Re: [PATCH v2] lkdtm: add bad USER_DS test

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Mar 24, 2017 at 10:51 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
> return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
> trying to deal with values other than USER_DS and KERNEL_DS across all
> architectures in a safe way is not sensible, this sets KERNEL_DS, but
> since that could be extremely dangerous if the protection is not present,
> it also raises SIGKILL for current, so that no matter what, the process
> will die. A successful test will be visible with a BUG(), like all the
> other LKDTM tests.
>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>

Greg, can you add this to the drivers/misc tree when you get a moment?

Thanks!

-Kees

> ---
>  drivers/misc/lkdtm.h      |  1 +
>  drivers/misc/lkdtm_bugs.c | 11 +++++++++++
>  drivers/misc/lkdtm_core.c |  1 +
>  3 files changed, 13 insertions(+)
>
> diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
> index 67d27be60405..3b4976396ec4 100644
> --- a/drivers/misc/lkdtm.h
> +++ b/drivers/misc/lkdtm.h
> @@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void);
>  void lkdtm_REFCOUNT_ZERO_ADD(void);
>  void lkdtm_CORRUPT_LIST_ADD(void);
>  void lkdtm_CORRUPT_LIST_DEL(void);
> +void lkdtm_CORRUPT_USER_DS(void);
>
>  /* lkdtm_heap.c */
>  void lkdtm_OVERWRITE_ALLOCATION(void);
> diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
> index e3f4cd8876b5..ed4f4c56c796 100644
> --- a/drivers/misc/lkdtm_bugs.c
> +++ b/drivers/misc/lkdtm_bugs.c
> @@ -8,6 +8,8 @@
>  #include <linux/list.h>
>  #include <linux/refcount.h>
>  #include <linux/sched.h>
> +#include <linux/sched/signal.h>
> +#include <linux/uaccess.h>
>
>  struct lkdtm_list {
>         struct list_head node;
> @@ -279,3 +281,12 @@ void lkdtm_CORRUPT_LIST_DEL(void)
>         else
>                 pr_err("list_del() corruption not detected!\n");
>  }
> +
> +void lkdtm_CORRUPT_USER_DS(void)
> +{
> +       pr_info("setting bad task size limit\n");
> +       set_fs(KERNEL_DS);
> +
> +       /* Make sure we do not keep running with a KERNEL_DS! */
> +       force_sig(SIGKILL, current);
> +}
> diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
> index b9a4cd4a9b68..42d2b8e31e6b 100644
> --- a/drivers/misc/lkdtm_core.c
> +++ b/drivers/misc/lkdtm_core.c
> @@ -199,6 +199,7 @@ struct crashtype crashtypes[] = {
>         CRASHTYPE(OVERFLOW),
>         CRASHTYPE(CORRUPT_LIST_ADD),
>         CRASHTYPE(CORRUPT_LIST_DEL),
> +       CRASHTYPE(CORRUPT_USER_DS),
>         CRASHTYPE(CORRUPT_STACK),
>         CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
>         CRASHTYPE(OVERWRITE_ALLOCATION),
> --
> 2.7.4
>
>
> --
> Kees Cook
> Pixel Security



-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Kernel Development]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Info]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Linux Media]     [Device Mapper]

  Powered by Linux