[PATCH 7/7] x86/uaccess: OOPS or warn on a fault with KERNEL_DS and !pagefault_disabled()
From: Andy Lutomirski
Date: Tue May 24 2016 - 18:49:05 EST
If someone calls set_fs(KERNEL_DS), then they are responsible for
making sure that whatever addresses are accessed are safe. If they
get it wrong on a kernel address, OOPS. If they get it wrong on a user
address, warn.
This will make it harder to exploit bugs in which user code controls
a pointer accessed with KERNEL_DS: an attacker will OOPS if they
access an unmapped page, and they'll therefore need luck or a kASLR
bypass in addition.
To keep probe_kernel_read(), probe_kernel_write(), and
probe_kernel_address() working, skip this check if
pagefault_disabled().
Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxx>
---
arch/x86/mm/extable.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
index 818cc7ffef79..4bf3ab2b8be1 100644
--- a/arch/x86/mm/extable.c
+++ b/arch/x86/mm/extable.c
@@ -60,6 +60,37 @@ static bool uaccess_fault_okay(int trapnr, unsigned long error_code,
return false;
}
+ /*
+ * If fs == KERNEL_DS, then all uaccess should be directed to
+ * known-good kernel addresses.
+ *
+ * We still need to support probe_kernel_read and
+ * probe_kernel_address, which disable page faults. This could be
+ * tightened up a bit if we explicitly annotated probe_kernel_read(),
+ * probe_kernel_write() and probe_kernel_address(), perhaps by
+ * introducing PROBE_KERNEL_DS.
+ */
+ if (unlikely(!is_user_ds && !pagefault_disabled())) {
+ if (extra < TASK_SIZE_MAX) {
+ /*
+ * Accessing user address under KERNEL_DS. This is a
+ * bug and should be fixed, but OOPSing is not helpful
+ * for exploit mitigation.
+ */
+ WARN_ONCE(1, "BUG: uaccess fault at 0x%lx with KERNEL_DS\n",
+ extra);
+ } else {
+ /*
+ * If a bug that allows user-controlled KERNEL_DS
+ * access exists, this will prevent it from being used
+ * to trivially bypass kASLR.
+ */
+ pr_crit("BUG: uaccess fault at 0x%lx with KERNEL_DS\n",
+ extra);
+ return false;
+ }
+ }
+
return true;
}
--
2.5.5