From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934679AbdCWUe0 (ORCPT ); Thu, 23 Mar 2017 16:34:26 -0400 Received: from mail-pf0-f171.google.com ([209.85.192.171]:32916 "EHLO mail-pf0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754465AbdCWUeX (ORCPT ); Thu, 23 Mar 2017 16:34:23 -0400 Date: Thu, 23 Mar 2017 13:34:19 -0700 From: Kees Cook To: Thomas Garnier Cc: Martin Schwidefsky , Heiko Carstens , David Howells , Arnd Bergmann , Dave Hansen , Al Viro , Thomas Gleixner , =?iso-8859-1?Q?Ren=E9?= Nyffenegger , Andrew Morton , "Paul E . McKenney" , Ingo Molnar , Oleg Nesterov , Pavel Tikhomirov , Stephen Smalley , Ingo Molnar , "H . Peter Anvin" , Andy Lutomirski , Paolo Bonzini , Rik van Riel , Josh Poimboeuf , Borislav Petkov , Brian Gerst , "Kirill A . Shutemov" , Christian Borntraeger , Russell King , Will Deacon , Catalin Marinas , Mark Rutland , James Morse , "linux-s390@vger.kernel.org" , LKML , Linux API , "x86@kernel.org" , "linux-arm-kernel@lists.infradead.org" , "kernel-hardening@lists.openwall.com" Subject: [PATCH] lkdtm: add bad USER_DS test Message-ID: <20170323203419.GA62859@beast> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return still sees USER_DS during the new VERIFY_PRE_USERMODE_STATE checks. Signed-off-by: Kees Cook --- drivers/misc/lkdtm.h | 1 + drivers/misc/lkdtm_bugs.c | 20 ++++++++++++++++++++ drivers/misc/lkdtm_core.c | 1 + 3 files changed, 22 insertions(+) diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 67d27be60405..3b4976396ec4 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void); void lkdtm_REFCOUNT_ZERO_ADD(void); void lkdtm_CORRUPT_LIST_ADD(void); void lkdtm_CORRUPT_LIST_DEL(void); +void lkdtm_CORRUPT_USER_DS(void); /* lkdtm_heap.c */ void lkdtm_OVERWRITE_ALLOCATION(void); diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index e3f4cd8876b5..4906e53a6df3 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -8,6 +8,7 @@ #include #include #include +#include struct lkdtm_list { struct list_head node; @@ -279,3 +280,22 @@ void lkdtm_CORRUPT_LIST_DEL(void) else pr_err("list_del() corruption not detected!\n"); } + +void lkdtm_CORRUPT_USER_DS(void) +{ + /* + * Test that USER_DS has been set correctly on exiting a syscall. + * Since setting this higher than USER_DS (TASK_SIZE) would introduce + * an exploitable condition, we lower it instead, since that should + * not create as large a problem on an unprotected system. + */ + mm_segment_t lowfs; +#ifdef MAKE_MM_SEG + lowfs = MAKE_MM_SEG(TASK_SIZE - PAGE_SIZE); +#else + lowfs = TASK_SIZE - PAGE_SIZE; +#endif + + pr_info("setting bad task size limit\n"); + set_fs(lowfs); +} diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index b9a4cd4a9b68..42d2b8e31e6b 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -199,6 +199,7 @@ struct crashtype crashtypes[] = { CRASHTYPE(OVERFLOW), CRASHTYPE(CORRUPT_LIST_ADD), CRASHTYPE(CORRUPT_LIST_DEL), + CRASHTYPE(CORRUPT_USER_DS), CRASHTYPE(CORRUPT_STACK), CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE), CRASHTYPE(OVERWRITE_ALLOCATION), -- 2.7.4 -- Kees Cook Pixel Security