From: Igor Stoppa <igor.stoppa@gmail.com>
To: willy@infradead.org, keescook@chromium.org, paul@paul-moore.com,
	sds@tycho.nsa.gov, mhocko@kernel.org, corbet@lwn.net
Cc: labbott@redhat.com, linux-cc=david@fromorbit.com,
	--cc=rppt@linux.vnet.ibm.com, --security-module@vger.kernel.org,
	linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	kernel-hardening@lists.openwall.com, igor.stoppa@gmail.com,
	Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH 6/9] lkdtm: crash on overwriting protected pmalloc var
Date: Mon, 23 Apr 2018 16:54:55 +0400
Message-ID: <20180423125458.5338-7-igor.stoppa@huawei.com>
In-Reply-To: <20180423125458.5338-1-igor.stoppa@huawei.com>

Verify that pmalloc read-only protection is in place: trying to
overwrite a protected variable will crash the kernel.

Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
---
 drivers/misc/lkdtm/core.c  |  3 +++
 drivers/misc/lkdtm/lkdtm.h |  1 +
 drivers/misc/lkdtm/perms.c | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2154d1bfd18b..c9fd42bda6ee 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = {
 	CRASHTYPE(ACCESS_USERSPACE),
 	CRASHTYPE(WRITE_RO),
 	CRASHTYPE(WRITE_RO_AFTER_INIT),
+#ifdef CONFIG_PROTECTABLE_MEMORY
+	CRASHTYPE(WRITE_RO_PMALLOC),
+#endif
 	CRASHTYPE(WRITE_KERN),
 	CRASHTYPE(REFCOUNT_INC_OVERFLOW),
 	CRASHTYPE(REFCOUNT_ADD_OVERFLOW),
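
Review bot: wrapping `CRASHTYPE(WRITE_RO_PMALLOC)` in `#ifdef CONFIG_PROTECTABLE_MEMORY` makes the set of crash types depend on the kernel configuration, so a test run that requests WRITE_RO_PMALLOC on a kernel built without the option cannot tell "protection not compiled in" from an unknown test name. Consider keeping the table entry unconditional and letting the handler report that CONFIG_PROTECTABLE_MEMORY is disabled, which also keeps preprocessor conditionals out of the crashtypes[] initializer.
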
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 9e513dcfd809..dcda3ae76ceb 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -38,6 +38,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
 void __init lkdtm_perms_init(void);
 void lkdtm_WRITE_RO(void);
 void lkdtm_WRITE_RO_AFTER_INIT(void);
+void lkdtm_WRITE_RO_PMALLOC(void);
 void lkdtm_WRITE_KERN(void);
 void lkdtm_EXEC_DATA(void);
 void lkdtm_EXEC_STACK(void);
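
Review bot: the declaration `void lkdtm_WRITE_RO_PMALLOC(void);` is added without a guard, while its only user in core.c and its definition in perms.c are both under `#ifdef CONFIG_PROTECTABLE_MEMORY`. This compiles, but the three places should agree: either guard the prototype the same way, or drop the guards elsewhere so the symbol always exists.
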
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index 53b85c9d16b8..3c81e59f9d9d 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -9,6 +9,7 @@
 #include <linux/vmalloc.h>
 #include <linux/mman.h>
 #include <linux/uaccess.h>
+#include <linux/pmalloc.h>
 #include <asm/cacheflush.h>
 
 /* Whether or not to fill the target memory area with do_nothing(). */
@@ -104,6 +105,30 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
 	*ptr ^= 0xabcd1234;
 }
 
+#ifdef CONFIG_PROTECTABLE_MEMORY
+void lkdtm_WRITE_RO_PMALLOC(void)
+{
+	struct pmalloc_pool *pool;
+	int *i;
+
+	pool = pmalloc_create_pool();
+	if (WARN(!pool, "Failed preparing pool for pmalloc test."))
+		return;
+
+	i = pmalloc(pool, sizeof(int));
+	if (WARN(!i, "Failed allocating memory for pmalloc test.")) {
+		pmalloc_destroy_pool(pool);
+		return;
+	}
+
+	*i = INT_MAX;
+	pmalloc_protect_pool(pool);
+
+	pr_info("attempting bad pmalloc write at %p\n", i);
+	*i = 0;
+}
+#endif
+
 void lkdtm_WRITE_KERN(void)
 {
 	size_t size;
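
Review bot: in lkdtm_WRITE_RO_PMALLOC() nothing follows the final `*i = 0;`, so if the write does not fault the function just returns: the log shows only the "attempting bad pmalloc write" line, a missing protection looks the same as a test that did nothing, and the pool is never released. Add a pr_err() after the write stating that the protected pmalloc variable was overwritten, then release the pool with pmalloc_destroy_pool(pool) as the allocation-failure branch already does. It would also help to check that `*i` still reads INT_MAX after pmalloc_protect_pool(pool), so the test distinguishes "write faulted" from "write silently dropped".
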
-- 
2.14.1
