From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Kees Cook <keescook@chromium.org>,
	Muhammad Usama Anjum <usama.anjum@collabora.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.14 02/25] lkdtm/usercopy: Expand size of "out of frame" object
Date: Tue,  7 Jun 2022 14:02:03 -0400
Message-ID: <20220607180229.482040-2-sashal@kernel.org>
In-Reply-To: <20220607180229.482040-1-sashal@kernel.org>

From: Kees Cook <keescook@chromium.org>

[ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ]

To be sufficiently out of range for the usercopy test to see the lifetime
mismatch, expand the size of the "bad" buffer, which will let it be
beyond current_stack_pointer regardless of stack growth direction.
Paired with the recent addition of stack depth checking under
CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again.

Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/lkdtm_usercopy.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c
index a64372cc148d..178b55141772 100644
--- a/drivers/misc/lkdtm_usercopy.c
+++ b/drivers/misc/lkdtm_usercopy.c
@@ -30,12 +30,12 @@ static const unsigned char test_text[] = "This is a test.\n";
  */
 static noinline unsigned char *trick_compiler(unsigned char *stack)
 {
-	return stack + 0;
+	return stack + unconst;
 }
 
 static noinline unsigned char *do_usercopy_stack_callee(int value)
 {
-	unsigned char buf[32];
+	unsigned char buf[128];
 	int i;
 
 	/* Exercise stack to avoid everything living in registers. */
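Review bot: `trick_compiler()` now adds `unconst`, but nothing in this hunk declares it and the 4.14 tree still uses the pre-refactor `drivers/misc/lkdtm_usercopy.c` layout rather than `drivers/misc/lkdtm/usercopy.c`; before this AUTOSEL pick is queued, confirm that a compiler-opaque `unconst` is visible from this file in 4.14 or the backport will fail to build. The intent is sound: `stack + 0` is trivially foldable, so an opaque zero is what keeps the compiler from seeing through the pointer laundering and optimizing the lifetime mismatch away. Growing `buf` from 32 to 128 bytes quadruples this callee's frame, which is the point of the change, but worth a sentence in the log for the stable tree since lkdtm is often run on small-stack configurations.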
@@ -43,7 +43,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value)
 		buf[i] = value & 0xff;
 	}
 
-	return trick_compiler(buf);
+	/*
+	 * Put the target buffer in the middle of stack allocation
+	 * so that we don't step on future stack users regardless
+	 * of stack growth direction.
+	 */
+	return trick_compiler(&buf[(128/2)-32]);
 }
 
 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
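Review bot: `&buf[(128/2)-32]` hard-codes both the array size and the copy length (the 32 that matches `good_stack` in the caller), so the two literals can drift apart silently if either declaration changes; prefer `&buf[(sizeof(buf) / 2) - 32]`, or better a shared constant for the test object size used by both `buf` and `good_stack`. As written the target occupies bytes 32..63 of a 128-byte array, so the later `sizeof(good_stack)`-byte copy stays inside `buf` in either growth direction, which is what the new comment promises; a brief note that the offset must keep `sizeof(good_stack)` bytes of slack on both sides would make that invariant explicit for the next editor.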
@@ -66,6 +71,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
 		bad_stack -= sizeof(unsigned long);
 	}
 
+#ifdef ARCH_HAS_CURRENT_STACK_POINTER
+	pr_info("stack     : %px\n", (void *)current_stack_pointer);
+#endif
+	pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
+	pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
+
 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
 			    PROT_READ | PROT_WRITE | PROT_EXEC,
 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
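Review bot: the `pr_info("stack ...")` line is guarded by `#ifdef ARCH_HAS_CURRENT_STACK_POINTER`, which the 4.14 tree does not define, so on this branch the stack-pointer line compiles out and only the two range lines print; that is harmless, but it also means the "paired with the recent addition of stack depth checking" sentence in the log describes a usercopy change that is not in 4.14, and the reviewer should confirm the backport still has value on its own (it does: the larger frame alone makes the "bad frame" test object more clearly out of range). Two smaller points: `bad_stack + sizeof(good_stack)` is correct because the copy length is `sizeof(good_stack)`, not the callee's buffer, and a comment saying so would stop a future "fix" to `sizeof(bad_stack)`; and `%px` deliberately prints unhashed kernel addresses, which is acceptable for a crash-test module like lkdtm but should not be copied into production drivers, where `%p` hashing exists to keep stack layout out of the log.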
-- 
2.35.1

