
security things in Linux v5.10 « codeblog


Previously: v5.9

Linux v5.10 was released in December, 2020. Here's my summary of various security things that I found interesting:

AMD SEV-ES
While guest VM memory encryption with AMD SEV has been supported for a while, Joerg Roedel, Thomas Lendacky, and others added register state encryption (SEV-ES). This means it's even harder for a VM host to reconstruct a guest VM's state.

x86 static calls
Josh Poimboeuf and Peter Zijlstra implemented static calls for x86, which operate very similarly to the "static branch" infrastructure in the kernel. With static branches, an if/else choice can be hard-coded, instead of being evaluated at run-time every time. Such branches can be updated too (the kernel just rewrites the code to switch around the "branch"). All these principles apply to static calls as well, but they're for replacing indirect function calls (i.e. a call through a function pointer) with a direct call (i.e. a hard-coded call address). This eliminates the need for Spectre mitigations (e.g. RETPOLINE) for these indirect calls, and avoids a memory lookup for the pointer. For hot-path code (like the scheduler), this has a measurable performance impact. It also serves as a kind of Control Flow Integrity implementation: an indirect call got removed, and the potential destinations have been explicitly identified at compile-time.
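To make the Control Flow Integrity point concrete, here is an added user-space model (not kernel code, and not the kernel's DEFINE_STATIC_CALL()/static_call()/static_call_update() implementation, which rewrites the call instruction itself). The hook names and the switch-based dispatch are this example's own assumptions; what it reproduces is the property the paragraph describes: the reachable targets are enumerated at compile time, and an "update" to anything outside that set is refused, whereas a plain function pointer would be followed wherever it points.

```c
/*
 * Added example (not kernel code): user-space model of the CFI-like
 * property of static calls. The kernel patches the call site directly;
 * this model only keeps the consequence: a fixed, compile-time-known set
 * of destinations, and validated updates.
 */
#include <stdio.h>

/* Two hypothetical hook implementations (names are assumptions). */
static int hook_baseline(int x) { return x + 1; }
static int hook_fast(int x)     { return x * 2; }

/* Every legal destination of the "static call" is enumerated here. */
enum hook_target { HOOK_BASELINE, HOOK_FAST, HOOK_TARGET_COUNT };

static enum hook_target current_target = HOOK_BASELINE;

/* The call site: a direct dispatch, no function pointer loaded at run time. */
int hook_call(int x)
{
    switch (current_target) {
    case HOOK_BASELINE: return hook_baseline(x);
    case HOOK_FAST:     return hook_fast(x);
    default:            return -1;   /* unreachable while updates are validated */
    }
}

/* Model of static_call_update(): only an enumerated target is accepted. */
int hook_update(int target)
{
    if (target < 0 || target >= HOOK_TARGET_COUNT)
        return -1;                   /* refuse: not a compile-time-known target */
    current_target = (enum hook_target)target;
    return 0;
}

/* Contrast: an ordinary indirect call jumps wherever the pointer says,
 * which is exactly what RETPOLINE-style mitigations and CFI have to defend. */
typedef int (*hook_fn)(int);
static hook_fn indirect_hook = hook_baseline;
int indirect_call(int x) { return indirect_hook(x); }

int main(void)
{
    printf("baseline: %d\n", hook_call(20));           /* 21 */
    hook_update(HOOK_FAST);
    printf("fast: %d\n", hook_call(20));               /* 40 */
    printf("bogus update: %d\n", hook_update(42));     /* -1, state unchanged */
    printf("indirect: %d\n", indirect_call(20));       /* 21 */
    return 0;
}
```

The rejected update is the whole point: with a function pointer, a corrupted value becomes a control-flow hijack; with the static call model, a value outside the enumerated set has no code path to reach.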

network RNG improvements
In an effort to improve the pseudo-random number generator used by the network subsystem (for things like port numbers and packet sequence numbers), Linux's home-grown pRNG has been replaced by the SipHash round function, and perturbed by (hopefully) hard-to-predict internal kernel states. This should make it very hard to brute force the internal state of the pRNG and make predictions about future random numbers just from examining network traffic. Similarly, ICMP's global rate limiter was adjusted to avoid leaking details of network state, as a start to fixing recent DNS Cache Poisoning attacks.
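For readers who have not seen the primitive, here is an added stand-alone SipHash-2-4 in C (this is not the kernel's lib/siphash.c, and it is not the network pRNG itself, which also mixes in per-CPU state). It follows the algorithm from the SipHash paper and checks itself against two of the paper's reference vectors. The connection tuple in main() is a constructed sample, and keyed_token() is this example's own helper, used only to show that outputs from two keys share nothing an observer could exploit.

```c
/*
 * Added example (not kernel code): SipHash-2-4 as specified in the
 * SipHash paper. A keyed PRF with a 128-bit key: observing outputs does
 * not reveal the key, so future outputs cannot be predicted.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROTL64(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))

/* One SipRound over the four 64-bit state words. */
#define SIPROUND(v0, v1, v2, v3)                                           \
    do {                                                                   \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);      \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                           \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                           \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);      \
    } while (0)

static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4: 2 compression rounds per 8-byte block, 4 finalization rounds. */
uint64_t siphash24(const uint8_t *msg, size_t len, const uint8_t key[16])
{
    uint64_t k0 = load_le64(key), k1 = load_le64(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;   /* "somepseu" */
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;   /* "dorandom" */
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;   /* "lygenera" */
    uint64_t v3 = 0x7465646279746573ULL ^ k1;   /* "tedbytes" */
    size_t i = 0;

    for (; i + 8 <= len; i += 8) {
        uint64_t m = load_le64(msg + i);
        v3 ^= m;
        SIPROUND(v0, v1, v2, v3);
        SIPROUND(v0, v1, v2, v3);
        v0 ^= m;
    }

    /* Final block: leftover bytes, with the message length in the top byte. */
    uint64_t last = (uint64_t)len << 56;
    for (size_t j = 0; i + j < len; j++)
        last |= (uint64_t)msg[i + j] << (8 * j);
    v3 ^= last;
    SIPROUND(v0, v1, v2, v3);
    SIPROUND(v0, v1, v2, v3);
    v0 ^= last;

    v2 ^= 0xff;
    for (int r = 0; r < 4; r++)
        SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Self-test against the paper's vectors: key = 00 01 .. 0f. */
int siphash_selftest(void)
{
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(key, 0, key) == 0x726fdb47dd0e0e31ULL   /* empty message */
        && siphash24(msg, 15, key) == 0xa129ca6149be45e5ULL; /* 00..0e */
}

/* Example helper (this example's own): a keyed 64-bit token for a
 * constructed 4-tuple, the kind of input a sequence-number generator hashes. */
uint64_t keyed_token(const uint8_t key[16], uint32_t saddr, uint32_t daddr,
                     uint16_t sport, uint16_t dport)
{
    uint8_t tuple[12];
    for (int i = 0; i < 4; i++) tuple[i]     = (uint8_t)(saddr >> (8 * i));
    for (int i = 0; i < 4; i++) tuple[4 + i] = (uint8_t)(daddr >> (8 * i));
    tuple[8] = (uint8_t)sport; tuple[9] = (uint8_t)(sport >> 8);
    tuple[10] = (uint8_t)dport; tuple[11] = (uint8_t)(dport >> 8);
    return siphash24(tuple, sizeof tuple, key);
}

int main(void)
{
    uint8_t k1[16] = {0}, k2[16] = {0};
    k2[0] = 1;                                   /* keys differ in one bit */
    printf("selftest: %s\n", siphash_selftest() ? "ok" : "FAIL");
    printf("token k1: %016llx\n", (unsigned long long)keyed_token(k1, 0x0a000001, 0x0a000002, 40000, 53));
    printf("token k2: %016llx\n", (unsigned long long)keyed_token(k2, 0x0a000001, 0x0a000002, 40000, 53));
    return 0;
}
```

The 16-byte key is the secret that an on-path observer would have to recover; a one-bit change in it gives unrelated output, which is why the paragraph's brute-force attack becomes impractical once the generator is keyed this way.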

SafeSetID handles GID
Thomas Cedeno improved the SafeSetID LSM to handle group IDs (which required teaching the kernel about which syscalls were actually performing setgid.) Like the earlier setuid policy, this lets the system owner define an explicit list of allowed group ID transitions under CAP_SETGID (instead of to just any group), providing a way to keep the power of granting this capability much more limited. (This isn't complete yet, though, since handling setgroups() is still needed.)

improve kernel's internal checking of file contents
The kernel provides LSMs (like the Integrity subsystem) with details about files as they're loaded. (For example, loading modules, new kernel images for kexec, and firmware.) There wasn't very good coverage for cases where the contents were coming from things that weren't files. To deal with this, new hooks were added that allow the LSMs to introspect the contents directly, and to do partial reads. This will give the LSMs much finer grain visibility into these kinds of operations.

set_fs removal continues
With the earlier work landed to free the core kernel code from set_fs(), Christoph Hellwig made it possible for set_fs() to be optional for an architecture. Subsequently, he then removed set_fs() entirely for x86, riscv, and powerpc. These architectures will now be free from the entire class of "kernel address limit" attacks that only needed to corrupt a single value in struct thread_info.

sysfs_emit() replaces sprintf() in /sys
Joe Perches tackled one of the most common bug classes with sprintf() and snprintf() in /sys handlers by creating a new helper, sysfs_emit(). This will handle the cases where kernel code was not correctly dealing with the length results from sprintf() calls, which might lead to buffer overflows in the PAGE_SIZE buffer that /sys handlers operate on. With the helper in place, it was possible to start the refactoring of the many sprintf() callers.
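To show the bug class rather than just name it, here is an added user-space model (not kernel code; model_sysfs_emit_at() imitates what sysfs_emit_at() does but is this example's own implementation, and the 64-byte page and the "item" handler are constructed). The buggy handler uses the classic `len += snprintf(buf + len, PAGE_SIZE - len, ...)` pattern, which miscounts because snprintf() returns the length the output would have had, not what it wrote; the fixed handler uses the clamped helper and can never report more than the page holds.

```c
/*
 * Added example (not kernel code): the sprintf()/snprintf() length bug in
 * /sys show() handlers, and the sysfs_emit()-style fix. A show() handler
 * writes into a page-sized buffer and returns how many bytes it emitted;
 * the sysfs core then copies that many bytes to user space.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 64      /* tiny on purpose so the overshoot is easy to hit */

static char demo_page[MODEL_PAGE_SIZE];   /* stands in for the /sys page buffer */

/*
 * Model of sysfs_emit_at(): format at offset 'at', never past the page,
 * and return the bytes actually written (excluding the NUL), like scnprintf().
 */
int model_sysfs_emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list args;
    int written;

    if (at < 0 || at >= MODEL_PAGE_SIZE)
        return 0;

    va_start(args, fmt);
    written = vsnprintf(buf + at, (size_t)(MODEL_PAGE_SIZE - at), fmt, args);
    va_end(args);

    if (written < 0)
        return 0;
    if (written >= MODEL_PAGE_SIZE - at)     /* output was truncated: clamp */
        written = MODEL_PAGE_SIZE - at - 1;
    return written;
}

/* Buggy handler: the common pattern before sysfs_emit(). */
int show_items_buggy(char *buf, int n)
{
    int len = 0;
    for (int i = 0; i < n; i++) {
        /* snprintf() returns the length the output WOULD have had. */
        len += snprintf(buf + len, (size_t)(MODEL_PAGE_SIZE - len), "item-%d\n", i);
        /*
         * Demo guard, not part of the bug: real handlers kept looping. Once
         * len exceeds the page, MODEL_PAGE_SIZE - len goes negative, becomes
         * a huge size_t bound, and the next call writes past the page.
         * We stop here instead of corrupting memory.
         */
        if (len >= MODEL_PAGE_SIZE)
            break;
    }
    return len;   /* can exceed the page: the core would then read past it */
}

/* Fixed handler: every write is clamped, and len is the true byte count. */
int show_items_fixed(char *buf, int n)
{
    int len = 0;
    for (int i = 0; i < n; i++)
        len += model_sysfs_emit_at(buf, len, "item-%d\n", i);
    return len;   /* never more than MODEL_PAGE_SIZE - 1 */
}

int main(void)
{
    printf("buggy reports %d bytes for a %d-byte page\n",
           show_items_buggy(demo_page, 20), MODEL_PAGE_SIZE);
    printf("fixed reports %d bytes, strlen %zu\n",
           show_items_fixed(demo_page, 20), strlen(demo_page));
    return 0;
}
```

With twenty 7- and 8-byte items and a 64-byte page, the buggy handler reports 70 bytes, so the caller would hand the reader 6 bytes beyond the buffer; the fixed handler stops at 63 and its count matches the string actually in the page.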

nosymfollow mount option
Mattias Nissler and Ross Zwisler implemented the nosymfollow mount option. This entirely disables symlink resolution for the given filesystem, similar to other mount options where noexec disallows execve(), nosuid disallows setid bits, and nodev disallows device files. Quoting the patch, it is "useful as a defensive measure for systems that need to deal with untrusted file systems in privileged contexts." (i.e. for when /proc/sys/fs/protected_symlinks isn't a big enough hammer.) Chrome OS uses this option for its stateful filesystem, as symlink traversal has been a frequent attack-persistence vector.

ARMv8.5 Memory Tagging Extension support
Vincenzo Frascino added support to arm64 for the coming Memory Tagging Extension, which will be available for ARMv8.5 and later chips. It provides 4 bits of tags (covering multiples of 16 byte spans of the address space). This is enough to deterministically eliminate all linear heap buffer overflow flaws (1 tag for "free", and then rotate even values and odd values for neighboring allocations), which will be one of the most common bugs being currently exploited. It also makes use-after-free and over/under indexing much more difficult for attackers (but still possible if the target's tag bits can be exposed). Maybe some day we can switch to 128 bit virtual memory addresses and have fully versioned allocations. But for now, 16 tag values is better than none, though we do still need to wait for anyone to actually be shipping ARMv8.5 hardware.
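Here is an added software model of the tagging scheme (this is not real MTE and not the kernel's arm64 code; the heap, allocator, granule table and tagged-pointer struct are all this example's constructions). It keeps the parts that matter for the deterministic claim: 16-byte granules, a 4-bit tag per granule, tag 0 reserved for free memory, and alternating even/odd tags for consecutive allocations so neighbours never share a tag. A store is permitted only when the pointer's tag matches the granule's tag, which is what the hardware check enforces.

```c
/*
 * Added example (not kernel code, not real MTE): a software model of
 * 4-bit memory tagging on 16-byte granules. Real MTE keeps the pointer's
 * tag in the top byte of the address and faults on mismatch; here a tagged
 * pointer is a struct and a mismatch returns -1.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRANULE   16
#define NGRANULES 16
#define HEAP_SIZE (GRANULE * NGRANULES)
#define TAG_FREE  0                         /* the one tag reserved for free memory */

static uint8_t heap[HEAP_SIZE];             /* constructed toy heap */
static uint8_t granule_tag[NGRANULES];      /* 4-bit tag per granule (all free at start) */
static size_t  next_granule;                /* bump allocator, no reuse */
static int     next_parity;                 /* 0: even tags, 1: odd tags */

struct tptr { size_t off; uint8_t tag; };   /* offset into heap + pointer tag */

/* Rotate through even tags 2..14 or odd tags 1..15, never TAG_FREE. */
static uint8_t pick_tag(int parity)
{
    static uint8_t even_next = 2, odd_next = 1;
    uint8_t t;
    if (parity == 0) { t = even_next; even_next = (uint8_t)(even_next == 14 ? 2 : even_next + 2); }
    else             { t = odd_next;  odd_next  = (uint8_t)(odd_next  == 15 ? 1 : odd_next  + 2); }
    return t;
}

/* Allocate whole granules and tag them; returns tag TAG_FREE on failure. */
struct tptr tag_alloc(size_t size)
{
    size_t n = (size + GRANULE - 1) / GRANULE;
    struct tptr p = { 0, TAG_FREE };
    if (n == 0 || next_granule + n > NGRANULES)
        return p;
    p.off = next_granule * GRANULE;
    p.tag = pick_tag(next_parity);
    next_parity ^= 1;                        /* the neighbour gets the other parity */
    for (size_t i = 0; i < n; i++)
        granule_tag[next_granule + i] = p.tag;
    next_granule += n;
    return p;
}

/* Freeing retags the granules as free, so the old pointer's tag goes stale. */
void tag_free(struct tptr p, size_t size)
{
    size_t n = (size + GRANULE - 1) / GRANULE;
    for (size_t i = 0; i < n; i++)
        granule_tag[p.off / GRANULE + i] = TAG_FREE;
}

/* Checked store: 0 on success, -1 where the hardware would raise a tag fault. */
int tag_store(struct tptr p, size_t index, uint8_t value)
{
    size_t addr = p.off + index;
    if (addr >= HEAP_SIZE || granule_tag[addr / GRANULE] != p.tag)
        return -1;
    heap[addr] = value;
    return 0;
}

/* Scenario: two adjacent 32-byte buffers, a one-byte linear overflow, and a
 * use-after-free. Returns 1 if the model behaves as the text describes. */
int demo_tagging(void)
{
    struct tptr a = tag_alloc(32), b = tag_alloc(32);
    int in_bounds = tag_store(a, 31, 0xAA);   /* last byte of a: allowed */
    int overflow  = tag_store(a, 32, 0xBB);   /* first byte of b: tag mismatch */
    int b_write   = tag_store(b, 0, 0xCC);    /* b through its own pointer: allowed */
    tag_free(b, 32);
    int uaf       = tag_store(b, 0, 0xDD);    /* b's tag is now stale: mismatch */
    return a.tag != b.tag && in_bounds == 0 && overflow == -1 && b_write == 0 && uaf == -1;
}

int main(void)
{
    printf("tagging model behaves as described: %s\n", demo_tagging() ? "yes" : "no");
    return 0;
}
```

The overflow is caught on the first byte past the allocation regardless of its contents, which is the deterministic property; the use-after-free is caught only because the pointer still carries the old tag, which is why the text notes that leaking tag bits weakens that second guarantee.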

fixes for flaws found by UBSAN
The work to make UBSAN generally usable under syzkaller continues to bear fruit, with various fixes all over the kernel for stuff like shift-out-of-bounds, divide-by-zero, and integer overflow. Seeing these kinds of patches land reinforces the rationale of moving the burden of these kinds of checks to the toolchain: these run-time bugs continue to pop up.

flexible array conversions
The work on flexible array conversions continues. Gustavo A. R. Silva and others continued to grind on the conversions, getting the kernel ever closer to being able to enable the -Warray-bounds compiler flag and clear the path for saner bounds checking of array indexes and memcpy() usage.
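As an added illustration of both this item and the integer-overflow fixes from the UBSAN item above (this is user-space C written for this page, not kernel code): the "before" struct uses a one-element array as a fake flexible array, which leaves the compiler unable to bound data[], while the "after" struct uses a real C99 flexible array member and computes its allocation size with overflow-checked arithmetic. The kernel's struct_size() helper exists and does the same kind of checking; check_struct_size(), msg_alloc() and msg_set() here are this example's own names.

```c
/*
 * Added example (not kernel code): fake vs. real flexible array members,
 * and an overflow-checked size computation for the real one.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Before: sizeof() already counts one element, and -Warray-bounds cannot
 * tell a legitimate data[5] from an out-of-bounds one. */
struct old_msg {
    uint32_t count;
    uint32_t data[1];
};

/* After: a true flexible array member; sizeof() excludes data[] entirely. */
struct msg {
    uint32_t count;
    uint32_t data[];
};

/*
 * sizeof(struct msg) + n * sizeof(uint32_t), refusing to wrap. Returns 0 on
 * overflow; a plain multiply here is exactly the kind of integer overflow
 * UBSAN keeps catching.
 */
size_t check_struct_size(size_t n)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, sizeof(uint32_t), &bytes))
        return 0;
    if (__builtin_add_overflow(bytes, sizeof(struct msg), &bytes))
        return 0;
    return bytes;
}

/* Allocate a message with n entries, or NULL if the size would overflow. */
struct msg *msg_alloc(size_t n)
{
    size_t bytes = check_struct_size(n);
    struct msg *m;
    if (bytes == 0 || n > UINT32_MAX)
        return NULL;
    m = calloc(1, bytes);
    if (m)
        m->count = (uint32_t)n;
    return m;
}

/* Bounds-checked store against the recorded count. */
int msg_set(struct msg *m, size_t i, uint32_t v)
{
    if (i >= m->count)
        return -1;
    m->data[i] = v;
    return 0;
}

/* Returns 1 if sizes and checks behave as described. */
int demo_flex(void)
{
    struct msg *m = msg_alloc(4);
    int ok = m != NULL
          && sizeof(struct msg) == sizeof(uint32_t)          /* 4: header only */
          && sizeof(struct old_msg) == 2 * sizeof(uint32_t)  /* 8: hidden element */
          && msg_set(m, 3, 42) == 0                          /* last valid index */
          && msg_set(m, 4, 42) == -1                         /* one past the end */
          && msg_alloc(SIZE_MAX / 2) == NULL;                /* n * 4 would wrap */
    free(m);
    return ok;
}

int main(void)
{
    printf("sizeof(old_msg)=%zu sizeof(msg)=%zu demo=%s\n",
           sizeof(struct old_msg), sizeof(struct msg), demo_flex() ? "ok" : "FAIL");
    return 0;
}
```

The size difference is why conversions are not purely cosmetic: code that allocated `sizeof(struct old_msg) + n * sizeof(uint32_t)` was over-allocating by one element, and code that got it "right" by subtracting one element back out is exactly what the compiler could not check.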

That's it for now! Please let me know if you think anything else needs some attention. Next up is Linux v5.11.

© 2022, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
