| Message ID | 20210312004919.669614-11-samitolvanen@google.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add support for Clang CFI | expand |
On Thu, Mar 11, 2021 at 04:49:12PM -0800, Sami Tolvanen wrote: > To ensure we take the actual address of a function in kernel text, use > __va_function. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces > the address with a pointer to the CFI jump table, which is actually in > the module when compiled with CONFIG_LKDTM=m. > > Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Kees Cook <keescook@chromium.org>
diff --git a/drivers/misc/lkdtm/usercopy.c b/drivers/misc/lkdtm/usercopy.c index 109e8d4302c1..d173d6175c87 100644 --- a/drivers/misc/lkdtm/usercopy.c +++ b/drivers/misc/lkdtm/usercopy.c @@ -314,7 +314,7 @@ void lkdtm_USERCOPY_KERNEL(void) pr_info("attempting bad copy_to_user from kernel text: %px\n", vm_mmap); - if (copy_to_user((void __user *)user_addr, vm_mmap, + if (copy_to_user((void __user *)user_addr, __va_function(vm_mmap), unconst + PAGE_SIZE)) { pr_warn("copy_to_user failed, but lacked Oops\n"); goto free_user;
To ensure we take the actual address of a function in kernel text, use __va_function. Otherwise, with CONFIG_CFI_CLANG, the compiler replaces the address with a pointer to the CFI jump table, which is actually in the module when compiled with CONFIG_LKDTM=m. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> --- drivers/misc/lkdtm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)