Bug Classes/Kernel pointer leak

From Linux Kernel Security Subsystem
Revision as of 01:50, 5 November 2015 by KeesCook (talk | contribs) (→‎Details)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Details

When a kernel memory address (any of text, stack, heap, etc) leaks into userspace, attackers can learn potentially sensitive information about data layout, kernel layout, stack layout, architecture layout, etc. These can be used in turn to perform attacks where those sensitive locations are needed for a successful exploitation. If locations aren't identified correctly, an attacker could crash the entire system, which makes kernel leaks critical to successful exploitation.

Examples

  • so many: /proc (kallsyms, modules, slabinfo, etc), /sys, etc
  • alpha-omega.c uses INET_DIAG to target socket structure function pointers on the heap

Mitigations

  • kptr_restrict is too weak: requires opt-in by developers
  • remove visibility to kernel symbols (e.g. GRKERNSEC_HIDESYM)
  • detect and block usage of %p or similar writes to seq_file or other user buffers (e.g. GRKERNSEC_HIDESYM + PAX_USERCOPY)