From: Greg KH <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: [kernel-hardening] Re: [RFC 4/4] Introduce CONFIG_READONLY_USERMODEHELPER
Date: Wed, 14 Dec 2016 12:57:39 -0800 [thread overview]
Message-ID: <20161214205739.GA16730@kroah.com> (raw)
In-Reply-To: <CAGXu5jK-k=Mbk5RxiYk0r3xAQHkMvVZvYiX9mmHGpK1=hsCvtg@mail.gmail.com>
On Wed, Dec 14, 2016 at 12:31:34PM -0800, Kees Cook wrote:
> On Wed, Dec 14, 2016 at 10:51 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> > If you can write to kernel memory, an "easy" way to get the kernel to
> > run any application is to change the pointer of one of the usermode
> > helper program names. To try to mitigate this, create a new config
> > option, CONFIG_READONLY_USERMODEHELPER.
> >
> > This option only allows "predefined" binaries to be called. A number of
> > drivers and subsystems allow for the name of the binary to be changed,
> > and this config option disables that capability, so be aware of that.
> >
> > Note: Still a proof-of-concept at this point in time, doesn't cover all
> > of the call_usermodehelper() calls just yet, including the "fun" of
> > coredumps, it's still a work in progress.
> >
> > Not-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > arch/x86/kernel/cpu/mcheck/mce.c | 12 ++++++++----
> > drivers/block/drbd/drbd_int.h | 6 +++++-
> > drivers/block/drbd/drbd_main.c | 5 +++++
> > drivers/video/fbdev/uvesafb.c | 19 ++++++++++++++-----
> > fs/nfs/cache_lib.c | 12 ++++++++++--
> > include/linux/reboot.h | 2 ++
> > kernel/ksysfs.c | 6 +++++-
> > kernel/reboot.c | 3 +++
> > kernel/sysctl.c | 4 ++++
> > lib/kobject_uevent.c | 3 +++
> > security/Kconfig | 17 +++++++++++++++++
> > 11 files changed, 76 insertions(+), 13 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
> > index 00ef43233e03..92a2ef8ffe3e 100644
> > --- a/arch/x86/kernel/cpu/mcheck/mce.c
> > +++ b/arch/x86/kernel/cpu/mcheck/mce.c
> > @@ -2337,15 +2337,16 @@ static ssize_t set_bank(struct device *s, struct device_attribute *attr,
> > }
> >
> > static ssize_t
> > -show_trigger(struct device *s, struct device_attribute *attr, char *buf)
> > +trigger_show(struct device *s, struct device_attribute *attr, char *buf)
> > {
> > strcpy(buf, mce_helper);
> > strcat(buf, "\n");
> > return strlen(mce_helper) + 1;
>
> The +1 is wrong, AFAICT. Also, is speed really needed here?
No, this is sysfs files, no speed at all :)
> return scnprintf(buf, PAGE_SIZE, "%s\n", mce_helper);
>
> is more readable...
true, that's nicer, I was trying not to change things that I didn't have
to.
> > -static ssize_t set_trigger(struct device *s, struct device_attribute *attr,
> > - const char *buf, size_t siz)
> > +#ifndef CONFIG_READONLY_USERMODEHELPER
> > +static ssize_t trigger_store(struct device *s, struct device_attribute *attr,
> > + const char *buf, size_t siz)
> > {
> > char *p;
> >
> > @@ -2358,6 +2359,10 @@ static ssize_t set_trigger(struct device *s, struct device_attribute *attr,
> >
> > return strlen(mce_helper) + !!p;
> > }
> > +static DEVICE_ATTR_RW(trigger);
> > +#else
> > +static DEVICE_ATTR_RO(trigger);
> > +#endif
> >
> > static ssize_t set_ignore_ce(struct device *s,
> > struct device_attribute *attr,
> > @@ -2415,7 +2420,6 @@ static ssize_t store_int_with_restart(struct device *s,
> > return ret;
> > }
> >
> > -static DEVICE_ATTR(trigger, 0644, show_trigger, set_trigger);
> > static DEVICE_INT_ATTR(tolerant, 0644, mca_cfg.tolerant);
> > static DEVICE_INT_ATTR(monarch_timeout, 0644, mca_cfg.monarch_timeout);
> > static DEVICE_BOOL_ATTR(dont_log_ce, 0644, mca_cfg.dont_log_ce);
> > diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
> > index a139a34f1f1e..e21ab2bcc482 100644
> > --- a/drivers/block/drbd/drbd_int.h
> > +++ b/drivers/block/drbd/drbd_int.h
> > @@ -75,7 +75,11 @@ extern int fault_rate;
> > extern int fault_devs;
> > #endif
> >
> > -extern char drbd_usermode_helper[];
> > +extern
> > +#ifdef CONFIG_READONLY_USERMODEHELPER
> > + const
> > +#endif
> > + char drbd_usermode_helper[];
>
> This #ifdef; const; #endif is repeated a few times. Perhaps better to
> create a separate macro:
>
> #ifdef CONFIG_READONLY_USERMODEHELPER
> # define __ro_umh const
> #else
> # define __ro_umh /**/
> #endif
>
> ...
>
> extern __ro_umh char drbd_usermode_helper[];
Ah, much cleaner, thanks, I'll go do something like that. After fixing
up the static const crap I got wrong...
greg k-h
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@linuxfoundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: "kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [RFC 4/4] Introduce CONFIG_READONLY_USERMODEHELPER
Date: Wed, 14 Dec 2016 12:57:39 -0800 [thread overview]
Message-ID: <20161214205739.GA16730@kroah.com> (raw)
In-Reply-To: <CAGXu5jK-k=Mbk5RxiYk0r3xAQHkMvVZvYiX9mmHGpK1=hsCvtg@mail.gmail.com>
On Wed, Dec 14, 2016 at 12:31:34PM -0800, Kees Cook wrote:
> On Wed, Dec 14, 2016 at 10:51 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
> > If you can write to kernel memory, an "easy" way to get the kernel to
> > run any application is to change the pointer of one of the usermode
> > helper program names. To try to mitigate this, create a new config
> > option, CONFIG_READONLY_USERMODEHELPER.
> >
> > This option only allows "predefined" binaries to be called. A number of
> > drivers and subsystems allow for the name of the binary to be changed,
> > and this config option disables that capability, so be aware of that.
> >
> > Note: Still a proof-of-concept at this point in time, doesn't cover all
> > of the call_usermodehelper() calls just yet, including the "fun" of
> > coredumps, it's still a work in progress.
> >
> > Not-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > arch/x86/kernel/cpu/mcheck/mce.c | 12 ++++++++----
> > drivers/block/drbd/drbd_int.h | 6 +++++-
> > drivers/block/drbd/drbd_main.c | 5 +++++
> > drivers/video/fbdev/uvesafb.c | 19 ++++++++++++++-----
> > fs/nfs/cache_lib.c | 12 ++++++++++--
> > include/linux/reboot.h | 2 ++
> > kernel/ksysfs.c | 6 +++++-
> > kernel/reboot.c | 3 +++
> > kernel/sysctl.c | 4 ++++
> > lib/kobject_uevent.c | 3 +++
> > security/Kconfig | 17 +++++++++++++++++
> > 11 files changed, 76 insertions(+), 13 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
> > index 00ef43233e03..92a2ef8ffe3e 100644
> > --- a/arch/x86/kernel/cpu/mcheck/mce.c
> > +++ b/arch/x86/kernel/cpu/mcheck/mce.c
> > @@ -2337,15 +2337,16 @@ static ssize_t set_bank(struct device *s, struct device_attribute *attr,
> > }
> >
> > static ssize_t
> > -show_trigger(struct device *s, struct device_attribute *attr, char *buf)
> > +trigger_show(struct device *s, struct device_attribute *attr, char *buf)
> > {
> > strcpy(buf, mce_helper);
> > strcat(buf, "\n");
> > return strlen(mce_helper) + 1;
>
> The +1 is wrong, AFAICT. Also, is speed really needed here?
No, this is sysfs files, no speed at all :)
> return scnprintf(buf, PAGE_SIZE, "%s\n", mce_helper);
>
> is more readable...
true, that's nicer, I was trying not to change things that I didn't have
to.
> > -static ssize_t set_trigger(struct device *s, struct device_attribute *attr,
> > - const char *buf, size_t siz)
> > +#ifndef CONFIG_READONLY_USERMODEHELPER
> > +static ssize_t trigger_store(struct device *s, struct device_attribute *attr,
> > + const char *buf, size_t siz)
> > {
> > char *p;
> >
> > @@ -2358,6 +2359,10 @@ static ssize_t set_trigger(struct device *s, struct device_attribute *attr,
> >
> > return strlen(mce_helper) + !!p;
> > }
> > +static DEVICE_ATTR_RW(trigger);
> > +#else
> > +static DEVICE_ATTR_RO(trigger);
> > +#endif
> >
> > static ssize_t set_ignore_ce(struct device *s,
> > struct device_attribute *attr,
> > @@ -2415,7 +2420,6 @@ static ssize_t store_int_with_restart(struct device *s,
> > return ret;
> > }
> >
> > -static DEVICE_ATTR(trigger, 0644, show_trigger, set_trigger);
> > static DEVICE_INT_ATTR(tolerant, 0644, mca_cfg.tolerant);
> > static DEVICE_INT_ATTR(monarch_timeout, 0644, mca_cfg.monarch_timeout);
> > static DEVICE_BOOL_ATTR(dont_log_ce, 0644, mca_cfg.dont_log_ce);
> > diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
> > index a139a34f1f1e..e21ab2bcc482 100644
> > --- a/drivers/block/drbd/drbd_int.h
> > +++ b/drivers/block/drbd/drbd_int.h
> > @@ -75,7 +75,11 @@ extern int fault_rate;
> > extern int fault_devs;
> > #endif
> >
> > -extern char drbd_usermode_helper[];
> > +extern
> > +#ifdef CONFIG_READONLY_USERMODEHELPER
> > + const
> > +#endif
> > + char drbd_usermode_helper[];
>
> This #ifdef; const; #endif is repeated a few times. Perhaps better to
> create a separate macro:
>
> #ifdef CONFIG_READONLY_USERMODEHELPER
> # define __ro_umh const
> #else
> # define __ro_umh /**/
> #endif
>
> ...
>
> extern __ro_umh char drbd_usermode_helper[];
Ah, much cleaner, thanks, I'll go do something like that. After fixing
up the static const crap I got wrong...
greg k-h
next prev parent reply other threads:[~2016-12-14 20:57 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-14 18:50 [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe" Greg KH
2016-12-14 18:50 ` Greg KH
2016-12-14 18:50 ` [kernel-hardening] [PATCH 1/4] kmod: make usermodehelper path a const string Greg KH
2016-12-14 18:50 ` Greg KH
2016-12-14 18:50 ` [kernel-hardening] [PATCH 2/4] drbd: rename "usermode_helper" to "drbd_usermode_helper" Greg KH
2016-12-14 18:50 ` Greg KH
2016-12-14 18:50 ` [kernel-hardening] [PATCH 3/4] Make static usermode helper binaries constant Greg KH
2016-12-14 18:50 ` Greg KH
2016-12-14 19:11 ` [kernel-hardening] " Greg KH
2016-12-14 20:29 ` Rich Felker
2016-12-14 20:54 ` Greg KH
2016-12-15 17:54 ` Greg KH
2016-12-15 20:51 ` Daniel Micay
2016-12-15 21:18 ` Greg KH
2016-12-16 0:05 ` Daniel Micay
2016-12-16 0:14 ` Daniel Micay
2016-12-14 18:51 ` [kernel-hardening] [RFC 4/4] Introduce CONFIG_READONLY_USERMODEHELPER Greg KH
2016-12-14 18:51 ` Greg KH
2016-12-14 20:31 ` [kernel-hardening] " Kees Cook
2016-12-14 20:31 ` Kees Cook
2016-12-14 20:57 ` Greg KH [this message]
2016-12-14 20:57 ` Greg KH
2016-12-14 19:25 ` [kernel-hardening] [RFC 0/4] make call_usermodehelper a bit more "safe" Mark Rutland
2016-12-14 20:16 ` Kees Cook
2016-12-14 21:28 ` Jason A. Donenfeld
2016-12-14 23:16 ` Greg Kroah-Hartman
2016-12-16 1:02 ` [kernel-hardening] " NeilBrown
2016-12-16 1:02 ` NeilBrown
2016-12-16 12:49 ` [kernel-hardening] " Greg KH
2016-12-16 12:49 ` Greg KH
2016-12-19 13:34 ` [kernel-hardening] " Jiri Kosina
2016-12-19 13:34 ` Jiri Kosina
2016-12-20 9:27 ` [kernel-hardening] " Greg KH
2016-12-20 9:27 ` Greg KH
2016-12-20 10:27 ` [kernel-hardening] " Jiri Kosina
2016-12-20 10:27 ` Jiri Kosina
2016-12-20 10:31 ` [kernel-hardening] " Jiri Kosina
2016-12-20 10:31 ` Jiri Kosina
2016-12-20 10:48 ` [kernel-hardening] " Greg KH
2016-12-20 10:48 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161214205739.GA16730@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.