Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGXu5jL1S+CFEruBOaN_yJa7cY+a9gr8cBQgFcYowW=gT5VfSA@mail.gmail.com>
Date: Mon, 26 Mar 2018 10:41:09 -0700
From: Kees Cook <keescook@...omium.org>
To: Dave Martin <Dave.Martin@....com>
Cc: Mark Rutland <Mark.Rutland@....com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, 
	Catalin Marinas <Catalin.Marinas@....com>, Will Deacon <Will.Deacon@....com>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>
Subject: Re: [PATCH 33/38] arm64: Implement thread_struct whitelist for
 hardened usercopy

On Mon, Mar 26, 2018 at 9:22 AM, Dave Martin <Dave.Martin@....com> wrote:
> [Dropped most of the original Cc list, since most people are unlikely to
> care about this thread archaeology.]
>
> On Mon, Jan 15, 2018 at 12:06:17PM -0800, Kees Cook wrote:
>> On Mon, Jan 15, 2018 at 4:24 AM, Dave P Martin <Dave.Martin@....com> wrote:
>> > On Thu, Jan 11, 2018 at 02:03:05AM +0000, Kees Cook wrote:
>> >> This whitelists the FPU register state portion of the thread_struct for
>> >> copying to userspace, instead of the default entire structure.
>> >>
>> >> Cc: Catalin Marinas <catalin.marinas@....com>
>> >> Cc: Will Deacon <will.deacon@....com>
>> >> Cc: Christian Borntraeger <borntraeger@...ibm.com>
>> >> Cc: Ingo Molnar <mingo@...nel.org>
>> >> Cc: James Morse <james.morse@....com>
>> >> Cc: "Peter Zijlstra (Intel)" <peterz@...radead.org>
>> >> Cc: Dave Martin <Dave.Martin@....com>
>> >> Cc: zijun_hu <zijun_hu@....com>
>> >> Cc: linux-arm-kernel@...ts.infradead.org
>> >> Signed-off-by: Kees Cook <keescook@...omium.org>
>> >> ---
>> >>  arch/arm64/Kconfig                 | 1 +
>> >>  arch/arm64/include/asm/processor.h | 8 ++++++++
>> >>  2 files changed, 9 insertions(+)
>> >>
>> >> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>> >> index a93339f5178f..c84477e6a884 100644
>> >> --- a/arch/arm64/Kconfig
>> >> +++ b/arch/arm64/Kconfig
>> >> @@ -90,6 +90,7 @@ config ARM64
>> >>       select HAVE_ARCH_MMAP_RND_BITS
>> >>       select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT
>> >>       select HAVE_ARCH_SECCOMP_FILTER
>> >> +     select HAVE_ARCH_THREAD_STRUCT_WHITELIST
>> >>       select HAVE_ARCH_TRACEHOOK
>> >>       select HAVE_ARCH_TRANSPARENT_HUGEPAGE
>> >>       select HAVE_ARCH_VMAP_STACK
>> >> diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
>> >> index 023cacb946c3..e58a5864ec89 100644
>> >> --- a/arch/arm64/include/asm/processor.h
>> >> +++ b/arch/arm64/include/asm/processor.h
>> >> @@ -113,6 +113,14 @@ struct thread_struct {
>> >>       struct debug_info       debug;          /* debugging */
>> >>  };
>> >>
>> >> +/* Whitelist the fpsimd_state for copying to userspace. */
>> >> +static inline void arch_thread_struct_whitelist(unsigned long *offset,
>> >> +                                             unsigned long *size)
>> >> +{
>> >> +     *offset = offsetof(struct thread_struct, fpsimd_state);
>> >> +     *size = sizeof(struct fpsimd_state);
>> >
>> > This should be fpsimd_state.user_fpsimd (fpsimd_state.cpu is important
>> > for correctly context switching and not supposed to be user-accessible.
>> > A user copy that encompasses that is definitely a bug).
>>
>> So, I actually spent some more time looking at this due to the
>> comments from rmk on arm32, and I don't think any whitelist is needed
>> here at all. (i.e. it can be *offset = *size = 0) This is because all
>> the usercopying I could find uses static sizes or bounce buffers, both
>> of which bypass the dynamic-size hardened usercopy checks.
>>
>> I've been running some arm64 builds now with this change, and I
>> haven't tripped over any problems yet...
>
> Hmmm, it looks like we may be hitting this with user_regset_copyout()
> when reading the fp regs via ptrace.  This is maybe not surprising,

Did you get one of the WARNs for it?

> since the size comes from userspace for PTRACE_{GET,SET}REGSET.
> Also, while we copy into a bounce buffer for SETREGSET here, we do copy
> straight out of task_struct for GETREGSET here.

Hm, yeah,

> This suggests we should have:
>
>         *offset = offsetof(struct thread_struct, fpsimd_state);
>         *size = sizeof(struct user_fpsimd_state);

This is what I had originally for arm64, but when I tried exercising
this code more recently, it didn't need the whitelist. It really looks
like I forgot what I had tested the first time, though. :P

> Thoughts?

Seems like it would be tripped by:

static int __fpr_get(struct task_struct *target,
                     const struct user_regset *regset,
                     unsigned int pos, unsigned int count,
                     void *kbuf, void __user *ubuf, unsigned int start_pos)
{
        struct user_fpsimd_state *uregs;

        sve_sync_to_fpsimd(target);

        uregs = &target->thread.fpsimd_state.user_fpsimd;

        return user_regset_copyout(&pos, &count, &kbuf, &ubuf, uregs,
                                   start_pos, start_pos + sizeof(*uregs));
}

And similarly __fpr_set(), compat_vfp_get(), compat_vfp_set(),
sve_get(), and sve_set(), ?

> I'm making some assumptions about how the usercopy hardening works.

I think you're right -- I just tricked myself after looking at arm32.

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.