Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAGXu5jJH7KCONQfkV_ZZE6Q2N9AMix7CnXu3sY++fxweiWJD=g@mail.gmail.com>
Date: Fri, 31 Mar 2017 09:35:25 -0700
From: Kees Cook <keescook@...omium.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: Thomas Garnier <thgarnie@...gle.com>, Heiko Carstens <heiko.carstens@...ibm.com>, 
	Christian Borntraeger <borntraeger@...ibm.com>, 
	"linux-s390@...r.kernel.org" <linux-s390@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	"x86@...nel.org" <x86@...nel.org>, 
	"linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>
Subject: Re: [PATCH v2] lkdtm: add bad USER_DS test

On Fri, Mar 24, 2017 at 10:51 AM, Kees Cook <keescook@...omium.org> wrote:
> This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
> return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
> trying to deal with values other than USER_DS and KERNEL_DS across all
> architectures in a safe way is not sensible, this sets KERNEL_DS, but
> since that could be extremely dangerous if the protection is not present,
> it also raises SIGKILL for current, so that no matter what, the process
> will die. A successful test will be visible with a BUG(), like all the
> other LKDTM tests.
>
> Signed-off-by: Kees Cook <keescook@...omium.org>

Greg, can you add this to the drivers/misc tree when you get a moment?

Thanks!

-Kees

> ---
>  drivers/misc/lkdtm.h      |  1 +
>  drivers/misc/lkdtm_bugs.c | 11 +++++++++++
>  drivers/misc/lkdtm_core.c |  1 +
>  3 files changed, 13 insertions(+)
>
> diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
> index 67d27be60405..3b4976396ec4 100644
> --- a/drivers/misc/lkdtm.h
> +++ b/drivers/misc/lkdtm.h
> @@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void);
>  void lkdtm_REFCOUNT_ZERO_ADD(void);
>  void lkdtm_CORRUPT_LIST_ADD(void);
>  void lkdtm_CORRUPT_LIST_DEL(void);
> +void lkdtm_CORRUPT_USER_DS(void);
>
>  /* lkdtm_heap.c */
>  void lkdtm_OVERWRITE_ALLOCATION(void);
> diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
> index e3f4cd8876b5..ed4f4c56c796 100644
> --- a/drivers/misc/lkdtm_bugs.c
> +++ b/drivers/misc/lkdtm_bugs.c
> @@ -8,6 +8,8 @@
>  #include <linux/list.h>
>  #include <linux/refcount.h>
>  #include <linux/sched.h>
> +#include <linux/sched/signal.h>
> +#include <linux/uaccess.h>
>
>  struct lkdtm_list {
>         struct list_head node;
> @@ -279,3 +281,12 @@ void lkdtm_CORRUPT_LIST_DEL(void)
>         else
>                 pr_err("list_del() corruption not detected!\n");
>  }
> +
> +void lkdtm_CORRUPT_USER_DS(void)
> +{
> +       pr_info("setting bad task size limit\n");
> +       set_fs(KERNEL_DS);
> +
> +       /* Make sure we do not keep running with a KERNEL_DS! */
> +       force_sig(SIGKILL, current);
> +}
> diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
> index b9a4cd4a9b68..42d2b8e31e6b 100644
> --- a/drivers/misc/lkdtm_core.c
> +++ b/drivers/misc/lkdtm_core.c
> @@ -199,6 +199,7 @@ struct crashtype crashtypes[] = {
>         CRASHTYPE(OVERFLOW),
>         CRASHTYPE(CORRUPT_LIST_ADD),
>         CRASHTYPE(CORRUPT_LIST_DEL),
> +       CRASHTYPE(CORRUPT_USER_DS),
>         CRASHTYPE(CORRUPT_STACK),
>         CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
>         CRASHTYPE(OVERWRITE_ALLOCATION),
> --
> 2.7.4
>
>
> --
> Kees Cook
> Pixel Security



-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.