From: Igor Stoppa <igor.stoppa@gmail.com>
To: unlisted-recipients:; (no To-header on input)
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Andy Lutomirski <luto@amacapital.net>,
Nadav Amit <nadav.amit@gmail.com>,
Matthew Wilcox <willy@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Ahmed Soliman <ahmedsoliman@mena.vt.edu>,
linux-integrity@vger.kernel.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH v5 08/12] __wr_after_init: lkdtm test
Date: Thu, 14 Feb 2019 00:41:37 +0200 [thread overview]
Message-ID: <b739e9f8f43cb9cf5843fcb2f90b569bd560fccc.1550097697.git.igor.stoppa@huawei.com> (raw)
In-Reply-To: <cover.1550097697.git.igor.stoppa@huawei.com>
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Nadav Amit <nadav.amit@gmail.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: Kees Cook <keescook@chromium.org>
CC: Dave Hansen <dave.hansen@linux.intel.com>
CC: Mimi Zohar <zohar@linux.vnet.ibm.com>
CC: Thiago Jung Bauermann <bauerman@linux.ibm.com>
CC: Ahmed Soliman <ahmedsoliman@mena.vt.edu>
CC: linux-integrity@vger.kernel.org
CC: kernel-hardening@lists.openwall.com
CC: linux-mm@kvack.org
CC: linux-kernel@vger.kernel.org
---
drivers/misc/lkdtm/core.c | 3 +++
drivers/misc/lkdtm/lkdtm.h | 3 +++
drivers/misc/lkdtm/perms.c | 29 +++++++++++++++++++++++++++++
3 files changed, 35 insertions(+)
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2837dc77478e..73c34b17c433 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(ACCESS_USERSPACE),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
+#ifdef CONFIG_PRMEM
+ CRASHTYPE(WRITE_WR_AFTER_INIT),
+#endif
CRASHTYPE(WRITE_KERN),
CRASHTYPE(REFCOUNT_INC_OVERFLOW),
CRASHTYPE(REFCOUNT_ADD_OVERFLOW),
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 3c6fd327e166..abba2f52ffa6 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -38,6 +38,9 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
void __init lkdtm_perms_init(void);
void lkdtm_WRITE_RO(void);
void lkdtm_WRITE_RO_AFTER_INIT(void);
+#ifdef CONFIG_PRMEM
+void lkdtm_WRITE_WR_AFTER_INIT(void);
+#endif
void lkdtm_WRITE_KERN(void);
void lkdtm_EXEC_DATA(void);
void lkdtm_EXEC_STACK(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..f681730aa652 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -9,6 +9,7 @@
#include <linux/vmalloc.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
+#include <linux/prmem.h>
#include <asm/cacheflush.h>
/* Whether or not to fill the target memory area with do_nothing(). */
@@ -27,6 +28,10 @@ static const unsigned long rodata = 0xAA55AA55;
/* This is marked __ro_after_init, so it should ultimately be .rodata. */
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+/* This is marked __wr_after_init, so it should be in .rodata. */
+static
+unsigned long wr_after_init __wr_after_init = 0x55AA5500;
+
/*
* This just returns to the caller. It is designed to be copied into
* non-executable memory regions.
@@ -104,6 +109,28 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
*ptr ^= 0xabcd1234;
}
+#ifdef CONFIG_PRMEM
+
+void lkdtm_WRITE_WR_AFTER_INIT(void)
+{
+ unsigned long *ptr = &wr_after_init;
+
+ /*
+ * Verify we were written to during init. Since an Oops
+ * is considered a "success", a failure is to just skip the
+ * real test.
+ */
+ if ((*ptr & 0xAA) != 0xAA) {
+ pr_info("%p was NOT written during init!?\n", ptr);
+ return;
+ }
+
+ pr_info("attempting bad wr_after_init write at %p\n", ptr);
+ *ptr ^= 0xabcd1234;
+}
+
+#endif
+
void lkdtm_WRITE_KERN(void)
{
size_t size;
@@ -200,4 +227,6 @@ void __init lkdtm_perms_init(void)
/* Make sure we can write to __ro_after_init values during __init */
ro_after_init |= 0xAA;
+ /* Make sure we can write to __wr_after_init during __init */
+ wr_after_init |= 0xAA;
}
--
2.19.1
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@gmail.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Andy Lutomirski <luto@amacapital.net>,
Nadav Amit <nadav.amit@gmail.com>,
Matthew Wilcox <willy@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Ahmed Soliman <ahmedsoliman@mena.vt.edu>,
linux-integrity@vger.kernel.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH v5 08/12] __wr_after_init: lkdtm test
Date: Thu, 14 Feb 2019 00:41:37 +0200 [thread overview]
Message-ID: <b739e9f8f43cb9cf5843fcb2f90b569bd560fccc.1550097697.git.igor.stoppa@huawei.com> (raw)
In-Reply-To: <cover.1550097697.git.igor.stoppa@huawei.com>
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Nadav Amit <nadav.amit@gmail.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: Kees Cook <keescook@chromium.org>
CC: Dave Hansen <dave.hansen@linux.intel.com>
CC: Mimi Zohar <zohar@linux.vnet.ibm.com>
CC: Thiago Jung Bauermann <bauerman@linux.ibm.com>
CC: Ahmed Soliman <ahmedsoliman@mena.vt.edu>
CC: linux-integrity@vger.kernel.org
CC: kernel-hardening@lists.openwall.com
CC: linux-mm@kvack.org
CC: linux-kernel@vger.kernel.org
---
drivers/misc/lkdtm/core.c | 3 +++
drivers/misc/lkdtm/lkdtm.h | 3 +++
drivers/misc/lkdtm/perms.c | 29 +++++++++++++++++++++++++++++
3 files changed, 35 insertions(+)
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2837dc77478e..73c34b17c433 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(ACCESS_USERSPACE),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
+#ifdef CONFIG_PRMEM
+ CRASHTYPE(WRITE_WR_AFTER_INIT),
+#endif
CRASHTYPE(WRITE_KERN),
CRASHTYPE(REFCOUNT_INC_OVERFLOW),
CRASHTYPE(REFCOUNT_ADD_OVERFLOW),
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 3c6fd327e166..abba2f52ffa6 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -38,6 +38,9 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
void __init lkdtm_perms_init(void);
void lkdtm_WRITE_RO(void);
void lkdtm_WRITE_RO_AFTER_INIT(void);
+#ifdef CONFIG_PRMEM
+void lkdtm_WRITE_WR_AFTER_INIT(void);
+#endif
void lkdtm_WRITE_KERN(void);
void lkdtm_EXEC_DATA(void);
void lkdtm_EXEC_STACK(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..f681730aa652 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -9,6 +9,7 @@
#include <linux/vmalloc.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
+#include <linux/prmem.h>
#include <asm/cacheflush.h>
/* Whether or not to fill the target memory area with do_nothing(). */
@@ -27,6 +28,10 @@ static const unsigned long rodata = 0xAA55AA55;
/* This is marked __ro_after_init, so it should ultimately be .rodata. */
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+/* This is marked __wr_after_init, so it should be in .rodata. */
+static
+unsigned long wr_after_init __wr_after_init = 0x55AA5500;
+
/*
* This just returns to the caller. It is designed to be copied into
* non-executable memory regions.
@@ -104,6 +109,28 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
*ptr ^= 0xabcd1234;
}
+#ifdef CONFIG_PRMEM
+
+void lkdtm_WRITE_WR_AFTER_INIT(void)
+{
+ unsigned long *ptr = &wr_after_init;
+
+ /*
+ * Verify we were written to during init. Since an Oops
+ * is considered a "success", a failure is to just skip the
+ * real test.
+ */
+ if ((*ptr & 0xAA) != 0xAA) {
+ pr_info("%p was NOT written during init!?\n", ptr);
+ return;
+ }
+
+ pr_info("attempting bad wr_after_init write at %p\n", ptr);
+ *ptr ^= 0xabcd1234;
+}
+
+#endif
+
void lkdtm_WRITE_KERN(void)
{
size_t size;
@@ -200,4 +227,6 @@ void __init lkdtm_perms_init(void)
/* Make sure we can write to __ro_after_init values during __init */
ro_after_init |= 0xAA;
+ /* Make sure we can write to __wr_after_init during __init */
+ wr_after_init |= 0xAA;
}
--
2.19.1
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@gmail.com>
Cc: Igor Stoppa <igor.stoppa@huawei.com>,
Andy Lutomirski <luto@amacapital.net>,
Nadav Amit <nadav.amit@gmail.com>,
Matthew Wilcox <willy@infradead.org>,
Peter Zijlstra <peterz@infradead.org>,
Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Ahmed Soliman <ahmedsoliman@mena.vt.edu>,
linux-integrity@vger.kernel.org,
kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org
Subject: [RFC PATCH v5 08/12] __wr_after_init: lkdtm test
Date: Thu, 14 Feb 2019 00:41:37 +0200 [thread overview]
Message-ID: <b739e9f8f43cb9cf5843fcb2f90b569bd560fccc.1550097697.git.igor.stoppa@huawei.com> (raw)
In-Reply-To: <cover.1550097697.git.igor.stoppa@huawei.com>
Verify that trying to modify a variable with the __wr_after_init
attribute will cause a crash.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
CC: Andy Lutomirski <luto@amacapital.net>
CC: Nadav Amit <nadav.amit@gmail.com>
CC: Matthew Wilcox <willy@infradead.org>
CC: Peter Zijlstra <peterz@infradead.org>
CC: Kees Cook <keescook@chromium.org>
CC: Dave Hansen <dave.hansen@linux.intel.com>
CC: Mimi Zohar <zohar@linux.vnet.ibm.com>
CC: Thiago Jung Bauermann <bauerman@linux.ibm.com>
CC: Ahmed Soliman <ahmedsoliman@mena.vt.edu>
CC: linux-integrity@vger.kernel.org
CC: kernel-hardening@lists.openwall.com
CC: linux-mm@kvack.org
CC: linux-kernel@vger.kernel.org
---
drivers/misc/lkdtm/core.c | 3 +++
drivers/misc/lkdtm/lkdtm.h | 3 +++
drivers/misc/lkdtm/perms.c | 29 +++++++++++++++++++++++++++++
3 files changed, 35 insertions(+)
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2837dc77478e..73c34b17c433 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(ACCESS_USERSPACE),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
+#ifdef CONFIG_PRMEM
+ CRASHTYPE(WRITE_WR_AFTER_INIT),
+#endif
CRASHTYPE(WRITE_KERN),
CRASHTYPE(REFCOUNT_INC_OVERFLOW),
CRASHTYPE(REFCOUNT_ADD_OVERFLOW),
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 3c6fd327e166..abba2f52ffa6 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -38,6 +38,9 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
void __init lkdtm_perms_init(void);
void lkdtm_WRITE_RO(void);
void lkdtm_WRITE_RO_AFTER_INIT(void);
+#ifdef CONFIG_PRMEM
+void lkdtm_WRITE_WR_AFTER_INIT(void);
+#endif
void lkdtm_WRITE_KERN(void);
void lkdtm_EXEC_DATA(void);
void lkdtm_EXEC_STACK(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..f681730aa652 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -9,6 +9,7 @@
#include <linux/vmalloc.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
+#include <linux/prmem.h>
#include <asm/cacheflush.h>
/* Whether or not to fill the target memory area with do_nothing(). */
@@ -27,6 +28,10 @@ static const unsigned long rodata = 0xAA55AA55;
/* This is marked __ro_after_init, so it should ultimately be .rodata. */
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+/* This is marked __wr_after_init, so it should be in .rodata. */
+static
+unsigned long wr_after_init __wr_after_init = 0x55AA5500;
+
/*
* This just returns to the caller. It is designed to be copied into
* non-executable memory regions.
@@ -104,6 +109,28 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
*ptr ^= 0xabcd1234;
}
+#ifdef CONFIG_PRMEM
+
+void lkdtm_WRITE_WR_AFTER_INIT(void)
+{
+ unsigned long *ptr = &wr_after_init;
+
+ /*
+ * Verify we were written to during init. Since an Oops
+ * is considered a "success", a failure is to just skip the
+ * real test.
+ */
+ if ((*ptr & 0xAA) != 0xAA) {
+ pr_info("%p was NOT written during init!?\n", ptr);
+ return;
+ }
+
+ pr_info("attempting bad wr_after_init write at %p\n", ptr);
+ *ptr ^= 0xabcd1234;
+}
+
+#endif
+
void lkdtm_WRITE_KERN(void)
{
size_t size;
@@ -200,4 +227,6 @@ void __init lkdtm_perms_init(void)
/* Make sure we can write to __ro_after_init values during __init */
ro_after_init |= 0xAA;
+ /* Make sure we can write to __wr_after_init during __init */
+ wr_after_init |= 0xAA;
}
--
2.19.1
next prev parent reply other threads:[~2019-02-13 22:42 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-13 22:41 [RFC PATCH v5 00/12] hardening: statically allocated protected memory Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 02/12] __wr_after_init: linker section and attribute Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 03/12] __wr_after_init: Core and default arch Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-14 11:28 ` Peter Zijlstra
2019-02-14 23:10 ` Igor Stoppa
2019-02-15 8:57 ` Peter Zijlstra
2019-02-16 15:15 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 04/12] __wr_after_init: x86_64: randomize mapping offset Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 05/12] __wr_after_init: x86_64: enable Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 06/12] __wr_after_init: arm64: enable Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 07/12] __wr_after_init: Documentation: self-protection Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa [this message]
2019-02-13 22:41 ` [RFC PATCH v5 08/12] __wr_after_init: lkdtm test Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 09/12] __wr_after_init: rodata_test: refactor tests Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 10/12] __wr_after_init: rodata_test: test __wr_after_init Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 11/12] __wr_after_init: test write rare functionality Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
2019-02-13 22:41 ` [RFC PATCH v5 12/12] IMA: turn ima_policy_flags into __wr_after_init Igor Stoppa
2019-02-13 22:41 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b739e9f8f43cb9cf5843fcb2f90b569bd560fccc.1550097697.git.igor.stoppa@huawei.com \
--to=igor.stoppa@gmail.com \
--cc=ahmedsoliman@mena.vt.edu \
--cc=bauerman@linux.ibm.com \
--cc=dave.hansen@linux.intel.com \
--cc=igor.stoppa@huawei.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=nadav.amit@gmail.com \
--cc=peterz@infradead.org \
--cc=willy@infradead.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.