From: kernel test robot <lkp@intel.com>
To: Kees Cook <keescook@chromium.org>,
Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: kbuild-all@lists.01.org, Kees Cook <keescook@chromium.org>,
Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH] lkdtm/usercopy: Expand size of "out of frame" object
Date: Thu, 17 Feb 2022 06:06:04 +0800 [thread overview]
Message-ID: <202202170604.hO1q7HZU-lkp@intel.com> (raw)
In-Reply-To: <20220216201743.2088344-1-keescook@chromium.org>
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on char-misc/char-misc-testing]
[also build test ERROR on soc/for-next kees/for-next/pstore v5.17-rc4 next-20220216]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git e6cb9c167eeb8f90ab924666c573e69e85e700a0
config: riscv-allmodconfig (https://download.01.org/0day-ci/archive/20220217/202202170604.hO1q7HZU-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Kees-Cook/lkdtm-usercopy-Expand-size-of-out-of-frame-object/20220217-041936
git checkout aa676e88f535bd79a3e22a1cc70c9b6cc51dbbfe
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=riscv SHELL=/bin/bash drivers/misc/lkdtm/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from include/linux/kernel.h:29,
from drivers/misc/lkdtm/lkdtm.h:7,
from drivers/misc/lkdtm/usercopy.c:6:
drivers/misc/lkdtm/usercopy.c: In function 'do_usercopy_stack':
>> drivers/misc/lkdtm/usercopy.c:74:46: error: 'current_stack_pointer' undeclared (first use in this function); did you mean 'kernel_stack_pointer'?
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:418:33: note: in definition of macro 'printk_index_wrap'
418 | _p_func(_fmt, ##__VA_ARGS__); \
| ^~~~~~~~~~~
include/linux/printk.h:519:9: note: in expansion of macro 'printk'
519 | printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~
drivers/misc/lkdtm/usercopy.c:74:9: note: in expansion of macro 'pr_info'
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~
drivers/misc/lkdtm/usercopy.c:74:46: note: each undeclared identifier is reported only once for each function it appears in
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~~~~~~~~~~~~~~~
include/linux/printk.h:418:33: note: in definition of macro 'printk_index_wrap'
418 | _p_func(_fmt, ##__VA_ARGS__); \
| ^~~~~~~~~~~
include/linux/printk.h:519:9: note: in expansion of macro 'printk'
519 | printk(KERN_INFO pr_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~
drivers/misc/lkdtm/usercopy.c:74:9: note: in expansion of macro 'pr_info'
74 | pr_info("stack : %px\n", (void *)current_stack_pointer);
| ^~~~~~~
vim +74 drivers/misc/lkdtm/usercopy.c
> 6 #include "lkdtm.h"
7 #include <linux/slab.h>
8 #include <linux/vmalloc.h>
9 #include <linux/sched/task_stack.h>
10 #include <linux/mman.h>
11 #include <linux/uaccess.h>
12 #include <asm/cacheflush.h>
13
14 /*
15 * Many of the tests here end up using const sizes, but those would
16 * normally be ignored by hardened usercopy, so force the compiler
17 * into choosing the non-const path to make sure we trigger the
18 * hardened usercopy checks by added "unconst" to all the const copies,
19 * and making sure "cache_size" isn't optimized into a const.
20 */
21 static volatile size_t unconst;
22 static volatile size_t cache_size = 1024;
23 static struct kmem_cache *whitelist_cache;
24
25 static const unsigned char test_text[] = "This is a test.\n";
26
27 /*
28 * Instead of adding -Wno-return-local-addr, just pass the stack address
29 * through a function to obfuscate it from the compiler.
30 */
31 static noinline unsigned char *trick_compiler(unsigned char *stack)
32 {
33 return stack + unconst;
34 }
35
36 static noinline unsigned char *do_usercopy_stack_callee(int value)
37 {
38 unsigned char buf[128];
39 int i;
40
41 /* Exercise stack to avoid everything living in registers. */
42 for (i = 0; i < sizeof(buf); i++) {
43 buf[i] = value & 0xff;
44 }
45
46 /*
47 * Put the target buffer in the middle of stack allocation
48 * so that we don't step on future stack users regardless
49 * of stack growth direction.
50 */
51 return trick_compiler(&buf[(128/2)-32]);
52 }
53
54 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
55 {
56 unsigned long user_addr;
57 unsigned char good_stack[32];
58 unsigned char *bad_stack;
59 int i;
60
61 /* Exercise stack to avoid everything living in registers. */
62 for (i = 0; i < sizeof(good_stack); i++)
63 good_stack[i] = test_text[i % sizeof(test_text)];
64
65 /* This is a pointer to outside our current stack frame. */
66 if (bad_frame) {
67 bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
68 } else {
69 /* Put start address just inside stack. */
70 bad_stack = task_stack_page(current) + THREAD_SIZE;
71 bad_stack -= sizeof(unsigned long);
72 }
73
> 74 pr_info("stack : %px\n", (void *)current_stack_pointer);
75 pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
76 pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
77
78 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
79 PROT_READ | PROT_WRITE | PROT_EXEC,
80 MAP_ANONYMOUS | MAP_PRIVATE, 0);
81 if (user_addr >= TASK_SIZE) {
82 pr_warn("Failed to allocate user memory\n");
83 return;
84 }
85
86 if (to_user) {
87 pr_info("attempting good copy_to_user of local stack\n");
88 if (copy_to_user((void __user *)user_addr, good_stack,
89 unconst + sizeof(good_stack))) {
90 pr_warn("copy_to_user failed unexpectedly?!\n");
91 goto free_user;
92 }
93
94 pr_info("attempting bad copy_to_user of distant stack\n");
95 if (copy_to_user((void __user *)user_addr, bad_stack,
96 unconst + sizeof(good_stack))) {
97 pr_warn("copy_to_user failed, but lacked Oops\n");
98 goto free_user;
99 }
100 } else {
101 /*
102 * There isn't a safe way to not be protected by usercopy
103 * if we're going to write to another thread's stack.
104 */
105 if (!bad_frame)
106 goto free_user;
107
108 pr_info("attempting good copy_from_user of local stack\n");
109 if (copy_from_user(good_stack, (void __user *)user_addr,
110 unconst + sizeof(good_stack))) {
111 pr_warn("copy_from_user failed unexpectedly?!\n");
112 goto free_user;
113 }
114
115 pr_info("attempting bad copy_from_user of distant stack\n");
116 if (copy_from_user(bad_stack, (void __user *)user_addr,
117 unconst + sizeof(good_stack))) {
118 pr_warn("copy_from_user failed, but lacked Oops\n");
119 goto free_user;
120 }
121 }
122
123 free_user:
124 vm_munmap(user_addr, PAGE_SIZE);
125 }
126
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
next prev parent reply other threads:[~2022-02-16 22:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-16 20:17 [PATCH] lkdtm/usercopy: Expand size of "out of frame" object Kees Cook
2022-02-16 22:06 ` kernel test robot [this message]
2022-02-16 22:56 ` kernel test robot
2022-02-18 10:30 ` Muhammad Usama Anjum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202202170604.hO1q7HZU-lkp@intel.com \
--to=lkp@intel.com \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=kbuild-all@lists.01.org \
--cc=keescook@chromium.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=usama.anjum@collabora.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).