From: Greg KH <greg@kroah.com>
To: Daniel Thompson <daniel.thompson@linaro.org>
Cc: stable@vger.kernel.org, Jason Wessel <jason.wessel@windriver.com>,
Douglas Anderson <dianders@chromium.org>,
Stephen Brennan <stephen.s.brennan@oracle.com>,
Konrad Wilk <konrad.wilk@oracle.com>
Subject: Re: [PATCH v5.4] lockdown: also lock down previous kgdb use
Date: Wed, 25 May 2022 15:51:13 +0200 [thread overview]
Message-ID: <Yo40UeUyNGxMuV18@kroah.com> (raw)
In-Reply-To: <20220525133107.204183-1-daniel.thompson@linaro.org>
On Wed, May 25, 2022 at 02:31:07PM +0100, Daniel Thompson wrote:
> commit eadb2f47a3ced5c64b23b90fd2a3463f63726066 upstream.
>
> KGDB and KDB allow read and write access to kernel memory, and thus
> should be restricted during lockdown. An attacker with access to a
> serial port (for example, via a hypervisor console, which some cloud
> vendors provide over the network) could trigger the debugger so it is
> important that the debugger respect the lockdown mode when/if it is
> triggered.
>
> Fix this by integrating lockdown into kdb's existing permissions
> mechanism. Unfortunately kgdb does not have any permissions mechanism
> (although it certainly could be added later) so, for now, kgdb is simply
> and brutally disabled by immediately exiting the gdb stub without taking
> any action.
>
> For lockdowns established early in the boot (e.g. the normal case) then
> this should be fine but on systems where kgdb has set breakpoints before
> the lockdown is enacted than "bad things" will happen.
>
> CVE: CVE-2022-21499
> Co-developed-by: Stephen Brennan <stephen.s.brennan@oracle.com>
> Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
> Reviewed-by: Douglas Anderson <dianders@chromium.org>
> Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> ---
>
> Notes:
> Original patch did not backport cleanly. This backport is fixed up,
> compile tested (on arm64) and side-by-side compared against the
> original.
>
Now queued up, thanks.
greg k-h
prev parent reply other threads:[~2022-05-25 14:07 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-25 13:31 [PATCH v5.4] lockdown: also lock down previous kgdb use Daniel Thompson
2022-05-25 13:51 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yo40UeUyNGxMuV18@kroah.com \
--to=greg@kroah.com \
--cc=daniel.thompson@linaro.org \
--cc=dianders@chromium.org \
--cc=jason.wessel@windriver.com \
--cc=konrad.wilk@oracle.com \
--cc=stable@vger.kernel.org \
--cc=stephen.s.brennan@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.