From patchwork Thu Aug 13 15:19:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Popov X-Patchwork-Id: 11712593 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CF74C739 for ; Thu, 13 Aug 2020 15:19:52 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A52A1207DA for ; Thu, 13 Aug 2020 15:19:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A52A1207DA Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id B4D256B0022; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id AD1AF8D0002; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9C0AC6B0024; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0034.hostedemail.com [216.40.44.34]) by kanga.kvack.org (Postfix) with ESMTP id 868556B0022 for ; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 3BC7B348D for ; Thu, 13 Aug 2020 15:19:51 +0000 (UTC) X-FDA: 77145905382.04.humor38_120ded526ff5 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin04.hostedemail.com (Postfix) with ESMTP id C99888003406 for ; Thu, 13 Aug 2020 15:19:47 +0000 (UTC) X-Spam-Summary: 1,0,0,c70790f7aaa8ed98,d41d8cd98f00b204,a13xp0p0v88@gmail.com,,RULES_HIT:41:355:379:541:800:960:966:973:988:989:1260:1311:1314:1345:1359:1431:1437:1515:1535:1542:1711:1730:1747:1777:1792:2196:2199:2393:2559:2562:3138:3139:3140:3141:3142:3353:3865:3867:3870:3871:3872:3874:4117:4321:4385:5007:6120:6261:6737:6738:7901:7903:8531:9040:10004:11026:11473:11658:11914:12043:12048:12291:12297:12438:12517:12519:12555:12683:12895:13894:14181:14394:14721:21080:21444:21451:21627:21990:30012:30054:30056,0,RBL:209.85.128.65:@gmail.com:.lbl8.mailshell.net-66.100.201.100 62.50.0.100;04ygg3k9usz3ekex7s537oaq93atbopeko1h66okyf9iernrwcdi5dro43x5w6y.56bwr7oaq6bo5ksp6uwjnwork15xpymbo3zx4hky8x9c4yca6muyeg38qzwxj5a.a-lbl8.mailshell.net-223.238.255.100,CacheIP:none,Bayesian:0.5,0.5,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:fp,MSBL:0,DNSBL:neutral,Custom_rules:0:0:0,LFtime:24,LUA_SUMMARY:none X-HE-Tag: humor38_120ded526ff5 X-Filterd-Recvd-Size: 6049 Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com [209.85.128.65]) by imf47.hostedemail.com (Postfix) with ESMTP for ; Thu, 13 Aug 2020 15:19:47 +0000 (UTC) Received: by mail-wm1-f65.google.com with SMTP id 3so5404398wmi.1 for ; Thu, 13 Aug 2020 08:19:47 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sWVYbnLUoQh2/bQ8PJoxS/2ocrG/gYbDVzBuksdzAMQ=; b=r4dGulmfFvUGljyDLWmuVSHbjg5rBpILYcFsc/Vt8dy3p78B5KgA1bUddm5oDJ2sgj beB/3R3oQLqa0/MLIBE0vBnnD9j2VOqGIEUg6idXAHDPGqx1UCfD0kfSFasK6gZCaYJy ZJzLHYiCLugfP9M7Y1Hk/gWffXuigcmjQoHT1jtqDMN/7xxdBPL3zat7QRbiFS0SgLWW AuwX2KZENm/mfDIAKTLvMdwUKmFmZFrOvZEhOcY4EPmDv4HJpsk0rVRWB4v2KSlyxAbK X++jQnqsdzXnuBHlGZizJoSxORmVsX+eVPfLvcKKZ83aO1SzzGFtHY73RBikiiUj75o2 XJyg== X-Gm-Message-State: AOAM530z7O+STBoGMUlMEvcm6gYlcCXuWXjM/ReB+G+TM1jlUBTW6Fzh GjjTNzXiP9pevqhK19OpZ14= X-Google-Smtp-Source: ABdhPJwKxFGbrbkYgxZpXwjaDbyI5I0M4/6XBG+VYoGVV0KtiAQ9ydy+etzJBWJI2Bu24vC6GiUcYw== X-Received: by 2002:a1c:de88:: with SMTP id v130mr4675656wmg.98.1597331986347; Thu, 13 Aug 2020 08:19:46 -0700 (PDT) Received: from localhost.localdomain ([185.248.161.177]) by smtp.gmail.com with ESMTPSA id d23sm10394044wmd.27.2020.08.13.08.19.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Aug 2020 08:19:45 -0700 (PDT) From: Alexander Popov To: Kees Cook , Jann Horn , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , kasan-dev@googlegroups.com, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Alexander Popov Cc: notify@kernel.org Subject: [PATCH RFC 2/2] lkdtm: Add heap spraying test Date: Thu, 13 Aug 2020 18:19:22 +0300 Message-Id: <20200813151922.1093791-3-alex.popov@linux.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200813151922.1093791-1-alex.popov@linux.com> References: <20200813151922.1093791-1-alex.popov@linux.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: C99888003406 X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam03 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Add a simple test for CONFIG_SLAB_QUARANTINE. It performs heap spraying that aims to reallocate the recently freed heap object. This technique is used for exploiting use-after-free vulnerabilities in the kernel code. This test shows that CONFIG_SLAB_QUARANTINE breaks heap spraying exploitation technique. Signed-off-by: Alexander Popov --- drivers/misc/lkdtm/core.c | 1 + drivers/misc/lkdtm/heap.c | 40 ++++++++++++++++++++++++++++++++++++++ drivers/misc/lkdtm/lkdtm.h | 1 + 3 files changed, 42 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index a5e344df9166..78b7669c35eb 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -126,6 +126,7 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(SLAB_FREE_DOUBLE), CRASHTYPE(SLAB_FREE_CROSS), CRASHTYPE(SLAB_FREE_PAGE), + CRASHTYPE(HEAP_SPRAY), CRASHTYPE(SOFTLOCKUP), CRASHTYPE(HARDLOCKUP), CRASHTYPE(SPINLOCKUP), diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c index 1323bc16f113..a72a241e314a 100644 --- a/drivers/misc/lkdtm/heap.c +++ b/drivers/misc/lkdtm/heap.c @@ -205,6 +205,46 @@ static void ctor_a(void *region) static void ctor_b(void *region) { } +#define HEAP_SPRAY_SIZE 128 + +void lkdtm_HEAP_SPRAY(void) +{ + int *addr; + int *spray_addrs[HEAP_SPRAY_SIZE] = { 0 }; + unsigned long i = 0; + + addr = kmem_cache_alloc(a_cache, GFP_KERNEL); + if (!addr) { + pr_info("Unable to allocate memory in lkdtm-heap-a cache\n"); + return; + } + + *addr = 0x31337; + kmem_cache_free(a_cache, addr); + + pr_info("Performing heap spraying...\n"); + for (i = 0; i < HEAP_SPRAY_SIZE; i++) { + spray_addrs[i] = kmem_cache_alloc(a_cache, GFP_KERNEL); + *spray_addrs[i] = 0x31337; + pr_info("attempt %lu: spray alloc addr %p vs freed addr %p\n", + i, spray_addrs[i], addr); + if (spray_addrs[i] == addr) { + pr_info("freed addr is reallocated!\n"); + break; + } + } + + if (i < HEAP_SPRAY_SIZE) + pr_info("FAIL! Heap spraying succeed :(\n"); + else + pr_info("OK! Heap spraying hasn't succeed :)\n"); + + for (i = 0; i < HEAP_SPRAY_SIZE; i++) { + if (spray_addrs[i]) + kmem_cache_free(a_cache, spray_addrs[i]); + } +} + void __init lkdtm_heap_init(void) { double_free_cache = kmem_cache_create("lkdtm-heap-double_free", diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 8878538b2c13..dfafb4ae6f3a 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -45,6 +45,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void lkdtm_SLAB_FREE_DOUBLE(void); void lkdtm_SLAB_FREE_CROSS(void); void lkdtm_SLAB_FREE_PAGE(void); +void lkdtm_HEAP_SPRAY(void); /* lkdtm_perms.c */ void __init lkdtm_perms_init(void);