WSL2-Linux-Kernel/arch/riscv
Stefan O'Rear dff6072124 riscv: process: Fix kernel gp leakage
commit d14fa1fcf69db9d070e75f1c4425211fa619dfc8 upstream.

childregs represents the registers which are active for the new thread
in user context. For a kernel thread, childregs->gp is never used since
the kernel gp is not touched by switch_to. For a user mode helper, the
gp value can be observed in user space after execve or possibly by other
means.

[From the email thread]

The /* Kernel thread */ comment is somewhat inaccurate in that it is also used
for user_mode_helper threads, which exec a user process, e.g. /sbin/init or
when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have
PF_KTHREAD set and are valid targets for ptrace etc. even before they exec.

childregs is the *user* context during syscall execution and it is observable
from userspace in at least five ways:

1. kernel_execve does not currently clear integer registers, so the starting
   register state for PID 1 and other user processes started by the kernel has
   sp = user stack, gp = kernel __global_pointer$, all other integer registers
   zeroed by the memset in the patch comment.

   This is a bug in its own right, but I'm unwilling to bet that it is the only
   way to exploit the issue addressed by this patch.

2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread
   before it execs, but ptrace requires SIGSTOP to be delivered which can only
   happen at user/kernel boundaries.

3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for
   user_mode_helpers before the exec completes, but gp is not one of the
   registers it returns.

4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel
   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses
   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under
   LOCKDOWN_PERF. I have not attempted to write exploit code.

5. Much of the tracing infrastructure allows access to user registers. I have
   not attempted to determine which forms of tracing allow access to user
   registers without already allowing access to kernel registers.

Fixes: 7db91e57a0 ("RISC-V: Task implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Stefan O'Rear <sorear@fastmail.com>
Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20240327061258.2370291-1-sorear@fastmail.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-04-10 16:19:42 +02:00
..
boot riscv: dts: sifive: add missing #interrupt-cells to pmic 2024-03-26 18:21:12 -04:00
configs RISC-V: defconfigs: Set CONFIG_FB=y, for FB console 2022-07-12 16:34:54 +02:00
errata
include riscv: Fix spurious errors from __get/put_kernel_nofault 2024-04-10 16:19:42 +02:00
kernel riscv: process: Fix kernel gp leakage 2024-04-10 16:19:42 +02:00
lib riscv: uaccess: Return the number of bytes effectively not copied 2023-08-26 14:23:36 +02:00
mm riscv: mm: fix truncation warning on RV32 2023-07-23 13:47:45 +02:00
net riscv, bpf: Sign-extend return values 2023-10-19 23:05:34 +02:00
Kbuild
Kconfig riscv: fix kprobe __user string arg print fault issue 2023-06-14 11:13:09 +02:00
Kconfig.debug
Kconfig.erratas riscv: alternative only works on !XIP_KERNEL 2022-03-16 14:23:42 +01:00
Kconfig.socs riscv: alternative only works on !XIP_KERNEL 2022-03-16 14:23:42 +01:00
Makefile riscv: Handle zicsr/zifencei issues between clang and binutils 2023-03-30 12:47:59 +02:00