From: Christophe Leroy
To: Kees Cook
Cc: Helge Deller, Benjamin Herrenschmidt, Greg Kroah-Hartman, linux-kernel@vger.kernel.org, Andrew Morton, linuxppc-dev@lists.ozlabs.org, linux-ia64@vger.kernel.org, linux-parisc@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, "James E.J. Bottomley", Paul Mackerras, Arnd Bergmann, Michael Ellerman
Subject: Re: [PATCH v3 11/12] lkdtm: Fix execute_[user]_location()
Date: Wed, 19 Jan 2022 20:28:54 +0100

Hi Kees,

On 17/12/2021 at 12:49, Christophe Leroy wrote:
> Hi Kees,
> 
> On 17/10/2021 at 14:38, Christophe Leroy wrote:
>> execute_location() and execute_user_location() intend
>> to copy do_nothing() text and execute it at a new location.
>> However, at the time being it doesn't copy do_nothing() function
>> but do_nothing() function descriptor which still points to the
>> original text. So at the end it still executes do_nothing() at
>> its original location although using a copied function descriptor.
>>
>> So, fix that by really copying do_nothing() text and building a new
>> function descriptor by copying do_nothing() function descriptor and
>> updating the target address with the new location.
>>
>> Also fix the displayed addresses by dereferencing do_nothing()
>> function descriptor.
>>
>> Signed-off-by: Christophe Leroy
> 
> Do you have any comments on this patch and on patch 12?
> 
> If not, is it ok to get your acked-by?

Any feedback please, even if it's to say no feedback?

Many thanks,
Christophe

> 
> Thanks
> Christophe
> 
>> ---
>>   drivers/misc/lkdtm/perms.c | 37 ++++++++++++++++++++++++++++---------
>>   1 file changed, 28 insertions(+), 9 deletions(-)
>>
>> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
>> index 035fcca441f0..1cf24c4a79e9 100644
>> --- a/drivers/misc/lkdtm/perms.c
>> +++ b/drivers/misc/lkdtm/perms.c
>> @@ -44,19 +44,34 @@ static noinline void do_overwritten(void) >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return; >> =C2=A0 } >> +static void *setup_function_descriptor(func_desc_t *fdesc, void *dst) >> +{ >> +=C2=A0=C2=A0=C2=A0 if (!have_function_descriptors()) >> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return dst; >> + >> +=C2=A0=C2=A0=C2=A0 memcpy(fdesc, do_nothing, sizeof(*fdesc)); >> +=C2=A0=C2=A0=C2=A0 fdesc->addr =3D (unsigned long)dst; >> +=C2=A0=C2=A0=C2=A0 barrier(); >> + >> +=C2=A0=C2=A0=C2=A0 return fdesc; >> +} >> + >> =C2=A0 static noinline void execute_location(void *dst, bool write) >> =C2=A0 { >> -=C2=A0=C2=A0=C2=A0 void (*func)(void) =3D dst; >> +=C2=A0=C2=A0=C2=A0 void (*func)(void); >> +=C2=A0=C2=A0=C2=A0 func_desc_t fdesc; >> +=C2=A0=C2=A0=C2=A0 void *do_nothing_text =3D dereference_function_des= criptor(do_nothing); >> -=C2=A0=C2=A0=C2=A0 pr_info("attempting ok execution at %px\n", do_not= hing); >> +=C2=A0=C2=A0=C2=A0 pr_info("attempting ok execution at %px\n", do_not= hing_text); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 do_nothing(); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (write =3D=3D CODE_WRITE) { >> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 memcpy(dst, do_nothing, EX= EC_SIZE); >> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 memcpy(dst, do_nothing_tex= t, EXEC_SIZE); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 flush_icache_ra= nge((unsigned long)dst, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (unsigned long)dst + EXE= C_SIZE); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 } >> -=C2=A0=C2=A0=C2=A0 pr_info("attempting bad execution at %px\n", func)= ; >> +=C2=A0=C2=A0=C2=A0 pr_info("attempting bad execution at %px\n", dst); >> +=C2=A0=C2=A0=C2=A0 func =3D setup_function_descriptor(&fdesc, dst); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 func(); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pr_err("FAIL: func returned\n"); >> =C2=A0 } 
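Review bot: the new setup_function_descriptor() helper has no comment saying why it copies do_nothing's descriptor and then patches only addr, nor what the barrier() is for, and since this sequence is the whole point of the fix it deserves one; suggest a short block above the function along the lines of "Build a descriptor that points at the copied text; barrier() stops the compiler reordering the addr store past the indirect call through fdesc." Worth stating in that comment that barrier() is a compiler barrier only, which is sufficient here because fdesc is on the caller's own stack and is consumed by the same CPU. A minor style point: the helper returns void * and callers assign it straight to void (*func)(void); that matches the existing `void (*func)(void) = dst;` it replaces, so it is fine, but the comment could mention that on non-descriptor architectures dst is returned unchanged and fdesc is left untouched.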
>> @@ -66,16 +81,19 @@ static void execute_user_location(void *dst) >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 int copied; >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 /* Intentionally crossing kernel/user m= emory boundary. */ >> -=C2=A0=C2=A0=C2=A0 void (*func)(void) =3D dst; >> +=C2=A0=C2=A0=C2=A0 void (*func)(void); >> +=C2=A0=C2=A0=C2=A0 func_desc_t fdesc; >> +=C2=A0=C2=A0=C2=A0 void *do_nothing_text =3D dereference_function_des= criptor(do_nothing); >> -=C2=A0=C2=A0=C2=A0 pr_info("attempting ok execution at %px\n", do_not= hing); >> +=C2=A0=C2=A0=C2=A0 pr_info("attempting ok execution at %px\n", do_not= hing_text); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 do_nothing(); >> -=C2=A0=C2=A0=C2=A0 copied =3D access_process_vm(current, (unsigned lo= ng)dst, do_nothing, >> +=C2=A0=C2=A0=C2=A0 copied =3D access_process_vm(current, (unsigned lo= ng)dst,=20 >> do_nothing_text, >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 EXEC_SIZE, FOLL_WRITE); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (copied < EXEC_SIZE) >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return; >> -=C2=A0=C2=A0=C2=A0 pr_info("attempting bad execution at %px\n", func)= ; >> +=C2=A0=C2=A0=C2=A0 pr_info("attempting bad execution at %px\n", dst); >> +=C2=A0=C2=A0=C2=A0 func =3D setup_function_descriptor(&fdesc, dst); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 func(); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 pr_err("FAIL: func returned\n"); >> =C2=A0 } >> @@ -153,7 +171,8 @@ void lkdtm_EXEC_VMALLOC(void) >> =C2=A0 void lkdtm_EXEC_RODATA(void) >> =C2=A0 { >> -=C2=A0=C2=A0=C2=A0 execute_location(lkdtm_rodata_do_nothing, CODE_AS_= IS); >> + =20 >> execute_location(dereference_function_descriptor(lkdtm_rodata_do_nothi= ng),=20 >> >> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 CODE_AS_IS); >> =C2=A0 } >> =C2=A0 void lkdtm_EXEC_USERSPACE(void) >>
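Review bot: in the execute_user_location() hunk the lookup of do_nothing_text, the "attempting ok execution" pr_info, the "attempting bad execution" pr_info and the setup_function_descriptor() call are now duplicated line for line with execute_location(); consider pulling the descriptor setup plus the two pr_info calls into one shared helper so the kernel and user paths cannot drift apart later. Also, the pre-existing early return on `if (copied < EXEC_SIZE) return;` still exits silently; a pr_err there would let a failed copy be told apart from a test that ran, since the only message the user otherwise sees is "attempting ok execution".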
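Review bot: the lkdtm_EXEC_RODATA() hunk wraps the execute_location() call across two lines because `dereference_function_descriptor(lkdtm_rodata_do_nothing)` no longer fits, which leaves `CODE_AS_IS);` dangling on its own line; a local such as `void *rodata_text = dereference_function_descriptor(lkdtm_rodata_do_nothing);` would keep the call on one line and mirror the do_nothing_text pattern already used in execute_location(). This copy of the hunk ends right after `void lkdtm_EXEC_USERSPACE(void)`, so the matching change to that function is not visible here and cannot be reviewed from this message.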