Commit 02f29ab6 authored by Andrew Beggs's avatar Andrew Beggs Committed by Commit Bot

AArch64: Block PAuth key access attempts

On AArch64, a restricted ptrace call now results in an error when
trying to access PAC keys. Malicious code could derive the key via
the system call and potentially defeat any PAC control-flow
integrity checks. The ptrace call to set registers, PTRACE_SETREGSET,
is already blocked, so they cannot be changed.

Change-Id: I6954e3b038912871a964d413a305c69f8a57d543
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2438130Reviewed-by: default avatarRobert Sesek <rsesek@chromium.org>
Reviewed-by: default avatarMatthew Denton <mpdenton@chromium.org>
Commit-Queue: Richard Townsend <richard.townsend@arm.com>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#813031}
parent 1fbba037
...@@ -434,6 +434,7 @@ source_set("sandbox_services_headers") { ...@@ -434,6 +434,7 @@ source_set("sandbox_services_headers") {
"system_headers/linux_filter.h", "system_headers/linux_filter.h",
"system_headers/linux_futex.h", "system_headers/linux_futex.h",
"system_headers/linux_prctl.h", "system_headers/linux_prctl.h",
"system_headers/linux_ptrace.h",
"system_headers/linux_seccomp.h", "system_headers/linux_seccomp.h",
"system_headers/linux_signal.h", "system_headers/linux_signal.h",
"system_headers/linux_syscalls.h", "system_headers/linux_syscalls.h",
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/system_headers/linux_futex.h" #include "sandbox/linux/system_headers/linux_futex.h"
#include "sandbox/linux/system_headers/linux_prctl.h" #include "sandbox/linux/system_headers/linux_prctl.h"
#include "sandbox/linux/system_headers/linux_ptrace.h"
#include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/linux/system_headers/linux_syscalls.h"
#include "sandbox/linux/system_headers/linux_time.h" #include "sandbox/linux/system_headers/linux_time.h"
...@@ -405,20 +406,26 @@ ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) { ...@@ -405,20 +406,26 @@ ResultExpr RestrictPrlimitToGetrlimit(pid_t target_pid) {
#if !defined(OS_NACL_NONSFI) #if !defined(OS_NACL_NONSFI)
ResultExpr RestrictPtrace() { ResultExpr RestrictPtrace() {
const Arg<int> request(0); const Arg<int> request(0);
return Switch(request).CASES(( #if defined(__aarch64__)
const Arg<uintptr_t> addr(2);
#endif
return Switch(request)
.CASES((
#if !defined(__aarch64__) #if !defined(__aarch64__)
PTRACE_GETREGS, PTRACE_GETREGS, PTRACE_GETFPREGS, PTRACE_GET_THREAD_AREA,
PTRACE_GETFPREGS, PTRACE_GETREGSET,
PTRACE_GET_THREAD_AREA,
#endif #endif
#if defined(__arm__) #if defined(__arm__)
PTRACE_GETVFPREGS, PTRACE_GETVFPREGS,
#endif
PTRACE_PEEKDATA, PTRACE_ATTACH, PTRACE_DETACH),
Allow())
#if defined(__aarch64__)
.Case(
PTRACE_GETREGSET,
If(AllOf(addr != NT_ARM_PACA_KEYS, addr != NT_ARM_PACG_KEYS), Allow())
.Else(CrashSIGSYSPtrace()))
#endif #endif
PTRACE_GETREGSET,
PTRACE_PEEKDATA,
PTRACE_ATTACH,
PTRACE_DETACH),
Allow())
.Default(CrashSIGSYSPtrace()); .Default(CrashSIGSYSPtrace());
} }
#endif // defined(OS_NACL_NONSFI) #endif // defined(OS_NACL_NONSFI)
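Review bot: The aarch64-only `.Case(PTRACE_GETREGSET, If(AllOf(addr != NT_ARM_PACA_KEYS, addr != NT_ARM_PACG_KEYS), Allow()).Else(CrashSIGSYSPtrace()))` has no comment saying why these two regset types are singled out, so the rationale lives only in the commit message. A one-liner above the `#if defined(__aarch64__)` block, e.g. `// Never expose the PAuth keys via PTRACE_GETREGSET: a process that can read them can defeat PAC checks.`, keeps the intent next to the code. The separate `const Arg<uintptr_t> addr(2);` declaration would also read better with `// For PTRACE_GETREGSET the addr argument carries the NT_* regset type.` so the comparison against the NT_ARM_* constants is self-explanatory. RestrictPtrace is contained entirely within this hunk.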
...@@ -32,6 +32,7 @@ ...@@ -32,6 +32,7 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/seccomp-bpf/syscall.h" #include "sandbox/linux/seccomp-bpf/syscall.h"
#include "sandbox/linux/services/syscall_wrappers.h" #include "sandbox/linux/services/syscall_wrappers.h"
#include "sandbox/linux/system_headers/linux_ptrace.h"
#include "sandbox/linux/system_headers/linux_syscalls.h" #include "sandbox/linux/system_headers/linux_syscalls.h"
#include "sandbox/linux/system_headers/linux_time.h" #include "sandbox/linux/system_headers/linux_time.h"
#include "sandbox/linux/tests/unit_tests.h" #include "sandbox/linux/tests/unit_tests.h"
...@@ -341,6 +342,36 @@ BPF_DEATH_TEST_C( ...@@ -341,6 +342,36 @@ BPF_DEATH_TEST_C(
&iov); &iov);
} }
#if defined(__aarch64__)
BPF_DEATH_TEST_C(
ParameterRestrictions,
ptrace_getregs_nt_arm_paca_keys_blocked,
DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()),
RestrictPtracePolicy) {
user_regs_struct regs{};
iovec iov;
iov.iov_base = &regs;
iov.iov_len = sizeof(regs);
errno = 0;
ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACA_KEYS),
&iov);
}
BPF_DEATH_TEST_C(
ParameterRestrictions,
ptrace_getregs_nt_arm_pacg_keys_blocked,
DEATH_SEGV_MESSAGE(sandbox::GetPtraceErrorMessageContentForTests()),
RestrictPtracePolicy) {
user_regs_struct regs{};
iovec iov;
iov.iov_base = &regs;
iov.iov_len = sizeof(regs);
errno = 0;
ptrace(PTRACE_GETREGSET, getpid(), reinterpret_cast<void*>(NT_ARM_PACG_KEYS),
&iov);
}
#endif
} // namespace } // namespace
} // namespace sandbox } // namespace sandbox
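Review bot: The two new death tests exercise only the deny branch of the aarch64 `PTRACE_GETREGSET` case; nothing in this hunk checks that a benign regset type such as `NT_PRSTATUS` is still allowed, so an inverted comparison in the policy's `AllOf(...)` would pass these tests unnoticed — worth adding unless the file already has such coverage above the hunk. The `user_regs_struct regs{}` buffer is not the layout the kernel uses for the PAC-key regsets; since the policy is expected to kill the process before the kernel reads `iov`, a comment such as `// Buffer type is irrelevant: the sandbox must reject the request before the kernel looks at iov.` would stop a future reader from "fixing" it. The two tests differ only in the `NT_ARM_PAC*_KEYS` constant passed as addr; a small static helper taking the regset type would keep them from drifting apart.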
// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
#if !defined(NT_ARM_PACA_KEYS)
#define NT_ARM_PACA_KEYS 0x407 /* Arm pointer authentication address keys */
#define NT_ARM_PACG_KEYS 0x408 /* Arm pointer authentication generic key */
#endif
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_PTRACE_H_
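Review bot: The single `#if !defined(NT_ARM_PACA_KEYS)` guard controls both definitions, so a sysroot that defines `NT_ARM_PACA_KEYS` but not `NT_ARM_PACG_KEYS` would leave the second undefined, and the reverse would produce a redefinition warning. Guard each macro on its own: `#if !defined(NT_ARM_PACG_KEYS)` / `#define NT_ARM_PACG_KEYS 0x408 /* Arm pointer authentication generic key */` / `#endif`. A header comment noting that these values mirror the Linux UAPI `elf.h` NT_* note types, and should be checked against the sysroot's definition when it is updated, would help whoever next touches this file.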