[PATCH 6/7] lkdtm: crash on overwriting protected pmalloc var
J Freyensee
why2jjj.linux at gmail.com
Tue Mar 6 17:20:04 UTC 2018
On 2/28/18 12:06 PM, Igor Stoppa wrote:
> Verify that pmalloc read-only protection is in place: trying to
> overwrite a protected variable will crash the kernel.
>
> Signed-off-by: Igor Stoppa <igor.stoppa at huawei.com>
> ---
> drivers/misc/lkdtm.h | 1 +
> drivers/misc/lkdtm_core.c | 3 +++
> drivers/misc/lkdtm_perms.c | 28 ++++++++++++++++++++++++++++
> 3 files changed, 32 insertions(+)
>
> diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
> index 9e513dcfd809..dcda3ae76ceb 100644
> --- a/drivers/misc/lkdtm.h
> +++ b/drivers/misc/lkdtm.h
> @@ -38,6 +38,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
> void __init lkdtm_perms_init(void);
> void lkdtm_WRITE_RO(void);
> void lkdtm_WRITE_RO_AFTER_INIT(void);
> +void lkdtm_WRITE_RO_PMALLOC(void);
Does this need some sort of #ifdef too?
> void lkdtm_WRITE_KERN(void);
> void lkdtm_EXEC_DATA(void);
> void lkdtm_EXEC_STACK(void);
> diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
> index 2154d1bfd18b..c9fd42bda6ee 100644
> --- a/drivers/misc/lkdtm_core.c
> +++ b/drivers/misc/lkdtm_core.c
> @@ -155,6 +155,9 @@ static const struct crashtype crashtypes[] = {
> CRASHTYPE(ACCESS_USERSPACE),
> CRASHTYPE(WRITE_RO),
> CRASHTYPE(WRITE_RO_AFTER_INIT),
> +#ifdef CONFIG_PROTECTABLE_MEMORY
> + CRASHTYPE(WRITE_RO_PMALLOC),
> +#endif
> CRASHTYPE(WRITE_KERN),
> CRASHTYPE(REFCOUNT_INC_OVERFLOW),
> CRASHTYPE(REFCOUNT_ADD_OVERFLOW),
> diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
> index 53b85c9d16b8..0ac9023fd2b0 100644
> --- a/drivers/misc/lkdtm_perms.c
> +++ b/drivers/misc/lkdtm_perms.c
> @@ -9,6 +9,7 @@
> #include <linux/vmalloc.h>
> #include <linux/mman.h>
> #include <linux/uaccess.h>
> +#include <linux/pmalloc.h>
> #include <asm/cacheflush.h>
>
> /* Whether or not to fill the target memory area with do_nothing(). */
> @@ -104,6 +105,33 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
> *ptr ^= 0xabcd1234;
> }
>
> +#ifdef CONFIG_PROTECTABLE_MEMORY
> +void lkdtm_WRITE_RO_PMALLOC(void)
> +{
> + struct gen_pool *pool;
> + int *i;
> +
> + pool = pmalloc_create_pool("pool", 0);
> + if (unlikely(!pool)) {
> + pr_info("Failed preparing pool for pmalloc test.");
> + return;
> + }
> +
> + i = (int *)pmalloc(pool, sizeof(int), GFP_KERNEL);
> + if (unlikely(!i)) {
> + pr_info("Failed allocating memory for pmalloc test.");
> + pmalloc_destroy_pool(pool);
> + return;
> + }
> +
> + *i = INT_MAX;
> + pmalloc_protect_pool(pool);
> +
> + pr_info("attempting bad pmalloc write at %p\n", i);
> + *i = 0;
OK, now I'm on the right version of this patch series, same comment
applies. I don't get the local *i assignment at the end of the
function, but seems harmless.
Except the two minor comments, otherwise,
Reviewed-by: Jay Freyensee <why2jjj.linux at gmail.com>
> +}
> +#endif
> +
> void lkdtm_WRITE_KERN(void)
> {
> size_t size;
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list