From patchwork Sun Oct 22 00:22:51 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Popov X-Patchwork-Id: 10021519 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 350EF600CC for ; Sun, 22 Oct 2017 00:23:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1ED4E286F1 for ; Sun, 22 Oct 2017 00:23:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 13788288F6; Sun, 22 Oct 2017 00:23:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id C915E286F1 for ; Sun, 22 Oct 2017 00:23:51 +0000 (UTC) Received: (qmail 15494 invoked by uid 550); 22 Oct 2017 00:23:23 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 15453 invoked from network); 22 Oct 2017 00:23:21 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=BDCIuYZAQHq/z+XLgbe7Xp1pdf++X01jz9lTmwHQfmI=; b=OjUixjQqwXFqJfn8qZUk19lYV50RktMSf6GoG86sXXqGz56h53WvAnhtu8BkF71ohK Bdl3HTnsYjU4qNj9iwEuKfw1QDRZQ9wc5FmKfnogV91lbPkhIlrDn/5QfLVAjZbsbggW G0mK3KW0mj/qG5KIJt8h4pYTS6AzNWNyBKx+8sp7SGiD5EN6o3/W6X2AjUdilE5HX8+g Hd+FTpBG3uZZID/gF1Z6TFPeiyEvJfFYDDm51zHW3ydUDM9T6IU48Bwhnf5EV2/I4VzI lwlYoPPOBwXw+iMfJ0wJvwMRKj9xzAPCZ8qH8EQW4yG7rvak0Krspze5OM778anhLUzA GrBA== X-Gm-Message-State: AMCzsaVC32pOKXaLPx1rtgQwce1CfJNNsieEumq/dCSdHIe5MLUdlrDK j12clnyIpfxZiD6VTHJc2u1Xn//y X-Google-Smtp-Source: ABhQp+QPov2dO5gUNNuB+unV8XmJff4P8T6XkABOMsXYNk+mMsNByhH4Ly9hFtyAnrBdtB0uP3k+kg== X-Received: by 10.46.2.197 with SMTP id y66mr3583029lje.151.1508631789707; Sat, 21 Oct 2017 17:23:09 -0700 (PDT) From: Alexander Popov To: kernel-hardening@lists.openwall.com, keescook@chromium.org, pageexec@freemail.hu, spender@grsecurity.net, Ingo Molnar , Andy Lutomirski , tycho@docker.com, Laura Abbott , Mark Rutland , Ard Biesheuvel , Borislav Petkov , Thomas Gleixner , "H . Peter Anvin" , Peter Zijlstra , x86@kernel.org, alex.popov@linux.com Date: Sun, 22 Oct 2017 03:22:51 +0300 Message-Id: <1508631773-2502-4-git-send-email-alex.popov@linux.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1508631773-2502-1-git-send-email-alex.popov@linux.com> References: <1508631773-2502-1-git-send-email-alex.popov@linux.com> Subject: [kernel-hardening] [PATCH RFC v5 3/5] lkdtm: Add a test for STACKLEAK X-Virus-Scanned: ClamAV using ClamSMTP Introduce two lkdtm tests for the STACKLEAK feature: STACKLEAK_CHECK_ALLOCA and STACKLEAK_TRACK_STACK. Both of them check that the current task stack is properly erased (filled with STACKLEAK_POISON). In addition, STACKLEAK_CHECK_ALLOCA tests that: - check_alloca() allows alloca calls which don't exhaust the kernel stack; - alloca calls which exhaust/overflow the kernel stack hit BUG() in check_alloca(). And STACKLEAK_TRACK_STACK checks that exhausting the thread stack with a recursion is detected: - it hits the BUG() in track_stack() if CONFIG_VMAP_STACK is not enabled, - or hits the guard page otherwise. Signed-off-by: Tycho Andersen Signed-off-by: Alexander Popov --- drivers/misc/Makefile | 3 + drivers/misc/lkdtm.h | 4 ++ drivers/misc/lkdtm_core.c | 2 + drivers/misc/lkdtm_stackleak.c | 139 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 drivers/misc/lkdtm_stackleak.c diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile index d84819d..105e16e 100644 --- a/drivers/misc/Makefile +++ b/drivers/misc/Makefile @@ -63,6 +63,9 @@ lkdtm-$(CONFIG_LKDTM) += lkdtm_perms.o lkdtm-$(CONFIG_LKDTM) += lkdtm_refcount.o lkdtm-$(CONFIG_LKDTM) += lkdtm_rodata_objcopy.o lkdtm-$(CONFIG_LKDTM) += lkdtm_usercopy.o +lkdtm-$(CONFIG_LKDTM) += lkdtm_stackleak.o + +KASAN_SANITIZE_lkdtm_stackleak.o := n KCOV_INSTRUMENT_lkdtm_rodata.o := n diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index bfb6c45..5952339 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -82,4 +82,8 @@ void lkdtm_USERCOPY_STACK_FRAME_FROM(void); void lkdtm_USERCOPY_STACK_BEYOND(void); void lkdtm_USERCOPY_KERNEL(void); +/* lkdtm_stackleak.c */ +void lkdtm_STACKLEAK_CHECK_ALLOCA(void); +void lkdtm_STACKLEAK_TRACK_STACK(void); + #endif diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 981b3ef..264d948 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -251,6 +251,8 @@ struct crashtype crashtypes[] = { CRASHTYPE(USERCOPY_STACK_FRAME_FROM), CRASHTYPE(USERCOPY_STACK_BEYOND), CRASHTYPE(USERCOPY_KERNEL), + CRASHTYPE(STACKLEAK_CHECK_ALLOCA), + CRASHTYPE(STACKLEAK_TRACK_STACK), }; diff --git a/drivers/misc/lkdtm_stackleak.c b/drivers/misc/lkdtm_stackleak.c new file mode 100644 index 0000000..1f95ee3 --- /dev/null +++ b/drivers/misc/lkdtm_stackleak.c @@ -0,0 +1,139 @@ +/* + * This file tests a few aspects of the STACKLEAK feature: + * - the current task stack is properly erased (filled with STACKLEAK_POISON); + * - check_alloca() allows alloca calls which don't exhaust the kernel stack; + * - alloca calls which exhaust/overflow the kernel stack hit BUG() in + * check_alloca(); + * - exhausting the thread stack with a recursion is detected: it hits the + * BUG() in track_stack() if CONFIG_VMAP_STACK is not enabled, or hits the + * guard page otherwise. + * + * Copyright (C) Docker, Inc. 2017 + * + * Authors: + * Tycho Andersen + * Alexander Popov + */ + +#include "lkdtm.h" +#include +#include + +#ifndef CONFIG_GCC_PLUGIN_STACKLEAK +# define STACKLEAK_POISON -0xBEEF +# define CONFIG_STACKLEAK_TRACK_MIN_SIZE 100 +#endif + +static noinline bool stack_is_erased(void) +{ + unsigned long *sp, left, found, i; + + /* + * For the details about the alignment of the poison values, see + * the comment in track_stack(). + */ + sp = PTR_ALIGN(&i, sizeof(unsigned long)); + + left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long); + sp--; + + /* + * Two unsigned long ints at the bottom of the thread stack are + * reserved and not poisoned. + */ + if (left <= 2) + return false; + + left -= 2; + pr_info("checking unused part of the thread stack (%lu bytes)...\n", + left * sizeof(unsigned long)); + + /* Search for 17 poison values in a row (like erase_kstack() does) */ + for (i = 0, found = 0; i < left && found < 17; i++) { + if (*(sp - i) == STACKLEAK_POISON) + found++; + else + found = 0; + } + + if (found < 17) { + pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n", + i * sizeof(unsigned long)); + return false; + } + + pr_info("first %lu bytes are unpoisoned\n", + (i - found) * sizeof(unsigned long)); + + /* The rest of thread stack should be erased */ + for (; i < left; i++) { + if (*(sp - i) != STACKLEAK_POISON) { + pr_err("FAIL: thread stack is NOT properly erased\n"); + return false; + } + } + + pr_info("the rest of the thread stack is properly erased\n"); + return true; +} + +static noinline void do_alloca(unsigned long size) +{ + char buf[size]; + + /* So this doesn't get inlined or optimized out */ + snprintf(buf, size, "hello world\n"); +} + +void lkdtm_STACKLEAK_CHECK_ALLOCA(void) +{ + unsigned long left = (unsigned long)&left & (THREAD_SIZE - 1); + + if (!stack_is_erased()) + return; + + /* Try a small alloca to see if it works */ + pr_info("try a small alloca of 16 bytes...\n"); + do_alloca(16); + pr_info("small alloca is successful\n"); + + /* Try to hit the BUG() in check_alloca() */ + pr_info("try a large alloca of %lu bytes (stack overflow)...\n", left); + do_alloca(left); + pr_err("FAIL: large alloca overstepped the thread stack boundary\n"); +} + +/* + * The stack frame size of recursion() is bigger than the + * CONFIG_STACKLEAK_TRACK_MIN_SIZE, hence that function is instrumented + * by the STACKLEAK gcc plugin and it calls track_stack() at the beginning. + */ +static noinline unsigned long recursion(unsigned long prev_sp) +{ + char buf[CONFIG_STACKLEAK_TRACK_MIN_SIZE + 42]; + unsigned long sp = (unsigned long)&sp; + + snprintf(buf, sizeof(buf), "hello world\n"); + + if (prev_sp < sp + THREAD_SIZE) + sp = recursion(prev_sp); + + return sp; +} + +void lkdtm_STACKLEAK_TRACK_STACK(void) +{ + unsigned long sp = (unsigned long)&sp; + + if (!stack_is_erased()) + return; + + /* + * Exhaust the thread stack with a recursion. It should hit the + * BUG() in track_stack() if CONFIG_VMAP_STACK is not enabled, or + * access the guard page otherwise. + */ + pr_info("try to exhaust the thread stack with the recursion...\n"); + pr_err("FAIL: thread stack exhaustion (%lu bytes) is not detected\n", + sp - recursion(sp)); +}