From: Nicolas Schichan <nschichan@freebox.fr>
To: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>,
Mircea Gherzan <mgherzan@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Eric Paris <eparis@redhat.com>,
James Morris <james.l.morris@oracle.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH RFC 1/3] seccomp: add generic code for jitted seccomp filters.
Date: Fri, 15 Mar 2013 20:10:42 +0100 [thread overview]
Message-ID: <51437232.8000509@freebox.fr> (raw)
In-Reply-To: <CAGXu5jLMPFoeAD5uXaMf-CS9yz_8_1zRJEkzxT7R6U4HruJSjQ@mail.gmail.com>
On 03/15/2013 07:45 PM, Kees Cook wrote:
> On Fri, Mar 15, 2013 at 11:28 AM, Nicolas Schichan <nschichan@freebox.fr> wrote:
>> +/**
>> + * struct seccomp_filter - container for seccomp BPF programs
>> + *
>> + * @usage: reference count to manage the object lifetime.
>> + * get/put helpers should be used when accessing an instance
>> + * outside of a lifetime-guarded section. In general, this
>> + * is only needed for handling filters shared across tasks.
>> + * @prev: points to a previously installed, or inherited, filter
>> + * @len: the number of instructions in the program
>> + * @insns: the BPF program instructions to evaluate
>
> This should be updated to include the new bpf_func field.
Sure, I'll fix this in a re-spin of the patch serie.
> Regardless, it'd be better to not expose this structure to userspace.
Yes, I did not realise that this header was exported to userspace. Do you know
any place not exported to userspace where the structure definition would be
appropriate ?
>> @@ -213,7 +185,7 @@ static u32 seccomp_run_filters(int syscall)
>> * value always takes priority (ignoring the DATA).
>> */
>> for (f = current->seccomp.filter; f; f = f->prev) {
>> - u32 cur_ret = sk_run_filter(NULL, f->insns);
>> + u32 cur_ret = f->bpf_func(NULL, f->insns);
>
> This will make bpf_func a rather attractive target inside the kernel.
> I wonder if there could be ways to harden it against potential attack.
I'm not sure I follow, but is it because any user can install a SECCOMP filter
which will trigger JIT code generation with potential JIT spraying attack
payload ?
In that case, the same problem exists with struct sk_filter->bpf_func, as
SO_ATTACH_FILTER, with BPT JIT enabled, does not require any particular
privilege AFAICS.
Regarding JIT spraying, I believe ARM is actually worse than x86 in that
regard, since the values appearing in the literal pool can be quite easily
controlled by an attacker.
Thanks for the review.
Regards,
--
Nicolas Schichan
Freebox SAS
next prev parent reply other threads:[~2013-03-15 19:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1363372123-8861-1-git-send-email-nschichan@freebox.fr>
2013-03-15 18:28 ` [PATCH RFC 1/3] seccomp: add generic code for jitted seccomp filters Nicolas Schichan
2013-03-15 18:39 ` Nicolas Schichan
2013-03-15 18:45 ` Kees Cook
2013-03-15 19:10 ` Nicolas Schichan [this message]
2013-03-15 19:22 ` Kees Cook
2013-03-15 19:53 ` Nicolas Schichan
2013-03-15 20:45 ` Eric Paris
2013-03-15 18:28 ` [PATCH RFC 2/3] ARM: net: bpf_jit: make code generation less dependent on struct sk_filter Nicolas Schichan
2013-03-15 18:28 ` [PATCH RFC 3/3] ARM: net: bpf_jit: add support for jitted seccomp filters Nicolas Schichan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51437232.8000509@freebox.fr \
--to=nschichan@freebox.fr \
--cc=akpm@linux-foundation.org \
--cc=eparis@redhat.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mgherzan@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox