From patchwork Tue May 17 07:47:50 2016
X-Patchwork-Submitter: Rashmica Gupta
X-Patchwork-Id: 622946
From: Rashmica Gupta
To: linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au
Cc: sbauer@plzdonthack.me
Subject: [PATCH 1/2] powerpc/SROP Mitigation: Architecture independent SROP mitigation code
Date: Tue, 17 May 2016 17:47:50 +1000
Message-Id: <1463471271-26788-2-git-send-email-rashmicy@gmail.com>
In-Reply-To: <1463471271-26788-1-git-send-email-rashmicy@gmail.com>
References: <1463471271-26788-1-git-send-email-rashmicy@gmail.com>

This is based off Scotty's patch: https://lkml.org/lkml/2016/3/29/792. The only difference is that the sig_cookie is a part of the struct sighand_struct instead of task_struct, so the sig_cookie is shared between threads.

Signed-off-by: Rashmica Gupta
--- fs/exec.c | 4 ++++ include/linux/sched.h | 1 + include/linux/signal.h | 2 ++ kernel/signal.c | 41 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 48 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index c4010b8207a1..487f3b20b8d8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -57,6 +57,7 @@ #include #include #include +#include #include #include @@ -1231,6 +1232,9 @@ void setup_new_exec(struct linux_binprm * bprm) /* This is the point of no return */ current->sas_ss_sp = current->sas_ss_size = 0; + get_random_bytes(¤t->sighand->sig_cookie, + sizeof(current->sighand->sig_cookie)); + if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid())) set_dumpable(current->mm, SUID_DUMP_USER); else diff --git a/include/linux/sched.h b/include/linux/sched.h index 52c4847b05e2..aa0f2cd2f46b 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h 
@@ -519,6 +519,7 @@ struct sighand_struct { struct k_sigaction action[_NSIG]; spinlock_t siglock; wait_queue_head_t signalfd_wqh; + unsigned long sig_cookie; }; struct pacct_struct { diff --git a/include/linux/signal.h b/include/linux/signal.h index 92557bbce7e7..fae0618b436f 100644 --- a/include/linux/signal.h +++ b/include/linux/signal.h @@ -280,6 +280,8 @@ extern int get_signal(struct ksignal *ksig); extern void signal_setup_done(int failed, struct ksignal *ksig, int stepping); extern void exit_signals(struct task_struct *tsk); extern void kernel_sigaction(int, __sighandler_t); +extern int set_sigcookie(unsigned long __user *location); +extern int verify_clear_sigcookie(unsigned long __user *sig_cookie_ptr); static inline void allow_signal(int sig) { diff --git a/kernel/signal.c b/kernel/signal.c index aa9bf00749c1..6db671ebf44b 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -2430,6 +2430,47 @@ out: } } +static unsigned long gen_sigcookie(unsigned long __user *location) +{ + + unsigned long sig_cookie; + + sig_cookie = (unsigned long) location ^ current->sighand->sig_cookie; + + return sig_cookie; +} + +int set_sigcookie(unsigned long __user *location) +{ + + unsigned long sig_cookie = gen_sigcookie(location); + + return put_user(sig_cookie, location); +} + +int verify_clear_sigcookie(unsigned long __user *sig_cookie_ptr) +{ + unsigned long user_cookie; + unsigned long calculated_cookie; + + if (get_user(user_cookie, sig_cookie_ptr)) + return 1; + + calculated_cookie = gen_sigcookie(sig_cookie_ptr); + + if (user_cookie != calculated_cookie) { + pr_warn("Signal protector does not match what kernel set it to"\ + ". Possible exploit attempt or buggy program!\n"); + return 1; + + } + + user_cookie = 0; + return put_user(user_cookie, sig_cookie_ptr); +} + +EXPORT_SYMBOL(verify_clear_sigcookie); +EXPORT_SYMBOL(set_sigcookie); EXPORT_SYMBOL(recalc_sigpending); EXPORT_SYMBOL_GPL(dequeue_signal); EXPORT_SYMBOL(flush_signals);
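Review bot: in the first fs/exec.c hunk the added `+#include` line has lost its header name in this rendering, so the include cannot be checked against the symbol it is meant to supply; the only new call this file gains is get_random_bytes(), so please confirm the include is the header that declares it and make sure the full path survives when the series is reposted.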
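Review bot: the setup_new_exec() hunk is the only place in this series that initialises sighand->sig_cookie (the diffstat touches fs/exec.c, sched.h, signal.h and kernel/signal.c, not kernel/fork.c), so a process created by fork() that never execs either keeps the parent's cookie or gets whatever the freshly allocated sighand_struct contains; please either initialise the field in copy_sighand() as well or state in the commit message that pre-fork workers without a subsequent exec are covered only by the parent's value. Also, the address-of in `get_random_bytes(¤t->sighand->sig_cookie, ...)` renders as `¤t` here, which looks like an encoding artifact of `&current`; worth checking that the posted patch applies cleanly.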
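Review bot: the new `unsigned long sig_cookie;` member in struct sighand_struct has no comment, unlike the surrounding fields; add one stating what it is (the per-thread-group secret used to protect signal frames, per the commit message), when it is written (only during exec, before any other thread can exist) and that it therefore needs no siglock protection, so the next reader does not have to infer the locking rules from kernel/signal.c.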
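Review bot: the two new declarations in include/linux/signal.h, `set_sigcookie()` and `verify_clear_sigcookie()`, carry no comment describing their contract, and the implementation in kernel/signal.c does not make it obvious: both return int, but the failure paths mix a bare `return 1` with the 0/-EFAULT value propagated from put_user(). Document the return convention next to the prototypes (or in kerneldoc), including that the verify function zeroes the cookie in user memory on success, since arch callers in the rest of the series will be written against this interface.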
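Review bot: in the kernel/signal.c hunk, verify_clear_sigcookie() returns 1 both when get_user() faults and when the cookie mismatches, but `return put_user(user_cookie, sig_cookie_ptr)` returns 0 or -EFAULT, so callers get an inconsistent error space; use -EFAULT for the copy failures and a distinct negative errno for the mismatch, or at least document "nonzero means failure". The pr_warn() on mismatch is reachable from unprivileged userspace on every bad frame, so it should be pr_warn_ratelimited() and should include current->comm and task_pid_nr(current) so an operator can attribute the event; a bare "Possible exploit attempt" line with no process identity is hard to triage. Minor style points: the `"\` between the two adjacent string literals is unnecessary (the literals concatenate without it), and the blank line after the opening brace of gen_sigcookie() and set_sigcookie() is not kernel style. Finally, the only intended callers are arch signal-frame code, which is built in, so the two EXPORT_SYMBOL() lines look unneeded (if they are kept for a reason, EXPORT_SYMBOL_GPL would be the usual choice). It would also help to state in a comment above gen_sigcookie() that the scheme derives each frame's cookie as `location ^ sighand->sig_cookie`, so its security assumes the stored cookie cannot be read back by the process; that assumption belongs with the code rather than only in the cover letter.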