X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10153299
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Linus Torvalds, David Windsor, Alexander Viro, Andrew Morton, Andy Lutomirski, Christoph Hellwig, Christoph Lameter, "David S. Miller", Laura Abbott, Mark Rutland, "Martin K. Petersen", Paolo Bonzini, Christian Borntraeger, Christoffer Dall, Dave Kleikamp, Jan Kara, Luis de Bethencourt, Marc Zyngier, Rik van Riel, Matthew Garrett, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Tue, 9 Jan 2018 12:55:32 -0800
Message-Id: <1515531365-37423-4-git-send-email-keescook@chromium.org>
In-Reply-To: <1515531365-37423-1-git-send-email-keescook@chromium.org>
References: <1515531365-37423-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 03/36] lkdtm/usercopy: Adjust test to include an offset to check reporting

Instead of doubling the size, push the start position up by 16 bytes to still trigger an overflow. This allows verifying that offset reporting is working correctly.

Signed-off-by: Kees Cook --- drivers/misc/lkdtm_usercopy.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c index a64372cc148d..9ebbb031e5e3 100644 --- a/drivers/misc/lkdtm_usercopy.c +++ b/drivers/misc/lkdtm_usercopy.c @@ -119,6 +119,8 @@ static void do_usercopy_heap_size(bool to_user) { unsigned long user_addr; unsigned char *one, *two; + void __user *test_user_addr; + void *test_kern_addr; size_t size = unconst + 1024; one = kmalloc(size, GFP_KERNEL); @@ -139,27 +141,30 @@ static void do_usercopy_heap_size(bool to_user) memset(one, 'A', size); memset(two, 'B', size); + test_user_addr = (void __user *)(user_addr + 16); + test_kern_addr = one + 16; + if (to_user) { pr_info("attempting good copy_to_user of correct size\n"); - if (copy_to_user((void __user *)user_addr, one, size)) { + if (copy_to_user(test_user_addr, test_kern_addr, size / 2)) { pr_warn("copy_to_user failed unexpectedly?!\n"); goto free_user; } pr_info("attempting bad copy_to_user of too large size\n"); - if (copy_to_user((void __user *)user_addr, one, 2 * size)) { + if (copy_to_user(test_user_addr, test_kern_addr, size)) { pr_warn("copy_to_user failed, but lacked Oops\n"); goto free_user; } } else { pr_info("attempting good copy_from_user of correct size\n"); - if (copy_from_user(one, (void __user *)user_addr, size)) { + if (copy_from_user(test_kern_addr, test_user_addr, size / 2)) { pr_warn("copy_from_user failed unexpectedly?!\n"); goto free_user; } pr_info("attempting bad copy_from_user of too large size\n"); - if (copy_from_user(one, (void __user *)user_addr, 2 * size)) { + if (copy_from_user(test_kern_addr, test_user_addr, size)) { pr_warn("copy_from_user failed, but lacked Oops\n"); goto free_user; }
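
Review bot: in the first hunk (@@ -119,6 +119,8 @@), the new locals test_user_addr and test_kern_addr are named like generic test pointers, but the second hunk only ever sets them to user_addr and one shifted by 16 bytes. A name that carries the offset, or a one-line comment at the declaration, would make it clear further down that copies through them do not start at the beginning of the allocation. Declaring test_kern_addr as unsigned char * like one and two would also keep the kernel-side pointers the same type.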
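
Review bot: in the second hunk (@@ -139,27 +141,30 @@), the bad copy_to_user()/copy_from_user() calls now run only 16 bytes past the end of the buffer (size bytes starting at one + 16), where the old 2 * size length overran it by a full size bytes. Whether the copy is still caught therefore depends on the object behind kmalloc(size, GFP_KERNEL) having less than 16 bytes of slack, so a comment stating that size is expected to match the allocator's object size would help. The literal 16 is also written twice, in user_addr + 16 and one + 16; a single named constant keeps the two offsets in step, and printing that value in the pr_info() text for the bad copy would tell whoever reads the log which offset the report should show.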