From: Keun-O Park <kpark3469@gmail.com>
To: Kees Cook <keescook@chromium.org>
Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>,
	Will Deacon <will.deacon@arm.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Mark Rutland <mark.rutland@arm.com>,
	James Morse <james.morse@arm.com>,
	Pratyush Anand <panand@redhat.com>,
	keun-o.park@darkmatter.ae
Subject: [kernel-hardening] Re: [PATCH] arm64: usercopy: Implement stack frame object validation
Date: Tue, 31 Jan 2017 13:10:12 +0400	[thread overview]
Message-ID: <CA+KhAHamqhzzjs+vvPs3UbioFxvwz-OmW12Djhi+6hdy5D_phQ@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+PjVG-KQJwMke4X3=Vmr1ECjU0s2v-S0d3a+BotOrC_Q@mail.gmail.com>

On Tue, Jan 31, 2017 at 2:19 AM, Kees Cook <keescook@chromium.org> wrote:
> On Mon, Jan 30, 2017 at 4:42 AM, Keun-O Park <kpark3469@gmail.com> wrote:
>> Thanks so much for the example code. Basically I totally missed this case.
>> I modified do_usercopy_stack() slightly following your code snippet.
>> As in your comment, I could see a similar result.
>> ....
>>         array_size = get_random_int() & 0x0F;
>>         if (to_user) {
>>                 unsigned char array[array_size];
>> ....
>>                 pr_info("attempting bad copy_to_user of distant stack 2\n");
>>                 if (copy_to_user((void __user *)user_addr, array,
>>                                  unconst + sizeof(array))) {
>>                         pr_warn("copy_to_user failed, but lacked Oops\n");
>>                         goto free_user;
>>                 }
>> ....
>> # echo USERCOPY_STACK_FRAME_TO > DIRECT
>> [ 1999.832209] Before dynamic alloc: ffffffc079013d40
>> [ 1999.832309] After dynamic alloc: ffffffc079013d40
>> [ 1999.832370] lkdtm: attempting good copy_to_user of local stack
>> [ 1999.832476] lkdtm: attempting bad copy_to_user of distant stack
>> [ 1999.832562] usercopy: kernel memory exposure attempt detected from
>> ffffffc079013d20 (<process stack>) (32 bytes)
>> [ 1999.832636] usercopy: BUG()!!!
>> [ 1999.832693] lkdtm: attempting bad copy_to_user of distant stack 2
>> [ 1999.832779] usercopy: kernel memory exposure attempt detected from
>> ffffffc079013d30 (<process stack>) (6 bytes)
>> [ 1999.832853] usercopy: BUG()!!!
>>
>> This is output of GCC 4.9, so maybe the sp value is not the expected one.
>> Anyway it looks to me that the object should be scanned from oldframe.
>
> Am I correct in understanding that your code worked correctly? I.e.
> Access to "array" worked, but stepping beyond it failed? (Does
> sizeof() work with dynamic stack allocations?)

My implementation cannot detect this case. The LKDTM stack test regards
this array as being outside the stack frame.
So BUG() is called.

sizeof() works fine with dynamic stack allocations for me.

Thanks.

BR
Sahara
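Added example, not part of the thread above and not the patch under review: a small userspace C program that checks the two points discussed here, that sizeof() on a variable-length array is evaluated at run time and so returns the dynamic size, and that a frame-range check of the kind the usercopy hardening performs must accept a copy of exactly sizeof(array) bytes from a VLA while rejecting one that steps past the array. The object_within_range() helper and the frame bounds it is given are constructed for the demonstration; the kernel derives the bounds from the frame pointer chain, which this code does not model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (assumption, not kernel code) modelled on the idea
 * behind arch_within_stack_frames(): an object is acceptable only if it
 * lies entirely inside one [low, high) range. Returns 0 when the object
 * fits, -1 when it is empty, overflows, or straddles the range edge. */
static int object_within_range(uintptr_t low, uintptr_t high,
                               const void *obj, size_t len)
{
    uintptr_t start = (uintptr_t)obj;
    uintptr_t end;

    if (len == 0 || __builtin_add_overflow(start, len, &end))
        return -1;
    return (start >= low && end <= high) ? 0 : -1;
}

/* sizeof on a VLA is evaluated at run time (C99 6.5.3.4), so the value
 * returned here is n, not a compile-time constant. n must be > 0, since
 * a zero-length VLA is undefined behaviour. */
size_t vla_sizeof(size_t n)
{
    unsigned char array[n];

    memset(array, 0, sizeof(array));
    return sizeof(array);
}

/* Userspace stand-in for the LKDTM "distant stack 2" test: the VLA itself
 * defines the constructed frame range, and a copy of sizeof(array) + extra
 * bytes is checked against it. extra == 0 must pass, extra > 0 must fail,
 * exactly as the quoted dmesg output shows the kernel check behaving. */
int simulate_vla_copy_check(size_t n, size_t extra)
{
    unsigned char array[n];
    uintptr_t low, high;

    memset(array, 0xAA, sizeof(array));
    low = (uintptr_t)array;
    high = low + sizeof(array);
    return object_within_range(low, high, array, sizeof(array) + extra);
}
```

The check deliberately treats a zero-length copy and an address-range overflow as failures, since a length that wraps the end pointer below the start would otherwise pass the "end <= high" comparison.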
