Commit Graph

6 Commits

Author SHA1 Message Date
linD026
cccc98ab2c
Fix disallowed cr0 write protection and close_fd (#80)
Since the commit 8dbec27a242cd3e2816eeb98d3237b9f57cf6232 [1]
(kernel version v5.3+ [2]) the sensitive CR0 bits in x86 is pinned,
we need to use the inline asm [3][4] to bypass it.

commit 8dbec27a242cd3e2816eeb98d3237b9f57cf6232 :
> With sensitive CR4 bits pinned now, it's possible that the WP bit for
> CR0 might become a target as well.
>
> Following the same reasoning for the CR4 pinning, pin CR0's WP
> bit. Contrary to the cpu feature dependend CR4 pinning this can be done
> with a constant value.

Also, getting "sys_call_table" [8] from the symbol lookup by using the address
of "close_fd" does not work for v5.11+ [5][6]. The reason is the entry of
"sys_call_table[__NR_close]" is not the address of "close_fd", actually
it is "__x64_sys_close" in x86.

Two solutions were proposed: using "kallsyms_lookup_name" [7] or just specifying
the address into the module. The symbol "kallsyms_lookup_name"  is unexported
since v5.7; the address of "sys_call_table" can be found in
"/boot/System.map" or "/proc/kallsyms".

Since v5.7, the manual symbol lookup is not guaranteed to work
because of control-flow integrity (or control-flow enforcement [9][10]) is added
[11] for x86, but it is disabled since v5.11 [12][13]. To make sure manual symbol
lookup work, it only uses up to v5.4.

Reference:
[1] 8dbec27a24
[2] https://outflux.net/blog/archives/2019/11/14/security-things-in-linux-v5-3/
[3] https://patchwork.kernel.org/project/linux-kbuild/patch/20200903203053.3411268-3-samitolvanen@google.com/
[4] https://stackoverflow.com/questions/58512430/how-to-write-to-protected-pages-in-the-linux-kernel
[5] https://lore.kernel.org/bpf/20201120231441.29911-21-ebiederm@xmission.com/
[6] https://lore.kernel.org/bpf/87blj83ysq.fsf@x220.int.ebiederm.org/
[7] 0bd476e6c6
[8] 8f27766a88
[9] https://lore.kernel.org/lkml/20200204171425.28073-1-yu-cheng.yu@intel.com/
[10] https://lore.kernel.org/linux-doc/20201110162211.9207-1-yu-cheng.yu@intel.com/T/
[11] 5790921bc1
[12] 20bf2b3787
[13] https://lore.kernel.org/bpf/20210128123842.c9e33949e62f504b84bfadf5@gmail.com/
2021-08-31 11:07:01 +08:00
fennecJ
870b26fa2d Update several example code for newer kernel
Known issues with current example code:
If you using newer kernel(e.g linux 5.11.x) to compile the example code,
you may meet following error:
1. syscall.c:83:50: error: ‘ksys_close’ undeclared;
2. cryptosk.c:17:24: error: field ‘sg’ has incomplete type
3. cryptosk.c:143:9: error: implicit declaration of function
‘get_random_bytes’
4. error: macro "DECLARE_TASKLET" passed 3 arguments, but takes just 2

Solutions/workaround:
1. In syscall.c, replace #include <linux/syscalls.h> with
#include <linux/fdtable.h> and replace  ksys_close with close_fd
if the kernel version >= 5.11. [1][2]
2. Add #include <linux/scatterlist.h> into cryptosk.c
3. Add #include <linux/random.h> into cryptosk.c
4. In bottomhalf.c and example_tasklet.c, replace DECLARE_TASKLET
with DECLARE_TASKLET_OLD and dispose third argument(0L). [3]

[1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783
[2] - https://www.mail-archive.com/meta-arago@arago-project.org//msg11939.html
[3] - https://patchwork.kernel.org/project/kernel-hardening/patch/20200716030847.1564131-3-keescook@chromium.org/
2021-08-23 21:30:43 +08:00
Jim Huang
10c7a9433a Apply editorial changes
This patch makes source listing shorter and more compact, that helps
when browsing.
2021-08-08 01:24:59 +08:00
Jim Huang
b76e5d378e Reduce header inclusion 2021-07-22 10:31:24 +08:00
Jim Huang
50b8dfe6c2 Enforce the customized style for example code
Instead of using tab for indention, the style defaults to 4 spaces for
the sake of compact layout.
2021-07-22 06:58:13 +08:00
Jim Huang
2246e20809 Add LaTeX script and sample code 2021-07-22 06:35:24 +08:00