From patchwork Mon Feb 27 20:43:00 2017
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 9594171
From: Kees Cook
To: kernel-hardening@lists.openwall.com
Cc: Kees Cook, Mark Rutland, Andy Lutomirski, Hoeun Ryu, PaX Team, Emese Revfy, Russell King, x86@kernel.org
Date: Mon, 27 Feb 2017 12:43:00 -0800
Message-Id: <1488228186-110679-3-git-send-email-keescook@chromium.org>
In-Reply-To: <1488228186-110679-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [RFC][PATCH 2/8] lkdtm: add test for rare_write() infrastructure

This adds the WRITE_RARE_WRITE test to validate variables marked with __wr_rare. This isn't the final form of the test, since right now the result is inverted from what is normally expected from LKDTM: it should BUG on success...

Signed-off-by: Kees Cook
---
 drivers/misc/lkdtm.h       |  1 +
 drivers/misc/lkdtm_core.c  |  1 +
 drivers/misc/lkdtm_perms.c | 21 ++++++++++++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index cfa1039c62e7..42b5bb1f0062 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h 
@@ -35,6 +35,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void __init lkdtm_perms_init(void); void lkdtm_WRITE_RO(void); void lkdtm_WRITE_RO_AFTER_INIT(void); +void lkdtm_WRITE_RARE_WRITE(void); void lkdtm_WRITE_KERN(void); void lkdtm_EXEC_DATA(void); void lkdtm_EXEC_STACK(void); diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 7eeb71a75549..cc5a0186d80b 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -219,6 +219,7 @@ struct crashtype crashtypes[] = { CRASHTYPE(ACCESS_USERSPACE), CRASHTYPE(WRITE_RO), CRASHTYPE(WRITE_RO_AFTER_INIT), + CRASHTYPE(WRITE_RARE_WRITE), CRASHTYPE(WRITE_KERN), CRASHTYPE(ATOMIC_UNDERFLOW), CRASHTYPE(ATOMIC_OVERFLOW), diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c index c7635a79341f..70559c76592e 100644 --- a/drivers/misc/lkdtm_perms.c +++ b/drivers/misc/lkdtm_perms.c @@ -20,12 +20,15 @@ /* This is non-const, so it will end up in the .data section. */ static u8 data_area[EXEC_SIZE]; -/* This is cost, so it will end up in the .rodata section. */ +/* This is const, so it will end up in the .rodata section. */ static const unsigned long rodata = 0xAA55AA55; /* This is marked __ro_after_init, so it should ultimately be .rodata. */ static unsigned long ro_after_init __ro_after_init = 0x55AA5500; +/* This is marked __wr_rare, so it should ultimately be .rodata. */ +static unsigned long wr_rare __wr_rare = 0xAA66AA66; + /* * This just returns to the caller. It is designed to be copied into * non-executable memory regions. 
@@ -103,6 +106,22 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) *ptr ^= 0xabcd1234; } +void lkdtm_WRITE_RARE_WRITE(void) +{ + /* Explicitly cast away "const" for the test. */ + unsigned long *ptr = (unsigned long *)&wr_rare; + +#ifdef CONFIG_HAVE_ARCH_RARE_WRITE + pr_info("attempting good rare write at %p\n", ptr); + rare_write(*ptr, 0x11335577); + if (wr_rare != 0x11335577) + pr_warn("Yikes: wr_rare did not actually change!\n"); +#endif + + pr_info("attempting bad rare write at %p\n", ptr); + *ptr ^= 0xbcd12345; +} + void lkdtm_WRITE_KERN(void) { size_t size;
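
Review bot: in the first drivers/misc/lkdtm_perms.c hunk, the "cost" to "const" fix in the rodata comment is unrelated to the new test and is not mentioned in the commit message; either split it into its own patch or note it in the changelog. In the same hunk, the new comment on wr_rare says it "should ultimately be .rodata", but lkdtm_WRITE_RARE_WRITE() treats CONFIG_HAVE_ARCH_RARE_WRITE as optional, so the comment should say where the variable is expected to land when the architecture does not provide rare_write() support.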
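
Review bot: in lkdtm_WRITE_RARE_WRITE() (last drivers/misc/lkdtm_perms.c hunk), nothing is reported when the final "*ptr ^= 0xbcd12345;" completes without faulting, so a kernel where wr_rare is still writable finishes the test with only the two pr_info lines in the log. Add a check after the direct write that emits pr_err if wr_rare changed. That check has to account for the starting value differing by configuration: 0x11335577 when the CONFIG_HAVE_ARCH_RARE_WRITE branch ran, 0xAA66AA66 otherwise. Inside the #ifdef, a failed good write only logs "Yikes: wr_rare did not actually change!" and then falls through to the bad write; returning there would keep a rare_write() failure from being mixed up with the result of the direct write. The good write also goes through the const-stripped alias, rare_write(*ptr, ...), so it is worth stating in the comment whether that or rare_write(wr_rare, ...) is the form callers are expected to use.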