From patchwork Thu Jan 11 02:02:36 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10156459
From: Kees Cook
To: linux-kernel@vger.kernel.org
Cc: Kees Cook, Linus Torvalds, David Windsor, Alexander Viro, Andrew Morton, Andy Lutomirski, Christoph Hellwig, Christoph Lameter, "David S. Miller", Laura Abbott, Mark Rutland, "Martin K. Petersen", Paolo Bonzini, Christian Borntraeger, Christoffer Dall, Dave Kleikamp, Jan Kara, Luis de Bethencourt, Marc Zyngier, Rik van Riel, Matthew Garrett, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-mm@kvack.org, kernel-hardening@lists.openwall.com
Date: Wed, 10 Jan 2018 18:02:36 -0800
Message-Id: <1515636190-24061-5-git-send-email-keescook@chromium.org>
In-Reply-To: <1515636190-24061-1-git-send-email-keescook@chromium.org>
References: <1515636190-24061-1-git-send-email-keescook@chromium.org>
Subject: [kernel-hardening] [PATCH 04/38] lkdtm/usercopy: Adjust test to include an offset to check reporting

Instead of doubling the size, push the start position up by 16 bytes to still trigger an overflow. This allows verifying that offset reporting is working correctly.

Signed-off-by: Kees Cook --- drivers/misc/lkdtm_usercopy.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c index a64372cc148d..9ebbb031e5e3 100644 --- a/drivers/misc/lkdtm_usercopy.c +++ b/drivers/misc/lkdtm_usercopy.c @@ -119,6 +119,8 @@ static void do_usercopy_heap_size(bool to_user) { unsigned long user_addr; unsigned char *one, *two; + void __user *test_user_addr; + void *test_kern_addr; size_t size = unconst + 1024; one = kmalloc(size, GFP_KERNEL); @@ -139,27 +141,30 @@ static void do_usercopy_heap_size(bool to_user) memset(one, 'A', size); memset(two, 'B', size); + test_user_addr = (void __user *)(user_addr + 16); + test_kern_addr = one + 16; + if (to_user) { pr_info("attempting good copy_to_user of correct size\n"); - if (copy_to_user((void __user *)user_addr, one, size)) { + if (copy_to_user(test_user_addr, test_kern_addr, size / 2)) { pr_warn("copy_to_user failed unexpectedly?!\n"); goto free_user; } pr_info("attempting bad copy_to_user of too large size\n"); - if (copy_to_user((void __user *)user_addr, one, 2 * size)) { + if (copy_to_user(test_user_addr, test_kern_addr, size)) { pr_warn("copy_to_user failed, but lacked Oops\n"); goto free_user; } } else { pr_info("attempting good copy_from_user of correct size\n"); - if (copy_from_user(one, (void __user *)user_addr, size)) { + if (copy_from_user(test_kern_addr, test_user_addr, size / 2)) { pr_warn("copy_from_user failed unexpectedly?!\n"); goto free_user; } pr_info("attempting bad copy_from_user of too large size\n"); - if (copy_from_user(one, (void __user *)user_addr, 2 * size)) { + if (copy_from_user(test_kern_addr, test_user_addr, size)) { pr_warn("copy_from_user failed, but lacked Oops\n"); goto free_user; }
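
Review bot: In the second hunk of do_usercopy_heap_size(), the "good" copies in both the to_user and from_user branches now use size / 2 from an offset of 16, so the passing case stops well short of the end of the object and no longer exercises the largest copy that should still be allowed. Using size - 16 for the good copy would keep it in bounds while testing the exact boundary, so an off-by-one in how the offset is applied to the bounds check would show up as an unexpected failure instead of going unnoticed. The literal 16 also appears twice, in "user_addr + 16" and "one + 16", with nothing tying it to the offset a tester is meant to look for in the report; a named constant, plus the expected offset and length in the "attempting bad copy_to_user of too large size" and matching copy_from_user pr_info() lines, would let the usercopy report be compared against the test's intent directly, which is the stated purpose of the change.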