If someone calls set_fs(KERNEL_DS), then they are responsible for making sure that whatever addresses are accessed are safe. If they get it wrong on a kernel address, OOPS. If they get it wrong on a user address, warn.
This will make it harder to exploit bugs in which user code controls a pointer accessed with KERNEL_DS: an attacker will OOPS if they access an unmapped page, and they'll therefore need luck or a kASLR bypass in addition. To keep probe_kernel_read(), probe_kernel_write(), and probe_kernel_address() working, skip this check if pagefault_disabled(). Signed-off-by: Andy Lutomirski <[email protected]> --- arch/x86/mm/extable.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c index 818cc7ffef79..4bf3ab2b8be1 100644 --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -60,6 +60,37 @@ static bool uaccess_fault_okay(int trapnr, unsigned long error_code, return false; } + /* + * If fs == KERNEL_DS, then all uaccess should be directed to + * known-good kernel addresses. + * + * We still need to support probe_kernel_read and + * probe_kernel_address, which disable page faults. This could be + * tightened up a bit if we explicitly annotated probe_kernel_read(), + * probe_kernel_write() and probe_kernel_address(), perhaps by + * introducing PROBE_KERNEL_DS. + */ + if (unlikely(!is_user_ds && !pagefault_disabled())) { + if (extra < TASK_SIZE_MAX) { + /* + * Accessing user address under KERNEL_DS. This is a + * bug and should be fixed, but OOPSing is not helpful + * for exploit mitigation. + */ + WARN_ONCE(1, "BUG: uaccess fault at 0x%lx with KERNEL_DS\n", + extra); + } else { + /* + * If a bug that allows user-controlled KERNEL_DS + * access exists, this will prevent it from being used + * to trivially bypass kASLR. + */ + pr_crit("BUG: uaccess fault at 0x%lx with KERNEL_DS\n", + extra); + return false; + } + } + return true; } -- 2.5.5
