From patchwork Fri Mar 24 17:51:25 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9643487 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BF99B602C9 for ; Fri, 24 Mar 2017 17:51:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B63FD1FF87 for ; Fri, 24 Mar 2017 17:51:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AAEC72684F; Fri, 24 Mar 2017 17:51:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id DF4791FF87 for ; Fri, 24 Mar 2017 17:51:42 +0000 (UTC) Received: (qmail 30280 invoked by uid 550); 24 Mar 2017 17:51:41 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 30229 invoked from network); 24 Mar 2017 17:51:39 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=0kwpzUN0uw2S3DLIas6vPLCpBrs58fWYscoNrcXwjeE=; b=ZlWz3tx4Nj2UptqAB/9vQfrN2Y9Tpr1FYNUtVKZQ8N7jZF1nlTQWsfoxgww6Jj1+Xp e7MN1a7+FUcHkXms93ibRqHVCCGHqN3T7/jQ/+LxOu/9ClVC/QBPTSNMUFUYLIFgmOx6 jcPD9yqYigKbRA5MZWL5gnX/oGNc60LYd+gg8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=0kwpzUN0uw2S3DLIas6vPLCpBrs58fWYscoNrcXwjeE=; b=pNeotv1A5hRqIIc3e7ffaMGEQuoQhtrnMegbiYC74YjmbvfjetAlaaOMeKdOD8j0TO rEHLlb3UlvQa5an/8oEP4Fcsofbn1hj6nF0kAe4ITihxZfOr/OSdsTZqtVPU0/XJ5k7Y NgO+Jh8EjFj2krMPCpRpBk1ykOC4dobDSt7c1NpGFARoqfomyp3iZh2khx2B0GKBEQXF wM/ipzGyqTHqfiioJy8Tsd+vy64O4xMMIL+N9t3Sq/JGLL/0tWsmuM1fm+tdG46Xsw5W 55mPa7wShbtCzY538B0o9LWgysDM2ilDlN2Ua8Q0rQgR9hXyqOcVg4f7/hm4maw7aJ6k vL/A== X-Gm-Message-State: AFeK/H3s7txn0K1vRWE2WlQvzkWTRZeSN5wmN5JLp9X7IFHxnODcyOb4RXJX6aXoxZYAIAoE X-Received: by 10.99.102.134 with SMTP id a128mr10293363pgc.215.1490377887452; Fri, 24 Mar 2017 10:51:27 -0700 (PDT) Date: Fri, 24 Mar 2017 10:51:25 -0700 From: Kees Cook To: Thomas Garnier Cc: Heiko Carstens , Christian Borntraeger , "linux-s390@vger.kernel.org" , LKML , "x86@kernel.org" , "linux-arm-kernel@lists.infradead.org" , "kernel-hardening@lists.openwall.com" Message-ID: <20170324175125.GA108985@beast> MIME-Version: 1.0 Content-Disposition: inline Subject: [kernel-hardening] [PATCH v2] lkdtm: add bad USER_DS test X-Virus-Scanned: ClamAV using ClamSMTP This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Signed-off-by: Kees Cook --- drivers/misc/lkdtm.h | 1 + drivers/misc/lkdtm_bugs.c | 11 +++++++++++ drivers/misc/lkdtm_core.c | 1 + 3 files changed, 13 insertions(+) diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 67d27be60405..3b4976396ec4 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void); void lkdtm_REFCOUNT_ZERO_ADD(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); +void lkdtm_CORRUPT_USER_DS(void); /* lkdtm_heap.c */ void lkdtm_OVERWRITE_ALLOCATION(void); diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index e3f4cd8876b5..ed4f4c56c796 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -8,6 +8,8 @@ #include #include #include +#include +#include struct lkdtm_list { struct list_head node; @@ -279,3 +281,12 @@ void lkdtm_CORRUPT_LIST_DEL(void) else pr_err("list_del() corruption not detected!\n"); } + +void lkdtm_CORRUPT_USER_DS(void) +{ + pr_info("setting bad task size limit\n"); + set_fs(KERNEL_DS); + + /* Make sure we do not keep running with a KERNEL_DS! */ + force_sig(SIGKILL, current); +} diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index b9a4cd4a9b68..42d2b8e31e6b 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -199,6 +199,7 @@ struct crashtype crashtypes[] = { CRASHTYPE(OVERFLOW), CRASHTYPE(CORRUPT_LIST_ADD), CRASHTYPE(CORRUPT_LIST_DEL), + CRASHTYPE(CORRUPT_USER_DS), CRASHTYPE(CORRUPT_STACK), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), CRASHTYPE(OVERWRITE_ALLOCATION),