From: Emrah Demir <ed@abdsec.com>
To: linux-kernel@vger.kernel.org
Cc: keescook@chromium.org, dan.j.rosenberg@gmail.com,
kernel-hardening@lists.openwall.com,
torvalds@linux-foundation.org, davej@redhat.com,
Emrah Demir <ed@abdsec.com>
Subject: [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file
Date: Wed, 6 Apr 2016 16:03:02 +0300 [thread overview]
Message-ID: <1459947782-5071-1-git-send-email-ed@abdsec.com> (raw)
From: Emrah Demir <ed@abdsec.com>
Even though KASLR is aiming to mitigate remote attacks, with a simple LFI vulnerability through a web application, local leaks become as important as remote ones.
On the KASLR enabled systems in order to achieve expected protection, some files are needed to edited/modified to prevent leaks.
/proc/iomem file leaks offset of text section. By adding 0x80000000, Attackers can get _text base address. KASLR will be bypassed.
$ cat /proc/iomem | grep 'Kernel code'
38600000-38b7fe92 : Kernel code
$ python -c 'print hex(0x38600000 + 0x80000000)'
0xb8600000
# cat /proc/kallsyms | grep 'T _text'
ffffffffb8600000 T _text
By this patch after insertion resources, start and end address are zeroed. /proc/iomem and /proc/ioports sources, which use request_resource and insert_resource now shown as 0 value.
Signed-off-by: Emrah Demir <ed@abdsec.com>
---
kernel/resource.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/resource.c b/kernel/resource.c
index 2e78ead..5b9937e 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -321,6 +321,8 @@ int request_resource(struct resource *root, struct resource *new)
struct resource *conflict;
conflict = request_resource_conflict(root, new);
+ new->start = 0;
+ new->end = 0;
return conflict ? -EBUSY : 0;
}
@@ -864,6 +866,8 @@ int insert_resource(struct resource *parent, struct resource *new)
struct resource *conflict;
conflict = insert_resource_conflict(parent, new);
+ new->start = 0;
+ new->end = 0;
return conflict ? -EBUSY : 0;
}
EXPORT_SYMBOL_GPL(insert_resource);
--
2.8.0.rc3
next reply other threads:[~2016-04-06 13:58 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-06 13:03 Emrah Demir [this message]
2016-04-06 15:20 ` [PATCH] KERNEL: resource: Fix bug on leakage in /proc/iomem file Linus Torvalds
2016-04-06 17:54 ` Linus Torvalds
2016-04-06 18:05 ` ed
2016-04-06 18:21 ` Kees Cook
2016-04-06 18:31 ` Linus Torvalds
2016-04-06 18:37 ` Kees Cook
2016-04-06 18:43 ` Linus Torvalds
2016-04-06 18:53 ` [kernel-hardening] " Yves-Alexis Perez
2016-04-06 19:02 ` Linus Torvalds
2016-04-06 19:11 ` Yves-Alexis Perez
2016-04-06 19:19 ` Borislav Petkov
2016-04-06 20:49 ` Ingo Molnar
2016-04-06 19:23 ` Bjørn Mork
2016-04-06 18:52 ` Christian Kujau
2016-04-06 18:53 ` Kees Cook
2016-04-06 21:19 ` Linus Torvalds
2016-04-06 21:27 ` Kees Cook
2016-04-06 21:32 ` Linus Torvalds
2016-04-14 4:27 ` Kees Cook
2016-04-14 7:39 ` Emrah Demir
2016-04-06 18:03 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1459947782-5071-1-git-send-email-ed@abdsec.com \
--to=ed@abdsec.com \
--cc=dan.j.rosenberg@gmail.com \
--cc=davej@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox