From patchwork Tue Nov 1 21:43:25 2016
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 80413
Date: Tue, 1 Nov 2016 14:43:25 -0700
From: Kees Cook
To: Greg Kroah-Hartman
Cc: Catalin Marinas, Andrew Morton, Arnd Bergmann, "Kirill A. Shutemov", Michal Hocko, Jerome Marchand, Vlastimil Babka, Lorenzo Stoakes, Dan Williams, Dave Hansen, Jan Kara, Ingo Molnar, Andrey Ryabinin, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH] lkdtm: Do not use flush_icache_range() on user addresses
Message-ID: <20161101214325.GA75616@beast>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Catalin Marinas

The flush_icache_range() API is meant to be used on kernel addresses only as it may not have the infrastructure (exception entries) to handle user memory faults.

The lkdtm execute_user_location() function tests the kernel execution of user space addresses by mmap'ing an anonymous page, copying some code together with cache maintenance and attempting to run it. However, the cache maintenance step may fail because of the incorrect API usage described above.

The patch changes lkdtm to use access_process_vm() for copying the code into user space which would take care of the necessary cache maintenance.

Signed-off-by: Catalin Marinas
[kees: export access_process_vm() for module use]
Signed-off-by: Kees Cook
---
Since this now adds an export, we should probably delay this to v4.10. (And I've fixed my build tests to actually do CONFIG_LKDTM=m instead of lying to me.)
---
 drivers/misc/lkdtm_perms.c | 7 +++++--
 mm/memory.c                | 1 +
 mm/nommu.c                 | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

-- 
2.7.4

-- 
Kees Cook
Nexus Security

diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c index 45f1c0f96612..c7635a79341f 100644 --- a/drivers/misc/lkdtm_perms.c +++ b/drivers/misc/lkdtm_perms.c @@ -60,15 +60,18 @@ static noinline void execute_location(void *dst, bool write) static void execute_user_location(void *dst) { + int copied; + /* Intentionally crossing kernel/user memory boundary. */ void (*func)(void) = dst; pr_info("attempting ok execution at %p\n", do_nothing); do_nothing(); - if (copy_to_user((void __user *)dst, do_nothing, EXEC_SIZE)) + copied = access_process_vm(current, (unsigned long)dst, do_nothing, + EXEC_SIZE, FOLL_WRITE); + if (copied < EXEC_SIZE) return; - flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE); pr_info("attempting bad execution at %p\n", func); func(); } diff --git a/mm/memory.c b/mm/memory.c index e18c57bdc75c..485f12d8ad5c 100644 --- a/mm/memory.c +++ b/mm/memory.c 
@@ -3966,6 +3966,7 @@ int access_process_vm(struct task_struct *tsk, unsigned long addr, return ret; } +EXPORT_SYMBOL_GPL(access_process_vm); /* * Print the name of a VMA. diff --git a/mm/nommu.c b/mm/nommu.c index db5fd1795298..0990145054b5 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -1878,6 +1878,7 @@ int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, in mmput(mm); return len; } +EXPORT_SYMBOL_GPL(access_process_vm); /** * nommu_shrink_inode_mappings - Shrink the shared mappings on an inode
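Review bot: in the drivers/misc/lkdtm_perms.c hunk, the `if (copied < EXEC_SIZE) return;` path is silent, so a short or failed copy makes the test quietly skip the "attempting bad execution" step and reads like a pass in the lkdtm log; a `pr_warn("copy to user space failed (%d)\n", copied);` before the return would make that outcome visible. The commit message should also state that passing FOLL_WRITE relies on access_process_vm() taking a gup_flags argument, which is a second reason, alongside the new export, for targeting v4.10.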
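Review bot: the `EXPORT_SYMBOL_GPL(access_process_vm);` added in mm/memory.c hands every GPL module a read/write primitive on another task's address space, and its only justification is the bracketed note in the sign-off; the commit message should say explicitly that the export exists for CONFIG_LKDTM=m so that anyone reviewing the exported-symbol surface can see its single in-tree user.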
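Review bot: the mm/nommu.c hunk exports the same symbol so MMU and !MMU builds stay consistent, but the context line is cut off at `void *buf, in`; confirm that this variant takes the same gup_flags parameter the lkdtm caller passes FOLL_WRITE into, otherwise the module will not build against the nommu prototype.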