From a712392b88b3cbc8385fd97be87a43db2ad7ecf0 Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Wed, 2 Oct 2019 01:22:17 +0200 Subject: [PATCH] add CONFIG for unprivileged_userfaultfd When disabled, unprivileged users will not be able to use the userfaultfd syscall. Userfaultfd provide attackers with a way to stall a kernel thread in the middle of memory accesses from userspace by initiating an access on an unmapped page. To avoid various heap grooming and heap spraying techniques for exploiting use-after-free flaws this should be disabled by default. This setting can be overridden at runtime via the vm.unprivileged_userfaultfd sysctl. Signed-off-by: Levente Polyak --- fs/userfaultfd.c | 4 ++++ init/Kconfig | 17 +++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 37df7c9eedb15..97e21b2c26708 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -28,7 +28,11 @@ #include #include +#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED int sysctl_unprivileged_userfaultfd __read_mostly = 1; +#else +int sysctl_unprivileged_userfaultfd __read_mostly; +#endif static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly; diff --git a/init/Kconfig b/init/Kconfig index c8d235ed08471..83b01b09952eb 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -1661,6 +1661,23 @@ config USERFAULTFD Enable the userfaultfd() system call that allows to intercept and handle page faults in userland. +config USERFAULTFD_UNPRIVILEGED + bool "Allow unprivileged users to use the userfaultfd syscall" + depends on USERFAULTFD + default n + help + When disabled, unprivileged users will not be able to use the userfaultfd + syscall. Userfaultfd provide attackers with a way to stall a kernel + thread in the middle of memory accesses from userspace by initiating an + access on an unmapped page. To avoid various heap grooming and heap + spraying techniques for exploiting use-after-free flaws this should be + disabled by default. + + This setting can be overridden at runtime via the + vm.unprivileged_userfaultfd sysctl. + + If unsure, say N. + config ARCH_HAS_MEMBARRIER_CALLBACKS bool