Previously: v4.9.
Here’s a quick summary of some of the interesting security things in last week’s v4.10 release of the Linux kernel:
PAN emulation on arm64
Catalin Marinas introduced ARM64_SW_TTBR0_PAN
, which is functionally the arm64 equivalent of arm’s CONFIG_CPU_SW_DOMAIN_PAN
. While Privileged eXecute Never (PXN) has been available in ARM hardware for a while now, Privileged Access Never (PAN) will only be available in hardware once vendors start manufacturing ARMv8.1 or later CPUs. Right now, everything is still ARMv8.0, which left a bit of a gap in security flaw mitigations on ARM since CONFIG_CPU_SW_DOMAIN_PAN
can only provide PAN coverage on ARMv7 systems, but nothing existed on ARMv8.0. This solves that problem and closes a common exploitation method for arm64 systems.
thread_info relocation on arm64
As done earlier for x86, Mark Rutland has moved thread_info
off the kernel stack on arm64. With thread_info
no longer on the stack, it’s more difficult for attackers to find it, which makes it harder to subvert the very sensitive addr_limit
field.
linked list hardening
I added CONFIG_BUG_ON_DATA_CORRUPTION
to restore the original CONFIG_DEBUG_LIST
behavior that existed prior to v2.6.27 (9 years ago): if list metadata corruption is detected, the kernel refuses to perform the operation, rather than just WARN
ing and continuing with the corrupted operation anyway. Since linked list corruption (usually via heap overflows) are a common method for attackers to gain a write-what-where primitive, it’s important to stop the list add/del operation if the metadata is obviously corrupted.
seeding kernel RNG from UEFI
A problem for many architectures is finding a viable source of early boot entropy to initialize the kernel Random Number Generator. For x86, this is mainly solved with the RDRAND
instruction. On ARM, however, the solutions continue to be very vendor-specific. As it turns out, UEFI is supposed to hide various vendor-specific things behind a common set of APIs. The EFI_RNG_PROTOCOL
call is designed to provide entropy, but it can’t be called when the kernel is running. To get entropy into the kernel, Ard Biesheuvel created a UEFI config table (LINUX_EFI_RANDOM_SEED_TABLE_GUID
) that is populated during the UEFI boot stub and fed into the kernel entropy pool during early boot.
arm64 W^X detection
As done earlier for x86, Laura Abbott implemented CONFIG_DEBUG_WX on arm64. Now any dangerous arm64 kernel memory protections will be loudly reported at boot time.
64-bit get_user()
zeroing fix on arm
While the fix itself is pretty minor, I like that this bug was found through a combined improvement to the usercopy test code in lib/test_user_copy.c
. Hoeun Ryu added zeroing-on-failure testing, and I expanded the get_user()/put_user() tests to include all sizes. Neither improvement alone would have found the ARM bug, but together they uncovered a typo in a corner case.
no-new-privs visible in /proc/$pid/status
This is a tiny change, but I like being able to introspect processes externally. Prior to this, I wasn’t able to trivially answer the question “is that process setting the no-new-privs flag?” To address this, I exposed the flag in /proc/$pid/status
, as NoNewPrivs
.
Kernel Userspace Execute Prevention on powerpc
Like SMEP on x86 and PXN on ARM, Balbir Singh implemented the protection on Power9 and later PPC CPUs under CONFIG_PPC_RADIX_MMU=y
(which is the default). This means that if the kernel has a function pointer overwritten, it can no longer point into arbitrary code in userspace memory. An attacker’s ability is reduced to only using executable kernel memory, which is much less under their control (and has more limited visibility).
That’s all for now! Please let me know if you saw anything else you think needs to be called out. :) I’m already excited about the v4.11 merge window opening…
Edit: Added note about SMEP on Power9
© 2017 – 2019, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.