From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4B49EC43217 for ; Thu, 17 Nov 2022 23:43:34 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 66BB46B0071; Thu, 17 Nov 2022 18:43:32 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 619C98E0002; Thu, 17 Nov 2022 18:43:32 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4936F6B0073; Thu, 17 Nov 2022 18:43:32 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 361E96B0071 for ; Thu, 17 Nov 2022 18:43:32 -0500 (EST) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 00B158121E for ; Thu, 17 Nov 2022 23:43:31 +0000 (UTC) X-FDA: 80144563464.29.6BC0513 Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by imf15.hostedemail.com (Postfix) with ESMTP id 99232A0008 for ; Thu, 17 Nov 2022 23:43:31 +0000 (UTC) Received: by mail-pl1-f170.google.com with SMTP id jn7so1223317plb.13 for ; Thu, 17 Nov 2022 15:43:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=lmIZZc21Vqw+ah0v9NZF0i5NZ6eVMCNaXJnOrpu6AVc=; b=Yrj5IFrDvbUZ3Yvcoww5ZxD9/vtv8JQAnR+pht+KQwLqqHXthMcS0yvQmCr+eNVO9f o6LbrbHFtt/SytHCo4KpaWV397L63RMWGED1Hs8t8YbB/ZISoD9PQxa5W7Z+rJ/EJ1vv DLJA5t4SrLk0wKYJE+jlGYm37CcLrDtO27/Xo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lmIZZc21Vqw+ah0v9NZF0i5NZ6eVMCNaXJnOrpu6AVc=; b=SnlyPhdL31JvovJy+8Ibm/KyrwP5JN+H53N7oVGMqsVX5yevJvMyunBGCPrPAFJRKi +UAv/gpWm+gRBXJUQVHBbWc/fxEtmDzh2jTTisctUkQ5PwLVBqyqr0p2YknMzkcJqv7x AssUKcVX7gJyyD5cIJtOzUPYQ1czL9dFPhPpVyd1R9diHg/kJBDAHcxaZx7e9AgN1hLU 4boFTo5nOu2Wp4Sb9CIzlqd4nULgIU7bk8UIxeqgNx65NsqmiaTYhfCi9xNZmhRiRCa2 LS8ZdKDJB5cZGUjXcDCsx4NXCLoKDBjWkoe8lOIr2w3WEqxngXqkkxRk3SMP4yOwsqGZ NRAQ== X-Gm-Message-State: ANoB5plzpKuyx8GwZCPgVnPVqMinKphCIUIoFxsIp0ePig7QKQ+pOsrb 1LABcMXd4jN3Py2s/uAiiuRu/Q== X-Google-Smtp-Source: AA0mqf7s/asEdnHkCrNi5YFesuLIeRxumx7zAhOgO328FmhLx3/DrF0ZZE+OszS5js75jDXYCsHOtQ== X-Received: by 2002:a17:90a:710b:b0:218:725:c820 with SMTP id h11-20020a17090a710b00b002180725c820mr5027614pjk.170.1668728610498; Thu, 17 Nov 2022 15:43:30 -0800 (PST) Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241]) by smtp.gmail.com with ESMTPSA id r16-20020aa79890000000b005627d995a36sm1726716pfl.44.2022.11.17.15.43.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 17 Nov 2022 15:43:29 -0800 (PST) From: Kees Cook To: Jann Horn Cc: Kees Cook , Luis Chamberlain , Seth Jenkins , Greg KH , Linus Torvalds , Andy Lutomirski , Andrew Morton , tangmeng , "Guilherme G. Piccoli" , Tiezhu Yang , Sebastian Andrzej Siewior , "Eric W. Biederman" , Arnd Bergmann , Dmitry Vyukov , Peter Zijlstra , Juri Lelli , Vincent Guittot , Dietmar Eggemann , Steven Rostedt , Ben Segall , Daniel Bristot de Oliveira , Valentin Schneider , Andrey Ryabinin , Alexander Potapenko , Andrey Konovalov , Vincenzo Frascino , David Gow , "Paul E. McKenney" , Jonathan Corbet , Baolin Wang , "Jason A. Donenfeld" , Eric Biggers , Huang Ying , Anton Vorontsov , Mauro Carvalho Chehab , Laurent Dufour , Rob Herring , linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-doc@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 2/6] exit: Put an upper limit on how often we can oops Date: Thu, 17 Nov 2022 15:43:22 -0800 Message-Id: <20221117234328.594699-2-keescook@chromium.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221117233838.give.484-kees@kernel.org> References: <20221117233838.give.484-kees@kernel.org> MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=5376; i=keescook@chromium.org; h=from:subject; bh=bLKz0AsFfkmjD/QLdbw/QzipPdep0rPypPtLzjq9ZTA=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjdsccBvLQ6nT8J4vcb5go4xzTn7/5z8tY/5Q7hcSb zMPNB62JAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY3bHHAAKCRCJcvTf3G3AJpL1D/ oDk0k/qwVU9AOH7rJGYOAx8NIIF3c/+tKzCgbmUMHK8vTPitK9TmPTBdDT8RMWympaOJTlnGEyWEVZ qi89p2iZ/Ly7IkmOAm+XKeqt8Id7PBkvGfQ0S6hOJBU3vL9QiovG/ZBvBdaEjtezeuVa0K/njRUL8P IBXJMNwV1PaowE45g/K64RUmABpgQ6n/KmAcw61aJpDNRZS4WGzG7aXI3ZPYe9Jcrz8omNZM72o0sX lEvUNN1yHpHmGp9fsPIFzkQoW4QVRqRrxy8CUljllnNQzVo/03L4fA+cR1+RaTlnxwHiQ87T/32JP4 EmX6r4WjI21FvqTknthuTLg9BmgmB+TWSDDW/LnEIMcOY1vr4QymYzhycPxn1PK6WGkO8REkW+K1+O 4GwWjG895xklsuozUg/QU/iwbkRsvGxC4vSkT8qQBHVw7MAkISN+OkpAvxQg6gLZvyZlZC2zO2xMF5 VwiQFlFr6vuL9CMz+kBo68TOCs9iXuaYHRt0TnWcIel+zE9fZA0Mq72SGUglEf2cY6nqIlFNuBN8qe Vu1/C460YPWW9/d9EunqPkl3UUbL5qeCuR0jBraE02NNA1ta4jWs9BV7HenTQCni0j+clechmslpPH O1ShX8omxLAY2xC0IUAtMKY7RMIISZYapZnKNO18Lbo0S9i1uvATRGJh FHSw== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=Yrj5IFrD; spf=pass (imf15.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.170 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1668728611; a=rsa-sha256; cv=none; b=TDIYWZBiYGWec1LAbAG55ilUVMgQNDPmrKBc+hJFjEITt2j5SXtoq48FZ0SVlJD6M3ku94 alyR/o0TAlnrmTQfsUiQ+MFq5dLflvnZYQcZgoE0OCP+hu410wARhGGWTf1OoR0cYpFFve 3eHFPGc6iI80P2zojdGFSTz1dpWM63s= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1668728611; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=lmIZZc21Vqw+ah0v9NZF0i5NZ6eVMCNaXJnOrpu6AVc=; b=yHXIWdl4A19SqlJttfbLMigz6GZ/xYimOZhy8uz9e/03arKGEroNKW5le2qcMDtf3vjq83 cj/ZWvT2ue4GjN8JwWTh48eZN034i2YKXjbGdrqrXioNvr/DI07lUPMHkrzhXgp4Pv6oRw wzLEZZyUSRBPHjYtUdqIwbDWeB6vko0= Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=Yrj5IFrD; spf=pass (imf15.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.170 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org X-Rspamd-Server: rspam02 X-Rspam-User: X-Stat-Signature: mrangchemuuxwoz8n88sgphs8j93ide3 X-Rspamd-Queue-Id: 99232A0008 X-HE-Tag: 1668728611-126631 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Jann Horn Many Linux systems are configured to not panic on oops; but allowing an attacker to oops the system **really** often can make even bugs that look completely unexploitable exploitable (like NULL dereferences and such) if each crash elevates a refcount by one or a lock is taken in read mode, and this causes a counter to eventually overflow. The most interesting counters for this are 32 bits wide (like open-coded refcounts that don't use refcount_t). (The ldsem reader count on 32-bit platforms is just 16 bits, but probably nobody cares about 32-bit platforms that much nowadays.) So let's panic the system if the kernel is constantly oopsing. The speed of oopsing 2^32 times probably depends on several factors, like how long the stack trace is and which unwinder you're using; an empirically important one is whether your console is showing a graphical environment or a text console that oopses will be printed to. In a quick single-threaded benchmark, it looks like oopsing in a vfork() child with a very short stack trace only takes ~510 microseconds per run when a graphical console is active; but switching to a text console that oopses are printed to slows it down around 87x, to ~45 milliseconds per run. (Adding more threads makes this faster, but the actual oops printing happens under &die_lock on x86, so you can maybe speed this up by a factor of around 2 and then any further improvement gets eaten up by lock contention.) It looks like it would take around 8-12 days to overflow a 32-bit counter with repeated oopsing on a multi-core X86 system running a graphical environment; both me (in an X86 VM) and Seth (with a distro kernel on normal hardware in a standard configuration) got numbers in that ballpark. 12 days aren't *that* short on a desktop system, and you'd likely need much longer on a typical server system (assuming that people don't run graphical desktop environments on their servers), and this is a *very* noisy and violent approach to exploiting the kernel; and it also seems to take orders of magnitude longer on some machines, probably because stuff like EFI pstore will slow it down a ton if that's active. Signed-off-by: Jann Horn Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com Reviewed-by: Luis Chamberlain Signed-off-by: Kees Cook --- Documentation/admin-guide/sysctl/kernel.rst | 8 ++++ kernel/exit.c | 42 +++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst index 98d1b198b2b4..09f3fb2f8585 100644 --- a/Documentation/admin-guide/sysctl/kernel.rst +++ b/Documentation/admin-guide/sysctl/kernel.rst @@ -667,6 +667,14 @@ This is the default behavior. an oops event is detected. +oops_limit +========== + +Number of kernel oopses after which the kernel should panic when +``panic_on_oops`` is not set. Setting this to 0 or 1 has the same effect +as setting ``panic_on_oops=1``. + + osrelease, ostype & version =========================== diff --git a/kernel/exit.c b/kernel/exit.c index 35e0a31a0315..799c5edd6be6 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -72,6 +72,33 @@ #include #include +/* + * The default value should be high enough to not crash a system that randomly + * crashes its kernel from time to time, but low enough to at least not permit + * overflowing 32-bit refcounts or the ldsem writer count. + */ +static unsigned int oops_limit = 10000; + +#if CONFIG_SYSCTL +static struct ctl_table kern_exit_table[] = { + { + .procname = "oops_limit", + .data = &oops_limit, + .maxlen = sizeof(oops_limit), + .mode = 0644, + .proc_handler = proc_douintvec, + }, + { } +}; + +static __init int kernel_exit_sysctls_init(void) +{ + register_sysctl_init("kernel", kern_exit_table); + return 0; +} +late_initcall(kernel_exit_sysctls_init); +#endif + static void __unhash_process(struct task_struct *p, bool group_dead) { nr_threads--; @@ -874,6 +901,8 @@ void __noreturn do_exit(long code) void __noreturn make_task_dead(int signr) { + static atomic_t oops_count = ATOMIC_INIT(0); + /* * Take the task off the cpu after something catastrophic has * happened. @@ -897,6 +926,19 @@ void __noreturn make_task_dead(int signr) preempt_count_set(PREEMPT_ENABLED); } + /* + * Every time the system oopses, if the oops happens while a reference + * to an object was held, the reference leaks. + * If the oops doesn't also leak memory, repeated oopsing can cause + * reference counters to wrap around (if they're not using refcount_t). + * This means that repeated oopsing can make unexploitable-looking bugs + * exploitable through repeated oopsing. + * To make sure this can't happen, place an upper bound on how often the + * kernel may oops without panic(). + */ + if (atomic_inc_return(&oops_count) >= READ_ONCE(oops_limit)) + panic("Oopsed too often (kernel.oops_limit is %d)", oops_limit); + /* * We're taking recursive faults here in make_task_dead. Safest is to just * leave this task alone and wait for reboot. -- 2.34.1