From a60a3785ad5e14b0143b588e218efa0819f004c2 Mon Sep 17 00:00:00 2001
From: Levente Polyak
Date: Wed, 2 Oct 2019 01:22:17 +0200
Subject: [PATCH] add CONFIG for unprivileged_userfaultfd
When disabled, unprivileged users will not be able to use the userfaultfd syscall. Userfaultfd provide attackers with a way to stall a kernel thread in the middle of memory accesses from userspace by initiating an access on an unmapped page. To avoid various heap grooming and heap spraying techniques for exploiting use-after-free flaws this should be disabled by default. This setting can be overridden at runtime via the vm.unprivileged_userfaultfd sysctl.
Signed-off-by: Levente Polyak
---
 fs/userfaultfd.c | 4 ++++
 init/Kconfig | 17 +++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 7408534653562..56d2e6966980c 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -28,7 +28,11 @@
 #include
 #include
+#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED
 int sysctl_unprivileged_userfaultfd __read_mostly = 1;
+#else
+int sysctl_unprivileged_userfaultfd __read_mostly;
+#endif
 static struct kmem_cache *userfaultfd_ctx_cachep __read_mostly;
diff --git a/init/Kconfig b/init/Kconfig
index 9c0b8dcfb4fd2..54786890b3e75 100644
--- a/init/Kconfig
+++ b/init/Kconfig
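Review bot: The `#ifdef CONFIG_USERFAULTFD_UNPRIVILEGED` / `#else` / `#endif` around the definition of `sysctl_unprivileged_userfaultfd` is a preprocessor conditional in a .c file where a constant expression does the job, which kernel style prefers; `IS_ENABLED()` evaluates to 0 or 1 and can initialise the variable in one line, `int sysctl_unprivileged_userfaultfd __read_mostly = IS_ENABLED(CONFIG_USERFAULTFD_UNPRIVILEGED);`. That also makes the disabled-case default explicit instead of relying on the implicit zero of an uninitialised `.bss` global. Note that this hunk only changes the boot-time default: the `vm.unprivileged_userfaultfd` sysctl named in the commit message presumably stays writable, so a hardened build can still be flipped back at runtime by whoever may write sysctls. The code that consumes this value (the capability check at syscall entry) is outside the hunk, so which privileged callers remain exempt when the option is off is not visible here.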
@@ -1650,6 +1650,23 @@ config USERFAULTFD
 Enable the userfaultfd() system call that allows to intercept and handle page faults in userland.
+config USERFAULTFD_UNPRIVILEGED
+ bool "Allow unprivileged users to use the userfaultfd syscall"
+ depends on USERFAULTFD
+ default n
+ help
+ When disabled, unprivileged users will not be able to use the userfaultfd
+ syscall. Userfaultfd provide attackers with a way to stall a kernel
+ thread in the middle of memory accesses from userspace by initiating an
+ access on an unmapped page. To avoid various heap grooming and heap
+ spraying techniques for exploiting use-after-free flaws this should be
+ disabled by default.
+
+ This setting can be overridden at runtime via the
+ vm.unprivileged_userfaultfd sysctl.
+
+ If unsure, say N.
+
 config ARCH_HAS_MEMBARRIER_CALLBACKS
 bool
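Review bot: The new help text carries a grammatical slip in its second sentence, `Userfaultfd provide attackers` should read `Userfaultfd provides attackers`, and the same sentence is repeated verbatim in the commit message. `default n` is already the implicit default for a `bool` symbol and checkpatch reports it as redundant, so that line can simply be dropped. The help says unprivileged users "will not be able to use the userfaultfd syscall" but does not name the privilege that still grants access; the check lives in fs/userfaultfd.c outside this hunk, so whichever capability it tests is worth stating here so administrators know the exact boundary they are configuring. It would also help to say plainly that this option sets only the boot-time default and, because the `vm.unprivileged_userfaultfd` sysctl remains writable, does not prevent the knob from being re-enabled at runtime.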