oss-sec mailing list archives
CVE-2022-21505: Kernel lockdown bypass bug
From: John Haxby <john.haxby () oracle com>
Date: Tue, 19 Jul 2022 17:02:12 +0000
Hello All, We recently discovered a bug that allows linux kernel lockdown to be trivially bypassed using IMA. See the patch, below, for more details. This has been assigned CVE-2022-21505. I've included the patch, below, but it has been sent upstream and you'll probably want to pull it from the repos on kernel.org. jch ~~~ The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. This LSM may also be used on machines without UEFI. It can also be enabled when UEFI Secure Boot is disabled. One of lockdown's features is to prevent kexec from loading untrusted kernels. Lockdown can be enabled through a bootparam or after the kernel has booted through securityfs. If IMA appraisal is used with the "ima_appraise=log" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=log" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. To defeat lockdown, boot without Secure Boot and add ima_appraise=log to the kernel command line; then: $ echo "integrity" > /sys/kernel/security/lockdown $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \ /sys/kernel/security/ima/policy $ kexec -ls unsigned-kernel Add a call to verify ima appraisal is set to "enforce" whenever lockdown is enabled. Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") Signed-off-by: Eric Snowberg <eric.snowberg () oracle com> Acked-by: Mimi Zohar <zohar () linux ibm com> Reviewed-by: John Haxby <john.haxby () oracle com> --- security/integrity/ima/ima_policy.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fa5a93dbe5d26..748b97a2582a4 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c @@ -2034,6 +2034,10 @@ bool ima_appraise_signature(enum kernel_read_file_id id) if (id >= READING_MAX_ID) return false; + if (id == READING_KEXEC_IMAGE && !(ima_appraise & IMA_APPRAISE_ENFORCE) + && security_locked_down(LOCKDOWN_KEXEC)) + return false; + func = read_idmap[id] ?: FILE_CHECK; rcu_read_lock(); -- 2.27.0
Attachment:
signature.asc
Description: Message signed with OpenPGP
Current thread:
- CVE-2022-21505: Kernel lockdown bypass bug John Haxby (Jul 19)