From abcd64c5f3df08789acc3294b8371a05567abf69 Mon Sep 17 00:00:00 2001
From: Stephen Brennan
Date: Thu, 14 Apr 2022 13:27:45 -0700
Subject: [PATCH] UBUNTU: SAUCE: debug: Lock down kgdb
KGDB and KDB allow read and write access to kernel memory, and thus should not be allowed during lockdown. An attacker with access to a serial port (for example, via a hypervisor console, which some cloud vendors provide over the network) could trigger the debugger and use it to bypass lockdown. Ensure KDB and KGDB cannot be used during lockdown. This fixes CVE-2022-21499.
Signed-off-by: Stephen Brennan
CVE-2022-21499
Signed-off-by: Thadeu Lima de Souza Cascardo
Acked-by: Dimitri John Ledkov
Acked-by: Andrea Righi
---
 include/linux/security.h | 1 +
 kernel/debug/debug_core.c | 3 +++
 security/security.c | 1 +
 3 files changed, 5 insertions(+)
diff --git a/include/linux/security.h b/include/linux/security.h
index 9b55c2df869a0..5c1c4933d4b21 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -121,6 +121,7 @@ enum lockdown_reason {
 LOCKDOWN_DEBUGFS,
 LOCKDOWN_XMON_WR,
 LOCKDOWN_BPF_WRITE_USER,
+ LOCKDOWN_KGDB,
 LOCKDOWN_INTEGRITY_MAX,
 LOCKDOWN_KCORE,
 LOCKDOWN_KPROBES,
diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
index b4aa6bb6b2bd9..6c8648bc86873 100644
--- a/kernel/debug/debug_core.c
+++ b/kernel/debug/debug_core.c
@@ -56,6 +56,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -748,6 +749,8 @@ static int kgdb_cpu_enter(struct kgdb_state *ks, struct pt_regs *regs,
 while (1) {
 cpu_master_loop:
+ if (security_locked_down(LOCKDOWN_KGDB))
+ break;
 if (dbg_kdb_mode) {
 kgdb_connected = 1;
 error = kdb_stub(ks);
diff --git a/security/security.c b/security/security.c
index 5caf182522655..c6f535494f733 100644
--- a/security/security.c
+++ b/security/security.c
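Review bot: The `break` added under `cpu_master_loop:` leaves the loop without recording a result, whereas the loop's ordinary exit (below this hunk, in mainline `kgdb_info[cpu].ret_state = error; break;`) is what decides the value kgdb_cpu_enter hands back to the arch trap handler; if this tree matches, a lockdown refusal returns whatever the previous debugger session left in `ret_state`, so consider storing the tree's "resume normally" value, e.g. `kgdb_info[cpu].ret_state = 0;`, right before the `break`. A short comment would also help, because the check sits inside the loop rather than at function entry: `/* Re-checked every pass: lockdown may be raised mid-session, and the kdb<->gdb switch re-enters here */`. Note that a single integrity-level reason refuses kdb entirely, including read-only inspection; mainline later separates write from read access under distinct reason codes (LOCKDOWN_DBG_WRITE_KERNEL / LOCKDOWN_DBG_READ_KERNEL, as far as I recall), which may be worth aligning with when this SAUCE patch is rebased. kgdb_cpu_enter begins and ends outside the hunk, and the same reasoning applies to the include hunk only insofar as `security_locked_down()` needs its header.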
@@ -60,6 +60,7 @@ const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
 [LOCKDOWN_DEBUGFS] = "debugfs access",
 [LOCKDOWN_XMON_WR] = "xmon write access",
 [LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",
+ [LOCKDOWN_KGDB] = "KDB or KGDB access",
 [LOCKDOWN_INTEGRITY_MAX] = "integrity",
 [LOCKDOWN_KCORE] = "/proc/kcore access",
 [LOCKDOWN_KPROBES] = "use of kprobes",