|
Message-Id: <1522267032-6603-5-git-send-email-alex.popov@linux.com> Date: Wed, 28 Mar 2018 22:57:10 +0300 From: Alexander Popov <alex.popov@...ux.com> To: kernel-hardening@...ts.openwall.com, Kees Cook <keescook@...omium.org>, PaX Team <pageexec@...email.hu>, Brad Spengler <spender@...ecurity.net>, Ingo Molnar <mingo@...nel.org>, Andy Lutomirski <luto@...nel.org>, Tycho Andersen <tycho@...ho.ws>, Laura Abbott <labbott@...hat.com>, Mark Rutland <mark.rutland@....com>, Ard Biesheuvel <ard.biesheuvel@...aro.org>, Borislav Petkov <bp@...en8.de>, Richard Sandiford <richard.sandiford@....com>, Thomas Gleixner <tglx@...utronix.de>, "H . Peter Anvin" <hpa@...or.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Dmitry V . Levin" <ldv@...linux.org>, Emese Revfy <re.emese@...il.com>, Jonathan Corbet <corbet@....net>, Andrey Ryabinin <aryabinin@...tuozzo.com>, "Kirill A . Shutemov" <kirill.shutemov@...ux.intel.com>, Thomas Garnier <thgarnie@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, Alexei Starovoitov <ast@...nel.org>, Josef Bacik <jbacik@...com>, Masami Hiramatsu <mhiramat@...nel.org>, Nicholas Piggin <npiggin@...il.com>, Al Viro <viro@...iv.linux.org.uk>, "David S . Miller" <davem@...emloft.net>, Ding Tianhong <dingtianhong@...wei.com>, David Woodhouse <dwmw@...zon.co.uk>, Josh Poimboeuf <jpoimboe@...hat.com>, Steven Rostedt <rostedt@...dmis.org>, Dominik Brodowski <linux@...inikbrodowski.net>, Juergen Gross <jgross@...e.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Dan Williams <dan.j.williams@...el.com>, Dave Hansen <dave.hansen@...ux.intel.com>, Mathias Krause <minipli@...glemail.com>, Vikas Shivappa <vikas.shivappa@...ux.intel.com>, Kyle Huey <me@...ehuey.com>, Dmitry Safonov <dsafonov@...tuozzo.com>, Will Deacon <will.deacon@....com>, Arnd Bergmann <arnd@...db.de>, Florian Weimer <fweimer@...hat.com>, Boris Lukashev <blukashev@...pervictus.com>, x86@...nel.org, linux-kernel@...r.kernel.org, alex.popov@...ux.com Subject: [PATCH RFC v10 4/6] lkdtm: Add a test for STACKLEAK Introduce two lkdtm tests for the STACKLEAK feature: STACKLEAK_ALLOCA and STACKLEAK_DEEP_RECURSION. Both of them check that the current task stack is properly erased (filled with STACKLEAK_POISON). STACKLEAK_ALLOCA tests that: - check_alloca() allows alloca calls which don't exhaust the kernel stack; - alloca calls which exhaust/overflow the kernel stack hit BUG() in check_alloca(). STACKLEAK_DEEP_RECURSION tests that exhausting the current task stack with a deep recursion is detected by CONFIG_VMAP_STACK (which is implied by CONFIG_GCC_PLUGIN_STACKLEAK). Signed-off-by: Tycho Andersen <tycho@...ho.ws> Signed-off-by: Alexander Popov <alex.popov@...ux.com> --- drivers/misc/Makefile | 3 + drivers/misc/lkdtm.h | 4 ++ drivers/misc/lkdtm_core.c | 2 + drivers/misc/lkdtm_stackleak.c | 141 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 150 insertions(+) create mode 100644 drivers/misc/lkdtm_stackleak.c diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile index c3c8624..2b11823 100644 --- a/drivers/misc/Makefile +++ b/drivers/misc/Makefile @@ -65,6 +65,9 @@ lkdtm-$(CONFIG_LKDTM) += lkdtm_perms.o lkdtm-$(CONFIG_LKDTM) += lkdtm_refcount.o lkdtm-$(CONFIG_LKDTM) += lkdtm_rodata_objcopy.o lkdtm-$(CONFIG_LKDTM) += lkdtm_usercopy.o +lkdtm-$(CONFIG_LKDTM) += lkdtm_stackleak.o + +KASAN_SANITIZE_lkdtm_stackleak.o := n KCOV_INSTRUMENT_lkdtm_rodata.o := n diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h index 9e513dc..4b2b8e3 100644 --- a/drivers/misc/lkdtm.h +++ b/drivers/misc/lkdtm.h @@ -83,4 +83,8 @@ void lkdtm_USERCOPY_STACK_FRAME_FROM(void); void lkdtm_USERCOPY_STACK_BEYOND(void); void lkdtm_USERCOPY_KERNEL(void); +/* lkdtm_stackleak.c */ +void lkdtm_STACKLEAK_ALLOCA(void); +void lkdtm_STACKLEAK_DEEP_RECURSION(void); + #endif diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c index 2154d1b..c37fd85 100644 --- a/drivers/misc/lkdtm_core.c +++ b/drivers/misc/lkdtm_core.c @@ -183,6 +183,8 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(USERCOPY_STACK_FRAME_FROM), CRASHTYPE(USERCOPY_STACK_BEYOND), CRASHTYPE(USERCOPY_KERNEL), + CRASHTYPE(STACKLEAK_ALLOCA), + CRASHTYPE(STACKLEAK_DEEP_RECURSION), }; diff --git a/drivers/misc/lkdtm_stackleak.c b/drivers/misc/lkdtm_stackleak.c new file mode 100644 index 0000000..4706595 --- /dev/null +++ b/drivers/misc/lkdtm_stackleak.c @@ -0,0 +1,141 @@ +/* + * This code tests several aspects of the STACKLEAK feature: + * - the current task stack is properly erased (filled with STACKLEAK_POISON); + * - check_alloca() allows alloca calls which don't exhaust the kernel stack; + * - alloca calls which exhaust/overflow the kernel stack hit BUG() in + * check_alloca(); + * - exhausting the current task stack with a deep recursion is detected by + * CONFIG_VMAP_STACK (which is implied by CONFIG_GCC_PLUGIN_STACKLEAK). + * + * Authors: + * Tycho Andersen <tycho@...ho.ws> + * Alexander Popov <alex.popov@...ux.com> + */ + +#include "lkdtm.h" +#include <linux/sched.h> +#include <linux/compiler.h> + +#ifndef CONFIG_STACKLEAK_TRACK_MIN_SIZE +# define CONFIG_STACKLEAK_TRACK_MIN_SIZE 0 +#endif + +static noinline bool stack_is_erased(void) +{ + unsigned long *sp, left, found, i; + const unsigned long check_depth = STACKLEAK_POISON_CHECK_DEPTH / + sizeof(unsigned long); + + /* + * For the details about the alignment of the poison values, see + * the comment in track_stack(). + */ + sp = PTR_ALIGN(&i, sizeof(unsigned long)); + + left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long); + sp--; + + /* + * One long int at the bottom of the thread stack is reserved + * and not poisoned. + */ + if (left > 1) + left--; + else + return false; + + pr_info("checking unused part of the thread stack (%lu bytes)...\n", + left * sizeof(unsigned long)); + + /* + * Search for check_depth poison values in a row (just like + * erase_kstack() does). + */ + for (i = 0, found = 0; i < left && found <= check_depth; i++) { + if (*(sp - i) == STACKLEAK_POISON) + found++; + else + found = 0; + } + + if (found <= check_depth) { + pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n", + i * sizeof(unsigned long)); + return false; + } + + pr_info("first %lu bytes are unpoisoned\n", + (i - found) * sizeof(unsigned long)); + + /* The rest of thread stack should be erased */ + for (; i < left; i++) { + if (*(sp - i) != STACKLEAK_POISON) { + pr_err("FAIL: thread stack is NOT properly erased\n"); + return false; + } + } + + pr_info("the rest of the thread stack is properly erased\n"); + return true; +} + +static noinline void do_alloca(unsigned long size) +{ + char buf[size]; + + /* So this doesn't get inlined or optimized out */ + snprintf(buf, size, "testing alloca...\n"); +} + +void lkdtm_STACKLEAK_ALLOCA(void) +{ + unsigned long left = (unsigned long)&left & (THREAD_SIZE - 1); + + if (!stack_is_erased()) + return; + + /* Try a small alloca to see if it works */ + pr_info("try a small alloca of 16 bytes...\n"); + do_alloca(16); + pr_info("small alloca is successful\n"); + + /* Try to hit the BUG() in check_alloca() */ + pr_info("try a large alloca of %lu bytes (stack overflow)...\n", left); + do_alloca(left); + pr_err("FAIL: large alloca overstepped the thread stack boundary\n"); +} + +/* + * The stack frame size of recursion() is bigger than the + * CONFIG_STACKLEAK_TRACK_MIN_SIZE, hence that function is instrumented + * by the STACKLEAK gcc plugin and it calls track_stack() at the beginning. + */ +static noinline unsigned long recursion(unsigned long prev_sp) +{ + char buf[CONFIG_STACKLEAK_TRACK_MIN_SIZE + 42]; + unsigned long sp = (unsigned long)&sp; + + snprintf(buf, sizeof(buf), "testing deep recursion...\n"); + + if (prev_sp < sp + THREAD_SIZE) + sp = recursion(prev_sp); + + return sp; +} + +void lkdtm_STACKLEAK_DEEP_RECURSION(void) +{ + unsigned long sp = (unsigned long)&sp; + + if (!stack_is_erased()) + return; + + /* + * Exhaust the thread stack with a deep recursion. It should hit the + * guard page provided by CONFIG_VMAP_STACK (which is implied by + * CONFIG_GCC_PLUGIN_STACKLEAK). + */ + pr_info("try to exhaust the thread stack with a deep recursion...\n"); + pr_err("FAIL: thread stack exhaustion (%lu bytes) is not detected\n", + sp - recursion(sp)); +} -- 2.7.4
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.