* [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates
@ 2016-02-26 0:36 Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test Laura Abbott
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Laura Abbott @ 2016-02-26 0:36 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Kees Cook
Cc: Laura Abbott, linux-kernel, kernel-hardening
Hi,
This is v2 of the LKDTM test update. This is mostly taking the updates
Kees gave for the previous series and bringing it in.
Laura Abbott (3):
lkdtm: Add READ_AFTER_FREE test
lkdtm: Update WRITE_AFTER_FREE test
lkdtm: Add read/write after free tests for buddy memory
drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 95 insertions(+), 3 deletions(-)
--
2.5.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test
2016-02-26 0:36 [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates Laura Abbott
@ 2016-02-26 0:36 ` Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCH 2/3] lkdtm: Update WRITE_AFTER_FREE test Laura Abbott
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Laura Abbott @ 2016-02-26 0:36 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Kees Cook
Cc: Laura Abbott, linux-kernel, kernel-hardening
In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
test to test free poisoning features. Sample output when
no sanitization is present:
# echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
[ 17.543866] lkdtm: Value in memory before free: 12345678
[ 17.545212] lkdtm: Attempting bad read from freed memory
[ 17.546542] lkdtm: Memory was not poisoned
with slub_debug=P:
# echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
[ 22.416366] lkdtm: Value in memory before free: 12345678
[ 22.417137] lkdtm: Attempting bad read from freed memory
[ 22.417897] lkdtm: Memory correctly poisoned, calling BUG
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
v4: Tweak the output as per the suggestion of Kees. Add explicit BUG for
failure.
---
drivers/misc/lkdtm.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 11fdadc..8de4746 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -92,6 +92,7 @@ enum ctype {
CT_UNALIGNED_LOAD_STORE_WRITE,
CT_OVERWRITE_ALLOCATION,
CT_WRITE_AFTER_FREE,
+ CT_READ_AFTER_FREE,
CT_SOFTLOCKUP,
CT_HARDLOCKUP,
CT_SPINLOCKUP,
@@ -129,6 +130,7 @@ static char* cp_type[] = {
"UNALIGNED_LOAD_STORE_WRITE",
"OVERWRITE_ALLOCATION",
"WRITE_AFTER_FREE",
+ "READ_AFTER_FREE",
"SOFTLOCKUP",
"HARDLOCKUP",
"SPINLOCKUP",
@@ -417,6 +419,42 @@ static void lkdtm_do_action(enum ctype which)
memset(data, 0x78, len);
break;
}
+ case CT_READ_AFTER_FREE: {
+ int *base, *val, saw;
+ size_t len = 1024;
+ /*
+ * The slub allocator uses the first word to store the free
+ * pointer in some configurations. Use the middle of the
+ * allocation to avoid running into the freelist
+ */
+ size_t offset = (len / sizeof(*base)) / 2;
+
+ base = kmalloc(len, GFP_KERNEL);
+ if (!base)
+ break;
+
+ val = kmalloc(len, GFP_KERNEL);
+ if (!val)
+ break;
+
+ *val = 0x12345678;
+ base[offset] = *val;
+ pr_info("Value in memory before free: %x\n", base[offset]);
+
+ kfree(base);
+
+ pr_info("Attempting bad read from freed memory\n");
+ saw = base[offset];
+ if (saw != *val) {
+ /* Good! Poisoning happened, so declare a win. */
+ pr_info("Memory correctly poisoned, calling BUG\n");
+ BUG();
+ }
+ pr_info("Memory was not poisoned\n");
+
+ kfree(val);
+ break;
+ }
case CT_SOFTLOCKUP:
preempt_disable();
for (;;)
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [kernel-hardening] [PATCH 2/3] lkdtm: Update WRITE_AFTER_FREE test
2016-02-26 0:36 [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test Laura Abbott
@ 2016-02-26 0:36 ` Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv2 3/3] lkdtm: Add read/write after free tests for buddy memory Laura Abbott
2016-02-26 21:39 ` [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates Kees Cook
3 siblings, 0 replies; 7+ messages in thread
From: Laura Abbott @ 2016-02-26 0:36 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Kees Cook
Cc: Laura Abbott, linux-kernel, kernel-hardening
The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a big more information.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
drivers/misc/lkdtm.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 8de4746..a00a2b1 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -411,12 +411,21 @@ static void lkdtm_do_action(enum ctype which)
break;
}
case CT_WRITE_AFTER_FREE: {
+ int *base;
size_t len = 1024;
- u32 *data = kmalloc(len, GFP_KERNEL);
+ /*
+ * The slub allocator uses the first word to store the free
+ * pointer in some configurations. Use the middle of the
+ * allocation to avoid running into the freelist
+ */
+ size_t offset = (len / sizeof(*base)) / 2;
- kfree(data);
- schedule();
- memset(data, 0x78, len);
+ base = kmalloc(len, GFP_KERNEL);
+ pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
+ kfree(base);
+ pr_info("Attempting bad write to freed memory at %p\n",
+ &base[offset]);
+ base[offset] = 0x0abcdef0;
break;
}
case CT_READ_AFTER_FREE: {
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [kernel-hardening] [PATCHv2 3/3] lkdtm: Add read/write after free tests for buddy memory
2016-02-26 0:36 [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCH 2/3] lkdtm: Update WRITE_AFTER_FREE test Laura Abbott
@ 2016-02-26 0:36 ` Laura Abbott
2016-02-26 21:39 ` [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates Kees Cook
3 siblings, 0 replies; 7+ messages in thread
From: Laura Abbott @ 2016-02-26 0:36 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Kees Cook
Cc: Laura Abbott, linux-kernel, kernel-hardening
The current tests for read/write after free work on slab
allocated memory. Memory straight from the buddy allocator
may behave slightly differently and have a different set
of parameters to test. Add tests for those cases as well.
On a basic x86 boot:
# echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[ 22.292983] lkdtm: Writing to the buddy page before free
[ 22.293950] lkdtm: Attempting bad write to the buddy page after free
# echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[ 32.379896] lkdtm: Value in memory before free: 12345678
[ 32.383854] lkdtm: Attempting to read from freed memory
[ 32.389309] lkdtm: Buddy page was not poisoned
On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:
# echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[ 17.477360] lkdtm: Writing to the buddy page before free
[ 17.479089] lkdtm: Attempting bad write to the buddy page after free
[ 17.480904] BUG: unable to handle kernel paging request at
ffff88000ebd8000
# echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[ 14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[ 14.607447] lkdtm: Value in memory before free: 12345678
[ 14.608161] lkdtm: Attempting to read from freed memory
[ 14.608860] BUG: unable to handle kernel paging request at
ffff88000eba3000
Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
produce the same crash.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
v2: Output updates per the suggestion of Kees
---
drivers/misc/lkdtm.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index a00a2b1..8e00e2e 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -93,6 +93,8 @@ enum ctype {
CT_OVERWRITE_ALLOCATION,
CT_WRITE_AFTER_FREE,
CT_READ_AFTER_FREE,
+ CT_WRITE_BUDDY_AFTER_FREE,
+ CT_READ_BUDDY_AFTER_FREE,
CT_SOFTLOCKUP,
CT_HARDLOCKUP,
CT_SPINLOCKUP,
@@ -131,6 +133,8 @@ static char* cp_type[] = {
"OVERWRITE_ALLOCATION",
"WRITE_AFTER_FREE",
"READ_AFTER_FREE",
+ "WRITE_BUDDY_AFTER_FREE",
+ "READ_BUDDY_AFTER_FREE",
"SOFTLOCKUP",
"HARDLOCKUP",
"SPINLOCKUP",
@@ -464,6 +468,47 @@ static void lkdtm_do_action(enum ctype which)
kfree(val);
break;
}
+ case CT_WRITE_BUDDY_AFTER_FREE: {
+ unsigned long p = __get_free_page(GFP_KERNEL);
+ if (!p)
+ break;
+ pr_info("Writing to the buddy page before free\n");
+ memset((void *)p, 0x3, PAGE_SIZE);
+ free_page(p);
+ schedule();
+ pr_info("Attempting bad write to the buddy page after free\n");
+ memset((void *)p, 0x78, PAGE_SIZE);
+ break;
+ }
+ case CT_READ_BUDDY_AFTER_FREE: {
+ unsigned long p = __get_free_page(GFP_KERNEL);
+ int saw, *val = kmalloc(1024, GFP_KERNEL);
+ int *base;
+
+ if (!p)
+ break;
+
+ if (!val)
+ break;
+
+ base = (int *)p;
+
+ *val = 0x12345678;
+ base[0] = *val;
+ pr_info("Value in memory before free: %x\n", base[0]);
+ free_page(p);
+ pr_info("Attempting to read from freed memory\n");
+ saw = base[0];
+ if (saw != *val) {
+ /* Good! Poisoning happened, so declare a win. */
+ pr_info("Buddy page correctly poisoned, calling BUG\n");
+ BUG();
+ }
+ pr_info("Buddy page was not poisoned\n");
+
+ kfree(val);
+ break;
+ }
case CT_SOFTLOCKUP:
preempt_disable();
for (;;)
--
2.5.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates
2016-02-26 0:36 [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates Laura Abbott
` (2 preceding siblings ...)
2016-02-26 0:36 ` [kernel-hardening] [PATCHv2 3/3] lkdtm: Add read/write after free tests for buddy memory Laura Abbott
@ 2016-02-26 21:39 ` Kees Cook
2016-02-26 22:57 ` Greg Kroah-Hartman
3 siblings, 1 reply; 7+ messages in thread
From: Kees Cook @ 2016-02-26 21:39 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Arnd Bergmann, Laura Abbott, LKML, kernel-hardening
On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
> Hi,
>
> This is v2 of the LKDTM test update. This is mostly taking the updates
> Kees gave for the previous series and bringing it in.
>
> Laura Abbott (3):
> lkdtm: Add READ_AFTER_FREE test
> lkdtm: Update WRITE_AFTER_FREE test
> lkdtm: Add read/write after free tests for buddy memory
>
> drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 95 insertions(+), 3 deletions(-)
Thanks!
Please consider the series:
Acked-by: Kees Cook <keescook@chromium.org>
And, say, while we're at it... Greg, would you mind if I became the
lkdtm maintainer?
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 7+ messages in thread
* [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates
2016-02-26 21:39 ` [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates Kees Cook
@ 2016-02-26 22:57 ` Greg Kroah-Hartman
2016-02-26 22:57 ` Kees Cook
0 siblings, 1 reply; 7+ messages in thread
From: Greg Kroah-Hartman @ 2016-02-26 22:57 UTC (permalink / raw)
To: Kees Cook; +Cc: Arnd Bergmann, Laura Abbott, LKML, kernel-hardening
On Fri, Feb 26, 2016 at 01:39:14PM -0800, Kees Cook wrote:
> On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
> > Hi,
> >
> > This is v2 of the LKDTM test update. This is mostly taking the updates
> > Kees gave for the previous series and bringing it in.
> >
> > Laura Abbott (3):
> > lkdtm: Add READ_AFTER_FREE test
> > lkdtm: Update WRITE_AFTER_FREE test
> > lkdtm: Add read/write after free tests for buddy memory
> >
> > drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
> > 1 file changed, 95 insertions(+), 3 deletions(-)
>
> Thanks!
>
> Please consider the series:
>
> Acked-by: Kees Cook <keescook@chromium.org>
>
> And, say, while we're at it... Greg, would you mind if I became the
> lkdtm maintainer?
Not at all, I was treating you as one anyway, waiting till I got acks
from you before committing anything :)
Feel free to send a patch to MAINTAINERS for me to add for this.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 7+ messages in thread
* [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates
2016-02-26 22:57 ` Greg Kroah-Hartman
@ 2016-02-26 22:57 ` Kees Cook
0 siblings, 0 replies; 7+ messages in thread
From: Kees Cook @ 2016-02-26 22:57 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Arnd Bergmann, Laura Abbott, LKML, kernel-hardening
On Fri, Feb 26, 2016 at 2:57 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Fri, Feb 26, 2016 at 01:39:14PM -0800, Kees Cook wrote:
>> On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
>> > Hi,
>> >
>> > This is v2 of the LKDTM test update. This is mostly taking the updates
>> > Kees gave for the previous series and bringing it in.
>> >
>> > Laura Abbott (3):
>> > lkdtm: Add READ_AFTER_FREE test
>> > lkdtm: Update WRITE_AFTER_FREE test
>> > lkdtm: Add read/write after free tests for buddy memory
>> >
>> > drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
>> > 1 file changed, 95 insertions(+), 3 deletions(-)
>>
>> Thanks!
>>
>> Please consider the series:
>>
>> Acked-by: Kees Cook <keescook@chromium.org>
>>
>> And, say, while we're at it... Greg, would you mind if I became the
>> lkdtm maintainer?
>
> Not at all, I was treating you as one anyway, waiting till I got acks
> from you before committing anything :)
>
> Feel free to send a patch to MAINTAINERS for me to add for this.
Sounds good, thanks!
-Kees
--
Kees Cook
Chrome OS & Brillo Security
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-02-26 22:57 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-02-26 0:36 [kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCH 2/3] lkdtm: Update WRITE_AFTER_FREE test Laura Abbott
2016-02-26 0:36 ` [kernel-hardening] [PATCHv2 3/3] lkdtm: Add read/write after free tests for buddy memory Laura Abbott
2016-02-26 21:39 ` [kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates Kees Cook
2016-02-26 22:57 ` Greg Kroah-Hartman
2016-02-26 22:57 ` Kees Cook
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).