| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <37ec713d-10c8-0222-f624-27815b96da7a@linux.com>
Date: Mon, 17 Aug 2020 20:54:04 +0300
From: Alexander Popov <alex.popov@...ux.com>
To: Kees Cook <keescook@...omium.org>
Cc: Jann Horn <jannh@...gle.com>, Will Deacon <will@...nel.org>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Andrew Morton <akpm@...ux-foundation.org>,
Masahiro Yamada <masahiroy@...nel.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Steven Rostedt <rostedt@...dmis.org>,
Peter Zijlstra <peterz@...radead.org>,
Krzysztof Kozlowski <krzk@...nel.org>,
Patrick Bellasi <patrick.bellasi@....com>,
David Howells <dhowells@...hat.com>,
Eric Biederman <ebiederm@...ssion.com>,
Johannes Weiner <hannes@...xchg.org>,
Laura Abbott <labbott@...hat.com>,
Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
kasan-dev@...glegroups.com, linux-mm@...ck.org,
kernel-hardening@...ts.openwall.com, linux-kernel@...r.kernel.org,
notify@...nel.org, Andrey Konovalov <andreyknvl@...gle.com>
Subject: Re: [PATCH RFC 2/2] lkdtm: Add heap spraying test
On 15.08.2020 19:59, Kees Cook wrote:
> On Thu, Aug 13, 2020 at 06:19:22PM +0300, Alexander Popov wrote:
>> Add a simple test for CONFIG_SLAB_QUARANTINE.
>>
>> It performs heap spraying that aims to reallocate the recently freed heap
>> object. This technique is used for exploiting use-after-free
>> vulnerabilities in the kernel code.
>>
>> This test shows that CONFIG_SLAB_QUARANTINE breaks heap spraying
>> exploitation technique.
>
> Yay tests!
Yes :)
I'm going to improve it to demonstrate the quarantine security properties.
>> Signed-off-by: Alexander Popov <alex.popov@...ux.com>
>> ---
>> drivers/misc/lkdtm/core.c | 1 +
>> drivers/misc/lkdtm/heap.c | 40 ++++++++++++++++++++++++++++++++++++++
>> drivers/misc/lkdtm/lkdtm.h | 1 +
>> 3 files changed, 42 insertions(+)
>>
>> diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
>> index a5e344df9166..78b7669c35eb 100644
>> --- a/drivers/misc/lkdtm/core.c
>> +++ b/drivers/misc/lkdtm/core.c
>> @@ -126,6 +126,7 @@ static const struct crashtype crashtypes[] = {
>> CRASHTYPE(SLAB_FREE_DOUBLE),
>> CRASHTYPE(SLAB_FREE_CROSS),
>> CRASHTYPE(SLAB_FREE_PAGE),
>> + CRASHTYPE(HEAP_SPRAY),
>> CRASHTYPE(SOFTLOCKUP),
>> CRASHTYPE(HARDLOCKUP),
>> CRASHTYPE(SPINLOCKUP),
>> diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c
>> index 1323bc16f113..a72a241e314a 100644
>> --- a/drivers/misc/lkdtm/heap.c
>> +++ b/drivers/misc/lkdtm/heap.c
>> @@ -205,6 +205,46 @@ static void ctor_a(void *region)
>> static void ctor_b(void *region)
>> { }
>>
>> +#define HEAP_SPRAY_SIZE 128
>> +
>> +void lkdtm_HEAP_SPRAY(void)
>> +{
>> + int *addr;
>> + int *spray_addrs[HEAP_SPRAY_SIZE] = { 0 };
>
> (the 0 isn't needed -- and it was left there, it should be NULL)
It is used in tear-down below.
I'll change it to { NULL }.
>> + unsigned long i = 0;
>> +
>> + addr = kmem_cache_alloc(a_cache, GFP_KERNEL);
>
> I would prefer this test add its own cache (e.g. spray_cache), to avoid
> misbehaviors between tests. (e.g. the a and b caches already run the
> risk of getting corrupted weirdly.)
Ok, I'll do that.
>> + if (!addr) {
>> + pr_info("Unable to allocate memory in lkdtm-heap-a cache\n");
>> + return;
>> + }
>> +
>> + *addr = 0x31337;
>> + kmem_cache_free(a_cache, addr);
>> +
>> + pr_info("Performing heap spraying...\n");
>> + for (i = 0; i < HEAP_SPRAY_SIZE; i++) {
>> + spray_addrs[i] = kmem_cache_alloc(a_cache, GFP_KERNEL);
>> + *spray_addrs[i] = 0x31337;
>> + pr_info("attempt %lu: spray alloc addr %p vs freed addr %p\n",
>> + i, spray_addrs[i], addr);
>
> That's 128 lines spewed into dmesg... I would leave this out.
Ok.
>> + if (spray_addrs[i] == addr) {
>> + pr_info("freed addr is reallocated!\n");
>> + break;
>> + }
>> + }
>> +
>> + if (i < HEAP_SPRAY_SIZE)
>> + pr_info("FAIL! Heap spraying succeed :(\n");
>
> I'd move this into the "if (spray_addrs[i] == addr)" test instead of the
> pr_info() that is there.
>
>> + else
>> + pr_info("OK! Heap spraying hasn't succeed :)\n");
>
> And then make this an "if (i == HEAP_SPRAY_SIZE)" test
Do you mean that I need to avoid the additional line in the test output,
printing only the final result?
>> +
>> + for (i = 0; i < HEAP_SPRAY_SIZE; i++) {
>> + if (spray_addrs[i])
>> + kmem_cache_free(a_cache, spray_addrs[i]);
>> + }
>> +}
>> +
>> void __init lkdtm_heap_init(void)
>> {
>> double_free_cache = kmem_cache_create("lkdtm-heap-double_free",
>> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
>> index 8878538b2c13..dfafb4ae6f3a 100644
>> --- a/drivers/misc/lkdtm/lkdtm.h
>> +++ b/drivers/misc/lkdtm/lkdtm.h
>> @@ -45,6 +45,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void);
>> void lkdtm_SLAB_FREE_DOUBLE(void);
>> void lkdtm_SLAB_FREE_CROSS(void);
>> void lkdtm_SLAB_FREE_PAGE(void);
>> +void lkdtm_HEAP_SPRAY(void);
>>
>> /* lkdtm_perms.c */
>> void __init lkdtm_perms_init(void);
>> --
>> 2.26.2
>>
>
> I assume enabling the quarantine defense also ends up being seen in the
> SLAB_FREE_DOUBLE LKDTM test too, yes?
I'll experiment with that.
Thank you!
Best regards,
Alexander
Powered by blists - more mailing lists