAULT_FLAGS;
> 
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +static const bool wxprot_emutramp = true;
> +#else
>  static const bool wxprot_emutramp;
> +#endif
> 
>  static void pr_wxp(char *msg)
>  {
> @@ -97,6 +112,9 @@ static bool are_flags_valid(u16 flags)
>  				SARA_WXP_WXORX |
>  				SARA_WXP_MMAP))))
>  		return false;
> +	if (unlikely(flags & SARA_WXP_EMUTRAMP &&
> +		     ((flags & SARA_WXP_MPROTECT) != SARA_WXP_MPROTECT)))
> +		return false;
>  	return true;
>  }
> 
> @@ -366,10 +384,132 @@ static int sara_file_mprotect(struct 
> vm_area_struct *vma,
>  	return 0;
>  }
> 
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +#define PF_PROT		(1 << 0)
> +#define PF_USER		(1 << 2)
> +#define PF_INSTR	(1 << 4)
> +static int sara_pagefault_handler_x86_32(struct pt_regs *regs);
> +static int sara_pagefault_handler_x86_64(struct pt_regs *regs);
> +static int sara_pagefault_handler_x86(struct pt_regs *regs,
> +					unsigned long error_code,
> +					unsigned long address)
> +{
> +	int ret = 0;
> +
> +	if (!sara_enabled || !wxprot_enabled ||
> +	    !(error_code & PF_USER) ||
> +	    !(error_code & PF_INSTR) ||
> +	    !(error_code & PF_PROT) ||
> +	    !(get_current_sara_wxp_flags() & SARA_WXP_EMUTRAMP))
> +		return 0;
> +
> +	local_irq_enable();
> +	might_sleep();
> +	might_fault();
> +
> +#ifdef	CONFIG_X86_32
> +	ret = sara_pagefault_handler_x86_32(regs);
> +#else
> +	if (regs->cs == __USER32_CS ||
> +	    regs->cs & (1<<2)) {
> +		if (!(address >> 32))	/* K8 erratum #100 */
> +			ret = sara_pagefault_handler_x86_32(regs);
> +	} else
> +		ret = sara_pagefault_handler_x86_64(regs);
> +#endif
> +
> +	return ret;
> +}
> +
> +static int sara_pagefault_handler_x86_32(struct pt_regs *regs)
> +{
> +	int ret;
> +	void __user *ip = (void __user *) regs->ip;
> +	union trampolines_x86_32 t;
> +
> +	BUILD_BUG_ON(sizeof(t.lf) > sizeof(t.g1));
> +	BUILD_BUG_ON(sizeof(t.g2) > sizeof(t.lf));
> +
> +	ret = copy_from_user(&t, ip, sizeof(t.g1));
> +	if (ret)
> +		ret = copy_from_user(&t, ip, sizeof(t.lf));
> +	if (ret)
> +		ret = copy_from_user(&t, ip, sizeof(t.g2));
> +	if (ret)
> +		return 0;
> +
> +	if (is_valid_gcc_trampoline_x86_32_type1(t, regs)) {
> +		pr_debug("Trampoline: gcc1 x86_32.\n");
> +		emulate_gcc_trampoline_x86_32_type1(t, regs);
> +		return 1;
> +	} else if (is_valid_libffi_trampoline_x86_32(t)) {
> +		pr_debug("Trampoline: libffi x86_32.\n");
> +		emulate_libffi_trampoline_x86_32(t, regs);
> +		return 1;
> +	} else if (is_valid_gcc_trampoline_x86_32_type2(t, regs)) {
> +		pr_debug("Trampoline: gcc2 x86_32.\n");
> +		emulate_gcc_trampoline_x86_32_type2(t, regs);
> +		return 1;
> +	}
> +
> +	pr_debug("Not a trampoline (x86_32).\n");
> +
> +	return 0;
> +}
> +
> +#ifdef CONFIG_X86_64
> +static int sara_pagefault_handler_x86_64(struct pt_regs *regs)
> +{
> +	int ret;
> +	void __user *ip = (void __user *) regs->ip;
> +	union trampolines_x86_64 t;
> +
> +	BUILD_BUG_ON(sizeof(t.g1) > sizeof(t.lf));
> +	BUILD_BUG_ON(sizeof(t.g2) > sizeof(t.g1));
> +
> +	ret = copy_from_user(&t, ip, sizeof(t.lf));
> +	if (ret)
> +		ret = copy_from_user(&t, ip, sizeof(t.g1));
> +	if (ret)
> +		ret = copy_from_user(&t, ip, sizeof(t.g2));
> +	if (ret)
> +		return 0;
> +
> +	if (is_valid_libffi_trampoline_x86_64(t)) {
> +		pr_debug("Trampoline: libffi x86_64.\n");
> +		emulate_libffi_trampoline_x86_64(t, regs);
> +		return 1;
> +	} else if (is_valid_gcc_trampoline_x86_64_type1(t, regs)) {
> +		pr_debug("Trampoline: gcc1 x86_64.\n");
> +		emulate_gcc_trampoline_x86_64_type1(t, regs);
> +		return 1;
> +	} else if (is_valid_gcc_trampoline_x86_64_type2(t, regs)) {
> +		pr_debug("Trampoline: gcc2 x86_64.\n");
> +		emulate_gcc_trampoline_x86_64_type2(t, regs);
> +		return 1;
> +	}
> +
> +	pr_debug("Not a trampoline (x86_64).\n");
> +
> +	return 0;
> +
> +}
> +#else /* CONFIG_X86_64 */
> +static inline int sara_pagefault_handler_x86_64(struct pt_regs *regs)
> +{
> +	return 0;
> +}
> +#endif /* CONFIG_X86_64 */
> +
> +#endif /* CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP */
> +
>  static struct security_hook_list wxprot_hooks[] __ro_after_init = {
>  	LSM_HOOK_INIT(bprm_set_creds, sara_bprm_set_creds),
>  	LSM_HOOK_INIT(check_vmflags, sara_check_vmflags),
>  	LSM_HOOK_INIT(file_mprotect, sara_file_mprotect),
> +#ifdef CONFIG_SECURITY_SARA_WXPROT_EMUTRAMP
> +	LSM_HOOK_INIT(pagefault_handler_x86, sara_pagefault_handler_x86),
> +#endif
>  };
> 
>  struct binary_config_header {

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.