| From 8d90833e4c079e4a1c576eb858ccd0aa95f80b4c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 16 Feb 2022 12:15:03 -0800 |
| Subject: lkdtm/usercopy: Expand size of "out of frame" object |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| [ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ] |
| |
| To be sufficiently out of range for the usercopy test to see the lifetime |
| mismatch, expand the size of the "bad" buffer, which will let it be |
| beyond current_stack_pointer regardless of stack growth direction. |
| Paired with the recent addition of stack depth checking under |
| CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again. |
| |
| Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com> |
| Cc: Arnd Bergmann <arnd@arndb.de> |
| Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com> |
| Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/ |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/misc/lkdtm_usercopy.c | 17 ++++++++++++++--- |
| 1 file changed, 14 insertions(+), 3 deletions(-) |
| |
| diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c |
| index 1dd611423d8b..36438947244d 100644 |
| --- a/drivers/misc/lkdtm_usercopy.c |
| +++ b/drivers/misc/lkdtm_usercopy.c |
| @@ -28,12 +28,12 @@ static const unsigned char test_text[] = "This is a test.\n"; |
| */ |
| static noinline unsigned char *trick_compiler(unsigned char *stack) |
| { |
| - return stack + 0; |
| + return stack + unconst; |
| } |
| |
| static noinline unsigned char *do_usercopy_stack_callee(int value) |
| { |
| - unsigned char buf[32]; |
| + unsigned char buf[128]; |
| int i; |
| |
| /* Exercise stack to avoid everything living in registers. */ |
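Review bot: The switch from `stack + 0` to `stack + unconst` on the `return` line only defeats the optimizer if `unconst` is a `volatile` (or otherwise opaque) object; if it is a plain `static size_t unconst = 0` the compiler may still fold the expression back to `stack` through the `noinline` boundary, and the launder buys nothing. Its declaration is outside this hunk, so I cannot confirm it here; a one-line comment on that return would make the dependency explicit, e.g. `/* unconst is volatile: stops the compiler from folding this back to "stack" */`. The enlarged `buf[128]` in `do_usercopy_stack_callee` is the frame that is deliberately returned to the caller after it dies — worth a comment at the declaration saying the lifetime violation is the point of the test, so nobody "fixes" it later. `do_usercopy_stack_callee` continues past the end of this hunk.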
| @@ -41,7 +41,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value) |
| buf[i] = value & 0xff; |
| } |
| |
| - return trick_compiler(buf); |
| + /* |
| + * Put the target buffer in the middle of stack allocation |
| + * so that we don't step on future stack users regardless |
| + * of stack growth direction. |
| + */ |
| + return trick_compiler(&buf[(128/2)-32]); |
| } |
| |
| static noinline void do_usercopy_stack(bool to_user, bool bad_frame) |
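Review bot: The index expression `&buf[(128/2)-32]` repeats the array size as a literal, so a later change to `buf[128]` in the declaration above would silently move the returned window without any compile-time tie between the two; `return trick_compiler(&buf[sizeof(buf) / 2 - 32]);` keeps them in step. The remaining `32` looks like the size of the region the caller copies (it matches the old `buf[32]` and, presumably, `sizeof(good_stack)` in `do_usercopy_stack`), but nothing in this hunk documents that; a comment such as `/* 32 == sizeof(good_stack) in the caller; the copy must stay inside buf */` would record the invariant, or better a shared `#define` that both functions use. Note the window must leave at least that many bytes after the returned pointer — with 128 and 32 it does (96 remain), but the margin is only implicit. `do_usercopy_stack_callee` starts before this hunk.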
| @@ -64,6 +69,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame) |
| bad_stack -= sizeof(unsigned long); |
| } |
| |
| +#ifdef ARCH_HAS_CURRENT_STACK_POINTER |
| + pr_info("stack : %px\n", (void *)current_stack_pointer); |
| +#endif |
| + pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack)); |
| + pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack)); |
| + |
| user_addr = vm_mmap(NULL, 0, PAGE_SIZE, |
| PROT_READ | PROT_WRITE | PROT_EXEC, |
| MAP_ANONYMOUS | MAP_PRIVATE, 0); |
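Review bot: The three new `pr_info()` lines print raw, unhashed kernel stack addresses via `%px` at info level, which hands anyone who can read the kernel log the live stack location (and, by extension, a KASLR/stack-randomisation bypass); that is defensible in a fault-injection test module like lkdtm, but `%px` is the explicit "I accept the disclosure" specifier and the intent should be stated on the lines themselves, e.g. `/* %px on purpose: lkdtm is a debug module and the test needs real addresses */`. Separately, the `#ifdef ARCH_HAS_CURRENT_STACK_POINTER` guard is only useful if that symbol exists in this tree; it was introduced upstream alongside the stack-depth usercopy check the commit message relies on, and if neither has been backported the block compiles to nothing and the test this patch is meant to re-enable still will not trip — worth confirming rather than assuming. `do_usercopy_stack` begins before and continues after this hunk.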
| -- |
| 2.35.1 |
| |