From: Alexander Popov <alex.popov@linux.com>
To: kernel-hardening@lists.openwall.com,
Kees Cook <keescook@chromium.org>,
PaX Team <pageexec@freemail.hu>,
Brad Spengler <spender@grsecurity.net>,
Ingo Molnar <mingo@kernel.org>, Andy Lutomirski <luto@kernel.org>,
Tycho Andersen <tycho@tycho.ws>,
Laura Abbott <labbott@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Borislav Petkov <bp@alien8.de>,
Richard Sandiford <richard.sandiford@arm.com>,
Thomas Gleixner <tglx@linutronix.de>,
"H . Peter Anvin" <hpa@zytor.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
"Dmitry V . Levin" <ldv@altlinux.org>,
Emese Revfy <re.emese@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
Thomas Garnier <thgarnie@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Alexei Starovoitov <ast@kernel.org>, Josef Bacik <jbacik@fb.com>,
Masami Hiramatsu <mhiramat@kernel.org>,
Nicholas Piggin <npiggin@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
"David S . Miller" <davem@davemloft.net>,
Ding Tianhong <dingtianhong@huawei.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Steven Rostedt <rostedt@goodmis.org>,
Dominik Brodowski <linux@dominikbrodowski.net>,
Juergen Gross <jgross@suse.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mathias Krause <minipli@googlemail.com>,
Vikas Shivappa <vikas.shivappa@linux.intel.com>,
Kyle Huey <me@kylehuey.com>,
Dmitry Safonov <dsafonov@virtuozzo.com>,
Will Deacon <will.deacon@arm.com>, Arnd Bergmann <arnd@arndb.de>,
Florian Weimer <fweimer@redhat.com>,
Boris Lukashev <blukashev@sempervictus.com>,
x86@kernel.org, linux-kernel@vger.kernel.org,
alex.popov@linux.com
Subject: [PATCH RFC v10 4/6] lkdtm: Add a test for STACKLEAK
Date: Wed, 28 Mar 2018 22:57:10 +0300 [thread overview]
Message-ID: <1522267032-6603-5-git-send-email-alex.popov@linux.com> (raw)
In-Reply-To: <1522267032-6603-1-git-send-email-alex.popov@linux.com>
Introduce two lkdtm tests for the STACKLEAK feature: STACKLEAK_ALLOCA
and STACKLEAK_DEEP_RECURSION. Both of them check that the current task
stack is properly erased (filled with STACKLEAK_POISON).
STACKLEAK_ALLOCA tests that:
- check_alloca() allows alloca calls which don't exhaust the kernel stack;
- alloca calls which exhaust/overflow the kernel stack hit BUG() in
check_alloca().
STACKLEAK_DEEP_RECURSION tests that exhausting the current task stack
with a deep recursion is detected by CONFIG_VMAP_STACK (which is implied
by CONFIG_GCC_PLUGIN_STACKLEAK).
Signed-off-by: Tycho Andersen <tycho@tycho.ws>
Signed-off-by: Alexander Popov <alex.popov@linux.com>
---
drivers/misc/Makefile | 3 +
drivers/misc/lkdtm.h | 4 ++
drivers/misc/lkdtm_core.c | 2 +
drivers/misc/lkdtm_stackleak.c | 141 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 150 insertions(+)
create mode 100644 drivers/misc/lkdtm_stackleak.c
diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile
index c3c8624..2b11823 100644
--- a/drivers/misc/Makefile
+++ b/drivers/misc/Makefile
@@ -65,6 +65,9 @@ lkdtm-$(CONFIG_LKDTM) += lkdtm_perms.o
lkdtm-$(CONFIG_LKDTM) += lkdtm_refcount.o
lkdtm-$(CONFIG_LKDTM) += lkdtm_rodata_objcopy.o
lkdtm-$(CONFIG_LKDTM) += lkdtm_usercopy.o
+lkdtm-$(CONFIG_LKDTM) += lkdtm_stackleak.o
+
+KASAN_SANITIZE_lkdtm_stackleak.o := n
KCOV_INSTRUMENT_lkdtm_rodata.o := n
diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index 9e513dc..4b2b8e3 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -83,4 +83,8 @@ void lkdtm_USERCOPY_STACK_FRAME_FROM(void);
void lkdtm_USERCOPY_STACK_BEYOND(void);
void lkdtm_USERCOPY_KERNEL(void);
+/* lkdtm_stackleak.c */
+void lkdtm_STACKLEAK_ALLOCA(void);
+void lkdtm_STACKLEAK_DEEP_RECURSION(void);
+
#endif
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index 2154d1b..c37fd85 100644
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -183,6 +183,8 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(USERCOPY_STACK_FRAME_FROM),
CRASHTYPE(USERCOPY_STACK_BEYOND),
CRASHTYPE(USERCOPY_KERNEL),
+ CRASHTYPE(STACKLEAK_ALLOCA),
+ CRASHTYPE(STACKLEAK_DEEP_RECURSION),
};
diff --git a/drivers/misc/lkdtm_stackleak.c b/drivers/misc/lkdtm_stackleak.c
new file mode 100644
index 0000000..4706595
--- /dev/null
+++ b/drivers/misc/lkdtm_stackleak.c
@@ -0,0 +1,141 @@
+/*
+ * This code tests several aspects of the STACKLEAK feature:
+ * - the current task stack is properly erased (filled with STACKLEAK_POISON);
+ * - check_alloca() allows alloca calls which don't exhaust the kernel stack;
+ * - alloca calls which exhaust/overflow the kernel stack hit BUG() in
+ * check_alloca();
+ * - exhausting the current task stack with a deep recursion is detected by
+ * CONFIG_VMAP_STACK (which is implied by CONFIG_GCC_PLUGIN_STACKLEAK).
+ *
+ * Authors:
+ * Tycho Andersen <tycho@tycho.ws>
+ * Alexander Popov <alex.popov@linux.com>
+ */
+
+#include "lkdtm.h"
+#include <linux/sched.h>
+#include <linux/compiler.h>
+
+#ifndef CONFIG_STACKLEAK_TRACK_MIN_SIZE
+# define CONFIG_STACKLEAK_TRACK_MIN_SIZE 0
+#endif
+
+static noinline bool stack_is_erased(void)
+{
+ unsigned long *sp, left, found, i;
+ const unsigned long check_depth = STACKLEAK_POISON_CHECK_DEPTH /
+ sizeof(unsigned long);
+
+ /*
+ * For the details about the alignment of the poison values, see
+ * the comment in track_stack().
+ */
+ sp = PTR_ALIGN(&i, sizeof(unsigned long));
+
+ left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long);
+ sp--;
+
+ /*
+ * One long int at the bottom of the thread stack is reserved
+ * and not poisoned.
+ */
+ if (left > 1)
+ left--;
+ else
+ return false;
+
+ pr_info("checking unused part of the thread stack (%lu bytes)...\n",
+ left * sizeof(unsigned long));
+
+ /*
+ * Search for check_depth poison values in a row (just like
+ * erase_kstack() does).
+ */
+ for (i = 0, found = 0; i < left && found <= check_depth; i++) {
+ if (*(sp - i) == STACKLEAK_POISON)
+ found++;
+ else
+ found = 0;
+ }
+
+ if (found <= check_depth) {
+ pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n",
+ i * sizeof(unsigned long));
+ return false;
+ }
+
+ pr_info("first %lu bytes are unpoisoned\n",
+ (i - found) * sizeof(unsigned long));
+
+ /* The rest of thread stack should be erased */
+ for (; i < left; i++) {
+ if (*(sp - i) != STACKLEAK_POISON) {
+ pr_err("FAIL: thread stack is NOT properly erased\n");
+ return false;
+ }
+ }
+
+ pr_info("the rest of the thread stack is properly erased\n");
+ return true;
+}
+
+static noinline void do_alloca(unsigned long size)
+{
+ char buf[size];
+
+ /* So this doesn't get inlined or optimized out */
+ snprintf(buf, size, "testing alloca...\n");
+}
+
+void lkdtm_STACKLEAK_ALLOCA(void)
+{
+ unsigned long left = (unsigned long)&left & (THREAD_SIZE - 1);
+
+ if (!stack_is_erased())
+ return;
+
+ /* Try a small alloca to see if it works */
+ pr_info("try a small alloca of 16 bytes...\n");
+ do_alloca(16);
+ pr_info("small alloca is successful\n");
+
+ /* Try to hit the BUG() in check_alloca() */
+ pr_info("try a large alloca of %lu bytes (stack overflow)...\n", left);
+ do_alloca(left);
+ pr_err("FAIL: large alloca overstepped the thread stack boundary\n");
+}
+
+/*
+ * The stack frame size of recursion() is bigger than the
+ * CONFIG_STACKLEAK_TRACK_MIN_SIZE, hence that function is instrumented
+ * by the STACKLEAK gcc plugin and it calls track_stack() at the beginning.
+ */
+static noinline unsigned long recursion(unsigned long prev_sp)
+{
+ char buf[CONFIG_STACKLEAK_TRACK_MIN_SIZE + 42];
+ unsigned long sp = (unsigned long)&sp;
+
+ snprintf(buf, sizeof(buf), "testing deep recursion...\n");
+
+ if (prev_sp < sp + THREAD_SIZE)
+ sp = recursion(prev_sp);
+
+ return sp;
+}
+
+void lkdtm_STACKLEAK_DEEP_RECURSION(void)
+{
+ unsigned long sp = (unsigned long)&sp;
+
+ if (!stack_is_erased())
+ return;
+
+ /*
+ * Exhaust the thread stack with a deep recursion. It should hit the
+ * guard page provided by CONFIG_VMAP_STACK (which is implied by
+ * CONFIG_GCC_PLUGIN_STACKLEAK).
+ */
+ pr_info("try to exhaust the thread stack with a deep recursion...\n");
+ pr_err("FAIL: thread stack exhaustion (%lu bytes) is not detected\n",
+ sp - recursion(sp));
+}
--
2.7.4
next prev parent reply other threads:[~2018-03-28 19:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-28 19:57 [PATCH RFC v10 0/6] Introduce the STACKLEAK feature and a test for it Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 1/6] gcc-plugins: Clean up the cgraph_create_edge* macros Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 2/6] x86/entry: Add STACKLEAK erasing the kernel stack at the end of syscalls Alexander Popov
2018-03-28 22:55 ` Dave Hansen
2018-03-29 6:58 ` Alexander Popov
2018-03-29 13:51 ` Dave Hansen
[not found] ` <CAFUG7Cd7cSqSHCrqxKUFwBBQLuix0Mi5-=V6pq_U7KtFh20Kqg@mail.gmail.com>
2018-03-29 20:56 ` Alexander Popov
2018-03-29 21:00 ` Dave Hansen
[not found] ` <alpine.DEB.2.10.1803291137150.27913@vshiva-Udesk>
2018-03-29 21:34 ` Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 3/6] gcc-plugins: Add STACKLEAK plugin for tracking the kernel stack Alexander Popov
2018-03-28 19:57 ` Alexander Popov [this message]
2018-03-28 19:57 ` [PATCH RFC v10 5/6] fs/proc: Show STACKLEAK metrics in the /proc file system Alexander Popov
2018-03-28 19:57 ` [PATCH RFC v10 6/6] doc: self-protection: Add information about STACKLEAK feature Alexander Popov
2018-03-28 20:13 ` [PATCH RFC v10 0/6] Introduce the STACKLEAK feature and a test for it Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1522267032-6603-5-git-send-email-alex.popov@linux.com \
--to=alex.popov@linux.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=aryabinin@virtuozzo.com \
--cc=ast@kernel.org \
--cc=blukashev@sempervictus.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=davem@davemloft.net \
--cc=dingtianhong@huawei.com \
--cc=dsafonov@virtuozzo.com \
--cc=dwmw@amazon.co.uk \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jbacik@fb.com \
--cc=jgross@suse.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kirill.shutemov@linux.intel.com \
--cc=labbott@redhat.com \
--cc=ldv@altlinux.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=me@kylehuey.com \
--cc=mhiramat@kernel.org \
--cc=mingo@kernel.org \
--cc=minipli@googlemail.com \
--cc=npiggin@gmail.com \
--cc=pageexec@freemail.hu \
--cc=re.emese@gmail.com \
--cc=richard.sandiford@arm.com \
--cc=rostedt@goodmis.org \
--cc=spender@grsecurity.net \
--cc=tglx@linutronix.de \
--cc=thgarnie@google.com \
--cc=tycho@tycho.ws \
--cc=vikas.shivappa@linux.intel.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox