From patchwork Mon Jan 20 04:54:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 11341013 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 46C72139A for ; Mon, 20 Jan 2020 04:54:51 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 79258207FD for ; Mon, 20 Jan 2020 04:54:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=axtens.net header.i=@axtens.net header.b="HErB6DHE" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 79258207FD Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17591-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 20362 invoked by uid 550); 20 Jan 2020 04:54:47 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 20263 invoked from network); 20 Jan 2020 04:54:46 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Q4BdOeTArsFeOLkWOltqSDzbsVTMB1DhmfQ/wMwlBh8=; b=HErB6DHEz05P7HfbSHsadDt8p5fu0zb0K6lg8oXEJnO41RWGDIlURmCpHZMTZ1p2RD 01u3IvBgZfq1nalGmcYXCjIz9gSELXL+VnGjSurFstSztcmbs5HpPdgXgOHP+YQKzkfM KVCbFl4TYZfxOxvs8kOGuWPANzXITXNZiP9UA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Q4BdOeTArsFeOLkWOltqSDzbsVTMB1DhmfQ/wMwlBh8=; b=ohXhvU387BirsWGNo1txjd9uD6aZ4X2k9Dvz7OU/JHFOy9+bZuG5aPCOsZIqag4P58 Yad3Wr8OAf0XGiNX/gxZUfgJSDjXe+VOe3m7ecal8qne0TRkbUt6pcermPkdOI160vMz D0DY5QebRd1RHMZhsbwbWeATVAkRoIOA8ufbE5oczlsc2uOZsLNCqxMCPrQFv7QGutdd OPCjIGFnyKQs+bEs0hK73NGvKCx+Q6DIzQTugZciaOIwDdngdUwRH8uIRlt+jvC0tNFR 7Z9+j/4U64x/AWE/dpaH2YzjwiG8k3dbrPpEiX5Qm80epJIJDV6L0tx5k5dvToLgOOmY uh7g== X-Gm-Message-State: APjAAAX1aZ+AeQlUBNyUJHBU07ls/qYWdsq1CMQ/Zwh3ogtGmrt0BwAm tSB+5d1LJqGbq6HzkRlqYImFU5F2YZo= X-Google-Smtp-Source: APXvYqxxSXSgIxfhFcLiHJlvxq3iD1FqCPObTaUjZE58C8mVflHN8qdOZfOJ60P3mb5NTZuthE/ttA== X-Received: by 2002:a17:90a:e2ce:: with SMTP id fr14mr20743857pjb.99.1579496074078; Sun, 19 Jan 2020 20:54:34 -0800 (PST) From: Daniel Axtens To: kernel-hardening@lists.openwall.com, akpm@linux-foundation.org, keescook@chromium.org Cc: linux-kernel@vger.kernel.org, Daniel Axtens , Daniel Micay Subject: [PATCH v2 1/2] string.h: detect intra-object overflow in fortified string functions Date: Mon, 20 Jan 2020 15:54:23 +1100 Message-Id: <20200120045424.16147-2-dja@axtens.net> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200120045424.16147-1-dja@axtens.net> References: <20200120045424.16147-1-dja@axtens.net> MIME-Version: 1.0 When the fortify feature was first introduced in commit 6974f0c4555e ("include/linux/string.h: add the option of fortified string.h functions"), Daniel Micay observed: * It should be possible to optionally use __builtin_object_size(x, 1) for some functions (C strings) to detect intra-object overflows (like glibc's _FORTIFY_SOURCE=2), but for now this takes the conservative approach to avoid likely compatibility issues. This is a case that often cannot be caught by KASAN. Consider: struct foo { char a[10]; char b[10]; } void test() { char *msg; struct foo foo; msg = kmalloc(16, GFP_KERNEL); strcpy(msg, "Hello world!!"); // this copy overwrites foo.b strcpy(foo.a, msg); } The questionable copy overflows foo.a and writes to foo.b as well. It cannot be detected by KASAN. Currently it is also not detected by fortify, because strcpy considers __builtin_object_size(x, 0), which considers the size of the surrounding object (here, struct foo). However, if we switch the string functions over to use __builtin_object_size(x, 1), the compiler will measure the size of the closest surrounding subobject (here, foo.a), rather than the size of the surrounding object as a whole. See https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html for more info. Only do this for string functions: we cannot use it on things like memcpy, memmove, memcmp and memchr_inv due to code like this which purposefully operates on multiple structure members: (arch/x86/kernel/traps.c) /* * regs->sp points to the failing IRET frame on the * ESPFIX64 stack. Copy it to the entry stack. This fills * in gpregs->ss through gpregs->ip. * */ memmove(&gpregs->ip, (void *)regs->sp, 5*8); This change passes an allyesconfig on powerpc and x86, and an x86 kernel built with it survives running with syz-stress from syzkaller, so it seems safe so far. Cc: Daniel Micay Cc: Kees Cook Reviewed-by: Kees Cook Signed-off-by: Daniel Axtens --- include/linux/string.h | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/include/linux/string.h b/include/linux/string.h index 3b8e8b12dd37..e7f34c3113f8 100644 --- a/include/linux/string.h +++ b/include/linux/string.h @@ -319,7 +319,7 @@ void __write_overflow(void) __compiletime_error("detected write beyond size of o #if !defined(__NO_FORTIFY) && defined(__OPTIMIZE__) && defined(CONFIG_FORTIFY_SOURCE) __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) { - size_t p_size = __builtin_object_size(p, 0); + size_t p_size = __builtin_object_size(p, 1); if (__builtin_constant_p(size) && p_size < size) __write_overflow(); if (p_size < size) @@ -329,7 +329,7 @@ __FORTIFY_INLINE char *strncpy(char *p, const char *q, __kernel_size_t size) __FORTIFY_INLINE char *strcat(char *p, const char *q) { - size_t p_size = __builtin_object_size(p, 0); + size_t p_size = __builtin_object_size(p, 1); if (p_size == (size_t)-1) return __builtin_strcat(p, q); if (strlcat(p, q, p_size) >= p_size) @@ -340,7 +340,7 @@ __FORTIFY_INLINE char *strcat(char *p, const char *q) __FORTIFY_INLINE __kernel_size_t strlen(const char *p) { __kernel_size_t ret; - size_t p_size = __builtin_object_size(p, 0); + size_t p_size = __builtin_object_size(p, 1); /* Work around gcc excess stack consumption issue */ if (p_size == (size_t)-1 || @@ -355,7 +355,7 @@ __FORTIFY_INLINE __kernel_size_t strlen(const char *p) extern __kernel_size_t __real_strnlen(const char *, __kernel_size_t) __RENAME(strnlen); __FORTIFY_INLINE __kernel_size_t strnlen(const char *p, __kernel_size_t maxlen) { - size_t p_size = __builtin_object_size(p, 0); + size_t p_size = __builtin_object_size(p, 1); __kernel_size_t ret = __real_strnlen(p, maxlen < p_size ? maxlen : p_size); if (p_size <= ret && maxlen != ret) fortify_panic(__func__); @@ -367,8 +367,8 @@ extern size_t __real_strlcpy(char *, const char *, size_t) __RENAME(strlcpy); __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) { size_t ret; - size_t p_size = __builtin_object_size(p, 0); - size_t q_size = __builtin_object_size(q, 0); + size_t p_size = __builtin_object_size(p, 1); + size_t q_size = __builtin_object_size(q, 1); if (p_size == (size_t)-1 && q_size == (size_t)-1) return __real_strlcpy(p, q, size); ret = strlen(q); @@ -388,8 +388,8 @@ __FORTIFY_INLINE size_t strlcpy(char *p, const char *q, size_t size) __FORTIFY_INLINE char *strncat(char *p, const char *q, __kernel_size_t count) { size_t p_len, copy_len; - size_t p_size = __builtin_object_size(p, 0); - size_t q_size = __builtin_object_size(q, 0); + size_t p_size = __builtin_object_size(p, 1); + size_t q_size = __builtin_object_size(q, 1); if (p_size == (size_t)-1 && q_size == (size_t)-1) return __builtin_strncat(p, q, count); p_len = strlen(p); @@ -502,11 +502,16 @@ __FORTIFY_INLINE void *kmemdup(const void *p, size_t size, gfp_t gfp) /* defined after fortified strlen and memcpy to reuse them */ __FORTIFY_INLINE char *strcpy(char *p, const char *q) { - size_t p_size = __builtin_object_size(p, 0); - size_t q_size = __builtin_object_size(q, 0); + size_t p_size = __builtin_object_size(p, 1); + size_t q_size = __builtin_object_size(q, 1); + size_t size; if (p_size == (size_t)-1 && q_size == (size_t)-1) return __builtin_strcpy(p, q); - memcpy(p, q, strlen(q) + 1); + size = strlen(q) + 1; + /* test here to use the more stringent object size */ + if (p_size < size) + fortify_panic(__func__); + memcpy(p, q, size); return p; } From patchwork Mon Jan 20 04:54:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Axtens X-Patchwork-Id: 11341015 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id ECEC0921 for ; Mon, 20 Jan 2020 04:54:57 +0000 (UTC) Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.kernel.org (Postfix) with SMTP id 570F1207FD for ; Mon, 20 Jan 2020 04:54:57 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=axtens.net header.i=@axtens.net header.b="oHxM02Cr" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 570F1207FD Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=axtens.net Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kernel-hardening-return-17592-patchwork-kernel-hardening=patchwork.kernel.org@lists.openwall.com Received: (qmail 21860 invoked by uid 550); 20 Jan 2020 04:54:51 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 21716 invoked from network); 20 Jan 2020 04:54:50 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=axtens.net; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=pOmFCBblhkqj3gkmP+37nPe0hJ5NkRyIggkMoZ1sHnY=; b=oHxM02Cr48GBC2n2ErbUXAGiQbp9a9tIcZ01GW7OKYJz7SZdJx/qhAqSqjyNPLtZHc iXgHOE9I9QQlka8lEeceHuV/2cuIprxB8oep2Vgu9GlkUbjY9SELUov3xaKqMu7+FpNS NJ3D9mZpMq9jHjQyR1ePY6oL3wPxcf7nalshU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pOmFCBblhkqj3gkmP+37nPe0hJ5NkRyIggkMoZ1sHnY=; b=sCnXbU4JQ73RuPUj3b5zKVErXd3ps5BkYv0sPE2D0IehYOh/WUXW2aRR8buG5NBmZg eWXdynrWb8ctUpdPrgZZsDEfG0oHhsVeFhdUDfzyFmzCTqjZjIR6DNNF62H2VKRCQcrN 4U8BUIP9uRKpU6nDEgPWGDJaM27OIMv5kot+88Q7RMH7bYBx22R3CjmTPfI/ywZWzu5c l70NRySVlCKaCMESjAE4QmnFGMiqfLkrxPpUaKtfIAt+yTF21hz+FsnBE07fG6/7EQt3 u8LBU7eQZ1Px2M07Wx/rnruVzlMzY7tzrHMNqpH6CtuEfvRXhnpLv0C5b9V9Cimv6bFJ P3hQ== X-Gm-Message-State: APjAAAX5Uk+16S0zrcGJq9dyD81PW3UB1ha88MK1uVE7Duc0j3OfPeSs qsHxMV8nAoimo1Mzm8MMYF+lo70wf1o= X-Google-Smtp-Source: APXvYqx7MFbc9YXjaXN7u01v6rADAHDuX6xKBxQb86CEcWZHxmIXyxvsRMsN6v83PEIaZCaoJ+1MrA== X-Received: by 2002:a63:a4b:: with SMTP id z11mr56030367pgk.97.1579496078651; Sun, 19 Jan 2020 20:54:38 -0800 (PST) From: Daniel Axtens To: kernel-hardening@lists.openwall.com, akpm@linux-foundation.org, keescook@chromium.org Cc: linux-kernel@vger.kernel.org, Daniel Axtens Subject: [PATCH v2 2/2] lkdtm: tests for FORTIFY_SOURCE Date: Mon, 20 Jan 2020 15:54:24 +1100 Message-Id: <20200120045424.16147-3-dja@axtens.net> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200120045424.16147-1-dja@axtens.net> References: <20200120045424.16147-1-dja@axtens.net> MIME-Version: 1.0 Add code to test both: - runtime detection of the overrun of a structure. This covers the __builtin_object_size(x, 0) case. This test is called FORTIFY_OBJECT. - runtime detection of the overrun of a char array within a structure. This covers the __builtin_object_size(x, 1) case which can be used for some string functions. This test is called FORTIFY_SUBOBJECT. Suggested-by: Kees Cook Reviewed-by: Kees Cook Signed-off-by: Daniel Axtens --- drivers/misc/lkdtm/bugs.c | 51 ++++++++++++++++++++++++++++++++++++++ drivers/misc/lkdtm/core.c | 2 ++ drivers/misc/lkdtm/lkdtm.h | 2 ++ 3 files changed, 55 insertions(+) diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c index a4fdad04809a..77bf01ce7e0c 100644 --- a/drivers/misc/lkdtm/bugs.c +++ b/drivers/misc/lkdtm/bugs.c @@ -11,6 +11,7 @@ #include #include #include +#include #ifdef CONFIG_X86_32 #include @@ -376,3 +377,53 @@ void lkdtm_DOUBLE_FAULT(void) panic("tried to double fault but didn't die\n"); } #endif + +void lkdtm_FORTIFY_OBJECT(void) +{ + struct target { + char a[10]; + } target[2] = {}; + int result; + + /* + * Using volatile prevents the compiler from determining the value of + * 'size' at compile time. Without that, we would get a compile error + * rather than a runtime error. + */ + volatile int size = 11; + + pr_info("trying to read past the end of a struct\n"); + + result = memcmp(&target[0], &target[1], size); + + /* Print result to prevent the code from being eliminated */ + pr_err("FAIL: fortify did not catch an object overread!\n" + "\"%d\" was the memcmp result.\n", result); +} + +void lkdtm_FORTIFY_SUBOBJECT(void) +{ + struct target { + char a[10]; + char b[10]; + } target; + char *src; + + src = kmalloc(20, GFP_KERNEL); + strscpy(src, "over ten bytes", 20); + + pr_info("trying to strcpy past the end of a member of a struct\n"); + + /* + * strncpy(target.a, src, 20); will hit a compile error because the + * compiler knows at build time that target.a < 20 bytes. Use strcpy() + * to force a runtime error. + */ + strcpy(target.a, src); + + /* Use target.a to prevent the code from being eliminated */ + pr_err("FAIL: fortify did not catch an sub-object overrun!\n" + "\"%s\" was copied.\n", target.a); + + kfree(src); +} diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index ee0d6e721441..78d22a23b4f9 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -117,6 +117,8 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(STACK_GUARD_PAGE_TRAILING), CRASHTYPE(UNSET_SMEP), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), + CRASHTYPE(FORTIFY_OBJECT), + CRASHTYPE(FORTIFY_SUBOBJECT), CRASHTYPE(OVERWRITE_ALLOCATION), CRASHTYPE(WRITE_AFTER_FREE), CRASHTYPE(READ_AFTER_FREE), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index c56d23e37643..13f13421dc19 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -31,6 +31,8 @@ void lkdtm_UNSET_SMEP(void); #ifdef CONFIG_X86_32 void lkdtm_DOUBLE_FAULT(void); #endif +void lkdtm_FORTIFY_OBJECT(void); +void lkdtm_FORTIFY_SUBOBJECT(void); /* lkdtm_heap.c */ void __init lkdtm_heap_init(void);