From patchwork Thu Mar 23 20:34:19 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9641919 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 68B66602D6 for ; Thu, 23 Mar 2017 20:34:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 597DE283FB for ; Thu, 23 Mar 2017 20:34:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4D9702846B; Thu, 23 Mar 2017 20:34:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id DA58D283FB for ; Thu, 23 Mar 2017 20:34:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Subject:To:From :Date:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=TNb3bWrCmk2LERAtbRSgXrQ2jAXqinn3RRqXVfr+bwk=; b=ccqWiJ9HK+G20z qOvXwwVTGuZCzFqj8dBf/Rfvkzy/qM/Sxp06x8jvL45q4DyX/IaXUUW4rxu/6butGJzTtHdex1fJj aAycJWCWJ8+zGG+6/rObUGflYVSWhhsJIWVSTpnuL2STHSblw27eHHXbs503AhzWo3JoVRGHXX6JR A/BOnEr0jvERuFll8CHToX22JWSF6F4ha4uxhh6xONkIdf67XREQ1hbInqEFd0EuSb3s6t+DYgPcZ owdDorKo31ztiniHHH4o32xX67z4poeaHc3evYWPFaXKaeeDXqFOQ2ZHN5FqyzOqcBNm7OUUUmvE+ 4gKejZoJmHcVt02J5Gzg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1cr9RZ-0006eW-Nb; Thu, 23 Mar 2017 20:34:49 +0000 Received: from mail-pf0-x22e.google.com ([2607:f8b0:400e:c00::22e]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1cr9RU-0006SZ-OO for linux-arm-kernel@lists.infradead.org; Thu, 23 Mar 2017 20:34:46 +0000 Received: by mail-pf0-x22e.google.com with SMTP id 20so62608986pfk.2 for ; Thu, 23 Mar 2017 13:34:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=gEzy2u2F6PzLhRASnLDCLJg32r3/0kRaj3R1Dy3obVY=; b=DybRP5ZoJCgyI5C+4ZUpzXmYSz9RwyJjTIsL32i995Z5vVJkWtyMWZV3wXpxcp0xbG l+MiSF0FJa5VBjskBbRtXlEAHzXcQFBgGU/wYM2Lck2pt95GbhUlPcHO6qtLQ8BXgcvJ uyYKJkEziz24ju8Gtb3OxGNZzEcpql7wNxcOk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=gEzy2u2F6PzLhRASnLDCLJg32r3/0kRaj3R1Dy3obVY=; b=dI4lvlyIt3qb1EfRcWGzGJllv8xzsHkN3vvY+uJ9tebciLdIxfVGcdDkZ6V67Q44cE awIiwvJ66pBRmPiNHgqkJYSCWE8XwLcyC7dTf/CUsO9XSp7hC/7MHiVKL/ko5tAUzC9I 61KtYCVpuhN0mM2F+/7F2CnEi+uyXCGxuH1jsdTOhKWQ2qWDTHTdjA6u3QAAeU66nD3p boXTyjeR9lPIQo0WKQp9trqQoI6cRF0DA1+WoePVZjFW1nknV0NUnhl4U4wB7IhI+1cS 29STVHvNzaIR6fFhLBpHMkSFze8JKGneFjMhUm9Tjvxfys8ZMu3g8Ba41iB+Nw+4igvw qqjQ== X-Gm-Message-State: AFeK/H1IRg4uK8jag6Ktcx7wpK163mt0uDsFs8Yz51PSs1TQpMStMfTV/jgOttJ8lbGVdUky X-Received: by 10.84.229.73 with SMTP id d9mr6097192pln.177.1490301262344; Thu, 23 Mar 2017 13:34:22 -0700 (PDT) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id v9sm94813pfg.133.2017.03.23.13.34.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Mar 2017 13:34:21 -0700 (PDT) Date: Thu, 23 Mar 2017 13:34:19 -0700 From: Kees Cook To: Thomas Garnier Subject: [PATCH] lkdtm: add bad USER_DS test Message-ID: <20170323203419.GA62859@beast> MIME-Version: 1.0 Content-Disposition: inline X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170323_133444_827494_5A519441 X-CRM114-Status: GOOD ( 16.11 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , "kernel-hardening@lists.openwall.com" , Catalin Marinas , Heiko Carstens , LKML , David Howells , Dave Hansen , "H . Peter Anvin" , Ingo Molnar , Pavel Tikhomirov , "linux-s390@vger.kernel.org" , "x86@kernel.org" , Russell King , Will Deacon , Christian Borntraeger , Ingo Molnar , "Paul E . McKenney" , Stephen Smalley , Rik van Riel , Arnd Bergmann , Brian Gerst , =?iso-8859-1?Q?Ren=E9?= Nyffenegger , Borislav Petkov , Al Viro , Andy Lutomirski , Josh Poimboeuf , Thomas Gleixner , "linux-arm-kernel@lists.infradead.org" , Linux API , Oleg Nesterov , James Morse , Martin Schwidefsky , Paolo Bonzini , Andrew Morton , "Kirill A . Shutemov" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return still sees USER_DS during the new VERIFY_PRE_USERMODE_STATE checks. Signed-off-by: Kees Cook --- drivers/misc/lkdtm.h | 1 + drivers/misc/lkdtm_bugs.c | 20 ++++++++++++++++++++ drivers/misc/lkdtm_core.c | 1 + 3 files changed, 22 insertions(+) diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 67d27be60405..3b4976396ec4 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void); void lkdtm_REFCOUNT_ZERO_ADD(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); +void lkdtm_CORRUPT_USER_DS(void); /* lkdtm_heap.c */ void lkdtm_OVERWRITE_ALLOCATION(void); diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index e3f4cd8876b5..4906e53a6df3 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -8,6 +8,7 @@ #include #include #include +#include struct lkdtm_list { struct list_head node; @@ -279,3 +280,22 @@ void lkdtm_CORRUPT_LIST_DEL(void) else pr_err("list_del() corruption not detected!\n"); } + +void lkdtm_CORRUPT_USER_DS(void) +{ + /* + * Test that USER_DS has been set correctly on exiting a syscall. + * Since setting this higher than USER_DS (TASK_SIZE) would introduce + * an exploitable condition, we lower it instead, since that should + * not create as large a problem on an unprotected system. + */ + mm_segment_t lowfs; +#ifdef MAKE_MM_SEG + lowfs = MAKE_MM_SEG(TASK_SIZE - PAGE_SIZE); +#else + lowfs = TASK_SIZE - PAGE_SIZE; +#endif + + pr_info("setting bad task size limit\n"); + set_fs(lowfs); +} diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index b9a4cd4a9b68..42d2b8e31e6b 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -199,6 +199,7 @@ struct crashtype crashtypes[] = { CRASHTYPE(OVERFLOW), CRASHTYPE(CORRUPT_LIST_ADD), CRASHTYPE(CORRUPT_LIST_DEL), + CRASHTYPE(CORRUPT_USER_DS), CRASHTYPE(CORRUPT_STACK), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), CRASHTYPE(OVERWRITE_ALLOCATION),