From patchwork Mon Aug 7 20:39:48 2017 X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9886131 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Delivered-To: mailing list kernel-hardening@lists.openwall.com
Date: Mon, 7 Aug 2017 13:39:48 -0700 From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Mark Rutland , ard.biesheuvel@linaro.org, catalin.marinas@arm.com, james.morse@arm.com, labbott@redhat.com, luto@amacapital.net, matt@codeblueprint.co.uk, will.deacon@arm.com, kernel-hardening@lists.openwall.com, linux-arm-kernel@lists.infradead.org Message-ID: <20170807203948.GA22298@beast> Subject: [kernel-hardening] [PATCH] lkdtm: Test VMAP_STACK allocates leading/trailing guard pages Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING attempt to read the byte before and after, respectively, of the current stack frame, which should fault under VMAP_STACK. Signed-off-by: Kees Cook --- Do these tests both trip with the new arm64 VMAP_STACK code? --- drivers/misc/lkdtm.h | 2 ++ drivers/misc/lkdtm_bugs.c | 30 ++++++++++++++++++++++++++++++ drivers/misc/lkdtm_core.c | 2 ++ 3 files changed, 34 insertions(+) diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 063f5d651076..3c8627ca5f42 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h 
@@ -22,6 +22,8 @@ void lkdtm_HUNG_TASK(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); void lkdtm_CORRUPT_USER_DS(void); +void lkdtm_STACK_GUARD_PAGE_LEADING(void); +void lkdtm_STACK_GUARD_PAGE_TRAILING(void); /* lkdtm_heap.c */ void lkdtm_OVERWRITE_ALLOCATION(void); diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index ef3d06f901fc..041fe6e9532a 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -8,6 +8,7 @@ #include #include #include +#include #include struct lkdtm_list { @@ -199,6 +200,7 @@ void lkdtm_CORRUPT_LIST_DEL(void) pr_err("list_del() corruption not detected!\n"); } +/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */ void lkdtm_CORRUPT_USER_DS(void) { pr_info("setting bad task size limit\n"); @@ -207,3 +209,31 @@ void lkdtm_CORRUPT_USER_DS(void) /* Make sure we do not keep running with a KERNEL_DS! */ force_sig(SIGKILL, current); } + +/* Test that VMAP_STACK is actually allocating with a leading guard page */ +void lkdtm_STACK_GUARD_PAGE_LEADING(void) +{ + const unsigned char *stack = task_stack_page(current); + const unsigned char *ptr = stack - 1; + volatile unsigned char byte; + + pr_info("attempting bad read from page below current stack\n"); + + byte = *ptr; + + pr_err("FAIL: accessed page before stack!\n"); +} + +/* Test that VMAP_STACK is actually allocating with a trailing guard page */ +void lkdtm_STACK_GUARD_PAGE_TRAILING(void) +{ + const unsigned char *stack = task_stack_page(current); + const unsigned char *ptr = stack + THREAD_SIZE; + volatile unsigned char byte; + + pr_info("attempting bad read from page above current stack\n"); + + byte = *ptr; + + pr_err("FAIL: accessed page after stack!\n"); +} diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 51decc07eeda..9e98d7ef5503 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c 
@@ -201,6 +201,8 @@ struct crashtype crashtypes[] = { CRASHTYPE(CORRUPT_LIST_DEL), CRASHTYPE(CORRUPT_USER_DS), CRASHTYPE(CORRUPT_STACK), + CRASHTYPE(STACK_GUARD_PAGE_LEADING), + CRASHTYPE(STACK_GUARD_PAGE_TRAILING), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), CRASHTYPE(OVERWRITE_ALLOCATION), CRASHTYPE(WRITE_AFTER_FREE),
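Review bot: The lkdtm_bugs.c hunks bundle an unrelated change: the new comment above lkdtm_CORRUPT_USER_DS() (`+/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */`) has nothing to do with the guard-page tests and is not mentioned in the changelog, so either drop it or carry it in its own patch so that the commit description matches what the diff touches. In the same file, the added `+#include` line has lost its header name in this extracted view, so it cannot be confirmed here that it is the header that supplies task_stack_page() and THREAD_SIZE for the two new functions; please double-check that the include matches what those helpers need.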
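Review bot: In lkdtm_STACK_GUARD_PAGE_LEADING() and lkdtm_STACK_GUARD_PAGE_TRAILING() the pass condition is an implicit one: the read of `*ptr` at `stack - 1` or `stack + THREAD_SIZE` is expected to fault, and only reaching `pr_err("FAIL: accessed page before stack!\n")` (or the "after stack" variant) signals a problem. That should be spelled out in the function comments, together with the fact that on a kernel without VMAP_STACK these one-byte reads land in whatever neighbours the stack allocation and the tests print FAIL rather than oops, so a reader of the lkdtm output knows which outcome means what. The LEADING case also deserves a sentence on what it actually checks: the byte below the stack base belongs to whatever precedes the stack mapping, so a fault there depends on the preceding region being unmapped rather than on a guard page the stack allocation itself asked for; stating that assumption answers the "do both trip on arm64?" question in the cover text more precisely than the test output alone can. The `volatile unsigned char byte;` local is the right way to keep the load from being optimized away and needs no change.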
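Review bot: Minor ordering nit in the lkdtm_core.c hunk: the two new `CRASHTYPE(STACK_GUARD_PAGE_LEADING)` / `CRASHTYPE(STACK_GUARD_PAGE_TRAILING)` entries are inserted after `CRASHTYPE(CORRUPT_STACK)`, whereas the lkdtm.h hunk declares the matching prototypes directly after lkdtm_CORRUPT_USER_DS(). Keeping the crashtypes[] order and the header order the same makes it easier to verify that every declared test is registered; placing the prototypes after lkdtm_CORRUPT_STACK()'s entry in the header (or the CRASHTYPE entries after CORRUPT_USER_DS) would line them up.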