[src/trunk]: src/sys The way the kernel tries to prevent a userland process f...

[maxv <maxv%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/75b0926b7181
branches:  trunk
changeset: 346908:75b0926b7181
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sat Aug 06 15:13:13 2016 +0000

description:
The way the kernel tries to prevent a userland process from allocating page
zero is hugely flawed. It is easy to demonstrate that one can trick UVM
into chosing a NULL hint after the user_va0_disable check from uvm_map.
Such a bypass allows kernel NULL pointer dereferences to be exploitable on
architectures with a shared userland<->kernel VA, like amd64.

Fix this by increasing the limit of the vm space made available for
userland processes. This way, UVM will never chose a NULL hint, since it
would be outside of the vm space.

The user_va0_disable sysctl still controls this feature.

diffstat:

 sys/compat/linux32/common/linux32_exec_elf32.c |   6 +++---
 sys/compat/netbsd32/netbsd32_exec_aout.c       |  14 +++++++-------
 sys/compat/netbsd32/netbsd32_exec_elf32.c      |   6 +++---
 sys/kern/kern_exec.c                           |  24 +++++++++++++++++++-----
 sys/sys/exec.h                                 |   3 ++-
 sys/uvm/uvm_map.c                              |   6 +++---
 6 files changed, 37 insertions(+), 22 deletions(-)

diffs (222 lines):

diff -r d7d46650d717 -r 75b0926b7181 sys/compat/linux32/common/linux32_exec_elf32.c
--- a/sys/compat/linux32/common/linux32_exec_elf32.c    Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/compat/linux32/common/linux32_exec_elf32.c    Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: linux32_exec_elf32.c,v 1.18 2015/03/20 20:36:27 maxv Exp $ */
+/*     $NetBSD: linux32_exec_elf32.c,v 1.19 2016/08/06 15:13:13 maxv Exp $ */
 
 /*-                     
  * Copyright (c) 1995, 1998, 2000, 2001,2006 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.18 2015/03/20 20:36:27 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_exec_elf32.c,v 1.19 2016/08/06 15:13:13 maxv Exp $");
 
 #define        ELFSIZE         32
 
@@ -93,7 +93,7 @@
 #endif
 
        epp->ep_flags |= EXEC_32 | EXEC_FORCEAUX;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = USRSTACK32;
 
        return 0;
diff -r d7d46650d717 -r 75b0926b7181 sys/compat/netbsd32/netbsd32_exec_aout.c
--- a/sys/compat/netbsd32/netbsd32_exec_aout.c  Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/compat/netbsd32/netbsd32_exec_aout.c  Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_exec_aout.c,v 1.29 2014/12/05 22:21:47 christos Exp $ */
+/*     $NetBSD: netbsd32_exec_aout.c,v 1.30 2016/08/06 15:13:13 maxv Exp $     */
 /*     from: NetBSD: exec_aout.c,v 1.15 1996/09/26 23:34:46 cgd Exp */
 
 /*
@@ -57,7 +57,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_aout.c,v 1.29 2014/12/05 22:21:47 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_aout.c,v 1.30 2016/08/06 15:13:13 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -164,7 +164,7 @@
        epp->ep_daddr = epp->ep_taddr + execp->a_text;
        epp->ep_dsize = execp->a_data + execp->a_bss;
        epp->ep_entry = execp->a_entry;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS32;
 
        error = vn_marktext(epp->ep_vp);
@@ -205,7 +205,7 @@
        epp->ep_daddr = roundup(epp->ep_taddr + execp->a_text, AOUT_LDPGSZ);
        epp->ep_dsize = execp->a_data + execp->a_bss;
        epp->ep_entry = execp->a_entry;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS32;
 
        /* set up command for text segment */
@@ -244,7 +244,7 @@
        epp->ep_daddr = epp->ep_taddr + execp->a_text;
        epp->ep_dsize = execp->a_data + execp->a_bss;
        epp->ep_entry = execp->a_entry;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS32;
 
        /* set up command for text and data segments */
@@ -294,7 +294,7 @@
        epp->ep_daddr = epp->ep_taddr + execp->a_text;
        epp->ep_dsize = execp->a_data + execp->a_bss;
        epp->ep_entry = execp->a_entry;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS32;
 
        error = vn_marktext(epp->ep_vp);
@@ -342,7 +342,7 @@
        epp->ep_daddr = roundup(epp->ep_taddr + execp->a_text, AOUT_LDPGSZ);
        epp->ep_dsize = execp->a_data + execp->a_bss;
        epp->ep_entry = execp->a_entry;
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS32;
 
        /* set up command for text segment */
diff -r d7d46650d717 -r 75b0926b7181 sys/compat/netbsd32/netbsd32_exec_elf32.c
--- a/sys/compat/netbsd32/netbsd32_exec_elf32.c Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/compat/netbsd32/netbsd32_exec_elf32.c Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_exec_elf32.c,v 1.39 2015/03/20 20:36:27 maxv Exp $    */
+/*     $NetBSD: netbsd32_exec_elf32.c,v 1.40 2016/08/06 15:13:13 maxv Exp $    */
 /*     from: NetBSD: exec_aout.c,v 1.15 1996/09/26 23:34:46 cgd Exp */
 
 /*
@@ -57,7 +57,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.39 2015/03/20 20:36:27 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_exec_elf32.c,v 1.40 2016/08/06 15:13:13 maxv Exp $");
 
 #define        ELFSIZE         32
 
@@ -115,7 +115,7 @@
 #ifdef _LP64
        epp->ep_flags |= EXEC_32 | EXEC_FORCEAUX;
 #endif
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = USRSTACK32;
 #ifdef ELF_INTERP_NON_RELOCATABLE
        *pos = ELF_LINK_ADDR;
diff -r d7d46650d717 -r 75b0926b7181 sys/kern/kern_exec.c
--- a/sys/kern/kern_exec.c      Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/kern/kern_exec.c      Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: kern_exec.c,v 1.435 2016/07/07 06:55:43 msaitoh Exp $  */
+/*     $NetBSD: kern_exec.c,v 1.436 2016/08/06 15:13:13 maxv Exp $     */
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -59,7 +59,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.435 2016/07/07 06:55:43 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: kern_exec.c,v 1.436 2016/08/06 15:13:13 maxv Exp $");
 
 #include "opt_exec.h"
 #include "opt_execfmt.h"
@@ -122,6 +122,8 @@
 
 struct execve_data;
 
+extern int user_va0_disable;
+
 static size_t calcargs(struct execve_data * restrict, const size_t);
 static size_t calcstack(struct execve_data * restrict, const size_t);
 static int copyoutargs(struct execve_data * restrict, struct lwp *,
@@ -401,11 +403,10 @@
        /*
         * Set up default address space limits.  Can be overridden
         * by individual exec packages.
-        *
-        * XXX probably should be all done in the exec packages.
         */
-       epp->ep_vm_minaddr = VM_MIN_ADDRESS;
+       epp->ep_vm_minaddr = exec_vm_minaddr(VM_MIN_ADDRESS);
        epp->ep_vm_maxaddr = VM_MAXUSER_ADDRESS;
+
        /*
         * set up the vmcmds for creation of the process
         * address space
@@ -652,6 +653,19 @@
        return 0;
 }
 
+vaddr_t
+exec_vm_minaddr(vaddr_t va_min)
+{
+       /*
+        * Increase va_min if we don't want NULL to be mappable by the
+        * process.
+        */
+#define VM_MIN_GUARD   (2 * PAGE_SIZE)
+       if (user_va0_disable && (va_min < VM_MIN_GUARD))
+               return VM_MIN_GUARD;
+       return va_min;
+}
+
 static int
 execve_loadvm(struct lwp *l, const char *path, char * const *args,
        char * const *envs, execve_fetch_element_t fetch_element,
diff -r d7d46650d717 -r 75b0926b7181 sys/sys/exec.h
--- a/sys/sys/exec.h    Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/sys/exec.h    Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: exec.h,v 1.150 2016/01/23 14:03:48 christos Exp $      */
+/*     $NetBSD: exec.h,v 1.151 2016/08/06 15:13:14 maxv Exp $  */
 
 /*-
  * Copyright (c) 1992, 1993
@@ -250,6 +250,7 @@
  * funtions used either by execve() or the various CPU-dependent execve()
  * hooks.
  */
+vaddr_t        exec_vm_minaddr         (vaddr_t);
 void   kill_vmcmd              (struct exec_vmcmd **);
 int    exec_makecmds           (struct lwp *, struct exec_package *);
 int    exec_runcmds            (struct lwp *, struct exec_package *);
diff -r d7d46650d717 -r 75b0926b7181 sys/uvm/uvm_map.c
--- a/sys/uvm/uvm_map.c Sat Aug 06 14:54:25 2016 +0000
+++ b/sys/uvm/uvm_map.c Sat Aug 06 15:13:13 2016 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvm_map.c,v 1.340 2016/07/07 06:55:44 msaitoh Exp $    */
+/*     $NetBSD: uvm_map.c,v 1.341 2016/08/06 15:13:14 maxv Exp $       */
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.340 2016/07/07 06:55:44 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.341 2016/08/06 15:13:14 maxv Exp $");
 
 #include "opt_ddb.h"
 #include "opt_uvmhist.h"
@@ -171,7 +171,7 @@
 #undef __USER_VA0_DISABLE_DEFAULT
 #define __USER_VA0_DISABLE_DEFAULT USER_VA0_DISABLE_DEFAULT
 #endif
-static int user_va0_disable = __USER_VA0_DISABLE_DEFAULT;
+int user_va0_disable = __USER_VA0_DISABLE_DEFAULT;
 #endif
 
 /*