From patchwork Mon Aug 7 20:39:48 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9886183
Date: Mon, 7 Aug 2017 13:39:48 -0700
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Mark Rutland, ard.biesheuvel@linaro.org, matt@codeblueprint.co.uk, catalin.marinas@arm.com, kernel-hardening@lists.openwall.com, will.deacon@arm.com, luto@amacapital.net, james.morse@arm.com, labbott@redhat.com, linux-arm-kernel@lists.infradead.org
Subject: [PATCH] lkdtm: Test VMAP_STACK allocates leading/trailing guard pages
Message-ID: <20170807203948.GA22298@beast>

Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING attempt to read the byte before and after, respectively, of the current stack frame, which should fault under VMAP_STACK.

Signed-off-by: Kees Cook
---
Do these tests both trip with the new arm64 VMAP_STACK code?
---
 drivers/misc/lkdtm.h      |  2 ++
 drivers/misc/lkdtm_bugs.c | 30 ++++++++++++++++++++++++++++++
 drivers/misc/lkdtm_core.c |  2 ++
 3 files changed, 34 insertions(+)

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index 063f5d651076..3c8627ca5f42 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -22,6 +22,8 @@ void lkdtm_HUNG_TASK(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); void lkdtm_CORRUPT_USER_DS(void); +void lkdtm_STACK_GUARD_PAGE_LEADING(void); +void lkdtm_STACK_GUARD_PAGE_TRAILING(void); /* lkdtm_heap.c */ void lkdtm_OVERWRITE_ALLOCATION(void); diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index ef3d06f901fc..041fe6e9532a 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -8,6 +8,7 @@ #include #include #include +#include #include struct lkdtm_list { @@ -199,6 +200,7 @@ void lkdtm_CORRUPT_LIST_DEL(void) pr_err("list_del() corruption not detected!\n"); } +/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */ void lkdtm_CORRUPT_USER_DS(void) { pr_info("setting bad task size limit\n"); @@ -207,3 +209,31 @@ void lkdtm_CORRUPT_USER_DS(void) /* Make sure we do not keep running with a KERNEL_DS! */ force_sig(SIGKILL, current); } + +/* Test that VMAP_STACK is actually allocating with a leading guard page */ +void lkdtm_STACK_GUARD_PAGE_LEADING(void) +{ + const unsigned char *stack = task_stack_page(current); + const unsigned char *ptr = stack - 1; + volatile unsigned char byte; + + pr_info("attempting bad read from page below current stack\n"); + + byte = *ptr; + + pr_err("FAIL: accessed page before stack!\n"); +} + +/* Test that VMAP_STACK is actually allocating with a trailing guard page */ +void lkdtm_STACK_GUARD_PAGE_TRAILING(void) +{ + const unsigned char *stack = task_stack_page(current); + const unsigned char *ptr = stack + THREAD_SIZE; + volatile unsigned char byte; + + pr_info("attempting bad read from page above current stack\n"); + + byte = *ptr; + + pr_err("FAIL: accessed page after stack!\n"); +} diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 51decc07eeda..9e98d7ef5503 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c 
@@ -201,6 +201,8 @@ struct crashtype crashtypes[] = { CRASHTYPE(CORRUPT_LIST_DEL), CRASHTYPE(CORRUPT_USER_DS), CRASHTYPE(CORRUPT_STACK), + CRASHTYPE(STACK_GUARD_PAGE_LEADING), + CRASHTYPE(STACK_GUARD_PAGE_TRAILING), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), CRASHTYPE(OVERWRITE_ALLOCATION), CRASHTYPE(WRITE_AFTER_FREE),
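Review bot: in the first lkdtm_bugs.c hunk the added `#include` line carries no visible header name in this copy, so the hunk alone does not show that the header being added is the one that provides task_stack_page() and THREAD_SIZE, both of which the new functions further down depend on; worth confirming the include matches those two dependencies.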
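Review bot: the comment added above lkdtm_CORRUPT_USER_DS() (`/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */`) is unrelated to the guard-page tests this patch introduces and is not mentioned in the commit message; it would be cleaner as its own one-line patch, or at least called out in the description.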
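Review bot: in lkdtm_STACK_GUARD_PAGE_LEADING() and lkdtm_STACK_GUARD_PAGE_TRAILING() the pointer arithmetic is right (`stack - 1` is the last byte of the page below the stack and `stack + THREAD_SIZE` the first byte past it, both inside the vmalloc guard pages when VMAP_STACK is on), but on a kernel built without CONFIG_VMAP_STACK those addresses are typically ordinary mapped kernel memory next to the stack, the reads succeed, and the test prints `FAIL: accessed page before stack!` although nothing is wrong with the guard pages. Consider checking `IS_ENABLED(CONFIG_VMAP_STACK)` and printing a hint in that case so the FAIL is not misread as a missing guard page. Separately, `byte` is written but never read; because it is `volatile` the compiler must keep the store and therefore the load through `ptr`, which is what makes the test work, so a short comment saying so would stop a future cleanup from removing the apparently dead assignment.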
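Review bot: the two new CRASHTYPE() entries are inserted after CRASHTYPE(CORRUPT_STACK), whereas lkdtm.h declares the prototypes immediately after lkdtm_CORRUPT_USER_DS(); keeping the same relative order in the header, in lkdtm_bugs.c and in crashtypes[] makes the three lists easier to keep in sync.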