Skip to content

Commit 4fc265a

Browse files
keessuryasaimadhu
authored andcommitted
x86/mtrr: Require CAP_SYS_ADMIN for all access
Zhang Xiaoxu noted that physical address locations for MTRR were visible to non-root users, which could be considered an information leak. In discussing[1] the options for solving this, it sounded like just moving the capable check into open() was the first step. If this breaks userspace, then we will have a test case for the more conservative approaches discussed in the thread. In summary: - MTRR should check capabilities at open time (or retain the checks on the opener's permissions for later checks). - changing the DAC permissions might break something that expects to open mtrr when not uid 0. - if we leave the DAC permissions alone and just move the capable check to the opener, we should get the desired protection. (i.e. check against CAP_SYS_ADMIN not just the wider uid 0.) - if that still breaks things, as in userspace expects to be able to read other parts of the file as non-uid-0 and non-CAP_SYS_ADMIN, then we need to censor the contents using the opener's permissions. For example, as done in other /proc cases, like commit 51d7b12 ("/proc/iomem: only expose physical resource addresses to privileged users"). [1] https://lore.kernel.org/lkml/201911110934.AC5BA313@keescook/ Reported-by: Zhang Xiaoxu <[email protected]> Signed-off-by: Kees Cook <[email protected]> Signed-off-by: Borislav Petkov <[email protected]> Acked-by: James Morris <[email protected]> Cc: "H. Peter Anvin" <[email protected]> Cc: Colin Ian King <[email protected]> Cc: Ingo Molnar <[email protected]> Cc: [email protected] Cc: Matthew Garrett <[email protected]> Cc: Thomas Gleixner <[email protected]> Cc: Tyler Hicks <[email protected]> Cc: x86-ml <[email protected]> Cc: Thomas Gleixner <[email protected]> Link: https://lkml.kernel.org/r/201911181308.63F06502A1@keescook
1 parent 2e30dd9 commit 4fc265a

File tree

1 file changed

+2
-19
lines changed
  • arch/x86/kernel/cpu/mtrr

1 file changed

+2
-19
lines changed

arch/x86/kernel/cpu/mtrr/if.c

Lines changed: 2 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -101,9 +101,6 @@ mtrr_write(struct file *file, const char __user *buf, size_t len, loff_t * ppos)
101101
int length;
102102
size_t linelen;
103103

104-
if (!capable(CAP_SYS_ADMIN))
105-
return -EPERM;
106-
107104
memset(line, 0, LINE_SIZE);
108105

109106
len = min_t(size_t, len, LINE_SIZE - 1);
@@ -226,8 +223,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
226223
#ifdef CONFIG_COMPAT
227224
case MTRRIOC32_ADD_ENTRY:
228225
#endif
229-
if (!capable(CAP_SYS_ADMIN))
230-
return -EPERM;
231226
err =
232227
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
233228
file, 0);
@@ -236,24 +231,18 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
236231
#ifdef CONFIG_COMPAT
237232
case MTRRIOC32_SET_ENTRY:
238233
#endif
239-
if (!capable(CAP_SYS_ADMIN))
240-
return -EPERM;
241234
err = mtrr_add(sentry.base, sentry.size, sentry.type, false);
242235
break;
243236
case MTRRIOC_DEL_ENTRY:
244237
#ifdef CONFIG_COMPAT
245238
case MTRRIOC32_DEL_ENTRY:
246239
#endif
247-
if (!capable(CAP_SYS_ADMIN))
248-
return -EPERM;
249240
err = mtrr_file_del(sentry.base, sentry.size, file, 0);
250241
break;
251242
case MTRRIOC_KILL_ENTRY:
252243
#ifdef CONFIG_COMPAT
253244
case MTRRIOC32_KILL_ENTRY:
254245
#endif
255-
if (!capable(CAP_SYS_ADMIN))
256-
return -EPERM;
257246
err = mtrr_del(-1, sentry.base, sentry.size);
258247
break;
259248
case MTRRIOC_GET_ENTRY:
@@ -279,8 +268,6 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
279268
#ifdef CONFIG_COMPAT
280269
case MTRRIOC32_ADD_PAGE_ENTRY:
281270
#endif
282-
if (!capable(CAP_SYS_ADMIN))
283-
return -EPERM;
284271
err =
285272
mtrr_file_add(sentry.base, sentry.size, sentry.type, true,
286273
file, 1);
@@ -289,25 +276,19 @@ mtrr_ioctl(struct file *file, unsigned int cmd, unsigned long __arg)
289276
#ifdef CONFIG_COMPAT
290277
case MTRRIOC32_SET_PAGE_ENTRY:
291278
#endif
292-
if (!capable(CAP_SYS_ADMIN))
293-
return -EPERM;
294279
err =
295280
mtrr_add_page(sentry.base, sentry.size, sentry.type, false);
296281
break;
297282
case MTRRIOC_DEL_PAGE_ENTRY:
298283
#ifdef CONFIG_COMPAT
299284
case MTRRIOC32_DEL_PAGE_ENTRY:
300285
#endif
301-
if (!capable(CAP_SYS_ADMIN))
302-
return -EPERM;
303286
err = mtrr_file_del(sentry.base, sentry.size, file, 1);
304287
break;
305288
case MTRRIOC_KILL_PAGE_ENTRY:
306289
#ifdef CONFIG_COMPAT
307290
case MTRRIOC32_KILL_PAGE_ENTRY:
308291
#endif
309-
if (!capable(CAP_SYS_ADMIN))
310-
return -EPERM;
311292
err = mtrr_del_page(-1, sentry.base, sentry.size);
312293
break;
313294
case MTRRIOC_GET_PAGE_ENTRY:
@@ -410,6 +391,8 @@ static int mtrr_open(struct inode *inode, struct file *file)
410391
return -EIO;
411392
if (!mtrr_if->get)
412393
return -ENXIO;
394+
if (!capable(CAP_SYS_ADMIN))
395+
return -EPERM;
413396
return single_open(file, mtrr_seq_show, NULL);
414397
}
415398

0 commit comments

Comments
 (0)