From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.0 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C338C433DF for ; Thu, 13 Aug 2020 15:19:52 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 26E98207DA for ; Thu, 13 Aug 2020 15:19:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 26E98207DA Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id B4D256B0022; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id AD1AF8D0002; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9C0AC6B0024; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0034.hostedemail.com [216.40.44.34]) by kanga.kvack.org (Postfix) with ESMTP id 868556B0022 for ; Thu, 13 Aug 2020 11:19:51 -0400 (EDT) Received: from smtpin04.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 3BC7B348D for ; Thu, 13 Aug 2020 15:19:51 +0000 (UTC) X-FDA: 77145905382.04.humor38_120ded526ff5 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin04.hostedemail.com (Postfix) with ESMTP id C99888003406 for ; Thu, 13 Aug 2020 15:19:47 +0000 (UTC) X-HE-Tag: humor38_120ded526ff5 X-Filterd-Recvd-Size: 6049 Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com [209.85.128.65]) by imf47.hostedemail.com (Postfix) with ESMTP for ; Thu, 13 Aug 2020 15:19:47 +0000 (UTC) Received: by mail-wm1-f65.google.com with SMTP id 3so5404398wmi.1 for ; Thu, 13 Aug 2020 08:19:47 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sWVYbnLUoQh2/bQ8PJoxS/2ocrG/gYbDVzBuksdzAMQ=; b=r4dGulmfFvUGljyDLWmuVSHbjg5rBpILYcFsc/Vt8dy3p78B5KgA1bUddm5oDJ2sgj beB/3R3oQLqa0/MLIBE0vBnnD9j2VOqGIEUg6idXAHDPGqx1UCfD0kfSFasK6gZCaYJy ZJzLHYiCLugfP9M7Y1Hk/gWffXuigcmjQoHT1jtqDMN/7xxdBPL3zat7QRbiFS0SgLWW AuwX2KZENm/mfDIAKTLvMdwUKmFmZFrOvZEhOcY4EPmDv4HJpsk0rVRWB4v2KSlyxAbK X++jQnqsdzXnuBHlGZizJoSxORmVsX+eVPfLvcKKZ83aO1SzzGFtHY73RBikiiUj75o2 XJyg== X-Gm-Message-State: AOAM530z7O+STBoGMUlMEvcm6gYlcCXuWXjM/ReB+G+TM1jlUBTW6Fzh GjjTNzXiP9pevqhK19OpZ14= X-Google-Smtp-Source: ABdhPJwKxFGbrbkYgxZpXwjaDbyI5I0M4/6XBG+VYoGVV0KtiAQ9ydy+etzJBWJI2Bu24vC6GiUcYw== X-Received: by 2002:a1c:de88:: with SMTP id v130mr4675656wmg.98.1597331986347; Thu, 13 Aug 2020 08:19:46 -0700 (PDT) Received: from localhost.localdomain ([185.248.161.177]) by smtp.gmail.com with ESMTPSA id d23sm10394044wmd.27.2020.08.13.08.19.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Aug 2020 08:19:45 -0700 (PDT) From: Alexander Popov To: Kees Cook , Jann Horn , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , kasan-dev@googlegroups.com, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Alexander Popov Cc: notify@kernel.org Subject: [PATCH RFC 2/2] lkdtm: Add heap spraying test Date: Thu, 13 Aug 2020 18:19:22 +0300 Message-Id: <20200813151922.1093791-3-alex.popov@linux.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200813151922.1093791-1-alex.popov@linux.com> References: <20200813151922.1093791-1-alex.popov@linux.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: C99888003406 X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam03 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Add a simple test for CONFIG_SLAB_QUARANTINE. It performs heap spraying that aims to reallocate the recently freed heap object. This technique is used for exploiting use-after-free vulnerabilities in the kernel code. This test shows that CONFIG_SLAB_QUARANTINE breaks heap spraying exploitation technique. Signed-off-by: Alexander Popov --- drivers/misc/lkdtm/core.c | 1 + drivers/misc/lkdtm/heap.c | 40 ++++++++++++++++++++++++++++++++++++++ drivers/misc/lkdtm/lkdtm.h | 1 + 3 files changed, 42 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index a5e344df9166..78b7669c35eb 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -126,6 +126,7 @@ static const struct crashtype crashtypes[] =3D { CRASHTYPE(SLAB_FREE_DOUBLE), CRASHTYPE(SLAB_FREE_CROSS), CRASHTYPE(SLAB_FREE_PAGE), + CRASHTYPE(HEAP_SPRAY), CRASHTYPE(SOFTLOCKUP), CRASHTYPE(HARDLOCKUP), CRASHTYPE(SPINLOCKUP), diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c index 1323bc16f113..a72a241e314a 100644 --- a/drivers/misc/lkdtm/heap.c +++ b/drivers/misc/lkdtm/heap.c @@ -205,6 +205,46 @@ static void ctor_a(void *region) static void ctor_b(void *region) { } =20 +#define HEAP_SPRAY_SIZE 128 + +void lkdtm_HEAP_SPRAY(void) +{ + int *addr; + int *spray_addrs[HEAP_SPRAY_SIZE] =3D { 0 }; + unsigned long i =3D 0; + + addr =3D kmem_cache_alloc(a_cache, GFP_KERNEL); + if (!addr) { + pr_info("Unable to allocate memory in lkdtm-heap-a cache\n"); + return; + } + + *addr =3D 0x31337; + kmem_cache_free(a_cache, addr); + + pr_info("Performing heap spraying...\n"); + for (i =3D 0; i < HEAP_SPRAY_SIZE; i++) { + spray_addrs[i] =3D kmem_cache_alloc(a_cache, GFP_KERNEL); + *spray_addrs[i] =3D 0x31337; + pr_info("attempt %lu: spray alloc addr %p vs freed addr %p\n", + i, spray_addrs[i], addr); + if (spray_addrs[i] =3D=3D addr) { + pr_info("freed addr is reallocated!\n"); + break; + } + } + + if (i < HEAP_SPRAY_SIZE) + pr_info("FAIL! Heap spraying succeed :(\n"); + else + pr_info("OK! Heap spraying hasn't succeed :)\n"); + + for (i =3D 0; i < HEAP_SPRAY_SIZE; i++) { + if (spray_addrs[i]) + kmem_cache_free(a_cache, spray_addrs[i]); + } +} + void __init lkdtm_heap_init(void) { double_free_cache =3D kmem_cache_create("lkdtm-heap-double_free", diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 8878538b2c13..dfafb4ae6f3a 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -45,6 +45,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void lkdtm_SLAB_FREE_DOUBLE(void); void lkdtm_SLAB_FREE_CROSS(void); void lkdtm_SLAB_FREE_PAGE(void); +void lkdtm_HEAP_SPRAY(void); =20 /* lkdtm_perms.c */ void __init lkdtm_perms_init(void); --=20 2.26.2