On 21/12/2018 21:45, Matthew Wilcox wrote:
On Fri, Dec 21, 2018 at 11:38:16AM -0800, Nadav Amit wrote:
On Dec 19, 2018, at 1:33 PM, Igor Stoppa <igor.stoppa@xxxxxxxxx> wrote:
+static inline void *wr_memset(void *p, int c, __kernel_size_t len)
+{
+ return __wr_op((unsigned long)p, (unsigned long)c, len, WR_MEMSET);
+}
What do you think about doing something like:
#define __wr __attribute__((address_space(5)))
And then make all the pointers to write-rarely memory to use this attribute?
It might require more changes to the code, but can prevent bugs.
I like this idea. It was something I was considering suggesting.
I have been thinking about this sort of problem, although from a bit
different angle:
1) enforcing alignment for pointers
This can be implemented in similar way, by creating a multi-attribute
that would define section, address space, like said here, and alignment.
However I'm not sure if it's possible to do anything to enforce the
alignment of a pointer field within a structure. I haven't had time to
look into this yet.
2) validation of the correctness of the actual value
Inside the kernel code, a function is not supposed to sanitize its
arguments, as long as they come from some other trusted part of the
kernel, rather than say from userspace or from some HW interface.
However,ROP/JOP should be considered.
I am aware of various efforts to make it harder to exploit these
techniques, like signed pointers, CFI plugins, LTO.
But they are not necessarily available on every platform and mostly,
afaik, they focus on specific type of attacks.
LTO can help with global optimizations, for example inlining functions
across different objects.
CFI can detect jumps in the middle of a function, rather than proper
function invocation, from its natural entry point.
Signed pointers can prevent data-based attacks to the execution flow,
and they might have a role in preventing the attack I have in mind, but
they are not available on all platforms.
What I'd like to do, is to verify, at runtime, that the pointer belongs
to the type that the receiving function is meant for.
Ex: a legitimate __wr_after_init data must exist between
__start_wr_after_init and __end_wr_after_init
That is easier and cleaner to test, imho.
But dynamically allocated memory doesn't have any such constraint.
If it was possible to introduce, for example, a flag to pass to vmalloc,
to get the vmap_area from within a specific address range, it would
reduce the attack surface.
In the implementation I have right now, I'm using extra flags for the
pmalloc pages, which means the metadata is the new target for an attack.
But with adding the constraint that a dynamically allocated protected
memory page must be within a range, then the attacker must change the
underlying PTE. And if a region of PTEs are all part of protected
memory, it is possible to make the PMD write rare.
--
igor