]> git.baikalelectronics.ru Git - kernel.git/commitdiff
lockdown: also lock down previous kgdb use
authorDaniel Thompson <daniel.thompson@linaro.org>
Mon, 23 May 2022 18:11:02 +0000 (19:11 +0100)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 24 May 2022 18:29:34 +0000 (11:29 -0700)
KGDB and KDB allow read and write access to kernel memory, and thus
should be restricted during lockdown.  An attacker with access to a
serial port (for example, via a hypervisor console, which some cloud
vendors provide over the network) could trigger the debugger so it is
important that the debugger respect the lockdown mode when/if it is
triggered.

Fix this by integrating lockdown into kdb's existing permissions
mechanism.  Unfortunately kgdb does not have any permissions mechanism
(although it certainly could be added later) so, for now, kgdb is simply
and brutally disabled by immediately exiting the gdb stub without taking
any action.

For lockdowns established early in the boot (e.g. the normal case) then
this should be fine but on systems where kgdb has set breakpoints before
the lockdown is enacted than "bad things" will happen.

CVE: CVE-2022-21499
Co-developed-by: Stephen Brennan <stephen.s.brennan@oracle.com>
Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
include/linux/security.h
kernel/debug/debug_core.c
kernel/debug/kdb/kdb_main.c
security/security.c

index 25b3ef71f495e0d4cdbf389ddde905d73922a435..7fc4e9f49f542b521afb53514f1229bca0683edc 100644 (file)
@@ -121,10 +121,12 @@ enum lockdown_reason {
        LOCKDOWN_DEBUGFS,
        LOCKDOWN_XMON_WR,
        LOCKDOWN_BPF_WRITE_USER,
+       LOCKDOWN_DBG_WRITE_KERNEL,
        LOCKDOWN_INTEGRITY_MAX,
        LOCKDOWN_KCORE,
        LOCKDOWN_KPROBES,
        LOCKDOWN_BPF_READ_KERNEL,
+       LOCKDOWN_DBG_READ_KERNEL,
        LOCKDOWN_PERF,
        LOCKDOWN_TRACEFS,
        LOCKDOWN_XMON_RW,
index da06a5553835b5e443555ee6b446e93abc2c3ffe..7beceb447211d12cc3f62bfb128619507b7ff55d 100644 (file)
@@ -53,6 +53,7 @@
 #include <linux/vmacache.h>
 #include <linux/rcupdate.h>
 #include <linux/irq.h>
+#include <linux/security.h>
 
 #include <asm/cacheflush.h>
 #include <asm/byteorder.h>
@@ -752,6 +753,29 @@ cpu_master_loop:
                                continue;
                        kgdb_connected = 0;
                } else {
+                       /*
+                        * This is a brutal way to interfere with the debugger
+                        * and prevent gdb being used to poke at kernel memory.
+                        * This could cause trouble if lockdown is applied when
+                        * there is already an active gdb session. For now the
+                        * answer is simply "don't do that". Typically lockdown
+                        * *will* be applied before the debug core gets started
+                        * so only developers using kgdb for fairly advanced
+                        * early kernel debug can be biten by this. Hopefully
+                        * they are sophisticated enough to take care of
+                        * themselves, especially with help from the lockdown
+                        * message printed on the console!
+                        */
+                       if (security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL)) {
+                               if (IS_ENABLED(CONFIG_KGDB_KDB)) {
+                                       /* Switch back to kdb if possible... */
+                                       dbg_kdb_mode = 1;
+                                       continue;
+                               } else {
+                                       /* ... otherwise just bail */
+                                       break;
+                               }
+                       }
                        error = gdb_serial_stub(ks);
                }
 
index 0852a537dad4c083d651da7b80d3bbf48f181f61..ead4da947127075e825c9085ff20d69a23046dd4 100644 (file)
@@ -45,6 +45,7 @@
 #include <linux/proc_fs.h>
 #include <linux/uaccess.h>
 #include <linux/slab.h>
+#include <linux/security.h>
 #include "kdb_private.h"
 
 #undef MODULE_PARAM_PREFIX
@@ -166,10 +167,62 @@ struct task_struct *kdb_curr_task(int cpu)
 }
 
 /*
- * Check whether the flags of the current command and the permissions
- * of the kdb console has allow a command to be run.
+ * Update the permissions flags (kdb_cmd_enabled) to match the
+ * current lockdown state.
+ *
+ * Within this function the calls to security_locked_down() are "lazy". We
+ * avoid calling them if the current value of kdb_cmd_enabled already excludes
+ * flags that might be subject to lockdown. Additionally we deliberately check
+ * the lockdown flags independently (even though read lockdown implies write
+ * lockdown) since that results in both simpler code and clearer messages to
+ * the user on first-time debugger entry.
+ *
+ * The permission masks during a read+write lockdown permits the following
+ * flags: INSPECT, SIGNAL, REBOOT (and ALWAYS_SAFE).
+ *
+ * The INSPECT commands are not blocked during lockdown because they are
+ * not arbitrary memory reads. INSPECT covers the backtrace family (sometimes
+ * forcing them to have no arguments) and lsmod. These commands do expose
+ * some kernel state but do not allow the developer seated at the console to
+ * choose what state is reported. SIGNAL and REBOOT should not be controversial,
+ * given these are allowed for root during lockdown already.
+ */
+static void kdb_check_for_lockdown(void)
+{
+       const int write_flags = KDB_ENABLE_MEM_WRITE |
+                               KDB_ENABLE_REG_WRITE |
+                               KDB_ENABLE_FLOW_CTRL;
+       const int read_flags = KDB_ENABLE_MEM_READ |
+                              KDB_ENABLE_REG_READ;
+
+       bool need_to_lockdown_write = false;
+       bool need_to_lockdown_read = false;
+
+       if (kdb_cmd_enabled & (KDB_ENABLE_ALL | write_flags))
+               need_to_lockdown_write =
+                       security_locked_down(LOCKDOWN_DBG_WRITE_KERNEL);
+
+       if (kdb_cmd_enabled & (KDB_ENABLE_ALL | read_flags))
+               need_to_lockdown_read =
+                       security_locked_down(LOCKDOWN_DBG_READ_KERNEL);
+
+       /* De-compose KDB_ENABLE_ALL if required */
+       if (need_to_lockdown_write || need_to_lockdown_read)
+               if (kdb_cmd_enabled & KDB_ENABLE_ALL)
+                       kdb_cmd_enabled = KDB_ENABLE_MASK & ~KDB_ENABLE_ALL;
+
+       if (need_to_lockdown_write)
+               kdb_cmd_enabled &= ~write_flags;
+
+       if (need_to_lockdown_read)
+               kdb_cmd_enabled &= ~read_flags;
+}
+
+/*
+ * Check whether the flags of the current command, the permissions of the kdb
+ * console and the lockdown state allow a command to be run.
  */
-static inline bool kdb_check_flags(kdb_cmdflags_t flags, int permissions,
+static bool kdb_check_flags(kdb_cmdflags_t flags, int permissions,
                                   bool no_args)
 {
        /* permissions comes from userspace so needs massaging slightly */
@@ -1180,6 +1233,9 @@ static int kdb_local(kdb_reason_t reason, int error, struct pt_regs *regs,
                kdb_curr_task(raw_smp_processor_id());
 
        KDB_DEBUG_STATE("kdb_local 1", reason);
+
+       kdb_check_for_lockdown();
+
        kdb_go_count = 0;
        if (reason == KDB_REASON_DEBUG) {
                /* special case below */
index b7cf5cbfdc677a37017e1e493f76d5644365bbf0..aaf6566deb9f0e8153ab777c56b790e561d7806a 100644 (file)
@@ -59,10 +59,12 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
        [LOCKDOWN_DEBUGFS] = "debugfs access",
        [LOCKDOWN_XMON_WR] = "xmon write access",
        [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
+       [LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",
        [LOCKDOWN_INTEGRITY_MAX] = "integrity",
        [LOCKDOWN_KCORE] = "/proc/kcore access",
        [LOCKDOWN_KPROBES] = "use of kprobes",
        [LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",
+       [LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",
        [LOCKDOWN_PERF] = "unsafe use of perf",
        [LOCKDOWN_TRACEFS] = "use of tracefs",
        [LOCKDOWN_XMON_RW] = "xmon read and write access",