Bug Classes/Kernel pointer leak

From Linux Kernel Security Subsystem
Revision as of 22:34, 4 November 2015 by KeesCook (talk | contribs) (Created page with "= Details = When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel ...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Details

When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation.

Examples

  • so many: /proc (kallsyms, modules, slabinfo, etc), /sys, etc
  • alpha-omega.c uses INET_DIAG to target socket structure function pointers on the heap

Mitigations

  • kptr_restrict is too weak: requires opt-in by developers
  • remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)
  • detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)