Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
From: Ornaghi Davide
Date: Sat Mar 11 2023 - 15:25:06 EST
Davide Ornaghi
Offensive Security Specialist & Intrusion Analyst
T. +39 039 28.45.774 +39 039 96.34.717
Intré Security - a venture of Intré S.r.l.
www.intre.it
Please note: In reference to Italian law 196/2003 and to the Regulation EU 679/2016 (GDPR), this email transmission including its attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any views or opinions are solely those of the author and do not necessarily represent those of Intré S.r.l., unless specifically stated. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this email due to an error, please contact the sender via e-mail to the address privacy@xxxxxxxx and delete the email transmission immediately.
> -----Original Message-----
> From: Kees Cook <kees@xxxxxxxxxx>
> Sent: Friday, 10 March 2023 16:47
> To: Ornaghi Davide <davide.ornaghi@xxxxxxxx>; keescook@xxxxxxxxxxxx;
> paulmck@xxxxxxxxxx; nsaenzju@xxxxxxxxxx; peterz@xxxxxxxxxxxxx;
> bigeasy@xxxxxxxxxxxxx; frederic@xxxxxxxxxx; linux-hardening@xxxxxxxxxxxxxxx;
> linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [RFC PATCH] Introduce per-interrupt kernel-stack randomization
>
> On March 9, 2023 1:00:20 PM PST, Ornaghi Davide <davide.ornaghi@xxxxxxxx>
> wrote:
> >Per-system-call kernel-stack randomization was introduced to prevent
> >attackers from predicting the addresses of certain data structures on
> >the stack upon sequential syscalls.
> >
> >However, when entering soft interrupt context, a new stack is allocated
> >via vmalloc at a location that stays constant for each cpu until reboot.
> >
> >Recent security vulnerabilities such as CVE-2023-0179 showed how an
> >infoleak under the softirq context could allow the attacker to locate
> >kernel data structures like nftables registers, where a malicious
> >payload could be stored.
> >
> >Instead of keeping a constant address, reuse kstack_offset to also
> >randomize the soft interrupt stack on every __do_softirq entry.
> >
> >This basic patch version has the drawback of using the same base
> >address for all pending softirqs, including softirqd ones, but has low
> >impacts on performance.
> >Alternatively, the stack offset could be updated for every softirq
> >action, which I suspect might cause some performance issues.
> >
> >Signed-off-by: Davide Ornaghi <davide.ornaghi@xxxxxxxx>
>
> This seems like a good place to start. Thanks!
>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> One thought is that without a reselection of the offset after this use, the offset
> will be shared by the next syscall too. If softirq timing is controllable by an
> attacker, this might allow for some exposure?
That would be a problem indeed. One way to solve it is to keep the softirq offset independent from the syscall one and update it at the end of __do_softirq.
Should we add a new build option or integrate it with CONFIG_RANDOMIZE_KSTACK_OFFSET?
- Davide
>
> -Kees
>
> >---
> > kernel/softirq.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> >diff --git a/kernel/softirq.c b/kernel/softirq.c index
> >c8a6913c067d..8c3eb2fffe39 100644
> >--- a/kernel/softirq.c
> >+++ b/kernel/softirq.c
> >@@ -27,6 +27,7 @@
> > #include <linux/tick.h>
> > #include <linux/irq.h>
> > #include <linux/wait_bit.h>
> >+#include <linux/randomize_kstack.h>
> >
> > #include <asm/softirq_stack.h>
> >
> >@@ -535,6 +536,7 @@ asmlinkage __visible void __softirq_entry
> >__do_softirq(void)
> > __u32 pending;
> > int softirq_bit;
> >
> >+ add_random_kstack_offset();
> > /*
> > * Mask out PF_MEMALLOC as the current task context is borrowed for
> >the
> > * softirq. A softirq handled, such as network RX, might set
> >PF_MEMALLOC
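Review bot: The add_random_kstack_offset() call added at the top of __do_softirq() has no matching reselection before the function returns, so the offset applied to the softirq stack is the same one the next syscall entry on this CPU will use, which is the exposure raised in the review above. Suggest either calling choose_random_kstack_offset() at the end of __do_softirq() or, as proposed in the reply, keeping a separate softirq offset that is refreshed there. The call also sits directly against the existing PF_MEMALLOC comment with no blank line and no comment of its own; a one-line comment stating why the softirq stack is offset here would help future readers.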
> >--
> >2.34.1
> >
> >
>
>
> --
> Kees Cook