On Thu, Nov 19, 2020 at 7:04 PM Lokesh Gidra <lokeshgidra@xxxxxxxxxx> wrote: > > This patch series is split from [1]. The other series enables SELinux > support for userfaultfd file descriptors so that its creation and > movement can be controlled. > > It has been demonstrated on various occasions that suspending kernel > code execution for an arbitrary amount of time at any access to > userspace memory (copy_from_user()/copy_to_user()/...) can be exploited > to change the intended behavior of the kernel. For instance, handling > page faults in kernel-mode using userfaultfd has been exploited in [2, 3]. > Likewise, FUSE, which is similar to userfaultfd in this respect, has been > exploited in [4, 5] for similar outcome. > > This small patch series adds a new flag to userfaultfd(2) that allows > callers to give up the ability to handle kernel-mode faults with the > resulting UFFD file object. It then adds a 'user-mode only' option to > the unprivileged_userfaultfd sysctl knob to require unprivileged > callers to use this new flag. > > The purpose of this new interface is to decrease the chance of an > unprivileged userfaultfd user taking advantage of userfaultfd to > enhance security vulnerabilities by lengthening the race window in > kernel code. > > [1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@xxxxxxxxxx/ > [2] https://duasynt.com/blog/linux-kernel-heap-spray > [3] https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit > [4] https://googleprojectzero.blogspot.com/2016/06/exploiting-recursion-in-linux-kernel_20.html > [5] https://bugs.chromium.org/p/project-zero/issues/detail?id=808 > > Changes since v5: > > - Added printk_once when unprivileged_userfaultfd is set to 0 and > userfaultfd syscall is called without UFFD_USER_MODE_ONLY in the > absence of CAP_SYS_PTRACE capability. > > Changes since v4: > > - Added warning when bailing out from handling kernel fault. > > Changes since v3: > > - Modified the meaning of value '0' of unprivileged_userfaultfd > sysctl knob. Setting this knob to '0' now allows unprivileged users > to use userfaultfd, but can handle page faults in user-mode only. > - The default value of unprivileged_userfaultfd sysctl knob is changed > to '0'. > > Changes since v2: > > - Removed 'uffd_flags' and directly used 'UFFD_USER_MODE_ONLY' in > userfaultfd(). > > Changes since v1: > > - Added external references to the threats from allowing unprivileged > users to handle page faults from kernel-mode. > - Removed the new sysctl knob restricting handling of page > faults from kernel-mode, and added an option for the same > in the existing 'unprivileged_userfaultfd' knob. > > Lokesh Gidra (2): > Add UFFD_USER_MODE_ONLY > Add user-mode only option to unprivileged_userfaultfd sysctl knob > > Documentation/admin-guide/sysctl/vm.rst | 15 ++++++++++----- > fs/userfaultfd.c | 20 +++++++++++++++++--- > include/uapi/linux/userfaultfd.h | 9 +++++++++ > 3 files changed, 36 insertions(+), 8 deletions(-) > > -- > 2.29.0.rc1.297.gfa9743e501-goog > Adding linux-mm@xxxxxxxxx mailing list.