From: kpark3469@gmail.com
To: kernel-hardening@lists.openwall.com
Cc: catalin.marinas@arm.com, keescook@chromium.org,
will.deacon@arm.com, mark.rutland@arm.com, james.morse@arm.com,
panand@redhat.com, keun-o.park@darkmatter.ae
Subject: [kernel-hardening] [PATCH v3 3/3] lkdtm: add tests for dynamic array in local stack
Date: Sun, 5 Feb 2017 16:14:10 +0400
Message-ID: <1486296850-16045-3-git-send-email-kpark3469@gmail.com>
In-Reply-To: <1486296850-16045-2-git-send-email-kpark3469@gmail.com>
From: Sahara <keun-o.park@darkmatter.ae>
This seems an unusual case in the kernel. But when an array is
dynamically created, this variable can be placed ahead of the
current frame pointer. This patch tests this dynamic array case.
Signed-off-by: Sahara <keun-o.park@darkmatter.ae>
Reported-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Suggested-by: Kees Cook <keescook@chromium.org>
---
drivers/misc/lkdtm_usercopy.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c
index 1dd6114..898a323 100644
--- a/drivers/misc/lkdtm_usercopy.c
+++ b/drivers/misc/lkdtm_usercopy.c
@@ -7,6 +7,7 @@
#include <linux/vmalloc.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
+#include <linux/random.h>
#include <asm/cacheflush.h>
/*
@@ -33,7 +34,14 @@ static noinline unsigned char *trick_compiler(unsigned char *stack)
static noinline unsigned char *do_usercopy_stack_callee(int value)
{
- unsigned char buf[32];
+ /*
+ * buf[128] is big enough to put it in the position ahead of
+ * check_stack_object()'s frame pointer. Because dynamically allocated
+ * array can be placed between check_stack_object()'s frame pointer and
+ * do_usercopy_stack()'s frame pointer, we need an object which exists
+ * ahead of check_stack_object()'s frame pointer.
+ */
+ unsigned char buf[128];
int i;
/* Exercise stack to avoid everything living in registers. */
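Review bot: the comment justifying buf[128] ties the test to one particular stack frame layout but does not say which architecture and compiler it was verified against; since this series targets arm64 (patch 2/3 of the same thread), please state that in the comment, because with a different arch, compiler version or inlining decision buf may no longer sit ahead of check_stack_object()'s frame pointer and the test would silently stop exercising the intended path rather than fail.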
@@ -49,6 +57,7 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
unsigned long user_addr;
unsigned char good_stack[32];
unsigned char *bad_stack;
+ unsigned int array_size;
int i;
/* Exercise stack to avoid everything living in registers. */
@@ -72,7 +81,9 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
return;
}
+ array_size = get_random_int() & 0x0f;
if (to_user) {
+ unsigned char array[array_size];
pr_info("attempting good copy_to_user of local stack\n");
if (copy_to_user((void __user *)user_addr, good_stack,
unconst + sizeof(good_stack))) {
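Review bot: `array_size = get_random_int() & 0x0f;` can evaluate to 0, and a zero-length variable-length array (`unsigned char array[array_size];`) is undefined behaviour in C; in that case sizeof(array) is also 0 and both new "good copy" tests copy nothing and prove nothing. Suggest `array_size = (get_random_int() & 0x0f) + 1;` so the array is always 1..16 bytes, and consider including the chosen size in the pr_info output so a failing run can be reproduced.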
@@ -80,6 +91,13 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
goto free_user;
}
+ pr_info("attempting good copy_to_user of callee stack\n");
+ if (copy_to_user((void __user *)user_addr, array,
+ unconst + sizeof(array))) {
+ pr_warn("copy_to_user failed unexpectedly?!\n");
+ goto free_user;
+ }
+
pr_info("attempting bad copy_to_user of distant stack\n");
if (copy_to_user((void __user *)user_addr, bad_stack,
unconst + sizeof(good_stack))) {
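Review bot: `array` is never initialized before `copy_to_user((void __user *)user_addr, array, unconst + sizeof(array))`, so this copies uninitialized kernel stack bytes to userspace; fill it first (the same loop pattern used to exercise good_stack, or `memset(array, 0, sizeof(array))`) so the test does not itself leak stack contents. Also, the message "attempting good copy_to_user of callee stack" is misleading: `array` is a variable-length array in do_usercopy_stack()'s own frame, not in a callee's frame; "dynamic array on local stack" would match the subject line and the commit message.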
@@ -87,6 +105,7 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
goto free_user;
}
} else {
+ unsigned char array[array_size];
/*
* There isn't a safe way to not be protected by usercopy
* if we're going to write to another thread's stack.
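Review bot: this is the second identical `unsigned char array[array_size];` declaration; since array_size is computed before the if/else, one declaration placed right after that assignment would serve both branches and avoid the duplication. If keeping the VLA inside each branch is deliberate so that it lands in a specific position relative to the frame pointer, a comment at the declaration should say so, otherwise the next reader will hoist it.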
@@ -101,6 +120,13 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
goto free_user;
}
+ pr_info("attempting good copy_from_user of callee stack\n");
+ if (copy_from_user(array, (void __user *)user_addr,
+ unconst + sizeof(array))) {
+ pr_warn("copy_from_user failed unexpectedly?!\n");
+ goto free_user;
+ }
+
pr_info("attempting bad copy_from_user of distant stack\n");
if (copy_from_user(bad_stack, (void __user *)user_addr,
unconst + sizeof(good_stack))) {
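Review bot: same naming issue as the copy_to_user branch: "attempting good copy_from_user of callee stack" describes `array` wrongly, since it is a VLA in this function's frame rather than a callee's. The bytes copied into `array` are never read afterwards, so a short comment stating that the only thing being checked is that the usercopy stack validation accepts a dynamically sized local object would make the intent of the test clear.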
--
2.7.4
Thread overview: 12+ messages
2017-02-05 12:14 [kernel-hardening] [PATCH v3 1/3] usercopy: create enum stack_type kpark3469
2017-02-05 12:14 ` [kernel-hardening] [PATCH v3 2/3] arm64: usercopy: Implement stack frame object validation kpark3469
2017-02-05 12:14 ` kpark3469 [this message]
2017-02-06 22:22 ` [kernel-hardening] Re: [PATCH v3 3/3] lkdtm: add tests for dynamic array in local stack Kees Cook
2017-02-06 22:34 ` [kernel-hardening] Re: [PATCH v3 2/3] arm64: usercopy: Implement stack frame object validation Kees Cook
2017-02-07 10:19 ` James Morse
2017-02-07 17:03 ` James Morse
2017-02-07 18:13 ` Kees Cook
2017-02-08 11:16 ` James Morse
2017-02-08 21:38 ` Kees Cook
2017-02-16 17:38 ` James Morse
2017-02-06 22:23 ` [kernel-hardening] Re: [PATCH v3 1/3] usercopy: create enum stack_type Kees Cook