| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <134b968f-f65f-cd74-3db1-fff60e5ebeb8@csgroup.eu>
Date: Wed, 13 Oct 2021 09:48:54 +0200
From: Christophe Leroy <christophe.leroy@...roup.eu>
To: Kees Cook <keescook@...omium.org>
Cc: Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Paul Mackerras <paulus@...ba.org>,
Michael Ellerman <mpe@...erman.id.au>,
Andrew Morton <akpm@...ux-foundation.org>,
"James E.J. Bottomley" <James.Bottomley@...senpartnership.com>,
Helge Deller <deller@....de>, Arnd Bergmann <arnd@...db.de>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-ia64@...r.kernel.org, linux-parisc@...r.kernel.org,
linux-arch@...r.kernel.org, linux-mm@...ck.org
Subject: Re: [PATCH v1 09/10] lkdtm: Fix lkdtm_EXEC_RODATA()
Le 13/10/2021 à 09:39, Christophe Leroy a écrit :
>
>
> Le 13/10/2021 à 09:23, Kees Cook a écrit :
>> On Mon, Oct 11, 2021 at 05:25:36PM +0200, Christophe Leroy wrote:
>>> Behind a location, lkdtm_EXEC_RODATA() executes a real function,
>>> not a copy of do_nothing().
>>>
>>> So do it directly instead of using execute_location().
>>>
>>> And fix displayed addresses by dereferencing the function descriptors.
>>>
>>> Signed-off-by: Christophe Leroy <christophe.leroy@...roup.eu>
>>> ---
>>> drivers/misc/lkdtm/perms.c | 9 ++++++++-
>>> 1 file changed, 8 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
>>> index 442d60ed25ef..da16564e1ecd 100644
>>> --- a/drivers/misc/lkdtm/perms.c
>>> +++ b/drivers/misc/lkdtm/perms.c
>>> @@ -153,7 +153,14 @@ void lkdtm_EXEC_VMALLOC(void)
>>>
>>> void lkdtm_EXEC_RODATA(void)
>>> {
>>> - execute_location(lkdtm_rodata_do_nothing, CODE_AS_IS);
>>> + pr_info("attempting ok execution at %px\n",
>>> + dereference_symbol_descriptor(do_nothing));
>>> + do_nothing();
>>> +
>>> + pr_info("attempting bad execution at %px\n",
>>> + dereference_symbol_descriptor(lkdtm_rodata_do_nothing));
>>> + lkdtm_rodata_do_nothing();
>>> + pr_err("FAIL: func returned\n");
>>> }
>>
>> (In re-reading this more carefully, I see now why kallsyms.h is used
>> earlier: _function_ vs _symbol_ descriptor.)
>>
>> In the next patch:
>>
>> static noinline void execute_location(void *dst, bool write)
>> {
>> ...
>> func = setup_function_descriptor(&fdesc, dst);
>> if (IS_ERR(func))
>> return;
>>
>> pr_info("attempting bad execution at %px\n", dst);
>> func();
>> pr_err("FAIL: func returned\n");
>> }
>>
>> What are the conditions for which dereference_symbol_descriptor works
>> but dereference _function_descriptor doesn't?
>>
>
> When LKDTM is built as a module I guess ?
>
To be more precise, dereference_symbol_descriptor() calls either
dereference_kernel_function_descriptor() or
dereference_module_function_descriptor()
Both functions call dereference_function_descriptor() after checking
that we want to dereference something that is in the OPD section.
If we call dereference_function_descriptor() directly instead of
dereference_symbol_descriptor() we skip the range verification and may
dereference something that is not a function descriptor.
Should we do that ?
Christophe
Powered by blists - more mailing lists