From patchwork Wed Mar 29 18:15:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9652185 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 32A0B602C8 for ; Wed, 29 Mar 2017 18:16:50 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1B65E28510 for ; Wed, 29 Mar 2017 18:16:50 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0E6362851A; Wed, 29 Mar 2017 18:16:50 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9EE5828510 for ; Wed, 29 Mar 2017 18:16:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=qtapIJ4Fd8M9fYWndnSkoH9txGBu7y6C1rTrrYiUEd4=; b=ic1FLYE/0S2wZFRadun1E4l70I YTVeL3PERJJnSxURePNN940U1PZPiyMetzEdxm9pEwfdszG+wl66THSDvEFVAbQFqcAPOh6hvEIF2 dFyOpdQ+tpVxCUHC7C3BXLu0H2QRvyToAwztOJDXOe+tYn5HldS8u3cyP80A5toxwYBfrggfJFl7x eJQIxJDFw6PCjS9nCh4bmTPYRwIz/JjoTlxY54wfCPaivcatuEIkKUZfkwUapbW0rdM/3C8AUoWFE ryRbcl10SOWIbUyfaOr1VgX7ewNfn3QdT0NpO28njeg8PZOsxUFtKTZqpOzXKe6Ou4C/63/w+t6vW 0BJ66grQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1ctI9H-0005CL-3Y; Wed, 29 Mar 2017 18:16:47 +0000 Received: from mail-pg0-x235.google.com ([2607:f8b0:400e:c05::235]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1ctI9D-00058D-2e for linux-arm-kernel@lists.infradead.org; Wed, 29 Mar 2017 18:16:44 +0000 Received: by mail-pg0-x235.google.com with SMTP id 81so14644515pgh.2 for ; Wed, 29 Mar 2017 11:16:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=QQdMH7itA8oUWWWKV2OmxQOAWRuaPzRbCkqICvi3DwY=; b=euwdfa+OXHna/A6nIqfjsxFrQnbMtO+XJCTNiECpM+v2exITk2WTqhKb58UW7DLpYQ iFYKaSAC8YLTw8vN6aFrp8h7D8Rl3SebuqJYNu7qvA9X7mDSY0akShTOSK9f6upHSSWm bX4ZIV18w4YbuV2eHTGhn95R7dejPm+5rEY0Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=QQdMH7itA8oUWWWKV2OmxQOAWRuaPzRbCkqICvi3DwY=; b=d8snvr+UZJcUSEw1N4v4B4iyo0vTv78EWWj7ppPhdRAAkrl5cLevV/A6+Gjb+0drIV IgpUaVeB8vB2i87SQf1BjF9PJ8k9bHEI0km3rFu5PNXkOb4RMncgP+dlEoCLWp/0tzCl 33NUE7WOPz2rh0nrOUyBVWS7YsQUJEJa3k87XYaF8YnDv0vsxyuHm8BTlBdccfEBE5FG bQ+yNQd1nwejPKJlBfbK5TfWbDT9kSbNsjVvq145TfRbzFLLKfqMUgpHAywPTkADEcsC XsypZKbDJnYN5FfUcRxgu2ve+7C5osiiiNIz3i993w5hi2XgE4xHKTf4W1IPbEuBOMml mUnw== X-Gm-Message-State: AFeK/H1OXgWJND8bMtAI8whRR/WWwKzsyKsNU2r+mh9/S2VQCKyxokHCiYFgyCf2ko6MDIto X-Received: by 10.98.102.88 with SMTP id a85mr1940197pfc.33.1490811381627; Wed, 29 Mar 2017 11:16:21 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id l1sm14924833pfk.8.2017.03.29.11.16.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 29 Mar 2017 11:16:20 -0700 (PDT) From: Kees Cook To: kernel-hardening@lists.openwall.com Subject: [RFC v2][PATCH 02/11] lkdtm: add test for rare_write() infrastructure Date: Wed, 29 Mar 2017 11:15:54 -0700 Message-Id: <1490811363-93944-3-git-send-email-keescook@chromium.org> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1490811363-93944-1-git-send-email-keescook@chromium.org> References: <1490811363-93944-1-git-send-email-keescook@chromium.org> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170329_111643_201898_ACEFA86C X-CRM114-Status: GOOD ( 15.42 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Hoeun Ryu , Kees Cook , x86@kernel.org, Russell King , linux-kernel@vger.kernel.org, Emese Revfy , Andy Lutomirski , PaX Team , linux-arm-kernel@lists.infradead.org MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP This adds the WRITE_RARE_WRITE test to validate variables marked with __wr_rare. Signed-off-by: Kees Cook --- drivers/misc/lkdtm.h | 1 + drivers/misc/lkdtm_core.c | 1 + drivers/misc/lkdtm_perms.c | 19 ++++++++++++++++++- 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 67d27be60405..d1fd5aefa235 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -39,6 +39,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void __init lkdtm_perms_init(void); void lkdtm_WRITE_RO(void); void lkdtm_WRITE_RO_AFTER_INIT(void); +void lkdtm_WRITE_RARE_WRITE(void); void lkdtm_WRITE_KERN(void); void lkdtm_EXEC_DATA(void); void lkdtm_EXEC_STACK(void); diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index b9a4cd4a9b68..ac8a55947189 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -219,6 +219,7 @@ struct crashtype crashtypes[] = { CRASHTYPE(ACCESS_USERSPACE), CRASHTYPE(WRITE_RO), CRASHTYPE(WRITE_RO_AFTER_INIT), + CRASHTYPE(WRITE_RARE_WRITE), CRASHTYPE(WRITE_KERN), CRASHTYPE(REFCOUNT_SATURATE_INC), CRASHTYPE(REFCOUNT_SATURATE_ADD), diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c index c7635a79341f..8fbadfa4cc34 100644 --- a/drivers/misc/lkdtm_perms.c +++ b/drivers/misc/lkdtm_perms.c @@ -20,12 +20,15 @@ /* This is non-const, so it will end up in the .data section. */ static u8 data_area[EXEC_SIZE]; -/* This is cost, so it will end up in the .rodata section. */ +/* This is const, so it will end up in the .rodata section. */ static const unsigned long rodata = 0xAA55AA55; /* This is marked __ro_after_init, so it should ultimately be .rodata. */ static unsigned long ro_after_init __ro_after_init = 0x55AA5500; +/* This is marked __wr_rare, so it should ultimately be .rodata. */ +static unsigned long wr_rare __wr_rare = 0xAA66AA66; + /* * This just returns to the caller. It is designed to be copied into * non-executable memory regions. @@ -103,6 +106,20 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) *ptr ^= 0xabcd1234; } +void lkdtm_WRITE_RARE_WRITE(void) +{ + /* Explicitly cast away "const" for the test. */ + unsigned long *ptr = (unsigned long *)&wr_rare; + + pr_info("attempting good rare write at %p\n", ptr); + rare_write(*ptr, 0x11335577); + if (wr_rare != 0x11335577) + pr_warn("Yikes: wr_rare did not actually change!\n"); + + pr_info("attempting bad rare write at %p\n", ptr); + *ptr ^= 0xbcd12345; +} + void lkdtm_WRITE_KERN(void) { size_t size;