From: Amit Daniel Kachhap <amit.kachhap@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: Mark Rutland <mark.rutland@arm.com>,
Kees Cook <keescook@chromium.org>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Will Deacon <will.deacon@arm.com>,
Kristina Martsenko <kristina.martsenko@arm.com>,
James Morse <james.morse@arm.com>,
Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>,
Amit Daniel Kachhap <amit.kachhap@arm.com>,
Vincenzo Frascino <Vincenzo.Frascino@arm.com>,
Dave Martin <Dave.Martin@arm.com>
Subject: [PATCH v2 14/14] lkdtm: arm64: test kernel pointer authentication
Date: Tue, 19 Nov 2019 18:02:26 +0530 [thread overview]
Message-ID: <1574166746-27197-15-git-send-email-amit.kachhap@arm.com> (raw)
In-Reply-To: <1574166746-27197-1-git-send-email-amit.kachhap@arm.com>
This test is specific for arm64. When in-kernel Pointer Authentication
config is enabled, the return address stored in the stack is signed. This
feature helps in ROP kind of attack. If the matching signature is corrupted
then this will fail in authentication and lead to abort.
e.g.
echo CORRUPT_PAC > /sys/kernel/debug/provoke-crash/DIRECT
[ 13.118166] lkdtm: Performing direct entry CORRUPT_PAC
[ 13.118298] lkdtm: Clearing PAC from the return address
[ 13.118466] Unable to handle kernel paging request at virtual address bfff8000108648ec
[ 13.118626] Mem abort info:
[ 13.118666] ESR = 0x86000004
[ 13.118866] EC = 0x21: IABT (current EL), IL = 32 bits
[ 13.118966] SET = 0, FnV = 0
[ 13.119117] EA = 0, S1PTW = 0
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
---
Change since last version:
* New patch
drivers/misc/lkdtm/bugs.c | 17 +++++++++++++++++
drivers/misc/lkdtm/core.c | 1 +
drivers/misc/lkdtm/lkdtm.h | 1 +
3 files changed, 19 insertions(+)
diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index 7284a22..c9bb493 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -337,3 +337,20 @@ void lkdtm_UNSET_SMEP(void)
pr_err("FAIL: this test is x86_64-only\n");
#endif
}
+
+void lkdtm_CORRUPT_PAC(void)
+{
+#if IS_ENABLED(CONFIG_ARM64_PTR_AUTH)
+ u64 ret;
+
+ pr_info("Clearing PAC from the return address\n");
+ /*
+ * __builtin_return_address masks the PAC bits of return
+ * address, so set the same again.
+ */
+ ret = (u64)__builtin_return_address(0);
+ asm volatile("str %0, [sp, 8]" : : "r" (ret) : "memory");
+#else
+ pr_err("FAIL: For arm64 pointer authentication capable systems only\n");
+#endif
+}
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index cbc4c90..b9c9927 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -116,6 +116,7 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(STACK_GUARD_PAGE_LEADING),
CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
CRASHTYPE(UNSET_SMEP),
+ CRASHTYPE(CORRUPT_PAC),
CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
CRASHTYPE(OVERWRITE_ALLOCATION),
CRASHTYPE(WRITE_AFTER_FREE),
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index ab446e0..bf12b68 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -28,6 +28,7 @@ void lkdtm_CORRUPT_USER_DS(void);
void lkdtm_STACK_GUARD_PAGE_LEADING(void);
void lkdtm_STACK_GUARD_PAGE_TRAILING(void);
void lkdtm_UNSET_SMEP(void);
+void lkdtm_CORRUPT_PAC(void);
/* lkdtm_heap.c */
void __init lkdtm_heap_init(void);
--
2.7.4
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-11-19 12:36 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-19 12:32 [PATCH v2 00/14] arm64: return address signing Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 01/14] arm64: cpufeature: add pointer auth meta-capabilities Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 02/14] arm64: install user ptrauth keys at kernel exit time Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 03/14] arm64: create macro to park cpu in an infinite loop Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 04/14] arm64: ptrauth: Add bootup/runtime flags for __cpu_setup Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 05/14] arm64: enable ptrauth earlier Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 06/14] arm64: rename ptrauth key structures to be user-specific Amit Daniel Kachhap
2019-11-22 13:28 ` Ard Biesheuvel
2019-11-25 9:22 ` Amit Kachhap
2019-11-19 12:32 ` [PATCH v2 07/14] arm64: initialize and switch ptrauth kernel keys Amit Daniel Kachhap
2019-11-22 19:19 ` Richard Henderson
2019-11-25 9:34 ` Amit Kachhap
2019-11-25 9:39 ` Ard Biesheuvel
2019-11-25 11:01 ` Amit Kachhap
2019-11-19 12:32 ` [PATCH v2 08/14] arm64: mask PAC bits of __builtin_return_address Amit Daniel Kachhap
2019-11-21 17:42 ` Ard Biesheuvel
2019-11-22 8:48 ` Richard Henderson
2019-11-22 13:27 ` Ard Biesheuvel
2019-11-25 9:18 ` Amit Kachhap
2019-11-25 9:12 ` Amit Kachhap
2019-11-25 5:42 ` Amit Kachhap
2019-11-19 12:32 ` [PATCH v2 09/14] arm64: unwind: strip PAC from kernel addresses Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 10/14] arm64: __show_regs: strip PAC from lr in printk Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 11/14] arm64: suspend: restore the kernel ptrauth keys Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 12/14] arm64: kprobe: disable probe of ptrauth instruction Amit Daniel Kachhap
2019-11-19 12:32 ` [PATCH v2 13/14] arm64: compile the kernel with ptrauth return address signing Amit Daniel Kachhap
2019-11-21 15:06 ` Mark Brown
2019-11-26 7:00 ` Amit Kachhap
2019-11-25 17:35 ` Mark Brown
2019-11-19 12:32 ` Amit Daniel Kachhap [this message]
2019-11-21 17:39 ` [PATCH v2 14/14] lkdtm: arm64: test kernel pointer authentication Ard Biesheuvel
2019-11-22 18:51 ` Richard Henderson
2019-11-25 9:25 ` Amit Kachhap
2019-11-25 5:34 ` Amit Kachhap
2019-11-20 16:05 ` [PATCH v2 00/14] arm64: return address signing Ard Biesheuvel
2019-11-21 12:15 ` Amit Kachhap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1574166746-27197-15-git-send-email-amit.kachhap@arm.com \
--to=amit.kachhap@arm.com \
--cc=Dave.Martin@arm.com \
--cc=Vincenzo.Frascino@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=james.morse@arm.com \
--cc=keescook@chromium.org \
--cc=kristina.martsenko@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=mark.rutland@arm.com \
--cc=ramana.radhakrishnan@arm.com \
--cc=suzuki.poulose@arm.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.