From patchwork Wed Jul 11 20:36:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Popov X-Patchwork-Id: 10520489 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2663E600CA for ; Wed, 11 Jul 2018 20:38:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0771D29265 for ; Wed, 11 Jul 2018 20:38:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EEFB728DE3; Wed, 11 Jul 2018 20:38:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00, MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 8D7E1206E2 for ; Wed, 11 Jul 2018 20:38:14 +0000 (UTC) Received: (qmail 5268 invoked by uid 550); 11 Jul 2018 20:37:55 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 5219 invoked from network); 11 Jul 2018 20:37:54 -0000 X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=aXk4wVgIkjCRIk95sL5Z9oyPA1VBSUkHoSXWH2NYE0M=; b=c0OHRy6hsjpCI0p2y2ex/m1Vg1IOcMOukQqSdLO5LGRE1GfPw7d+tkNJz1In86pc8m qvNGP2DcSX53V/UcFvGqPURPhoY44VSYpnVn3NB9QYLY6co8xqRZf21+0YA0KoDjm8rG RpRZmTEozLIr90rDEaIH2iHoxr9b+dpWdc9Nn9yQShAnH2AX9G2Mp4rGtYW1H8FTwhWz IxPH9jr7NI8uwDAzqhxwf7LCnpLcFoMr7NMhk72+M66DxyiV2dcpFW6oS4/hZY5wa1rY dFg8OdNldE4LgmGyXVmY65rFGL2TYv/T6Pm94ojR0nuBjGVQPtY3GD6/gZlL4uq5LODB oEWw== X-Gm-Message-State: AOUpUlE6so2b0NkbKUDSY+THXP4zUoN9u/0vEU56PBKw03RHUTF2brJ3 bPPWCt8oWN8bezsMMorUSFa2e9bOrz8= X-Google-Smtp-Source: AAOMgpcM2HSKgyF+upYlP1B4TdTDBnXVz9tDacTF886B6mQprtnlOQokQEnF7vLjwCtxwWEZwxHkIw== X-Received: by 2002:a19:5a56:: with SMTP id o83-v6mr102650lfb.50.1531341462912; Wed, 11 Jul 2018 13:37:42 -0700 (PDT) From: Alexander Popov To: kernel-hardening@lists.openwall.com, Kees Cook , PaX Team , Brad Spengler , Ingo Molnar , Andy Lutomirski , Tycho Andersen , Laura Abbott , Mark Rutland , Ard Biesheuvel , Borislav Petkov , Richard Sandiford , Thomas Gleixner , "H . Peter Anvin" , Peter Zijlstra , "Dmitry V . Levin" , Emese Revfy , Jonathan Corbet , Andrey Ryabinin , "Kirill A . Shutemov" , Thomas Garnier , Andrew Morton , Alexei Starovoitov , Josef Bacik , Masami Hiramatsu , Nicholas Piggin , Al Viro , "David S . Miller" , Ding Tianhong , David Woodhouse , Josh Poimboeuf , Steven Rostedt , Dominik Brodowski , Juergen Gross , Linus Torvalds , Greg Kroah-Hartman , Dan Williams , Dave Hansen , Mathias Krause , Vikas Shivappa , Kyle Huey , Dmitry Safonov , Will Deacon , Arnd Bergmann , Florian Weimer , Boris Lukashev , Andrey Konovalov , x86@kernel.org, linux-kernel@vger.kernel.org, alex.popov@linux.com Subject: [PATCH v14 4/6] lkdtm: Add a test for STACKLEAK Date: Wed, 11 Jul 2018 23:36:38 +0300 Message-Id: <1531341400-12077-5-git-send-email-alex.popov@linux.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1531341400-12077-1-git-send-email-alex.popov@linux.com> References: <1531341400-12077-1-git-send-email-alex.popov@linux.com> X-Virus-Scanned: ClamAV using ClamSMTP Introduce lkdtm tests for the STACKLEAK feature. First, all of them check that the current task stack is properly erased (filled with STACKLEAK_POISON). STACKLEAK_DEEP_RECURSION tests that exhausting the current task stack with deep recursion is detected by CONFIG_VMAP_STACK (which is implied by CONFIG_GCC_PLUGIN_STACKLEAK). STACKLEAK_BIG_ALLOCA and STACKLEAK_RECURSION_WITH_ALLOCA test that alloca() calls which overflow the kernel stack hit BUG()/panic() in stackleak_check_alloca(). Signed-off-by: Alexander Popov Signed-off-by: Tycho Andersen --- drivers/misc/lkdtm/Makefile | 2 + drivers/misc/lkdtm/core.c | 3 + drivers/misc/lkdtm/lkdtm.h | 5 ++ drivers/misc/lkdtm/stackleak.c | 146 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 156 insertions(+) create mode 100644 drivers/misc/lkdtm/stackleak.c diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile index 3370a41..951c984 100644 --- a/drivers/misc/lkdtm/Makefile +++ b/drivers/misc/lkdtm/Makefile @@ -8,7 +8,9 @@ lkdtm-$(CONFIG_LKDTM) += perms.o lkdtm-$(CONFIG_LKDTM) += refcount.o lkdtm-$(CONFIG_LKDTM) += rodata_objcopy.o lkdtm-$(CONFIG_LKDTM) += usercopy.o +lkdtm-$(CONFIG_LKDTM) += stackleak.o +KASAN_SANITIZE_stackleak.o := n KCOV_INSTRUMENT_rodata.o := n OBJCOPYFLAGS := diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index 2154d1b..9d0324a 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -183,6 +183,9 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(USERCOPY_STACK_FRAME_FROM), CRASHTYPE(USERCOPY_STACK_BEYOND), CRASHTYPE(USERCOPY_KERNEL), + CRASHTYPE(STACKLEAK_BIG_ALLOCA), + CRASHTYPE(STACKLEAK_DEEP_RECURSION), + CRASHTYPE(STACKLEAK_RECURSION_WITH_ALLOCA), }; diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 9e513dc..865a6c3 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -83,4 +83,9 @@ void lkdtm_USERCOPY_STACK_FRAME_FROM(void); void lkdtm_USERCOPY_STACK_BEYOND(void); void lkdtm_USERCOPY_KERNEL(void); +/* lkdtm_stackleak.c */ +void lkdtm_STACKLEAK_BIG_ALLOCA(void); +void lkdtm_STACKLEAK_DEEP_RECURSION(void); +void lkdtm_STACKLEAK_RECURSION_WITH_ALLOCA(void); + #endif diff --git a/drivers/misc/lkdtm/stackleak.c b/drivers/misc/lkdtm/stackleak.c new file mode 100644 index 0000000..5aecdec --- /dev/null +++ b/drivers/misc/lkdtm/stackleak.c @@ -0,0 +1,146 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * This code tests several aspects of the STACKLEAK feature: + * - the current task stack is properly erased (filled with STACKLEAK_POISON); + * - exhausting the current task stack with deep recursion is detected by + * CONFIG_VMAP_STACK (which is implied by CONFIG_GCC_PLUGIN_STACKLEAK); + * - alloca() calls which overflow the kernel stack hit BUG()/panic() in + * stackleak_check_alloca(). + * + * Authors: + * Alexander Popov + * Tycho Andersen + */ + +#include "lkdtm.h" +#include + +static noinline bool stack_is_erased(void) +{ + unsigned long *sp, left, found, i; + const unsigned long check_depth = + STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long); + + /* + * For the details about the alignment of the poison values, see + * the comment in stackleak_track_stack(). + */ + sp = PTR_ALIGN(&i, sizeof(unsigned long)); + + left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long); + sp--; + + /* + * One 'long int' at the bottom of the thread stack is reserved + * and not poisoned. + */ + if (left > 1) + left--; + else + return false; + + pr_info("checking unused part of the thread stack (%lu bytes)...\n", + left * sizeof(unsigned long)); + + /* + * Search for 'check_depth' poison values in a row (just like + * stackleak_erase() does). + */ + for (i = 0, found = 0; i < left && found <= check_depth; i++) { + if (*(sp - i) == STACKLEAK_POISON) + found++; + else + found = 0; + } + + if (found <= check_depth) { + pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n", + i * sizeof(unsigned long)); + return false; + } + + pr_info("first %lu bytes are unpoisoned\n", + (i - found) * sizeof(unsigned long)); + + /* The rest of thread stack should be erased */ + for (; i < left; i++) { + if (*(sp - i) != STACKLEAK_POISON) { + pr_err("FAIL: thread stack is NOT properly erased\n"); + return false; + } + } + + pr_info("the rest of the thread stack is properly erased\n"); + return true; +} + +static noinline void do_alloca(unsigned long size) +{ + char buf[size]; + + /* So this doesn't get inlined or optimized out */ + snprintf(buf, size, "testing alloca...\n"); +} + +void lkdtm_STACKLEAK_BIG_ALLOCA(void) +{ + if (!stack_is_erased()) + return; + + pr_info("try a small alloca() of 16 bytes...\n"); + do_alloca(16); + pr_info("small alloca() is successful\n"); + + pr_info("try alloca() over the thread stack boundary...\n"); + do_alloca(THREAD_SIZE); + pr_err("FAIL: alloca() over the thread stack boundary is NOT detected\n"); +} + +static noinline unsigned long recursion(unsigned long prev_sp, bool with_alloca) +{ + char buf[400]; + unsigned long sp = (unsigned long)&sp; + + snprintf(buf, sizeof(buf), "testing deep recursion...\n"); + + if (with_alloca) + do_alloca(400); + + if (prev_sp < sp + THREAD_SIZE) + sp = recursion(prev_sp, with_alloca); + + return sp; +} + +void lkdtm_STACKLEAK_DEEP_RECURSION(void) +{ + unsigned long sp = (unsigned long)&sp; + + if (!stack_is_erased()) + return; + + /* + * Overflow the thread stack using deep recursion. It should hit the + * guard page provided by CONFIG_VMAP_STACK (which is implied by + * CONFIG_GCC_PLUGIN_STACKLEAK). + */ + pr_info("try to overflow the thread stack using deep recursion...\n"); + pr_err("FAIL: stack depth overflow (%lu bytes) is not detected\n", + sp - recursion(sp, 0)); +} + +void lkdtm_STACKLEAK_RECURSION_WITH_ALLOCA(void) +{ + unsigned long sp = (unsigned long)&sp; + + if (!stack_is_erased()) + return; + + /* + * Overflow the thread stack using deep recursion with alloca. + * It should hit BUG()/panic() in stackleak_check_alloca(). + */ + pr_info("try to overflow the thread stack using recursion & alloca\n"); + recursion(sp, 1); + pr_err("FAIL: stack depth overflow is not detected\n"); +}