[kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates

[kernel-hardening] [PATCHv2 0/3] LKDTM use after free test updates

[Laura Abbott]

Hi,

This is v2 of the LKDTM test update. This is mostly taking the updates
Kees gave for the previous series and bringing it in.

Laura Abbott (3):
  lkdtm: Add READ_AFTER_FREE test
  lkdtm: Update WRITE_AFTER_FREE test
  lkdtm: Add read/write after free tests for buddy memory

 drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 95 insertions(+), 3 deletions(-)

-- 
2.5.0

[kernel-hardening] [PATCHv4 1/3] lkdtm: Add READ_AFTER_FREE test

[Laura Abbott]

In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
test to test free poisoning features. Sample output when
no sanitization is present:

 # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
[   17.543866] lkdtm: Value in memory before free: 12345678
[   17.545212] lkdtm: Attempting bad read from freed memory
[   17.546542] lkdtm: Memory was not poisoned

with slub_debug=P:

 # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
[   22.416366] lkdtm: Value in memory before free: 12345678
[   22.417137] lkdtm: Attempting bad read from freed memory
[   22.417897] lkdtm: Memory correctly poisoned, calling BUG

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
v4: Tweak the output as per the suggestion of Kees. Add explicit BUG for
failure.
---
 drivers/misc/lkdtm.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 11fdadc..8de4746 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -92,6 +92,7 @@ enum ctype {
 	CT_UNALIGNED_LOAD_STORE_WRITE,
 	CT_OVERWRITE_ALLOCATION,
 	CT_WRITE_AFTER_FREE,
+	CT_READ_AFTER_FREE,
 	CT_SOFTLOCKUP,
 	CT_HARDLOCKUP,
 	CT_SPINLOCKUP,
@@ -129,6 +130,7 @@ static char* cp_type[] = {
 	"UNALIGNED_LOAD_STORE_WRITE",
 	"OVERWRITE_ALLOCATION",
 	"WRITE_AFTER_FREE",
+	"READ_AFTER_FREE",
 	"SOFTLOCKUP",
 	"HARDLOCKUP",
 	"SPINLOCKUP",
@@ -417,6 +419,42 @@ static void lkdtm_do_action(enum ctype which)
 		memset(data, 0x78, len);
 		break;
 	}
+	case CT_READ_AFTER_FREE: {
+		int *base, *val, saw;
+		size_t len = 1024;
+		/*
+		 * The slub allocator uses the first word to store the free
+		 * pointer in some configurations. Use the middle of the
+		 * allocation to avoid running into the freelist
+		 */
+		size_t offset = (len / sizeof(*base)) / 2;
+
+		base = kmalloc(len, GFP_KERNEL);
+		if (!base)
+			break;
+
+		val = kmalloc(len, GFP_KERNEL);
+		if (!val)
+			break;
+
+		*val = 0x12345678;
+		base[offset] = *val;
+		pr_info("Value in memory before free: %x\n", base[offset]);
+
+		kfree(base);
+
+		pr_info("Attempting bad read from freed memory\n");
+		saw = base[offset];
+		if (saw != *val) {
+			/* Good! Poisoning happened, so declare a win. */
+			pr_info("Memory correctly poisoned, calling BUG\n");
+			BUG();
+		}
+		pr_info("Memory was not poisoned\n");
+
+		kfree(val);
+		break;
+	}
 	case CT_SOFTLOCKUP:
 		preempt_disable();
 		for (;;)
-- 
2.5.0

[kernel-hardening] [PATCH 2/3] lkdtm: Update WRITE_AFTER_FREE test

[Laura Abbott]

The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a big more information.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
 drivers/misc/lkdtm.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 8de4746..a00a2b1 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -411,12 +411,21 @@ static void lkdtm_do_action(enum ctype which)
 		break;
 	}
 	case CT_WRITE_AFTER_FREE: {
+		int *base;
 		size_t len = 1024;
-		u32 *data = kmalloc(len, GFP_KERNEL);
+		/*
+		 * The slub allocator uses the first word to store the free
+		 * pointer in some configurations. Use the middle of the
+		 * allocation to avoid running into the freelist
+		 */
+		size_t offset = (len / sizeof(*base)) / 2;
 
-		kfree(data);
-		schedule();
-		memset(data, 0x78, len);
+		base = kmalloc(len, GFP_KERNEL);
+		pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
+		kfree(base);
+		pr_info("Attempting bad write to freed memory at %p\n",
+			&base[offset]);
+		base[offset] = 0x0abcdef0;
 		break;
 	}
 	case CT_READ_AFTER_FREE: {
-- 
2.5.0

[kernel-hardening] [PATCHv2 3/3] lkdtm: Add read/write after free tests for buddy memory

[Laura Abbott]

The current tests for read/write after free work on slab
allocated memory. Memory straight from the buddy allocator
may behave slightly differently and have a different set
of parameters to test. Add tests for those cases as well.

On a basic x86 boot:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   22.292983] lkdtm: Writing to the buddy page before free
[   22.293950] lkdtm: Attempting bad write to the buddy page after free

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   32.379896] lkdtm: Value in memory before free: 12345678
[   32.383854] lkdtm: Attempting to read from freed memory
[   32.389309] lkdtm: Buddy page was not poisoned

On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   17.477360] lkdtm: Writing to the buddy page before free
[   17.479089] lkdtm: Attempting bad write to the buddy page after free
[   17.480904] BUG: unable to handle kernel paging request at
ffff88000ebd8000

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   14.607447] lkdtm: Value in memory before free: 12345678
[   14.608161] lkdtm: Attempting to read from freed memory
[   14.608860] BUG: unable to handle kernel paging request at
ffff88000eba3000

Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
produce the same crash.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
---
v2: Output updates per the suggestion of Kees
---
 drivers/misc/lkdtm.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index a00a2b1..8e00e2e 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -93,6 +93,8 @@ enum ctype {
 	CT_OVERWRITE_ALLOCATION,
 	CT_WRITE_AFTER_FREE,
 	CT_READ_AFTER_FREE,
+	CT_WRITE_BUDDY_AFTER_FREE,
+	CT_READ_BUDDY_AFTER_FREE,
 	CT_SOFTLOCKUP,
 	CT_HARDLOCKUP,
 	CT_SPINLOCKUP,
@@ -131,6 +133,8 @@ static char* cp_type[] = {
 	"OVERWRITE_ALLOCATION",
 	"WRITE_AFTER_FREE",
 	"READ_AFTER_FREE",
+	"WRITE_BUDDY_AFTER_FREE",
+	"READ_BUDDY_AFTER_FREE",
 	"SOFTLOCKUP",
 	"HARDLOCKUP",
 	"SPINLOCKUP",
@@ -464,6 +468,47 @@ static void lkdtm_do_action(enum ctype which)
 		kfree(val);
 		break;
 	}
+	case CT_WRITE_BUDDY_AFTER_FREE: {
+		unsigned long p = __get_free_page(GFP_KERNEL);
+		if (!p)
+			break;
+		pr_info("Writing to the buddy page before free\n");
+		memset((void *)p, 0x3, PAGE_SIZE);
+		free_page(p);
+		schedule();
+		pr_info("Attempting bad write to the buddy page after free\n");
+		memset((void *)p, 0x78, PAGE_SIZE);
+		break;
+	}
+	case CT_READ_BUDDY_AFTER_FREE: {
+		unsigned long p = __get_free_page(GFP_KERNEL);
+		int saw, *val = kmalloc(1024, GFP_KERNEL);
+		int *base;
+
+		if (!p)
+			break;
+
+		if (!val)
+			break;
+
+		base = (int *)p;
+
+		*val = 0x12345678;
+		base[0] = *val;
+		pr_info("Value in memory before free: %x\n", base[0]);
+		free_page(p);
+		pr_info("Attempting to read from freed memory\n");
+		saw = base[0];
+		if (saw != *val) {
+			/* Good! Poisoning happened, so declare a win. */
+			pr_info("Buddy page correctly poisoned, calling BUG\n");
+			BUG();
+		}
+		pr_info("Buddy page was not poisoned\n");
+
+		kfree(val);
+		break;
+	}
 	case CT_SOFTLOCKUP:
 		preempt_disable();
 		for (;;)
-- 
2.5.0

[kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates

[Kees Cook]

On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
> Hi,
>
> This is v2 of the LKDTM test update. This is mostly taking the updates
> Kees gave for the previous series and bringing it in.
>
> Laura Abbott (3):
>   lkdtm: Add READ_AFTER_FREE test
>   lkdtm: Update WRITE_AFTER_FREE test
>   lkdtm: Add read/write after free tests for buddy memory
>
>  drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 95 insertions(+), 3 deletions(-)

Thanks!

Please consider the series:

Acked-by: Kees Cook <keescook@chromium.org>

And, say, while we're at it... Greg, would you mind if I became the
lkdtm maintainer?

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security

[kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates

[Greg Kroah-Hartman]

On Fri, Feb 26, 2016 at 01:39:14PM -0800, Kees Cook wrote:
> On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
> > Hi,
> >
> > This is v2 of the LKDTM test update. This is mostly taking the updates
> > Kees gave for the previous series and bringing it in.
> >
> > Laura Abbott (3):
> >   lkdtm: Add READ_AFTER_FREE test
> >   lkdtm: Update WRITE_AFTER_FREE test
> >   lkdtm: Add read/write after free tests for buddy memory
> >
> >  drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
> >  1 file changed, 95 insertions(+), 3 deletions(-)
> 
> Thanks!
> 
> Please consider the series:
> 
> Acked-by: Kees Cook <keescook@chromium.org>
> 
> And, say, while we're at it... Greg, would you mind if I became the
> lkdtm maintainer?

Not at all, I was treating you as one anyway, waiting till I got acks
from you before committing anything :)

Feel free to send a patch to MAINTAINERS for me to add for this.

thanks,

greg k-h

[kernel-hardening] Re: [PATCHv2 0/3] LKDTM use after free test updates

[Kees Cook]

On Fri, Feb 26, 2016 at 2:57 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Fri, Feb 26, 2016 at 01:39:14PM -0800, Kees Cook wrote:
>> On Thu, Feb 25, 2016 at 4:36 PM, Laura Abbott <labbott@fedoraproject.org> wrote:
>> > Hi,
>> >
>> > This is v2 of the LKDTM test update. This is mostly taking the updates
>> > Kees gave for the previous series and bringing it in.
>> >
>> > Laura Abbott (3):
>> >   lkdtm: Add READ_AFTER_FREE test
>> >   lkdtm: Update WRITE_AFTER_FREE test
>> >   lkdtm: Add read/write after free tests for buddy memory
>> >
>> >  drivers/misc/lkdtm.c | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++--
>> >  1 file changed, 95 insertions(+), 3 deletions(-)
>>
>> Thanks!
>>
>> Please consider the series:
>>
>> Acked-by: Kees Cook <keescook@chromium.org>
>>
>> And, say, while we're at it... Greg, would you mind if I became the
>> lkdtm maintainer?
>
> Not at all, I was treating you as one anyway, waiting till I got acks
> from you before committing anything :)
>
> Feel free to send a patch to MAINTAINERS for me to add for this.

Sounds good, thanks!

-Kees

-- 
Kees Cook
Chrome OS & Brillo Security