Date: Thu, 10 Feb 2022 17:09:21 -0800
From: Kees Cook
To: Christophe Leroy
Cc: Benjamin Herrenschmidt , Paul Mackerras , Michael Ellerman , Andrew Morton , "James E.J. Bottomley" , Helge Deller , Arnd Bergmann , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-ia64@vger.kernel.org, linux-parisc@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH v3 12/12] lkdtm: Add a test for function descriptors protection
Message-ID: <202202101703.993CA9BC@keescook>
References: <67f9545c9ad15048bfe0104278ef9595d051dbc8.1634457599.git.christophe.leroy@csgroup.eu>
In-Reply-To: <67f9545c9ad15048bfe0104278ef9595d051dbc8.1634457599.git.christophe.leroy@csgroup.eu>

On Sun, Oct 17, 2021 at 02:38:25PM +0200, Christophe Leroy wrote:
> Add WRITE_OPD to check that you can't modify function
> descriptors.
>
> Gives the following result when function descriptors are
> not protected:
>
> lkdtm: Performing direct entry WRITE_OPD
> lkdtm: attempting bad 16 bytes write at c00000000269b358
> lkdtm: FAIL: survived bad write
> lkdtm: do_nothing was hijacked!
>
> Looks like a standard compiler barrier() is not enough to force
> GCC to use the modified function descriptor. Had to add a fake empty
> inline assembly to force GCC to reload the function descriptor.
> > Signed-off-by: Christophe Leroy > --- > drivers/misc/lkdtm/core.c | 1 + > drivers/misc/lkdtm/lkdtm.h | 1 + > drivers/misc/lkdtm/perms.c | 22 ++++++++++++++++++++++ > 3 files changed, 24 insertions(+) > > diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c > index fe6fd34b8caf..de092aa03b5d 100644 > --- a/drivers/misc/lkdtm/core.c > +++ b/drivers/misc/lkdtm/core.c > @@ -148,6 +148,7 @@ static const struct crashtype crashtypes[] = { > CRASHTYPE(WRITE_RO), > CRASHTYPE(WRITE_RO_AFTER_INIT), > CRASHTYPE(WRITE_KERN), > + CRASHTYPE(WRITE_OPD), > CRASHTYPE(REFCOUNT_INC_OVERFLOW), > CRASHTYPE(REFCOUNT_ADD_OVERFLOW), > CRASHTYPE(REFCOUNT_INC_NOT_ZERO_OVERFLOW), > diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h > index c212a253edde..188bd0fd6575 100644 > --- a/drivers/misc/lkdtm/lkdtm.h > +++ b/drivers/misc/lkdtm/lkdtm.h > @@ -105,6 +105,7 @@ void __init lkdtm_perms_init(void); > void lkdtm_WRITE_RO(void); > void lkdtm_WRITE_RO_AFTER_INIT(void); > void lkdtm_WRITE_KERN(void); > +void lkdtm_WRITE_OPD(void); > void lkdtm_EXEC_DATA(void); > void lkdtm_EXEC_STACK(void); > void lkdtm_EXEC_KMALLOC(void); > diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c > index 1cf24c4a79e9..2c6aba3ff32b 100644 > --- a/drivers/misc/lkdtm/perms.c > +++ b/drivers/misc/lkdtm/perms.c > @@ -44,6 +44,11 @@ static noinline void do_overwritten(void) > return; > } > > +static noinline void do_almost_nothing(void) > +{ > + pr_info("do_nothing was hijacked!\n"); > +} > + > static void *setup_function_descriptor(func_desc_t *fdesc, void *dst) > { > if (!have_function_descriptors()) 
> @@ -144,6 +149,23 @@ void lkdtm_WRITE_KERN(void) > do_overwritten(); > } > > +void lkdtm_WRITE_OPD(void) > +{ > + size_t size = sizeof(func_desc_t); > + void (*func)(void) = do_nothing; > + > + if (!have_function_descriptors()) { > + pr_info("XFAIL: Platform doesn't use function descriptors.\n"); > + return; > + } > + pr_info("attempting bad %zu bytes write at %px\n", size, do_nothing); > + memcpy(do_nothing, do_almost_nothing, size); > + pr_err("FAIL: survived bad write\n");

Non-function-descriptor architectures would successfully crash at the memcpy too, right? (i.e. for them this is just repeating WRITE_KERN) I'm pondering the utility of the XFAIL vs just letting it succeed, but I think it more accurate to say "hey, no OPD" as you have it.

> + > + asm("" : "=m"(func)); > + func(); > +} > + > void lkdtm_EXEC_DATA(void) > { > execute_location(data_area, CODE_WRITE); > -- > 2.31.1 >

One tiny suggestion, since I think you need to respin for the EXPORT_SYMBOL_GPL() anyway. Please update the selftests too:

diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/selftests/lkdtm/tests.txt index 6b36b7f5dcf9..243c781f0780 100644 --- a/tools/testing/selftests/lkdtm/tests.txt +++ b/tools/testing/selftests/lkdtm/tests.txt @@ -44,6 +44,7 @@ ACCESS_NULL WRITE_RO WRITE_RO_AFTER_INIT WRITE_KERN +WRITE_OPD REFCOUNT_INC_OVERFLOW REFCOUNT_ADD_OVERFLOW REFCOUNT_INC_NOT_ZERO_OVERFLOW

(Though for the future I've been considering making the selftests an opt-out list so the "normal" stuff doesn't need to keep getting added there.)

Thanks!

Acked-by: Kees Cook

-Kees

--
Kees Cook
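Review bot: in the perms.c hunk adding lkdtm_WRITE_OPD(), the line `asm("" : "=m"(func));` carries the whole reason the test observes the overwrite (the commit message explains that a plain barrier() still let GCC use the original descriptor), yet the code has no comment saying so, and a later reader of perms.c will be tempted to "simplify" it back to barrier(). Suggest a comment directly above it, e.g. `/* barrier() is not enough: make GCC reload the (now overwritten) descriptor for the indirect call. */`. On the inline question about non-descriptor architectures: the hunk's `if (!have_function_descriptors())` branch returns before the memcpy(), so those platforms never reach the write and simply report XFAIL rather than repeating WRITE_KERN.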