Diffstat (limited to 'src/VBox/HostDrivers')
15 files changed, 167 insertions, 59 deletions
diff --git a/src/VBox/HostDrivers/Support/Makefile.kmk b/src/VBox/HostDrivers/Support/Makefile.kmk index 6543b624..46c2784c 100644 --- a/src/VBox/HostDrivers/Support/Makefile.kmk +++ b/src/VBox/HostDrivers/Support/Makefile.kmk @@ -237,6 +237,7 @@ SUPR3HardenedStatic_DEFS += \ $(if $(VBOX_WITH_RAW_MODE),VBOX_WITH_RAW_MODE,) \ $(if $(VBOX_WITH_DRIVERLESS_NEM_FALLBACK),VBOX_WITH_DRIVERLESS_NEM_FALLBACK,) \ $(if $(VBOX_WITHOUT_DEBUGGER_CHECKS),VBOX_WITHOUT_DEBUGGER_CHECKS,) \ + $(if $(VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT),VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT,) \ $(if $(VBOX_PERMIT_VISUAL_STUDIO_PROFILING),VBOX_PERMIT_VISUAL_STUDIO_PROFILING,) \ VBOX_PERMIT_MORE \ VBOX_PERMIT_EVEN_MORE @@ -780,6 +781,9 @@ if !defined(VBOX_ONLY_DOCS) \ win/SUPHardenedVerifyImage-win.cpp \ win/SUPHardenedVerifyProcess-win.cpp \ $(VBOX_SUP_WIN_CERTS_FILE) + ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT + VBoxDrv_DEFS.win += VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT + endif endif VBoxDrv_SOURCES = \ SUPDrv.d \ diff --git a/src/VBox/HostDrivers/Support/SUPDrv.cpp b/src/VBox/HostDrivers/Support/SUPDrv.cpp index 59573a31..8c9ffccb 100644 --- a/src/VBox/HostDrivers/Support/SUPDrv.cpp +++ b/src/VBox/HostDrivers/Support/SUPDrv.cpp @@ -1847,6 +1847,7 @@ static int supdrvIOCtlInnerUnrestricted(uintptr_t uIOCtl, PSUPDRVDEVEXT pDevExt, { /* validate */ PSUPLDRLOAD pReq = (PSUPLDRLOAD)pReqHdr; + uint8_t const * const pbSrcImage = pReq->u.In.abImage; REQ_CHECK_EXPR(Name, pReq->Hdr.cbIn >= SUP_IOCTL_LDR_LOAD_SIZE_IN(32)); REQ_CHECK_SIZES_EX(SUP_IOCTL_LDR_LOAD, SUP_IOCTL_LDR_LOAD_SIZE_IN(pReq->u.In.cbImageWithEverything), SUP_IOCTL_LDR_LOAD_SIZE_OUT); REQ_CHECK_EXPR_FMT( !pReq->u.In.cSymbols 
@@ -1875,14 +1876,14 @@ static int supdrvIOCtlInnerUnrestricted(uintptr_t uIOCtl, PSUPDRVDEVEXT pDevExt, if (pReq->u.In.cSymbols) { uint32_t i; - PSUPLDRSYM paSyms = (PSUPLDRSYM)&pReq->u.In.abImage[pReq->u.In.offSymbols]; + PSUPLDRSYM paSyms = (PSUPLDRSYM)(&pbSrcImage[pReq->u.In.offSymbols]); for (i = 0; i < pReq->u.In.cSymbols; i++) { REQ_CHECK_EXPR_FMT(paSyms[i].offSymbol < pReq->u.In.cbImageWithEverything, ("SUP_IOCTL_LDR_LOAD: sym #%ld: symb off %#lx (max=%#lx)\n", (long)i, (long)paSyms[i].offSymbol, (long)pReq->u.In.cbImageWithEverything)); REQ_CHECK_EXPR_FMT(paSyms[i].offName < pReq->u.In.cbStrTab, ("SUP_IOCTL_LDR_LOAD: sym #%ld: name off %#lx (max=%#lx)\n", (long)i, (long)paSyms[i].offName, (long)pReq->u.In.cbImageWithEverything)); - REQ_CHECK_EXPR_FMT(RTStrEnd((char const *)&pReq->u.In.abImage[pReq->u.In.offStrTab + paSyms[i].offName], + REQ_CHECK_EXPR_FMT(RTStrEnd((char const *)(&pbSrcImage[pReq->u.In.offStrTab + paSyms[i].offName]), pReq->u.In.cbStrTab - paSyms[i].offName), ("SUP_IOCTL_LDR_LOAD: sym #%ld: unterminated name! (%#lx / %#lx)\n", (long)i, (long)paSyms[i].offName, (long)pReq->u.In.cbImageWithEverything)); } @@ -1890,7 +1891,7 @@ static int supdrvIOCtlInnerUnrestricted(uintptr_t uIOCtl, PSUPDRVDEVEXT pDevExt, { uint32_t i; uint32_t offPrevEnd = 0; - PSUPLDRSEG paSegs = (PSUPLDRSEG)&pReq->u.In.abImage[pReq->u.In.offSegments]; + PSUPLDRSEG paSegs = (PSUPLDRSEG)(&pbSrcImage[pReq->u.In.offSegments]); for (i = 0; i < pReq->u.In.cSegments; i++) { REQ_CHECK_EXPR_FMT(paSegs[i].off < pReq->u.In.cbImageBits && !(paSegs[i].off & PAGE_OFFSET_MASK), 
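Review bot: The casts `(PSUPLDRSYM)(&pbSrcImage[pReq->u.In.offSymbols])` and `(PSUPLDRSEG)(&pbSrcImage[pReq->u.In.offSegments])` immediately discard the `const` that the new `pbSrcImage` alias was introduced to carry, so the compiler still cannot catch a write into the user-supplied request buffer during validation; casting to `SUPLDRSYM const *` / `SUPLDRSEG const *` and declaring `paSyms`/`paSegs` as such keeps the intent. Both offsets come from user space and I cannot see a check that `offSymbols`/`offSegments` are suitably aligned for these struct types; if none exists in the validation block above this hunk, the casted element access is a misaligned access on a user-controlled offset and deserves either a check or a comment saying why it is tolerated. Pre-existing but visible in the context lines: the `name off` failure message prints `cbImageWithEverything` as the maximum while the condition tests `offName` against `cbStrTab`. The enclosing `supdrvIOCtlInnerUnrestricted` starts before the hunk.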
@@ -5548,7 +5549,8 @@ static int supdrvIOCtl_LdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, P pImage->cSegments = pReq->u.In.cSegments; { size_t cbSegments = pImage->cSegments * sizeof(SUPLDRSEG); - pImage->paSegments = (PSUPLDRSEG)RTMemDup(&pReq->u.In.abImage[pReq->u.In.offSegments], cbSegments); + uint8_t const * const pbSrcImage = pReq->u.In.abImage; + pImage->paSegments = (PSUPLDRSEG)RTMemDup(&pbSrcImage[pReq->u.In.offSegments], cbSegments); if (pImage->paSegments) /* Align the last segment size to avoid upsetting RTR0MemObjProtect. */ /** @todo relax RTR0MemObjProtect */ pImage->paSegments[pImage->cSegments - 1].cb = RT_ALIGN_32(pImage->paSegments[pImage->cSegments - 1].cb, PAGE_SIZE); else @@ -5617,10 +5619,11 @@ static int supdrvIOCtl_LdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, P */ if (!pImage->fNative) { + uint8_t const * const pbSrcImage = pReq->u.In.abImage; pImage->cbStrTab = pReq->u.In.cbStrTab; if (pImage->cbStrTab) { - pImage->pachStrTab = (char *)RTMemDup(&pReq->u.In.abImage[pReq->u.In.offStrTab], pImage->cbStrTab); + pImage->pachStrTab = (char *)RTMemDup(&pbSrcImage[pReq->u.In.offStrTab], pImage->cbStrTab); if (!pImage->pachStrTab) rc = supdrvLdrLoadError(VERR_NO_MEMORY, pReq, "Out of memory for string table: %#x", pImage->cbStrTab); SUPDRV_CHECK_SMAP_CHECK(pDevExt, RT_NOTHING); @@ -5630,7 +5633,7 @@ static int supdrvIOCtl_LdrLoad(PSUPDRVDEVEXT pDevExt, PSUPDRVSESSION pSession, P if (RT_SUCCESS(rc) && pImage->cSymbols) { size_t cbSymbols = pImage->cSymbols * sizeof(SUPLDRSYM); - pImage->paSymbols = (PSUPLDRSYM)RTMemDup(&pReq->u.In.abImage[pReq->u.In.offSymbols], cbSymbols); + pImage->paSymbols = (PSUPLDRSYM)RTMemDup(&pbSrcImage[pReq->u.In.offSymbols], cbSymbols); if (!pImage->paSymbols) rc = supdrvLdrLoadError(VERR_NO_MEMORY, pReq, "Out of memory for symbol table: %#x", cbSymbols); SUPDRV_CHECK_SMAP_CHECK(pDevExt, RT_NOTHING); 
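Review bot: The alias `uint8_t const * const pbSrcImage = pReq->u.In.abImage;` is declared twice in `supdrvIOCtl_LdrLoad`, once inside the `cbSegments` block and again inside `if (!pImage->fNative)`; a single declaration near the top of the function would serve all three `RTMemDup` calls and avoid the two copies drifting apart. Nothing in this function re-validates `offSegments`, `offStrTab` or `offSymbols`, so a one-line comment at the first use would help the next reader: `/* Offsets and sizes were range-checked by the SUP_IOCTL_LDR_LOAD checks in supdrvIOCtlInnerUnrestricted. */` (assuming that is indeed the only path into this function). The function starts and ends outside these hunks.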
diff --git a/src/VBox/HostDrivers/Support/SUPDrvTracer.cpp b/src/VBox/HostDrivers/Support/SUPDrvTracer.cpp index 7b25b5ce..9ea87201 100644 --- a/src/VBox/HostDrivers/Support/SUPDrvTracer.cpp +++ b/src/VBox/HostDrivers/Support/SUPDrvTracer.cpp @@ -55,6 +55,15 @@ #include <iprt/param.h> #include <iprt/uuid.h> +#if defined(RT_OS_LINUX) +# if RTLNX_VER_MIN(4,15,10) +# include <asm/nospec-branch.h> +# endif /* < 4.15.10 */ +# if RTLNX_VER_MIN(5,17,0) +# include <asm/linkage.h> +# endif /* < 5.17.0 */ +#endif /* !RT_OS_LINUX */ + /********************************************************************************************************************************* * Structures and Typedefs * @@ -96,7 +105,8 @@ typedef struct SUPDRVTPPROVIDER * tracer. */ bool fRegistered; /** The provider name (for logging purposes). */ - char szName[1]; + RT_FLEXIBLE_ARRAY_EXTENSION + char szName[RT_FLEXIBLE_ARRAY]; } SUPDRVTPPROVIDER; /** Pointer to the data for a tracepoint provider. */ typedef SUPDRVTPPROVIDER *PSUPDRVTPPROVIDER; @@ -161,7 +171,8 @@ typedef struct SUPDRVTRACERUMOD /** The number of probe locations. */ uint32_t cProbeLocs; /** Ring-0 probe location info. */ - SUPDRVPROBELOC aProbeLocs[1]; + RT_FLEXIBLE_ARRAY_EXTENSION + SUPDRVPROBELOC aProbeLocs[RT_FLEXIBLE_ARRAY]; } SUPDRVTRACERUMOD; /** Magic value for SUPDRVVTGCOPY. */ #define SUPDRVTRACERUMOD_MAGIC UINT32_C(0x00080486) @@ -1495,11 +1506,25 @@ SUPR0TracerFireProbe: \n\ # if defined(RT_ARCH_AMD64) __asm__("\ movq g_pfnSupdrvProbeFireKernel(%rip), %rax \n\ + " +# if defined(RT_OS_LINUX) +# if RTLNX_VER_MIN(4,15,10) + ANNOTATE_RETPOLINE_SAFE +# endif +# endif + " \n\ jmp *%rax \n\ "); # elif defined(RT_ARCH_X86) __asm__("\ movl g_pfnSupdrvProbeFireKernel, %eax \n\ + " +# if defined(RT_OS_LINUX) +# if RTLNX_VER_MIN(4,15,10) + ANNOTATE_RETPOLINE_SAFE +# endif +# endif + " \n\ jmp *%eax \n\ "); # else 
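Review bot: `ANNOTATE_RETPOLINE_SAFE` on the `jmp *%rax` / `jmp *%eax` in `SUPR0TracerFireProbe` only tells objtool not to warn about the un-thunked indirect branch; it does not apply a retpoline, so on a retpoline-built kernel the jump through the `g_pfnSupdrvProbeFireKernel` function pointer stays an unmitigated indirect branch. If silencing the build warning is the whole intent, a comment should say so; otherwise the `JMP_NOSPEC` form from `<asm/nospec-branch.h>` (its operand syntax differs between kernel versions, so it needs the same `RTLNX_VER_MIN` gating) keeps the mitigation. The trailing `#endif` comments in the new include block are inverted: `# endif /* < 4.15.10 */` closes an `RTLNX_VER_MIN(4,15,10)` block and `#endif /* !RT_OS_LINUX */` closes `#if defined(RT_OS_LINUX)`, so they should read `/* >= 4.15.10 */`, `/* >= 5.17.0 */` and `/* RT_OS_LINUX */`.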
@@ -1511,8 +1536,20 @@ __asm__("\ .type supdrvTracerProbeFireStub,@function \n\ .global supdrvTracerProbeFireStub \n\ supdrvTracerProbeFireStub: \n\ - ret \n\ - .size supdrvTracerProbeFireStub, . - supdrvTracerProbeFireStub \n\ + " +# if defined(RT_OS_LINUX) +# if RTLNX_VER_MIN(5,17,0) + ASM_RET "\n\ + " +# else /* < 5.17.0 */ + "ret \n\ + " +# endif /* < 5.17.0 */ +# else /* !RT_OS_LINUX */ + "ret \n\ + " +# endif /* !RT_OS_LINUX */ + ".size supdrvTracerProbeFireStub, . - supdrvTracerProbeFireStub \n\ \n\ .previous \n\ "); diff --git a/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp b/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp index 99b4278a..25c6b4c5 100644 --- a/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp +++ b/src/VBox/HostDrivers/Support/SUPR3HardenedMain.cpp @@ -1398,6 +1398,21 @@ static void supR3HardenedGetFullExePath(void) default: supR3HardenedFatal("supR3HardenedExecDir: Unknown program binary location: %#x\n", g_fSupHardenedMain); } + +#ifdef RTPATH_APP_PRIVATE_ARCH + /* + * If the location is fixed, do not continue if it is not correct. Binaries + * must not be allowed to be started from anywhere else. (@bugref{10626}) + */ + if (suplibHardenedStrCmp(g_szSupLibHardenedAppBinPath, RTPATH_APP_PRIVATE_ARCH) != 0) + supR3HardenedFatal("supR3HardenedExecDir: Invalid program binary location: %s (expected %s)\n", + g_szSupLibHardenedAppBinPath, RTPATH_APP_PRIVATE_ARCH); +# ifdef RT_OS_WINDOWS +# error "Didn't expect RTPATH_APP_PRIVATE_ARCH to be defined on Windows." +# endif +#elif defined(RT_OS_LINUX) || defined(RT_OS_FREEBSD) || defined(RT_OS_SOLARIS) || defined(RT_OS_DARWIN) +# error "Expected RTPATH_APP_PRIVATE_ARCH to be define on this host." +#endif } diff --git a/src/VBox/HostDrivers/Support/linux/SUPDrv-linux.c b/src/VBox/HostDrivers/Support/linux/SUPDrv-linux.c index 2a77412c..6ce2a8d0 100644 --- a/src/VBox/HostDrivers/Support/linux/SUPDrv-linux.c +++ b/src/VBox/HostDrivers/Support/linux/SUPDrv-linux.c 
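Review bot: In `supR3HardenedGetFullExePath` the `#error` sanity checks are placed after the runtime comparison they are meant to guard, and the `#elif` message has a typo: `#  error "Expected RTPATH_APP_PRIVATE_ARCH to be defined on this host."`. Moving the `RT_OS_WINDOWS` `#error` to the start of the `#ifdef RTPATH_APP_PRIVATE_ARCH` block reads more naturally. `suplibHardenedStrCmp` appears to be an exact, case-sensitive compare against the configured path, which fails closed (fatal) if the executable was started through a differently-cased or unnormalised path on a case-insensitive filesystem; that is the safe direction, but it is worth stating in the comment, e.g. `/* Exact compare on purpose: any deviation (case, symlinks, trailing slash) is fatal. */`. The function starts before the hunk.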
@@ -54,6 +54,7 @@ #include <VBox/err.h> #include <iprt/mem.h> #include <VBox/log.h> +#include <VBox/VBoxLnxModInline.h> #include <iprt/mp.h> /** @todo figure out the exact version number */ @@ -307,12 +308,12 @@ DECLINLINE(RTGID) vboxdrvLinuxKernGid(void) #ifdef VBOX_WITH_HARDENING -/** Get the effective UID within the current user namespace. */ -DECLINLINE(RTUID) vboxdrvLinuxEuidInNs(void) +/** Get the effective UID of the current process. */ +DECLINLINE(RTUID) vboxdrvLinuxEuid(void) { # if RTLNX_VER_MIN(2,6,29) # if RTLNX_VER_MIN(3,5,0) - return from_kuid(current_user_ns(), current->cred->euid); + return __kuid_val(current->cred->euid); # else return current->cred->euid; # endif @@ -332,6 +333,10 @@ static int __init VBoxDrvLinuxInit(void) { int rc; + /* Check if modue loading was disabled. */ + if (!vbox_mod_should_load()) + return -EINVAL; + #if RTLNX_VER_MIN(5,0,0) spin_lock_init(&g_supdrvLinuxWrapperModuleSpinlock); RTListInit(&g_supdrvLinuxWrapperModuleList); @@ -487,9 +492,9 @@ static int vboxdrvLinuxCreateCommon(struct inode *pInode, struct file *pFilp, bo * Only root is allowed to access the unrestricted device, enforce it! */ if ( fUnrestricted - && vboxdrvLinuxEuidInNs() != 0 /* root */ ) + && vboxdrvLinuxEuid() != 0 /* root */ ) { - Log(("VBoxDrvLinuxCreate: euid=%d, expected 0 (root)\n", vboxdrvLinuxEuidInNs())); + Log(("VBoxDrvLinuxCreate: euid=%d, expected 0 (root)\n", vboxdrvLinuxEuid())); return -EPERM; } #endif /* VBOX_WITH_HARDENING */ diff --git a/src/VBox/HostDrivers/Support/linux/files_vboxdrv b/src/VBox/HostDrivers/Support/linux/files_vboxdrv index cd8b214a..5fbf92a5 100755 --- a/src/VBox/HostDrivers/Support/linux/files_vboxdrv +++ b/src/VBox/HostDrivers/Support/linux/files_vboxdrv 
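Review bot: The doc comment on the renamed `vboxdrvLinuxEuid` should record the security-relevant change, since the old `from_kuid(current_user_ns(), ...)` translated into the caller's user namespace while `__kuid_val()` yields the initial-namespace value: `/** Get the effective UID of the current process in the initial user namespace, so uid 0 inside an unprivileged user namespace is not treated as root for the unrestricted device. */`. The `Log` in `vboxdrvLinuxCreateCommon` still prints the result with `%d`; if `RTUID` is unsigned (not visible here) `%u` with a matching cast avoids a sign surprise in the log. The new early-out comment has a typo, `/* Check if module loading was disabled. */`; the same text is copied into the `VBoxNetAdpLinuxInit` and `VBoxNetFltLinuxInit` hunks of this commit.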
@@ -93,6 +93,7 @@ FILES_VBOXDRV_NOBIN=" \
 ${PATH_ROOT}/include/VBox/types.h=>include/VBox/types.h \
 ${PATH_ROOT}/include/VBox/SUPDrvMangling.h=>include/VBox/SUPDrvMangling.h \
 ${PATH_ROOT}/include/VBox/VBoxTpG.h=>include/VBox/VBoxTpG.h \
+ ${PATH_ROOT}/include/VBox/VBoxLnxModInline.h=>include/VBox/VBoxLnxModInline.h \
 ${PATH_ROOT}/include/VBox/vmm/hm_vmx.h=>include/VBox/vmm/hm_vmx.h \
 ${PATH_ROOT}/include/VBox/vmm/hm_svm.h=>include/VBox/vmm/hm_svm.h \
 ${PATH_ROOT}/include/VBox/vmm/cpuidcall.h=>include/VBox/vmm/cpuidcall.h \
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
index 0f953e38..a14ee4a7 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerify-win.h
@@ -151,8 +151,9 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 p
 # define SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT RT_BIT(2)
 /** Whether to allow image verification by catalog file. */
 # define SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION RT_BIT(3)
-/** The file owner must be TrustedInstaller on Vista+. */
-# define SUPHNTVI_F_TRUSTED_INSTALLER_OWNER RT_BIT(4)
+/** The file owner must be TrustedInstaller, Builtin\\Administrators
+ * (S-1-5-32-544) or local system (S-1-5-21) on Vista+. */
+# define SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER RT_BIT(4)
 /** Ignore the image architecture (otherwise it must match the verification
  * code). Used with resource images and such. */
 # define SUPHNTVI_F_IGNORE_ARCHITECTURE RT_BIT(30)
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
index 747d975e..c05d0210 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
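Review bot: The new comment on `SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER` gives `S-1-5-21` as the SID of "local system", but `S-1-5-21` is the prefix of domain and local machine account SIDs, whereas the Local System account is `S-1-5-18`. Because this flag decides which file owners are accepted in place of TrustedInstaller, the comment should name exactly what `supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar` accepts (that function is not in the diff, so please check against it): accepting any `S-1-5-21-*` owner is a far weaker condition than accepting `S-1-5-18`. Suggested wording once confirmed: `/** The file owner must be TrustedInstaller, Builtin\\Administrators (S-1-5-32-544) or LocalSystem (S-1-5-18) on Vista+. */`.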
@@ -807,7 +807,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u pwsz = pwszName + cwcOther + 1; /* Must be owned by trusted installer. (This test is superfuous, thus no relaxation here.) */ - if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER) + if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER) && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName)) return rc; @@ -868,7 +868,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u return rc; /* Must be owned by trusted installer. */ - if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER) + if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER) && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName)) return rc; return VINF_LDRVI_NOT_SIGNED; @@ -885,7 +885,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u cwcOther = g_System32NtPath.UniStr.Length / sizeof(WCHAR); /* ASSUMES System32 is called System32. */ pwsz = pwszName + cwcOther + 1; - if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER) + if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER) && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName)) return rc; @@ -933,7 +933,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u # endif ) { - if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER) + if ( !(fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER) && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName)) return rc; return VINF_LDRVI_NOT_SIGNED; @@ -943,7 +943,7 @@ static int supHardNtViCheckIfNotSignedOk(RTLDRMOD hLdrMod, PCRTUTF16 pwszName, u /* * Anything that's owned by the trusted installer. */ - if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER) + if ( (fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER) || supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(hFile, pwszName)) return VINF_LDRVI_NOT_SIGNED; 
@@ -1379,7 +1379,7 @@ DECLHIDDEN(int) supHardenedWinVerifyImageByLdrMod(RTLDRMOD hLdrMod, PCRTUTF16 pw
 */
 /** @todo Since we're now allowing Builtin\\Administrators after all, perhaps we
 * could drop these system32 + winsxs hacks?? */
- if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OWNER)
+ if ( (pNtViRdr->fFlags & SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER)
 && !supHardNtViCheckIsOwnedByTrustedInstallerOrSimilar(pNtViRdr->hFile, pwszName))
 {
 if (supHardViUtf16PathStartsWithEx(pwszName, (uint32_t)RTUtf16Len(pwszName),
diff --git a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
index ec6b6a0a..f7ef4408 100644
--- a/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
+++ b/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyProcess-win.cpp
@@ -2147,7 +2147,7 @@ static int supHardNtLdrCacheNewEntry(PSUPHNTLDRCACHEENTRY pEntry, const char *ps
 * for this image.
 */
 uint32_t fFlags = fDll
- ? SUPHNTVI_F_TRUSTED_INSTALLER_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
+ ? SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER | SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION
 : SUPHNTVI_F_REQUIRE_BUILD_CERT;
 if (f32bitResourceDll)
 fFlags |= SUPHNTVI_F_IGNORE_ARCHITECTURE;
@@ -2394,10 +2394,12 @@ static int supHardNtVpCheckExe(PSUPHNTVPSTATE pThis) "NtQueryInformationProcess/ProcessImageInformation failed: %#x hProcess=%#x", rcNt, pThis->hProcess); } +#ifndef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT /* A kernel code signing cert is only via way to use /IntegrityCheck. */ if ( !(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY)) return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_FORCE_INTEGRITY, "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY to be set.", ImageInfo.DllCharacteristics); +#endif if (!(ImageInfo.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return supHardNtVpSetInfo2(pThis, VERR_SUP_VP_EXE_MISSING_DYNAMIC_BASE, "EXE DllCharacteristics=%#x, expected IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE to be set.", diff --git a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp index a7dccfd9..ada99ee5 100644 --- a/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp +++ b/src/VBox/HostDrivers/Support/win/SUPR3HardenedMain-win.cpp 
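Review bot: Under `VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT` the `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` check in `supHardNtVpCheckExe` is compiled out with nothing in its place, so such a build no longer verifies that the EXE requests integrity checking at all; the comment above the `#ifndef` should say what the build relies on instead, and fix its typo: `/* A kernel code signing cert is the only way to use /IntegrityCheck; builds without one skip this check and rely on the build-cert requirement applied in supR3HardenedScreenImage instead. */` (adjust if that is not the compensating control). A log line in the `#else` arm of this `#ifndef` would also make the relaxed mode visible at runtime rather than only at build time. The function starts and ends outside the hunk.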
@@ -1477,33 +1477,46 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA #ifndef VBOX_PERMIT_EVEN_MORE /* * Check the path. We don't allow DLLs to be loaded from just anywhere: - * 1. System32 - normal code or cat signing, owner TrustedInstaller. - * 2. WinSxS - normal code or cat signing, owner TrustedInstaller. - * 3. VirtualBox - kernel code signing and integrity checks. - * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller. - * 5. Program Files - normal code or cat signing, owner TrustedInstaller. - * 6. Common Files - normal code or cat signing, owner TrustedInstaller. + * 1. System32 - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem. + * 2. WinSxS - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem. + * 3. VirtualBox - build with: + * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem. + * - kernel code signing cert: kernel code signing and integrity checks. + * 4. AppPatchDir - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem. + * 5. Program Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem. + * 6. Common Files - normal code or cat signing, owner TrustedInstaller/Administrators/LocalSystem. * 7. x86 variations of 4 & 5 - ditto. + * + * Note! VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT means the /IntegrityCheck does + * work as it doesn't seems like MS has come up with a generally accessible + * alternative to the expired kernel code signing scheme for using this + * securty enhancement. 
*/ uint32_t fFlags = 0; if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_System32NtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_WinSxSNtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/)) +# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT + /** @todo r=bird: See SUPHNTVI_F_REQUIRE_BUILD_CERT comment below (in the + * code that's actually used). */ + fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; +# else fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT; +# endif # ifdef VBOX_PERMIT_MORE else if (supHardViIsAppPatchDir(uBuf.UniStr.Buffer, uBuf.UniStr.Length / sizeof(WCHAR))) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesNtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesNtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | 
SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; # ifdef RT_ARCH_AMD64 else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_ProgramFilesX86NtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; else if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_CommonFilesX86NtPath.UniStr, true /*fCheckSlash*/)) - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; # endif # endif # ifdef VBOX_PERMIT_VISUAL_STUDIO_PROFILING 
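Review bot: The new `Note!` paragraph in the `supR3HardenedScreenImage` comment names `VBOX_WITHOUT_KERNEL_CODE_SIGNING_CERT`, which is not the macro the `# ifdef` a few lines down tests (`VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT`), and says `/IntegrityCheck` `does work` where the rest of the sentence means it does not (plus `doesn't seems` and `securty`). Suggested: `Note! VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT means /IntegrityCheck does not work, as MS does not seem to have a generally accessible alternative to the expired kernel code signing scheme for using this security enhancement.` The same comment list should also say that under the define the VirtualBox directory loses `SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT` as well as the kernel-signing requirement, since that is what the `# ifdef` arm does. Style: the `else if (... g_SupLibHardenedAppBinNtPath ...)` body is now a single statement selected by `# ifdef`/`# else` with a `/** @todo */` block in between; bracing it `{ ... }` keeps the `else if` chain intact if either arm ever grows, and the same unbraced pattern appears in the `VBOX_PERMIT_EVEN_MORE` hunk that follows. `supR3HardenedScreenImage` starts before the hunk.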
@@ -1531,14 +1544,27 @@ supR3HardenedScreenImage(HANDLE hFile, bool fImage, bool fIgnoreArch, PULONG pfA #else /* VBOX_PERMIT_EVEN_MORE */ /* * Require trusted installer + some kind of signature on everything, except - * for the VBox bits where we require kernel code signing and special - * integrity checks. + * for the VBox bits where we have extra requirements depending on the signing + * certificate used: + * - regular code signing cert: build cert code signing, owner TrustedInstaller/Administrators/LocalSystem. + * - kernel code signing cert: kernel code signing and integrity checks. */ uint32_t fFlags = 0; if (supHardViUniStrPathStartsWithUniStr(&uBuf.UniStr, &g_SupLibHardenedAppBinNtPath.UniStr, true /*fCheckSlash*/)) +# ifdef VBOX_WITHOUT_WINDOWS_KERNEL_CODE_SIGNING_CERT + /** @todo r=bird: Since extension packs are installed under + * g_SupLibHardenedAppBinNtPath and I'm pretty sure that everything loaded into + * a VBox VM process goes thru this validation step at DLL load time, this means + * only we can now sign extension packs. + * + * I suspect we have to relax the signing restrictions on the ExtensionPacks + * subdirectory to keep 3rd party extensions working. */ + fFlags |= SUPHNTVI_F_REQUIRE_BUILD_CERT | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; +# else fFlags |= SUPHNTVI_F_REQUIRE_KERNEL_CODE_SIGNING | SUPHNTVI_F_REQUIRE_SIGNATURE_ENFORCEMENT; +# endif else - fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OWNER; + fFlags |= SUPHNTVI_F_ALLOW_CAT_FILE_VERIFICATION | SUPHNTVI_F_TRUSTED_INSTALLER_OR_SIMILAR_OWNER; #endif /* VBOX_PERMIT_EVEN_MORE */ /* diff --git a/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c b/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c index 0654e1d7..bc827fe6 100644 --- a/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c +++ b/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c 
@@ -54,6 +54,7 @@ #include <iprt/initterm.h> #include <iprt/mem.h> #include <iprt/string.h> +#include <VBox/VBoxLnxModInline.h> /* #include <iprt/assert.h> @@ -529,6 +530,11 @@ int vboxNetAdpOsInit(PVBOXNETADP pThis) static int __init VBoxNetAdpLinuxInit(void) { int rc; + + /* Check if modue loading was disabled. */ + if (!vbox_mod_should_load()) + return -EINVAL; + /* * Initialize IPRT. */ diff --git a/src/VBox/HostDrivers/VBoxNetAdp/linux/files_vboxnetadp b/src/VBox/HostDrivers/VBoxNetAdp/linux/files_vboxnetadp index 3f028677..288f9b1e 100755 --- a/src/VBox/HostDrivers/VBoxNetAdp/linux/files_vboxnetadp +++ b/src/VBox/HostDrivers/VBoxNetAdp/linux/files_vboxnetadp @@ -86,6 +86,7 @@ VBOX_VBOXNETADP_SOURCES=" \ ${PATH_ROOT}/include/VBox/sup.h=>include/VBox/sup.h \ ${PATH_ROOT}/include/VBox/types.h=>include/VBox/types.h \ ${PATH_ROOT}/include/VBox/SUPDrvMangling.h=>include/VBox/SUPDrvMangling.h \ + ${PATH_ROOT}/include/VBox/VBoxLnxModInline.h=>include/VBox/VBoxLnxModInline.h \ ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c=>linux/VBoxNetAdp-linux.c \ ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetAdp/VBoxNetAdp.c=>VBoxNetAdp.c \ ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetAdp/VBoxNetAdpInternal.h=>VBoxNetAdpInternal.h \ diff --git a/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c b/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c index eaf07e8c..85777fa1 100644 --- a/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c +++ b/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c @@ -73,6 +73,7 @@ #include <VBox/intnetinline.h> #include <VBox/vmm/pdmnetinline.h> #include <VBox/param.h> +#include <VBox/VBoxLnxModInline.h> #include <iprt/alloca.h> #include <iprt/assert.h> #include <iprt/spinlock.h> 
@@ -166,6 +167,17 @@ typedef struct VBOXNETFLTNOTIFIER *PVBOXNETFLTNOTIFIER; # endif #endif +#if RTLNX_VER_MIN(6,9,0) +# define VBOX_SKB_FRAG_LEN(_pFrag) ((_pFrag)->len) +# define VBOX_SKB_FRAG_OFFSET(_pFrag) ((_pFrag)->offset) +#elif RTLNX_VER_MIN(5,4,0) || RTLNX_SUSE_MAJ_PREREQ(15, 2) +# define VBOX_SKB_FRAG_LEN(_pFrag) ((_pFrag)->bv_len) +# define VBOX_SKB_FRAG_OFFSET(_pFrag) ((_pFrag)->bv_offset) +#else /* < KERNEL_VERSION(5, 4, 0) */ +# define VBOX_SKB_FRAG_LEN(_pFrag) ((_pFrag)->size) +# define VBOX_SKB_FRAG_OFFSET(_pFrag) ((_pFrag)->page_offset) +#endif /* > KERNEL_VERSION(6, 9, 0) */ + #if RTLNX_VER_MIN(3,20,0) || RTLNX_RHEL_RANGE(7,2, 8,0) || RTLNX_RHEL_RANGE(6,8, 7,0) # define VBOX_HAVE_SKB_VLAN #endif @@ -273,6 +285,11 @@ unsigned dev_get_flags(const struct net_device *dev) static int __init VBoxNetFltLinuxInit(void) { int rc; + + /* Check if modue loading was disabled. */ + if (!vbox_mod_should_load()) + return -EINVAL; + /* * Initialize IPRT. */ @@ -926,13 +943,8 @@ static void vboxNetFltLinuxSkBufToSG(PVBOXNETFLTINS pThis, struct sk_buff *pBuf, for (i = 0; i < skb_shinfo(pBuf)->nr_frags; i++) { skb_frag_t *pFrag = &skb_shinfo(pBuf)->frags[i]; -# if RTLNX_VER_MIN(5,4,0) || RTLNX_SUSE_MAJ_PREREQ(15, 2) - pSG->aSegs[iSeg].cb = pFrag->bv_len; - pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + pFrag->bv_offset; -# else /* < KERNEL_VERSION(5, 4, 0) */ - pSG->aSegs[iSeg].cb = pFrag->size; - pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + pFrag->page_offset; -# endif /* >= KERNEL_VERSION(5, 4, 0) */ + pSG->aSegs[iSeg].cb = VBOX_SKB_FRAG_LEN(pFrag); + pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + VBOX_SKB_FRAG_OFFSET(pFrag); Log6((" %p", pSG->aSegs[iSeg].pv)); pSG->aSegs[iSeg++].Phys = NIL_RTHCPHYS; Assert(iSeg <= pSG->cSegsAlloc); 
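Review bot: The new `VBOX_SKB_FRAG_LEN`/`VBOX_SKB_FRAG_OFFSET` ladder re-implements accessors the kernel already exports: `skb_frag_size()` has existed since 3.2 and `skb_frag_off()` since 5.4, and both follow the `skb_frag_t` layout changes (the 5.4 `bio_vec` form and the 6.9 `len`/`offset` rewrite) without local version tests, so the 6.9 and 5.4 arms could collapse to those calls and only the pre-5.4 arm would need `->size`/`->page_offset`. The closing comment `#endif /* > KERNEL_VERSION(6, 9, 0) */` does not match the `RTLNX_VER_MIN(6,9,0)` condition it closes; `>=` is meant. Whether `VBOX_SKB_KMAP_FRAG` still resolves the right page on 6.9+, where the fragment carries a `netmem_ref` rather than a `struct page *`, is not visible in this diff and is worth confirming in `vboxNetFltLinuxSkBufToSG`, which starts before the `@@ -926` hunk. The same replacement is made in the second fragment loop in the next hunk.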
@@ -947,13 +947,8 @@ static void vboxNetFltLinuxSkBufToSG(PVBOXNETFLTINS pThis, struct sk_buff *pBuf,
 for (i = 0; i < skb_shinfo(pFragBuf)->nr_frags; i++)
 {
 skb_frag_t *pFrag = &skb_shinfo(pFragBuf)->frags[i];
-# if RTLNX_VER_MIN(5,4,0) || RTLNX_SUSE_MAJ_PREREQ(15, 2)
- pSG->aSegs[iSeg].cb = pFrag->bv_len;
- pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + pFrag->bv_offset;
-# else /* < KERNEL_VERSION(5, 4, 0) */
- pSG->aSegs[iSeg].cb = pFrag->size;
- pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + pFrag->page_offset;
-# endif /* >= KERNEL_VERSION(5, 4, 0) */
+ pSG->aSegs[iSeg].cb = VBOX_SKB_FRAG_LEN(pFrag);
+ pSG->aSegs[iSeg].pv = VBOX_SKB_KMAP_FRAG(pFrag) + VBOX_SKB_FRAG_OFFSET(pFrag);
 Log6((" %p", pSG->aSegs[iSeg].pv));
 pSG->aSegs[iSeg++].Phys = NIL_RTHCPHYS;
 Assert(iSeg <= pSG->cSegsAlloc);
diff --git a/src/VBox/HostDrivers/VBoxNetFlt/linux/files_vboxnetflt b/src/VBox/HostDrivers/VBoxNetFlt/linux/files_vboxnetflt
index f2f8f1f4..bdff6ed2 100755
--- a/src/VBox/HostDrivers/VBoxNetFlt/linux/files_vboxnetflt
+++ b/src/VBox/HostDrivers/VBoxNetFlt/linux/files_vboxnetflt
@@ -88,6 +88,7 @@ VBOX_VBOXNETFLT_SOURCES=" \
 ${PATH_ROOT}/include/VBox/sup.h=>include/VBox/sup.h \
 ${PATH_ROOT}/include/VBox/types.h=>include/VBox/types.h \
 ${PATH_ROOT}/include/VBox/SUPDrvMangling.h=>include/VBox/SUPDrvMangling.h \
+ ${PATH_ROOT}/include/VBox/VBoxLnxModInline.h=>include/VBox/VBoxLnxModInline.h \
 ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetFlt/linux/VBoxNetFlt-linux.c=>linux/VBoxNetFlt-linux.c \
 ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetFlt/VBoxNetFlt.c=>VBoxNetFlt.c \
 ${PATH_ROOT}/src/VBox/HostDrivers/VBoxNetFlt/VBoxNetFltInternal.h=>VBoxNetFltInternal.h \
diff --git a/src/VBox/HostDrivers/VBoxNetFlt/win/drv/VBoxNetFltRt-win.cpp b/src/VBox/HostDrivers/VBoxNetFlt/win/drv/VBoxNetFltRt-win.cpp
index 44c7338c..d6ed6bb1 100644
--- a/src/VBox/HostDrivers/VBoxNetFlt/win/drv/VBoxNetFltRt-win.cpp
+++ b/src/VBox/HostDrivers/VBoxNetFlt/win/drv/VBoxNetFltRt-win.cpp
@@ -1134,17 +1134,16 @@ DECLHIDDEN(void) vboxNetFltWinQuFiniPacketQueue(PVBOXNETFLTINS pInstance) */ DECLHIDDEN(NDIS_STATUS) vboxNetFltWinAllocSG(UINT cbPacket, PINTNETSG *ppSG) { - NDIS_STATUS Status; - PINTNETSG pSG; - /* allocation: * 1. SG_PACKET - with one aSegs pointing to * 2. buffer of cbPacket containing the entire packet */ AssertCompileSizeAlignment(INTNETSG, sizeof(PVOID)); - Status = vboxNetFltWinMemAlloc((PVOID*)&pSG, cbPacket + sizeof(INTNETSG)); + PINTNETSG pSG = NULL; + UINT const cbSg = RT_UOFFSETOF_DYN(INTNETSG, aSegs[1]); + NDIS_STATUS Status = vboxNetFltWinMemAlloc((PVOID *)&pSG, cbSg + cbPacket); if (Status == NDIS_STATUS_SUCCESS) { - IntNetSgInitTemp(pSG, pSG + 1, cbPacket); + IntNetSgInitTemp(pSG, (uint8_t *)pSG + cbSg, cbPacket); LogFlow(("pSG created (%p)\n", pSG)); *ppSG = pSG; } |
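Review bot: `cbSg + cbPacket` in `vboxNetFltWinAllocSG` is `UINT` arithmetic with no overflow check, so a `cbPacket` near `UINT_MAX` wraps to a small allocation that `IntNetSgInitTemp` then describes as holding `cbPacket` bytes; if every caller already bounds `cbPacket` by the link MTU that is fine but should be stated in a comment, otherwise add `if (cbPacket > UINT_MAX - cbSg) return NDIS_STATUS_RESOURCES;` before the allocation. The packet buffer now starts at `RT_UOFFSETOF_DYN(INTNETSG, aSegs[1])` instead of `sizeof(INTNETSG)`, and the existing `AssertCompileSizeAlignment(INTNETSG, sizeof(PVOID))` no longer covers that offset; a compile-time check that the offset is a multiple of whatever alignment the packet consumers need (or a comment saying byte alignment is sufficient) would document the assumption. Initialising `pSG` to `NULL` before the allocation call is a good change. The function continues past the hunk.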