linux-kernel.vger.kernel.org archive mirror
* [PATCH] lkdtm: print real addresses
@ 2018-11-07 20:14 Christophe Leroy
  2018-11-27  7:43 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 3+ messages in thread
From: Christophe Leroy @ 2018-11-07 20:14 UTC (permalink / raw)
  To: Kees Cook, Arnd Bergmann, Greg Kroah-Hartman; +Cc: linux-kernel, linuxppc-dev

Today, when doing a lkdtm test before the readiness of the
random generator, (ptrval) is printed instead of the address
at which it performs the fault:

[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
[ 1597.344769] Unable to handle kernel paging request for instruction fetch
[ 1597.351392] Faulting instruction address: 0x77858000
[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]

If the lkdtm test is done later on, it prints a hashed address.

In both cases this is pointless. The purpose of the test is to
ensure the kernel generates an Oops at the expected address,
so real addresses need to be printed. This patch fixes that.

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
---
 drivers/misc/lkdtm/perms.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..fa54add6375a 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
 {
 	void (*func)(void) = dst;
 
-	pr_info("attempting ok execution at %p\n", do_nothing);
+	pr_info("attempting ok execution at %px\n", do_nothing);
 	do_nothing();
 
 	if (write == CODE_WRITE) {
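Review bot: the "attempting ok execution" line prints do_nothing, a call that is expected to succeed, so the commit message's reason for real addresses (checking that the Oops happens at the expected address) does not cover it, and with %px the log now carries an unhashed kernel text address. Either leave this line at %p or say in the commit message why the address of do_nothing is needed as well.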
@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
 		flush_icache_range((unsigned long)dst,
 				   (unsigned long)dst + EXEC_SIZE);
 	}
-	pr_info("attempting bad execution at %p\n", func);
+	pr_info("attempting bad execution at %px\n", func);
 	func();
 }
 
@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
 	/* Intentionally crossing kernel/user memory boundary. */
 	void (*func)(void) = dst;
 
-	pr_info("attempting ok execution at %p\n", do_nothing);
+	pr_info("attempting ok execution at %px\n", do_nothing);
 	do_nothing();
 
 	copied = access_process_vm(current, (unsigned long)dst, do_nothing,
 				   EXEC_SIZE, FOLL_WRITE);
 	if (copied < EXEC_SIZE)
 		return;
-	pr_info("attempting bad execution at %p\n", func);
+	pr_info("attempting bad execution at %px\n", func);
 	func();
 }
 
@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
 	/* Explicitly cast away "const" for the test. */
 	unsigned long *ptr = (unsigned long *)&rodata;
 
-	pr_info("attempting bad rodata write at %p\n", ptr);
+	pr_info("attempting bad rodata write at %px\n", ptr);
 	*ptr ^= 0xabcd1234;
 }
 
@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
 		return;
 	}
 
-	pr_info("attempting bad ro_after_init write at %p\n", ptr);
+	pr_info("attempting bad ro_after_init write at %px\n", ptr);
 	*ptr ^= 0xabcd1234;
 }
 
@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
 	size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
 	ptr = (unsigned char *)do_overwritten;
 
-	pr_info("attempting bad %zu byte write at %p\n", size, ptr);
+	pr_info("attempting bad %zu byte write at %px\n", size, ptr);
 	memcpy(ptr, (unsigned char *)do_nothing, size);
 	flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
 
@@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void)
 
 	ptr = (unsigned long *)user_addr;
 
-	pr_info("attempting bad read at %p\n", ptr);
+	pr_info("attempting bad read at %px\n", ptr);
 	tmp = *ptr;
 	tmp += 0xc0dec0de;
 
-	pr_info("attempting bad write at %p\n", ptr);
+	pr_info("attempting bad write at %px\n", ptr);
 	*ptr = tmp;
 
 	vm_munmap(user_addr, PAGE_SIZE);
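Review bot: neither pr_info in lkdtm_ACCESS_USERSPACE() carries a comment saying that %px is deliberate, so a later printk cleanup could turn them back into %p. A one-line comment above the first of them, stating that the printed address has to be comparable with the one in the Oops, would record the intent; ptr here is taken from user_addr, so these two lines do not expose kernel layout.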
-- 
2.13.3



* Re: [PATCH] lkdtm: print real addresses
  2018-11-07 20:14 [PATCH] lkdtm: print real addresses Christophe Leroy
@ 2018-11-27  7:43 ` Greg Kroah-Hartman
  2018-11-27 17:18   ` Kees Cook
  0 siblings, 1 reply; 3+ messages in thread
From: Greg Kroah-Hartman @ 2018-11-27  7:43 UTC (permalink / raw)
  To: Christophe Leroy; +Cc: Kees Cook, Arnd Bergmann, linux-kernel, linuxppc-dev

On Wed, Nov 07, 2018 at 08:14:10PM +0000, Christophe Leroy wrote:
> Today, when doing a lkdtm test before the readiness of the
> random generator, (ptrval) is printed instead of the address
> at which it performs the fault:
> 
> [ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
> [ 1597.337142] lkdtm: attempting ok execution at (ptrval)
> [ 1597.337398] lkdtm: attempting bad execution at (ptrval)
> [ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
> [ 1597.344769] Unable to handle kernel paging request for instruction fetch
> [ 1597.351392] Faulting instruction address: 0x77858000
> [ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]
> 
> If the lkdtm test is done later on, it prints a hashed address.
> 
> In both cases this is pointless. The purpose of the test is to
> ensure the kernel generates an Oops at the expected address,
> so real addresses need to be printed. This patch fixes that.

I am pretty sure this is intentional.  Kees?



* Re: [PATCH] lkdtm: print real addresses
  2018-11-27  7:43 ` Greg Kroah-Hartman
@ 2018-11-27 17:18   ` Kees Cook
  0 siblings, 0 replies; 3+ messages in thread
From: Kees Cook @ 2018-11-27 17:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Christophe Leroy, Arnd Bergmann, LKML, PowerPC

On Mon, Nov 26, 2018 at 11:43 PM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Wed, Nov 07, 2018 at 08:14:10PM +0000, Christophe Leroy wrote:
>> Today, when doing a lkdtm test before the readiness of the
>> random generator, (ptrval) is printed instead of the address
>> at which it performs the fault:
>>
>> [ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
>> [ 1597.337142] lkdtm: attempting ok execution at (ptrval)
>> [ 1597.337398] lkdtm: attempting bad execution at (ptrval)
>> [ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
>> [ 1597.344769] Unable to handle kernel paging request for instruction fetch
>> [ 1597.351392] Faulting instruction address: 0x77858000
>> [ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]
>>
>> If the lkdtm test is done later on, it prints a hashed address.
>>
>> In both cases this is pointless. The purpose of the test is to
>> ensure the kernel generates an Oops at the expected address,
>> so real addresses need to be printed. This patch fixes that.
>
> I am pretty sure this is intentional.  Kees?

I've gone back and forth on this and in the end I decided I'd wait and
see if anyone was bothered by it besides just me. :) But, yes, for
lkdtm we really do want a "real" view of the pointer because we're
comparing it against page tables and/or kernel section layout, etc.

I've applied this to my lkdtm -next tree. Thanks!

-- 
Kees Cook
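
An added illustration, not part of this thread or of lkdtm: a small checker that pairs the address lkdtm announces for an exec test with the faulting address in the Oops, to show why "(ptrval)" or a hashed value makes the comparison impossible. The log layout follows the powerpc lines quoted in the patch description; the %px and hashed sample values are constructed, and the function names are hypothetical.

```python
import re

# Patterns follow the log lines quoted in the patch description (powerpc).
BAD_EXEC = re.compile(r"lkdtm: attempting bad execution at (\S+)")
FAULT = re.compile(r"Faulting instruction address: 0x([0-9a-f]+)")


def check_exec_test(log_lines):
    """Return (verdict, announced, faulting) for one lkdtm exec test log."""
    announced = None
    for line in log_lines:
        m = BAD_EXEC.search(line)
        if m:
            announced = m.group(1)
            continue
        m = FAULT.search(line)
        if m and announced is not None:
            faulting = int(m.group(1), 16)
            try:
                value = int(announced, 16)
            except ValueError:
                # "(ptrval)": printed before the random generator was ready.
                return ("unverifiable", announced, faulting)
            verdict = "match" if value == faulting else "mismatch"
            return (verdict, announced, faulting)
    return ("no-fault", announced, None)


def sample_log(printed):
    """Constructed log: the thread's lines with the announced address swapped in."""
    return [
        "[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE",
        f"[ 1597.337398] lkdtm: attempting bad execution at {printed}",
        "[ 1597.344769] Unable to handle kernel paging request for instruction fetch",
        "[ 1597.351392] Faulting instruction address: 0x77858000",
    ]


if __name__ == "__main__":
    # "(ptrval)" is from the thread; "1f2a9c04" stands in for a hashed %p
    # value and "77858000" for what %px would print (both constructed).
    for printed in ("(ptrval)", "1f2a9c04", "77858000"):
        print(printed, "->", check_exec_test(sample_log(printed)))
```

A hashed value is reported as a mismatch, which a log reader cannot tell apart from a fault at a genuinely wrong address.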

