From patchwork Tue May 6 13:03:48 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Thompson X-Patchwork-Id: 29706 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-vc0-f197.google.com (mail-vc0-f197.google.com [209.85.220.197]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 2B8EC20534 for ; Tue, 6 May 2014 13:04:59 +0000 (UTC) Received: by mail-vc0-f197.google.com with SMTP id if11sf2163459vcb.8 for ; Tue, 06 May 2014 06:04:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject :date:message-id:in-reply-to:references:x-original-sender :x-original-authentication-results:precedence:mailing-list:list-id :list-post:list-help:list-archive:list-unsubscribe; bh=x5YaFjYOI7YICkQxfUY/zlR0DUBNjQ3USSE7gYMyLgU=; b=bkaz5Lz1s7nOG4mQVQMYE2s0Qes8j9MKTAHJo62C2qJOdmVZcYiFE+n8gy4K9ioEte Vhnl6+iFsYak2IQC50yCfCqn9ssNN6wtO2Qz/zDLlk5ph0UpulgBu9mNQUeK4LT+FPst Nu1xT8YLCKL8ZiAt5UcYwHFdGzJKrAeKKHm3I2Y6JsP0rf/s8qciRBU/11XgWIVprwE3 NXGNeFOOxxH2bvXsKN3jBWqvb7L28uMKtLlhoELIuWUO0elfVz2NoW2KCIvesS3d2Va2 C1eTC0cs99mIbFoYxNidxFOYliK3fKmptGzxls/F4iIQXbMLQM3SFIHWYsuO9BVsazPB tbNQ== X-Gm-Message-State: ALoCoQmQdHHOFN4l0v8c1CapTZ3Nmx5hnSCvAzVI/1Wj8gFzO9qzb3Kk0zraCHtRpY9WJ409m4wk X-Received: by 10.58.141.200 with SMTP id rq8mr1041848veb.31.1399381498977; Tue, 06 May 2014 06:04:58 -0700 (PDT) MIME-Version: 1.0 X-BeenThere: patchwork-forward@linaro.org Received: by 10.140.22.145 with SMTP id 17ls2832217qgn.21.gmail; Tue, 06 May 2014 06:04:58 -0700 (PDT) X-Received: by 10.58.216.163 with SMTP id or3mr92710vec.80.1399381498853; Tue, 06 May 2014 06:04:58 -0700 (PDT) Received: from mail-ve0-f177.google.com (mail-ve0-f177.google.com [209.85.128.177]) by mx.google.com with ESMTPS id xx5si2306045vcb.180.2014.05.06.06.04.58 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 06 May 2014 06:04:58 -0700 (PDT) Received-SPF: none (google.com: patch+caf_=patchwork-forward=linaro.org@linaro.org does not designate permitted sender hosts) client-ip=209.85.128.177; Received: by mail-ve0-f177.google.com with SMTP id db11so5672853veb.22 for ; Tue, 06 May 2014 06:04:58 -0700 (PDT) X-Received: by 10.220.5.129 with SMTP id 1mr348370vcv.71.1399381498766; Tue, 06 May 2014 06:04:58 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patches@linaro.org Received: by 10.220.221.72 with SMTP id ib8csp221768vcb; Tue, 6 May 2014 06:04:58 -0700 (PDT) X-Received: by 10.180.91.114 with SMTP id cd18mr20888416wib.28.1399381491304; Tue, 06 May 2014 06:04:51 -0700 (PDT) Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by mx.google.com with ESMTPS id hi10si4491230wib.54.2014.05.06.06.04.50 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 06 May 2014 06:04:51 -0700 (PDT) Received-SPF: none (google.com: daniel.thompson@linaro.org does not designate permitted sender hosts) client-ip=74.125.82.44; Received: by mail-wg0-f44.google.com with SMTP id a1so6534129wgh.27 for ; Tue, 06 May 2014 06:04:50 -0700 (PDT) X-Received: by 10.194.1.242 with SMTP id 18mr33268479wjp.22.1399381490690; Tue, 06 May 2014 06:04:50 -0700 (PDT) Received: from sundance.lan (cpc4-aztw19-0-0-cust157.18-1.cable.virginm.net. [82.33.25.158]) by mx.google.com with ESMTPSA id by1sm21966350wjc.26.2014.05.06.06.04.49 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 May 2014 06:04:49 -0700 (PDT) From: Daniel Thompson To: kgdb-bugreport@lists.sourceforge.net, Jason Wessel Cc: patches@linaro.org, linaro-kernel@lists.linaro.org, Anton Vorontsov , linux-kernel@vger.kernel.org, Greg Kroah-Hartman , Jiri Slaby , Steven Rostedt , Frederic Weisbecker , Ingo Molnar , John Stultz , Colin Cross , kernel-team@android.com, Daniel Thompson Subject: [PATCH v4 8/9] kdb: Add enable mask for groups of commands Date: Tue, 6 May 2014 14:03:48 +0100 Message-Id: <1399381429-16194-9-git-send-email-daniel.thompson@linaro.org> X-Mailer: git-send-email 1.9.0 In-Reply-To: <1399381429-16194-1-git-send-email-daniel.thompson@linaro.org> References: <1398443370-12668-1-git-send-email-daniel.thompson@linaro.org> <1399381429-16194-1-git-send-email-daniel.thompson@linaro.org> X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: daniel.thompson@linaro.org X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com: patch+caf_=patchwork-forward=linaro.org@linaro.org does not designate permitted sender hosts) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Precedence: list Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org List-ID: X-Google-Group-Id: 836684582541 List-Post: , List-Help: , List-Archive: List-Unsubscribe: , From: Anton Vorontsov Currently all kdb commands are enabled whenever kdb is deployed. This makes it difficult to deploy kdb to help debug certain types of systems. Android phones provide one example; the FIQ debugger found on some Android devices has a deliberately weak set of commands to allow the debugger to enabled very late in the production cycle. Certain kiosk environments offer another interesting case where an engineer might wish to probe the system state using passive inspection commands without providing sufficient power for a passer by to root it. Without any restrictions, obtaining the root rights via KDB is a matter of a few commands, and works everywhere. For example, log in as a normal user: cbou:~$ id uid=1001(cbou) gid=1001(cbou) groups=1001(cbou) Now enter KDB (for example via sysrq): Entering kdb (current=0xffff8800065bc740, pid 920) due to Keyboard Entry kdb> ps 23 sleeping system daemon (state M) processes suppressed, use 'ps A' to see all. Task Addr Pid Parent [*] cpu State Thread Command 0xffff8800065bc740 920 919 1 0 R 0xffff8800065bca20 *bash 0xffff880007078000 1 0 0 0 S 0xffff8800070782e0 init [...snip...] 0xffff8800065be3c0 918 1 0 0 S 0xffff8800065be6a0 getty 0xffff8800065b9c80 919 1 0 0 S 0xffff8800065b9f60 login 0xffff8800065bc740 920 919 1 0 R 0xffff8800065bca20 *bash All we need is the offset of cred pointers. We can look up the offset in the distro's kernel source, but it is unnecessary. We can just start dumping init's task_struct, until we see the process name: kdb> md 0xffff880007078000 0xffff880007078000 0000000000000001 ffff88000703c000 ................ 0xffff880007078010 0040210000000002 0000000000000000 .....!@......... [...snip...] 0xffff8800070782b0 ffff8800073e0580 ffff8800073e0580 ..>.......>..... 0xffff8800070782c0 0000000074696e69 0000000000000000 init............ ^ Here, 'init'. Creds are just above it, so the offset is 0x02b0. Now we set up init's creds for our non-privileged shell: kdb> mm 0xffff8800065bc740+0x02b0 0xffff8800073e0580 0xffff8800065bc9f0 = 0xffff8800073e0580 kdb> mm 0xffff8800065bc740+0x02b8 0xffff8800073e0580 0xffff8800065bc9f8 = 0xffff8800073e0580 And thus gaining the root: kdb> go cbou:~$ id uid=0(root) gid=0(root) groups=0(root) cbou:~$ bash root:~# p.s. No distro enables kdb by default (although, with a nice KDB-over-KMS feature availability, I would expect at least some would enable it), so it's not actually some kind of a major issue. Signed-off-by: Anton Vorontsov Signed-off-by: John Stultz Signed-off-by: Daniel Thompson --- include/linux/kdb.h | 1 + kernel/debug/kdb/kdb_main.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/include/linux/kdb.h b/include/linux/kdb.h index 08f9875..0872b35 100644 --- a/include/linux/kdb.h +++ b/include/linux/kdb.h @@ -125,6 +125,7 @@ extern atomic_t kdb_event; #define KDB_BADLENGTH (-19) #define KDB_NOBP (-20) #define KDB_BADADDR (-21) +#define KDB_NOPERM (-22) /* * kdb_diemsg diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c index dcf45a9..4a82dc3 100644 --- a/kernel/debug/kdb/kdb_main.c +++ b/kernel/debug/kdb/kdb_main.c @@ -12,6 +12,7 @@ */ #include +#include #include #include #include @@ -23,6 +24,7 @@ #include #include #include +#include #include #include #include @@ -42,6 +44,12 @@ #include #include "kdb_private.h" +#undef MODULE_PARAM_PREFIX +#define MODULE_PARAM_PREFIX "kdb." + +static int kdb_cmd_enabled; +module_param_named(cmd_enable, kdb_cmd_enabled, int, 0600); + #define GREP_LEN 256 char kdb_grep_string[GREP_LEN]; int kdb_grepping_flag; @@ -121,6 +129,7 @@ static kdbmsg_t kdbmsgs[] = { KDBMSG(BADLENGTH, "Invalid length field"), KDBMSG(NOBP, "No Breakpoint exists"), KDBMSG(BADADDR, "Invalid address"), + KDBMSG(NOPERM, "Permission denied"), }; #undef KDBMSG @@ -476,6 +485,15 @@ int kdbgetaddrarg(int argc, const char **argv, int *nextarg, kdb_symtab_t symtab; /* + * If the enable flags prohibit both arbitrary memory access + * and flow control then there are no reasonable grounds to + * provide symbol lookup. + */ + if (!kdb_check_flags(KDB_ENABLE_MEM_READ | KDB_ENABLE_FLOW_CTRL, + kdb_cmd_enabled, false)) + return KDB_NOPERM; + + /* * Process arguments which follow the following syntax: * * symbol | numeric-address [+/- numeric-offset] @@ -1008,6 +1026,10 @@ int kdb_parse(const char *cmdstr) if (i < kdb_max_commands) { int result; + + if (!kdb_check_flags(tp->cmd_flags, kdb_cmd_enabled, argc <= 1)) + return KDB_NOPERM; + KDB_STATE_SET(CMD); result = (*tp->cmd_func)(argc-1, (const char **)argv); if (result && ignore_errors && result > KDB_CMD_GO) @@ -1926,10 +1948,14 @@ static int kdb_rm(int argc, const char **argv) */ static int kdb_sr(int argc, const char **argv) { + bool check_mask = + !kdb_check_flags(KDB_ENABLE_ALL, kdb_cmd_enabled, false); + if (argc != 1) return KDB_ARGCOUNT; + kdb_trap_printk++; - __handle_sysrq_nolock(*argv[1], false); + __handle_sysrq_nolock(*argv[1], check_mask); kdb_trap_printk--; return 0; @@ -2380,6 +2406,8 @@ static int kdb_help(int argc, const char **argv) return 0; if (!kt->cmd_name) continue; + if (!kdb_check_flags(kt->cmd_flags, kdb_cmd_enabled, true)) + continue; if (strlen(kt->cmd_usage) > 20) space = "\n "; kdb_printf("%-15.15s %-20s%s%s\n", kt->cmd_name,