From: Kees Cook
Date: Wed, 9 Jan 2019 07:16:55 -0800
Subject: Re: [PATCH] lkdtm: Add a tests for NULL pointer dereference
To: Christophe Leroy
Cc: Arnd Bergmann, Greg Kroah-Hartman, LKML, PowerPC
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 8, 2019 at 10:31 PM Christophe Leroy wrote:
>
> On 09/01/2019 at 02:14, Kees Cook wrote:
> > On Fri, Dec 14, 2018 at 7:26 AM Christophe Leroy
> > wrote:
> >>
> >> Introduce lkdtm tests for NULL pointer dereference: check
> >> access or exec at NULL address.
> >
> > Why is this not already covered by the existing tests? (Is there
> > something special about NULL that is being missed?) I'd expect SMAP
> > and SMEP to cover NULL as well.
>
> Most arches print a different message whether the faulty address is
> above or under PAGE_SIZE. Below is an example from x86:
>
>         pr_alert("BUG: unable to handle kernel %s at %px\n",
>                  address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
>                  (void *)address);
>
>
> Until recently, the powerpc arch didn't do it. When I implemented it
> (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=49a502ea23bf9dec47f8f3c3960909ff409cd1bb),
> I needed a way to test it and couldn't find an existing one, hence this
> new LKDTM test.
>
> But maybe I missed something?

Okay, gotcha. You're getting more complete reporting coverage. Sounds
good to me. Thanks!

Acked-by: Kees Cook

-Kees

>
> Christophe
>
> >
> > -Kees
> >
> >>
> >> Signed-off-by: Christophe Leroy
> >> ---
> >> drivers/misc/lkdtm/core.c | 2 ++
> >> drivers/misc/lkdtm/lkdtm.h | 2 ++
> >> drivers/misc/lkdtm/perms.c | 18 ++++++++++++++++++
> >> 3 files changed, 22 insertions(+)
> >> > >> diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c > >> index bc76756b7eda..36910e1d5c09 100644 > >> --- a/drivers/misc/lkdtm/core.c > >> +++ b/drivers/misc/lkdtm/core.c > >> @@ -157,7 +157,9 @@ static const struct crashtype crashtypes[] =3D { > >> CRASHTYPE(EXEC_VMALLOC), > >> CRASHTYPE(EXEC_RODATA), > >> CRASHTYPE(EXEC_USERSPACE), > >> + CRASHTYPE(EXEC_NULL), > >> CRASHTYPE(ACCESS_USERSPACE), > >> + CRASHTYPE(ACCESS_NULL), > >> CRASHTYPE(WRITE_RO), > >> CRASHTYPE(WRITE_RO_AFTER_INIT), > >> CRASHTYPE(WRITE_KERN), > >> diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h > >> index 3c6fd327e166..b69ee004a3f7 100644 > >> --- a/drivers/misc/lkdtm/lkdtm.h > >> +++ b/drivers/misc/lkdtm/lkdtm.h > >> @@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void); > >> void lkdtm_EXEC_VMALLOC(void); > >> void lkdtm_EXEC_RODATA(void); > >> void lkdtm_EXEC_USERSPACE(void); > >> +void lkdtm_EXEC_NULL(void); > >> void lkdtm_ACCESS_USERSPACE(void); > >> +void lkdtm_ACCESS_NULL(void); > >> > >> /* lkdtm_refcount.c */ > >> void lkdtm_REFCOUNT_INC_OVERFLOW(void); > >> diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c > >> index fa54add6375a..62f76d506f04 100644 > >> --- a/drivers/misc/lkdtm/perms.c > >> +++ b/drivers/misc/lkdtm/perms.c > >> @@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void) > >> vm_munmap(user_addr, PAGE_SIZE); > >> } > >> > >> +void lkdtm_EXEC_NULL(void) > >> +{ > >> + execute_location(NULL, CODE_AS_IS); > >> +} > >> + > >> void lkdtm_ACCESS_USERSPACE(void) > >> { > >> unsigned long user_addr, tmp =3D 0; 
> >> @@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void) > >> vm_munmap(user_addr, PAGE_SIZE); > >> } > >> > >> +void lkdtm_ACCESS_NULL(void) > >> +{ > >> + unsigned long tmp; > >> + unsigned long *ptr =3D (unsigned long *)NULL; > >> + > >> + pr_info("attempting bad read at %px\n", ptr); > >> + tmp =3D *ptr; > >> + tmp +=3D 0xc0dec0de; > >> + > >> + pr_info("attempting bad write at %px\n", ptr); > >> + *ptr =3D tmp; > >> +} > >> + > >> void __init lkdtm_perms_init(void) > >> { > >> /* Make sure we can write to __ro_after_init values during __= init */ > >> -- > >> 2.13.3 > >> > > > > --=20 Kees Cook
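Review bot: lkdtm_EXEC_NULL() in the first perms.c hunk (@@ -164,6 +164,11 @@) carries no comment, and the commit message gives no reason, for why NULL needs its own test next to EXEC_USERSPACE. The reason only appears in the reply above: the fault handler reports addresses below PAGE_SIZE as "NULL pointer dereference" rather than "paging request", and this test exists to exercise that reporting path. A one-line comment above the function, or a sentence in the commit message, would record that and would have answered the "why is this not already covered" question up front.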
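Review bot: in lkdtm_ACCESS_NULL() (second perms.c hunk, @@ -195,6 +200,19 @@) ptr is a plain pointer initialised to the constant NULL, so "tmp = *ptr;" is a dereference the compiler can prove is NULL and is not obliged to emit as a real load. Declaring it as "volatile unsigned long *ptr = NULL;" forces both accesses to be emitted and drops the redundant "(unsigned long *)" cast. Also, when the read faults as intended, the write at "*ptr = tmp;" is never reached in that run, and neither access logs anything if it survives; a pr_err() after each access would make an unexpected pass visible in the log.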