From: Igor Stoppa <igor.stoppa@gmail.com> To: willy@infradead.org, keescook@chromium.org, mhocko@kernel.org, corbet@lwn.net Cc: david@fromorbit.com, rppt@linux.vnet.ibm.com, labbott@redhat.com, linux-security-module@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com, Igor Stoppa <igor.stoppa@huawei.com> Subject: [PATCH 6/6] lkdtm: crash on overwriting protected pmalloc var Date: Fri, 13 Apr 2018 17:41:31 +0400 [thread overview] Message-ID: <20180413134131.4651-7-igor.stoppa@huawei.com> (raw) In-Reply-To: <20180413134131.4651-1-igor.stoppa@huawei.com> Verify that pmalloc read-only protection is in place: trying to overwrite a protected variable will crash the kernel. Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com> --- drivers/misc/lkdtm/core.c | 3 +++ drivers/misc/lkdtm/lkdtm.h | 1 + drivers/misc/lkdtm/perms.c | 25 +++++++++++++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index 2154d1bfd18b..c9fd42bda6ee 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(ACCESS_USERSPACE), CRASHTYPE(WRITE_RO), CRASHTYPE(WRITE_RO_AFTER_INIT), +#ifdef CONFIG_PROTECTABLE_MEMORY + CRASHTYPE(WRITE_RO_PMALLOC), +#endif CRASHTYPE(WRITE_KERN), CRASHTYPE(REFCOUNT_INC_OVERFLOW), CRASHTYPE(REFCOUNT_ADD_OVERFLOW), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 9e513dcfd809..dcda3ae76ceb 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -38,6 +38,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void __init lkdtm_perms_init(void); void lkdtm_WRITE_RO(void); void lkdtm_WRITE_RO_AFTER_INIT(void); +void lkdtm_WRITE_RO_PMALLOC(void); void lkdtm_WRITE_KERN(void); void lkdtm_EXEC_DATA(void); void lkdtm_EXEC_STACK(void); diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c index 53b85c9d16b8..4660ff0bfa44 100644 --- a/drivers/misc/lkdtm/perms.c +++ b/drivers/misc/lkdtm/perms.c @@ -9,6 +9,7 @@ #include <linux/vmalloc.h> #include <linux/mman.h> #include <linux/uaccess.h> +#include <linux/pmalloc.h> #include <asm/cacheflush.h> /* Whether or not to fill the target memory area with do_nothing(). */ @@ -104,6 +105,30 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) *ptr ^= 0xabcd1234; } +#ifdef CONFIG_PROTECTABLE_MEMORY +void lkdtm_WRITE_RO_PMALLOC(void) +{ + struct pmalloc_pool *pool; + int *i; + + pool = pmalloc_create_pool(); + if (WARN(!pool, "Failed preparing pool for pmalloc test.")) + return; + + i = (int *)pmalloc(pool, sizeof(int)); + if (WARN(!i, "Failed allocating memory for pmalloc test.")) { + pmalloc_destroy_pool(pool); + return; + } + + *i = INT_MAX; + pmalloc_protect_pool(pool); + + pr_info("attempting bad pmalloc write at %p\n", i); + *i = 0; +} +#endif + void lkdtm_WRITE_KERN(void) { size_t size; -- 2.14.1
WARNING: multiple messages have this Message-ID (diff)
From: igor.stoppa@gmail.com (Igor Stoppa) To: linux-security-module@vger.kernel.org Subject: [PATCH 6/6] lkdtm: crash on overwriting protected pmalloc var Date: Fri, 13 Apr 2018 17:41:31 +0400 [thread overview] Message-ID: <20180413134131.4651-7-igor.stoppa@huawei.com> (raw) In-Reply-To: <20180413134131.4651-1-igor.stoppa@huawei.com> Verify that pmalloc read-only protection is in place: trying to overwrite a protected variable will crash the kernel. Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com> --- drivers/misc/lkdtm/core.c | 3 +++ drivers/misc/lkdtm/lkdtm.h | 1 + drivers/misc/lkdtm/perms.c | 25 +++++++++++++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index 2154d1bfd18b..c9fd42bda6ee 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(ACCESS_USERSPACE), CRASHTYPE(WRITE_RO), CRASHTYPE(WRITE_RO_AFTER_INIT), +#ifdef CONFIG_PROTECTABLE_MEMORY + CRASHTYPE(WRITE_RO_PMALLOC), +#endif CRASHTYPE(WRITE_KERN), CRASHTYPE(REFCOUNT_INC_OVERFLOW), CRASHTYPE(REFCOUNT_ADD_OVERFLOW), diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 9e513dcfd809..dcda3ae76ceb 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -38,6 +38,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void __init lkdtm_perms_init(void); void lkdtm_WRITE_RO(void); void lkdtm_WRITE_RO_AFTER_INIT(void); +void lkdtm_WRITE_RO_PMALLOC(void); void lkdtm_WRITE_KERN(void); void lkdtm_EXEC_DATA(void); void lkdtm_EXEC_STACK(void); diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c index 53b85c9d16b8..4660ff0bfa44 100644 --- a/drivers/misc/lkdtm/perms.c +++ b/drivers/misc/lkdtm/perms.c @@ -9,6 +9,7 @@ #include <linux/vmalloc.h> #include <linux/mman.h> #include <linux/uaccess.h> +#include <linux/pmalloc.h> #include <asm/cacheflush.h> /* Whether or not to fill the target memory area with do_nothing(). */ @@ -104,6 +105,30 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) *ptr ^= 0xabcd1234; } +#ifdef CONFIG_PROTECTABLE_MEMORY +void lkdtm_WRITE_RO_PMALLOC(void) +{ + struct pmalloc_pool *pool; + int *i; + + pool = pmalloc_create_pool(); + if (WARN(!pool, "Failed preparing pool for pmalloc test.")) + return; + + i = (int *)pmalloc(pool, sizeof(int)); + if (WARN(!i, "Failed allocating memory for pmalloc test.")) { + pmalloc_destroy_pool(pool); + return; + } + + *i = INT_MAX; + pmalloc_protect_pool(pool); + + pr_info("attempting bad pmalloc write at %p\n", i); + *i = 0; +} +#endif + void lkdtm_WRITE_KERN(void) { size_t size; -- 2.14.1 -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2018-04-13 13:41 UTC|newest] Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-04-13 13:41 [RFC PATCH v22 0/6] mm: security: ro protection for dynamic data Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` [PATCH 1/6] struct page: add field for vm_struct Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` [PATCH 2/6] vmalloc: rename llist field in vmap_area Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` [PATCH 3/6] Protectable Memory Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` [PATCH 4/6] Documentation for Pmalloc Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` [PATCH 5/6] Pmalloc selftest Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa 2018-04-13 13:41 ` Igor Stoppa [this message] 2018-04-13 13:41 ` [PATCH 6/6] lkdtm: crash on overwriting protected pmalloc var Igor Stoppa
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20180413134131.4651-7-igor.stoppa@huawei.com \ --to=igor.stoppa@gmail.com \ --cc=corbet@lwn.net \ --cc=david@fromorbit.com \ --cc=igor.stoppa@huawei.com \ --cc=keescook@chromium.org \ --cc=kernel-hardening@lists.openwall.com \ --cc=labbott@redhat.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=linux-security-module@vger.kernel.org \ --cc=mhocko@kernel.org \ --cc=rppt@linux.vnet.ibm.com \ --cc=willy@infradead.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.