Re: [RESEND RFC] kernel/ksysfs.c: restrict /sys/kernel/notes to root access

[Jürgen Groß]

On 18.02.24 10:04, Kees Cook wrote:
> On Sun, Feb 18, 2024 at 08:47:03AM +0100, Greg KH wrote:
> > On Sun, Feb 18, 2024 at 03:35:01PM +0800, Guixiong Wei wrote:
> > > From: Guixiong Wei <weiguixiong@xxxxxxxxxxxxx>
> > >
> > > Restrict non-privileged user access to /sys/kernel/notes to
> > > avoid security attack.
> > >
> > > The non-privileged users have read access to notes. The notes
> > > expose the load address of startup_xen. This address could be
> > > used to bypass KASLR.
> >
> > How can it be used to bypass it?
> >
> > KASLR is, for local users, pretty much not an issue, as that's not what
> > it protects from, only remote ones.
> >
> > > For example, the startup_xen is built at 0xffffffff82465180 and
> > > commit_creds is built at 0xffffffff810ad570 which could read from
> > > the /boot/System.map. And the loaded address of startup_xen is
> > > 0xffffffffbc265180 which read from /sys/kernel/notes. So the loaded
> > > address of commit_creds is 0xffffffffbc265180 - (0xffffffff82465180
> > >   - 0xffffffff810ad570) = 0xffffffffbaead570.
> >
> > I've cc: the hardening list on this, I'm sure the developers there have
> > opinions about this.
>
> Oh eww, why is Xen spewing addresses into the notes section? (This must
> be how it finds its entry point? But that would be before relocations
> happen...)

Right. Xen is looking into the ELF-file to find the entry point of the
kernel (PV and PVH guest types only).

> But yes, I can confirm that relocations are done against the .notes
> section at boot, so the addresses exposed in .notes is an immediate
> KASLR offset exposure.

Relocations applied to the kernel when it has been started don't need
to cover the notes section as far as Xen is concerned.


Juergen