Commit 95f5e95f authored by Matthew Garrett's avatar Matthew Garrett Committed by James Morris

x86/msr: Restrict MSR access when the kernel is locked down

Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode.  Based on a
patch by Kees Cook.
Signed-off-by: default avatarMatthew Garrett <mjg59@google.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
cc: x86@kernel.org
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 96c4f672
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
#include <linux/notifier.h> #include <linux/notifier.h>
#include <linux/uaccess.h> #include <linux/uaccess.h>
#include <linux/gfp.h> #include <linux/gfp.h>
#include <linux/security.h>
#include <asm/cpufeature.h> #include <asm/cpufeature.h>
#include <asm/msr.h> #include <asm/msr.h>
...@@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf, ...@@ -79,6 +80,10 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
int err = 0; int err = 0;
ssize_t bytes = 0; ssize_t bytes = 0;
err = security_locked_down(LOCKDOWN_MSR);
if (err)
return err;
if (count % 8) if (count % 8)
return -EINVAL; /* Invalid chunk size */ return -EINVAL; /* Invalid chunk size */
...@@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) ...@@ -130,6 +135,9 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
err = -EFAULT; err = -EFAULT;
break; break;
} }
err = security_locked_down(LOCKDOWN_MSR);
if (err)
break;
err = wrmsr_safe_regs_on_cpu(cpu, regs); err = wrmsr_safe_regs_on_cpu(cpu, regs);
if (err) if (err)
break; break;
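Review bot: In the msr_ioctl hunk the lockdown check sits after what appears to be the user-copy failure branch (`err = -EFAULT; break;`), so on a locked-down kernel the caller's register block is still copied and a bad pointer yields -EFAULT before the policy denial. Placing `err = security_locked_down(LOCKDOWN_MSR);` ahead of that copy would make the denial the first outcome, as it already is in msr_write, where the check precedes the `count % 8` validation. Neither check carries a comment, and a short one such as `/* MSR writes can change kernel execution; refuse them under lockdown */` would record why the write paths are gated; whether the read paths are deliberately left open cannot be confirmed from these hunks. Both functions start and end outside the lines shown, so the exact position of the copy should be checked against the full file.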
......
...@@ -109,6 +109,7 @@ enum lockdown_reason { ...@@ -109,6 +109,7 @@ enum lockdown_reason {
LOCKDOWN_HIBERNATION, LOCKDOWN_HIBERNATION,
LOCKDOWN_PCI_ACCESS, LOCKDOWN_PCI_ACCESS,
LOCKDOWN_IOPORT, LOCKDOWN_IOPORT,
LOCKDOWN_MSR,
LOCKDOWN_INTEGRITY_MAX, LOCKDOWN_INTEGRITY_MAX,
LOCKDOWN_CONFIDENTIALITY_MAX, LOCKDOWN_CONFIDENTIALITY_MAX,
}; };
......
...@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = { ...@@ -24,6 +24,7 @@ static char *lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
[LOCKDOWN_HIBERNATION] = "hibernation", [LOCKDOWN_HIBERNATION] = "hibernation",
[LOCKDOWN_PCI_ACCESS] = "direct PCI access", [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
[LOCKDOWN_IOPORT] = "raw io port access", [LOCKDOWN_IOPORT] = "raw io port access",
[LOCKDOWN_MSR] = "raw MSR access",
[LOCKDOWN_INTEGRITY_MAX] = "integrity", [LOCKDOWN_INTEGRITY_MAX] = "integrity",
[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality", [LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",
}; };
......