From: "Jürgen Groß" <jgross@suse.com>
To: Kees Cook <keescook@chromium.org>, Greg KH <gregkh@linuxfoundation.org>
Cc: Guixiong Wei <guixiongwei@gmail.com>,
linux-hardening@vger.kernel.org,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>,
Guixiong Wei <weiguixiong@bytedance.com>,
linux-kernel@vger.kernel.org
Subject: Re: [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access
Date: Mon, 19 Feb 2024 14:07:57 +0100 [thread overview]
Message-ID: <23ecde01-0e9a-4d2f-8194-294174ca7dbc@suse.com> (raw)
In-Reply-To: <202402180028.6DB512C50@keescook>
On 18.02.24 10:04, Kees Cook wrote:
> On Sun, Feb 18, 2024 at 08:47:03AM +0100, Greg KH wrote:
>> On Sun, Feb 18, 2024 at 03:35:01PM +0800, Guixiong Wei wrote:
>>> From: Guixiong Wei <weiguixiong@bytedance.com>
>>>
>>> Restrict non-privileged user access to /sys/kernel/notes to
>>> avoid security attack.
>>>
>>> The non-privileged users have read access to notes. The notes
>>> expose the load address of startup_xen. This address could be
>>> used to bypass KASLR.
>>
>> How can it be used to bypass it?
>>
>> KASLR is, for local users, pretty much not an issue, as that's not what
>> it protects from, only remote ones.
>>
>>> For example, the startup_xen is built at 0xffffffff82465180 and
>>> commit_creds is built at 0xffffffff810ad570 which could read from
>>> the /boot/System.map. And the loaded address of startup_xen is
>>> 0xffffffffbc265180 which read from /sys/kernel/notes. So the loaded
>>> address of commit_creds is 0xffffffffbc265180 - (0xffffffff82465180
>>> - 0xffffffff810ad570) = 0xffffffffbaead570.
>>
>> I've cc: the hardening list on this, I'm sure the developers there have
>> opinions about this.
>
> Oh eww, why is Xen spewing addresses into the notes section? (This must
> be how it finds its entry point? But that would be before relocations
> happen...)
Right. Xen is looking into the ELF-file to find the entry point of the
kernel (PV and PVH guest types only).
>
> But yes, I can confirm that relocations are done against the .notes
> section at boot, so the addresses exposed in .notes is an immediate
> KASLR offset exposure.
Relocations applied to the kernel when it has been started don't need
to cover the notes section as far as Xen is concerned.
Juergen
next prev parent reply other threads:[~2024-02-19 13:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-18 7:35 [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access Guixiong Wei
2024-02-18 7:47 ` Greg KH
2024-02-18 9:04 ` Kees Cook
2024-02-19 11:41 ` Guixiong Wei
2024-02-19 13:07 ` Jürgen Groß [this message]
2024-02-19 13:21 ` Jann Horn
[not found] <CAJe52t-XxSn2rK+wEg1hNAdsPdq+TO-fj3wEYPK_eBH0d-bsSg@mail.gmail.com>
2024-02-18 7:16 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23ecde01-0e9a-4d2f-8194-294174ca7dbc@suse.com \
--to=jgross@suse.com \
--cc=boris.ostrovsky@oracle.com \
--cc=gregkh@linuxfoundation.org \
--cc=guixiongwei@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleksandr_tyshchenko@epam.com \
--cc=sstabellini@kernel.org \
--cc=weiguixiong@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox