From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Kees Cook <keescook@chromium.org>
Cc: "Thomas Garnier" <thgarnie@google.com>,
	"Martin Schwidefsky" <schwidefsky@de.ibm.com>,
	"David Howells" <dhowells@redhat.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Dave Hansen" <dave.hansen@intel.com>,
	"Al Viro" <viro@zeniv.linux.org.uk>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"René Nyffenegger" <mail@renenyffenegger.ch>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Paul E . McKenney" <paulmck@linux.vnet.ibm.com>,
	"Ingo Molnar" <mingo@kernel.org>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Pavel Tikhomirov" <ptikhomirov@virtuozzo.com>,
	"Stephen Smalley" <sds@tycho.nsa.gov>,
	"Ingo Molnar" <mingo@redhat.com>,
	"H . Peter Anvin" <hpa@zytor.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Rik van Riel" <riel@redhat.com>,
	"Josh Poimboeuf" <jpoimboe@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	"Brian Gerst" <brgerst@gmail.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
	"Christian Borntraeger" <borntraeger@de.ibm.com>,
	"Russell King" <linux@armlinux.org.uk>,
	"Will Deacon" <will.deacon@arm.com>,
	"Catalin Marinas" <catalin.marinas@arm.com>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"James Morse" <james.morse@arm.com>,
	"linux-s390@vger.kernel.org" <linux-s390@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"Linux API" <linux-api@vger.kernel.org>,
	"x86@kernel.org" <x86@kernel.org>,
	"linux-arm-kernel@lists.infradead.org"
	<linux-arm-kernel@lists.infradead.org>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>
Subject: [kernel-hardening] Re: [PATCH] lkdtm: add bad USER_DS test
Date: Fri, 24 Mar 2017 09:14:50 +0100
Message-ID: <20170324081450.GA5891@osiris>
In-Reply-To: <20170323203419.GA62859@beast>

On Thu, Mar 23, 2017 at 01:34:19PM -0700, Kees Cook wrote:
> This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return
> still sees USER_DS during the new VERIFY_PRE_USERMODE_STATE checks.
> 
> Signed-off-by: Kees Cook <keescook@chromium.org>

...

> +void lkdtm_CORRUPT_USER_DS(void)
> +{
> +	/*
> +	 * Test that USER_DS has been set correctly on exiting a syscall.
> +	 * Since setting this higher than USER_DS (TASK_SIZE) would introduce
> +	 * an exploitable condition, we lower it instead, since that should
> +	 * not create as large a problem on an unprotected system.
> +	 */
> +	mm_segment_t lowfs;
> +#ifdef MAKE_MM_SEG
> +	lowfs = MAKE_MM_SEG(TASK_SIZE - PAGE_SIZE);
> +#else
> +	lowfs = TASK_SIZE - PAGE_SIZE;
> +#endif
> +
> +	pr_info("setting bad task size limit\n");
> +	set_fs(lowfs);
> +}
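Review bot: both branches of the `#ifdef MAKE_MM_SEG` block assume that mm_segment_t encodes an address limit, since `lowfs = TASK_SIZE - PAGE_SIZE` only has meaning where set_fs() takes an upper address bound; the ifdef distinguishes struct-wrapped from plain values, not limit from identifier semantics, so the test should be restricted to architectures where the limit convention holds (an arch opt-in or a Kconfig dependency) rather than compiled unconditionally. The comment should also state that the caller's task is left with the lowered limit, which on an unprotected system means uaccess to its topmost user page fails with -EFAULT until the task exits, and the `pr_info("setting bad task size limit\n")` line would be more useful for triage if it logged the previous and new get_fs() values.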

This won't work on architectures where the set_fs() argument does not
contain an address but an address space identifier. This is true e.g. for
s390 and as far as I know also for sparc.
On s390 we have completely distinct address spaces for kernel and user space
that each start at address zero.
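The two conventions contrasted above, as an added C model that is not kernel code and not part of this thread: under an address-limit mm_segment_t the lowered value narrows access_ok() and is caught by the USER_DS check, while under an address-space-identifier mm_segment_t the same arithmetic yields no valid segment at all. TASK_SIZE, the struct layouts and the access_ok() logic are simplified assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model for illustration only; values are not real kernel constants. */
#undef TASK_SIZE
#undef PAGE_SIZE
#define TASK_SIZE 0x00007ffffffff000UL  /* assumed x86-64-style user address ceiling */
#define PAGE_SIZE 4096UL

/* Convention A (x86, arm, ...): mm_segment_t holds an address limit. */
typedef struct { unsigned long seg; } addr_limit_t;
#define MAKE_ADDR_LIMIT(s) ((addr_limit_t){ (s) })
static const addr_limit_t USER_LIMIT   = { TASK_SIZE };
static const addr_limit_t KERNEL_LIMIT = { (unsigned long)-1 };

/* Model of access_ok(): the range [ptr, ptr+len) must sit below the limit. */
static bool limit_access_ok(addr_limit_t fs, uintptr_t ptr, size_t len)
{
	uintptr_t end;
	if (__builtin_add_overflow(ptr, len, &end))  /* reject wraparound */
		return false;
	return end <= fs.seg;
}

/* The check lkdtm wants exercised on syscall return: fs must be exactly USER_DS. */
static bool limit_fs_is_user(addr_limit_t fs)
{
	return fs.seg == USER_LIMIT.seg;
}

/* Convention B (s390-style): mm_segment_t is an identifier selecting one of two
 * distinct address spaces that both start at 0. There is no limit to lower. */
typedef enum { SPACE_KERNEL = 0, SPACE_USER = 1 } space_id_t;

/* "TASK_SIZE - PAGE_SIZE" is not a valid identifier under convention B. */
static bool space_id_valid(unsigned long v)
{
	return v == SPACE_KERNEL || v == SPACE_USER;
}

int main(void)
{
	addr_limit_t low = MAKE_ADDR_LIMIT(TASK_SIZE - PAGE_SIZE);
	printf("lowered limit: last user page access_ok=%d, fs_is_user=%d\n",
	       limit_access_ok(low, TASK_SIZE - PAGE_SIZE, 16), limit_fs_is_user(low));
	printf("KERNEL_DS left set: kernel address access_ok=%d\n",
	       limit_access_ok(KERNEL_LIMIT, 0xffff800000000000UL, 8));
	printf("convention B: %lu is a valid space id? %d\n",
	       TASK_SIZE - PAGE_SIZE, space_id_valid(TASK_SIZE - PAGE_SIZE));
	return 0;
}
```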
