From patchwork Fri Jul 11 11:33:37 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Thompson <daniel.thompson@linaro.org>
X-Patchwork-Id: 33478
Return-Path: <patchwork-forward+bncBCAPDLF44QLBBLEY76OQKGQE5N7DEOY@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-vc0-f199.google.com (mail-vc0-f199.google.com
 [209.85.220.199])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 7CFC720672
 for <linaro@patches.linaro.org>; Fri, 11 Jul 2014 11:36:12 +0000 (UTC)
Received: by mail-vc0-f199.google.com with SMTP id ij19sf3246054vcb.10
 for <linaro@patches.linaro.org>; Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:in-reply-to:references:x-original-sender
 :x-original-authentication-results:precedence:mailing-list:list-id
 :list-post:list-help:list-archive:list-unsubscribe;
 bh=PYdIQc1cIxN9yHOsOUUukEpHlan2V4H10HrHvtwyMkc=;
 b=UU52OtfePYH1B9/hGDp1NXEFbTv4E2FjWKS3epSjfSwnXfbjxLwjw/cnYNRu6CYmHL
 pIVY5EzMxI/1IQhAhlqONCza3TVc1o32Btcf/6VFtJklZqPZ5JMMcbM0nrblN250yY1W
 XjcmTCAS90vlExhaWS3Tb82GVHVeCG/5DC8qubFljaxugMtDl/QuYOaxAtoloOo+Dh5G
 U9sK0TowB9RKyJ906xiPlfIxoV+D9oNHK4QN+9z++s5RcmFrv4mGgBGEbNQSvaleyuGk
 /ht6VUZKbYxzLi6QLPHcFzI+wimLk/4GFluqhv1enD0Usgsn/xH7nB9VChZIvZIGUMOx
 p4gQ==
X-Gm-Message-State: ALoCoQltRS1EXjo5RFumyTp5bd3rGOEWK40gEBWx6jz34XKdPc43eNEAZnWpJXVMkLYZQR6qmjeo
X-Received: by 10.58.160.232 with SMTP id xn8mr4326298veb.0.1405078572175;
 Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.38.51 with SMTP id s48ls358257qgs.64.gmail; Fri, 11 Jul
 2014 04:36:12 -0700 (PDT)
X-Received: by 10.58.46.212 with SMTP id x20mr114510vem.65.1405078572099;
 Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
Received: from mail-vc0-f180.google.com (mail-vc0-f180.google.com
 [209.85.220.180]) by mx.google.com with ESMTPS id
 fx5si1344682vec.14.2014.07.11.04.36.12
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.220.180 as permitted sender) client-ip=209.85.220.180; 
Received: by mail-vc0-f180.google.com with SMTP id im17so1711360vcb.25
 for <patchwork-forward@linaro.org>;
 Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
X-Received: by 10.52.244.35 with SMTP id xd3mr100333vdc.71.1405078572004;
 Fri, 11 Jul 2014 04:36:12 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patches@linaro.org
Received: by 10.221.37.5 with SMTP id tc5csp27726vcb;
 Fri, 11 Jul 2014 04:36:11 -0700 (PDT)
X-Received: by 10.194.187.101 with SMTP id fr5mr12553642wjc.125.1405078570995; 
 Fri, 11 Jul 2014 04:36:10 -0700 (PDT)
Received: from mail-wg0-f52.google.com (mail-wg0-f52.google.com [74.125.82.52])
 by mx.google.com with ESMTPS id q9si3642490wjq.40.2014.07.11.04.36.04
 for <patches@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Fri, 11 Jul 2014 04:36:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of daniel.thompson@linaro.org
 designates 74.125.82.52 as permitted sender)
 client-ip=74.125.82.52; 
Received: by mail-wg0-f52.google.com with SMTP id a1so181657wgh.35
 for <patches@linaro.org>; Fri, 11 Jul 2014 04:36:03 -0700 (PDT)
X-Received: by 10.180.86.225 with SMTP id s1mr4343750wiz.36.1405078563419;
 Fri, 11 Jul 2014 04:36:03 -0700 (PDT)
Received: from harvey.bri.st.com
 (LPuteaux-656-01-48-212.w82-127.abo.wanadoo.fr. [82.127.83.212])
 by mx.google.com with ESMTPSA id
 ub8sm6541984wib.0.2014.07.11.04.36.01 for <multiple recipients>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Fri, 11 Jul 2014 04:36:02 -0700 (PDT)
From: Daniel Thompson <daniel.thompson@linaro.org>
To: Jason Wessel <jason.wessel@windriver.com>
Cc: Anton Vorontsov <anton.vorontsov@linaro.org>, patches@linaro.org,
 linaro-kernel@lists.linaro.org, linux-kernel@vger.kernel.org,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 Jiri Slaby <jslaby@suse.cz>, Steven Rostedt <rostedt@goodmis.org>,
 Frederic Weisbecker <fweisbec@gmail.com>, Ingo Molnar <mingo@redhat.com>,
 John Stultz <john.stultz@linaro.org>, Colin Cross <ccross@android.com>,
 kernel-team@android.com, kgdb-bugreport@lists.sourceforge.net,
 Daniel Thompson <daniel.thompson@linaro.org>
Subject: [RESEND PATCH v5 3.16-rc4 7/8] kdb: Add enable mask for groups of
 commands
Date: Fri, 11 Jul 2014 12:33:37 +0100
Message-Id: <1405078418-14070-8-git-send-email-daniel.thompson@linaro.org>
X-Mailer: git-send-email 1.9.3
In-Reply-To: <1405078418-14070-1-git-send-email-daniel.thompson@linaro.org>
References: <1399381429-16194-1-git-send-email-daniel.thompson@linaro.org>
 <1405078418-14070-1-git-send-email-daniel.thompson@linaro.org>
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: daniel.thompson@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.220.180 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Precedence: list
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
List-ID: <patchwork-forward.linaro.org>
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>

From: Anton Vorontsov <anton.vorontsov@linaro.org>

Currently all kdb commands are enabled whenever kdb is deployed. This
makes it difficult to deploy kdb to help debug certain types of
systems.

Android phones provide one example; the FIQ debugger found on some
Android devices has a deliberately weak set of commands to allow the
debugger to enabled very late in the production cycle.

Certain kiosk environments offer another interesting case where an
engineer might wish to probe the system state using passive inspection
commands without providing sufficient power for a passer by to root it.

Without any restrictions, obtaining the root rights via KDB is a matter of
a few commands, and works everywhere. For example, log in as a normal
user:

cbou:~$ id
uid=1001(cbou) gid=1001(cbou) groups=1001(cbou)

Now enter KDB (for example via sysrq):

Entering kdb (current=0xffff8800065bc740, pid 920) due to Keyboard Entry
kdb> ps
23 sleeping system daemon (state M) processes suppressed,
use 'ps A' to see all.
Task Addr               Pid   Parent [*] cpu State Thread             Command
0xffff8800065bc740      920      919  1    0   R  0xffff8800065bca20 *bash

0xffff880007078000        1        0  0    0   S  0xffff8800070782e0  init
[...snip...]
0xffff8800065be3c0      918        1  0    0   S  0xffff8800065be6a0  getty
0xffff8800065b9c80      919        1  0    0   S  0xffff8800065b9f60  login
0xffff8800065bc740      920      919  1    0   R  0xffff8800065bca20 *bash

All we need is the offset of cred pointers. We can look up the offset in
the distro's kernel source, but it is unnecessary. We can just start
dumping init's task_struct, until we see the process name:

kdb> md 0xffff880007078000
0xffff880007078000 0000000000000001 ffff88000703c000   ................
0xffff880007078010 0040210000000002 0000000000000000   .....!@.........
[...snip...]
0xffff8800070782b0 ffff8800073e0580 ffff8800073e0580   ..>.......>.....
0xffff8800070782c0 0000000074696e69 0000000000000000   init............

^ Here, 'init'. Creds are just above it, so the offset is 0x02b0.

Now we set up init's creds for our non-privileged shell:

kdb> mm 0xffff8800065bc740+0x02b0 0xffff8800073e0580
0xffff8800065bc9f0 = 0xffff8800073e0580
kdb> mm 0xffff8800065bc740+0x02b8 0xffff8800073e0580
0xffff8800065bc9f8 = 0xffff8800073e0580

And thus gaining the root:

kdb> go
cbou:~$ id
uid=0(root) gid=0(root) groups=0(root)
cbou:~$ bash
root:~#

p.s. No distro enables kdb by default (although, with a nice KDB-over-KMS
feature availability, I would expect at least some would enable it), so
it's not actually some kind of a major issue.

Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: kgdb-bugreport@lists.sourceforge.net
---
 include/linux/kdb.h         |  1 +
 kernel/debug/kdb/kdb_main.c | 30 +++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/include/linux/kdb.h b/include/linux/kdb.h
index f1fe361..75ae2e2 100644
--- a/include/linux/kdb.h
+++ b/include/linux/kdb.h
@@ -105,6 +105,7 @@ extern atomic_t kdb_event;
 #define KDB_BADLENGTH	(-19)
 #define KDB_NOBP	(-20)
 #define KDB_BADADDR	(-21)
+#define KDB_NOPERM	(-22)
 
 /*
  * kdb_diemsg
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index 941ff97..c670fe4 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -12,6 +12,7 @@
  */
 
 #include <linux/ctype.h>
+#include <linux/types.h>
 #include <linux/string.h>
 #include <linux/kernel.h>
 #include <linux/kmsg_dump.h>
@@ -23,6 +24,7 @@
 #include <linux/vmalloc.h>
 #include <linux/atomic.h>
 #include <linux/module.h>
+#include <linux/moduleparam.h>
 #include <linux/mm.h>
 #include <linux/init.h>
 #include <linux/kallsyms.h>
@@ -42,6 +44,12 @@
 #include <linux/slab.h>
 #include "kdb_private.h"
 
+#undef	MODULE_PARAM_PREFIX
+#define	MODULE_PARAM_PREFIX "kdb."
+
+static int kdb_cmd_enabled;
+module_param_named(cmd_enable, kdb_cmd_enabled, int, 0600);
+
 #define GREP_LEN 256
 char kdb_grep_string[GREP_LEN];
 int kdb_grepping_flag;
@@ -121,6 +129,7 @@ static kdbmsg_t kdbmsgs[] = {
 	KDBMSG(BADLENGTH, "Invalid length field"),
 	KDBMSG(NOBP, "No Breakpoint exists"),
 	KDBMSG(BADADDR, "Invalid address"),
+	KDBMSG(NOPERM, "Permission denied"),
 };
 #undef KDBMSG
 
@@ -496,6 +505,15 @@ int kdbgetaddrarg(int argc, const char **argv, int *nextarg,
 	kdb_symtab_t symtab;
 
 	/*
+	 * If the enable flags prohibit both arbitrary memory access
+	 * and flow control then there are no reasonable grounds to
+	 * provide symbol lookup.
+	 */
+	if (!kdb_check_flags(KDB_ENABLE_MEM_READ | KDB_ENABLE_FLOW_CTRL,
+			     kdb_cmd_enabled, false))
+		return KDB_NOPERM;
+
+	/*
 	 * Process arguments which follow the following syntax:
 	 *
 	 *  symbol | numeric-address [+/- numeric-offset]
@@ -1028,6 +1046,10 @@ int kdb_parse(const char *cmdstr)
 
 	if (i < kdb_max_commands) {
 		int result;
+
+		if (!kdb_check_flags(tp->cmd_flags, kdb_cmd_enabled, argc <= 1))
+			return KDB_NOPERM;
+
 		KDB_STATE_SET(CMD);
 		result = (*tp->cmd_func)(argc-1, (const char **)argv);
 		if (result && ignore_errors && result > KDB_CMD_GO)
@@ -1939,10 +1961,14 @@ static int kdb_rm(int argc, const char **argv)
  */
 static int kdb_sr(int argc, const char **argv)
 {
+	bool check_mask =
+	    !kdb_check_flags(KDB_ENABLE_ALL, kdb_cmd_enabled, false);
+
 	if (argc != 1)
 		return KDB_ARGCOUNT;
+
 	kdb_trap_printk++;
-	__handle_sysrq(*argv[1], false);
+	__handle_sysrq(*argv[1], check_mask);
 	kdb_trap_printk--;
 
 	return 0;
@@ -2393,6 +2419,8 @@ static int kdb_help(int argc, const char **argv)
 			return 0;
 		if (!kt->cmd_name)
 			continue;
+		if (!kdb_check_flags(kt->cmd_flags, kdb_cmd_enabled, true))
+			continue;
 		if (strlen(kt->cmd_usage) > 20)
 			space = "\n                                    ";
 		kdb_printf("%-15.15s %-20s%s%s\n", kt->cmd_name,