Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization

From: Kees Cook
Date: Fri Mar 10 2023 - 10:54:32 EST


On March 9, 2023 1:00:20 PM PST, Ornaghi Davide <davide.ornaghi@xxxxxxxx> wrote:
>Per-system-call kernel-stack randomization was introduced to
>prevent attackers from predicting the addresses of certain data
>structures on the stack upon sequential syscalls.
>
>However, when entering soft interrupt context, a new stack is allocated
>via vmalloc at a location that stays constant for each cpu until reboot.
>
>Recent security vulnerabilities such as CVE-2023-0179 showed how an
>infoleak under the softirq context could allow the attacker to locate
>kernel data structures like nftables registers, where a malicious payload
>could be stored.
>
>Instead of keeping a constant address, reuse kstack_offset to also
>randomize the soft interrupt stack on every __do_softirq entry.
>
>This basic patch version has the drawback of using the same base
>address for all pending softirqs, including softirqd ones, but has a low
>impact on performance.
>Alternatively, the stack offset could be updated for every softirq
>action, which I suspect might cause some performance issues.
>
>Signed-off-by: Davide Ornaghi <davide.ornaghi@xxxxxxxx>

This seems like a good place to start. Thanks!

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

One thought is that without a reselection of the offset after this use, the offset will be shared by the next syscall too. If softirq timing is controllable by an attacker, this might allow for some exposure?

-Kees

>---
> kernel/softirq.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/kernel/softirq.c b/kernel/softirq.c
>index c8a6913c067d..8c3eb2fffe39 100644
>--- a/kernel/softirq.c
>+++ b/kernel/softirq.c
>@@ -27,6 +27,7 @@
> #include <linux/tick.h>
> #include <linux/irq.h>
> #include <linux/wait_bit.h>
>+#include <linux/randomize_kstack.h>
>
> #include <asm/softirq_stack.h>
>
>@@ -535,6 +536,7 @@ asmlinkage __visible void __softirq_entry __do_softirq(void)
> __u32 pending;
> int softirq_bit;
>
>+ add_random_kstack_offset();
> /*
> * Mask out PF_MEMALLOC as the current task context is borrowed for the
> * softirq. A softirq handled, such as network RX, might set PF_MEMALLOC
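Review bot: add_random_kstack_offset() at the top of __do_softirq() consumes the per-CPU kstack_offset, but nothing in this hunk reselects it afterwards, so the same value shifts this softirq's frames and then the next syscall entry on this CPU (the syscall path only reselects at exit); pair the call with a choose_random_kstack_offset() fed with fresh entropy at the end of __do_softirq(), mirroring the syscall exit path, so that a softirq whose timing the attacker controls does not disclose the offset the following syscall will run under. Two smaller points: a blank line after `+ add_random_kstack_offset();` would separate the call from the PF_MEMALLOC comment block that follows it, and a one-line comment above the call saying that the offset is applied once per __do_softirq() invocation (and therefore shared by every pending softirq handled in this pass, as the commit message acknowledges) would save the next reader from having to rediscover that scope.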
>--
>2.34.1
>
>
>Davide Ornaghi
>Offensive Security Specialist & Intrusion Analyst
>
>T. +39 039 28.45.774 +39 039 96.34.717
>Intré Security - a venture of Intré S.r.l.
>www.intre.it
>
>Please note: In reference to Italian law 196/2003 and to the Regulation EU 679/2016 (GDPR), this email transmission including its attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any views or opinions are solely those of the author and do not necessarily represent those of Intré S.r.l., unless specifically stated. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this email due to an error, please contact the sender via e-mail to the address privacy@xxxxxxxx and delete the email transmission immediately.


--
Kees Cook
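The concern raised in the reply above, worked through as an added example that is not kernel code and not part of the original message: a user-space model of the add_random_kstack_offset() / choose_random_kstack_offset() handshake. The function names and the 10-bit KSTACK_OFFSET_MAX() mask are taken from include/linux/randomize_kstack.h, but the bodies are simplified stand-ins (a single global replaces the per-CPU variable, and the consumed offset is returned instead of being alloca()'d); fake_entropy(), the model_* functions, the starting offset 0x2AF and the stack_probe() helper are constructed for this illustration. It shows that a consumer which never reselects leaves the same offset for the next syscall, while a consumer that reselects after use does not, and stack_probe() shows what the alloca-based shift does to the frames below it.

```c
/*
 * Added example, not kernel code: user-space model of the kstack_offset
 * handshake. Names mirror include/linux/randomize_kstack.h; bodies are
 * simplified stand-ins. fake_entropy(), model_*() and stack_probe() are
 * constructed for this illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same mask the kernel applies before its alloca: keep 10 bits. */
#define KSTACK_OFFSET_MAX(x) ((x) & 0x3FF)

/* Stand-in for the per-CPU kstack_offset (a single CPU is modeled). */
static uint32_t kstack_offset;

/* Stand-in for choose_random_kstack_offset(): fold fresh entropy in. */
static void choose_random_kstack_offset(uint32_t rand)
{
	kstack_offset ^= rand;
}

/*
 * Stand-in for add_random_kstack_offset(): the kernel alloca()s this many
 * bytes so that every frame below moves; here the size is returned so the
 * caller can see which offset was consumed.
 */
static uint32_t add_random_kstack_offset(void)
{
	return KSTACK_OFFSET_MAX(kstack_offset);
}

/*
 * Constructed, deterministic stand-in for the entropy the real exit path
 * mixes in. Always odd, so XOR-ing it in always changes the masked
 * offset; real entropy can of course repeat by chance.
 */
static uint32_t fake_entropy(void)
{
	static uint32_t n;

	n++;
	return (n * 2654435761u) | 1u;
}

/* Syscall model: entry consumes the offset, exit reselects it. */
static uint32_t model_syscall(void)
{
	uint32_t used = add_random_kstack_offset();

	choose_random_kstack_offset(fake_entropy());
	return used;
}

/* __do_softirq() as patched: consume only, never reselect. */
static uint32_t model_softirq_as_patched(void)
{
	return add_random_kstack_offset();
}

/* __do_softirq() with a reselect after use, as the reply suggests. */
static uint32_t model_softirq_reselecting(void)
{
	uint32_t used = add_random_kstack_offset();

	choose_random_kstack_offset(fake_entropy());
	return used;
}

/*
 * Scenario: a syscall, an attacker-timed softirq, then the attacker's next
 * syscall. Returns true when the softirq and that next syscall were shifted
 * by the same offset, i.e. a softirq infoleak would also give away the
 * next syscall's frame layout.
 */
static bool softirq_offset_shared_with_next_syscall(bool reselect)
{
	uint32_t in_softirq, in_next_syscall;

	kstack_offset = 0x2AF;		/* constructed starting state */
	model_syscall();
	in_softirq = reselect ? model_softirq_reselecting()
			      : model_softirq_as_patched();
	in_next_syscall = model_syscall();
	return in_softirq == in_next_syscall;
}

/* Baseline: two back-to-back syscalls do not share an offset. */
static bool consecutive_syscalls_share_offset(void)
{
	uint32_t first, second;

	kstack_offset = 0x2AF;
	first = model_syscall();
	second = model_syscall();
	return first == second;
}

/* A callee whose local's address shows where the frames below land. */
static __attribute__((noinline)) uintptr_t probe_callee(void)
{
	volatile uint8_t marker = 0;

	return (uintptr_t)&marker;
}

/* Pad this frame by `offset` bytes (what the kernel macro really does) and
 * report the callee's local; the asm keeps the pad alive across the call. */
static __attribute__((noinline)) uintptr_t stack_probe(uint32_t offset)
{
	uint8_t *pad = __builtin_alloca(offset);
	uintptr_t callee_local = probe_callee();

	__asm__ __volatile__("" :: "r"(pad) : "memory");
	return callee_local;
}

/* How far the callee's frame moves for a given consumed offset. */
static uintptr_t frame_shift(uint32_t offset)
{
	uintptr_t unshifted = stack_probe(0);
	uintptr_t shifted = stack_probe(offset);

	return unshifted - shifted;
}

int main(void)
{
	printf("callee frame moves by %lu bytes for offset 0x200\n",
	       (unsigned long)frame_shift(0x200));
	printf("as patched, softirq shares offset with next syscall: %s\n",
	       softirq_offset_shared_with_next_syscall(false) ? "yes" : "no");
	printf("with reselect after use: %s\n",
	       softirq_offset_shared_with_next_syscall(true) ? "yes" : "no");
	return 0;
}
```

The model deliberately keeps the reselect as a plain XOR of the old value with new entropy, so the shared-offset case is visible as two equal return values rather than as two equal stack addresses; stack_probe() is there only to show that the consumed number really is a frame displacement, not an abstract counter.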