Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp1430891pxa; Thu, 13 Aug 2020 08:23:41 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy2BO/daNl8ABBE4sIyFi68+pYvSnmOhsQxFFyofhRVvkb8SbF+qCvWO6/HboNZyDXHN94b X-Received: by 2002:a17:906:1986:: with SMTP id g6mr5469375ejd.404.1597332221819; Thu, 13 Aug 2020 08:23:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597332221; cv=none; d=google.com; s=arc-20160816; b=a8xBA3DmjF9xY253Ihf90xIKmgPv6oLgDYomaSBgjb1SAflMsHJqzgXIDxmiDqM1jK vZX2XAa0/mkYlo+oDtn7DfRRCOwWL0ZaxXWBkfi/P3AXBZXWbY6v2ibxp3FfyX8zN/Iq xT1B35jpMF/waGtcXyrVNMKr/lNt1CuVuq18paR1ZqRqZt/iHUj9f377bZ/HiwqSicuT EaE+CJXnGMFC8OAlYhAuTZ9T/wGnFztqDiiSvAsc9eGbmFLsc9+73FB+ie6dE+L+qvbO DgI6RcdfsPsYw3zM1ArRXEGe8m4LnuwypOn1TbtUXdd2zRU5/gF6qkfzKMR3ZNrCvLZt IAUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=sWVYbnLUoQh2/bQ8PJoxS/2ocrG/gYbDVzBuksdzAMQ=; b=MYOdzAxlGefBT4zvzDJZtulOQjtsbR4Uqc+ff2wOIftNFtbQc1aBHDu4aIgbbjLgql uJUDDELUQYgyLXMacNx3Nyp9BzRXXH6YU4JdSPMqEPaM1vNGhra+2+8zdbgDIrEAuxnw spki/xnZRU1eCFrrE8hxc8LHg2eByGZMiKLl4DAmOdnk24RALRhLsJcher+6bpNH6kAt dzAqL8WijgMLbW/OEvvPHjxUy8uWiSIQ4e/SfS/6WOA1BFTM12bAzMFRXLuTpHZE/qOR +6+oJ+rMThXv2sZ2v5ECcp+EGyIq+dlypajmO56dSuGp6UEYUOTNYxBj3GgA1c4uosVG f/rA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p10si3542312edy.86.2020.08.13.08.23.18; Thu, 13 Aug 2020 08:23:41 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726807AbgHMPTy (ORCPT + 99 others); Thu, 13 Aug 2020 11:19:54 -0400 Received: from mail-wm1-f66.google.com ([209.85.128.66]:36947 "EHLO mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726334AbgHMPTs (ORCPT ); Thu, 13 Aug 2020 11:19:48 -0400 Received: by mail-wm1-f66.google.com with SMTP id k8so5397500wma.2 for ; Thu, 13 Aug 2020 08:19:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=sWVYbnLUoQh2/bQ8PJoxS/2ocrG/gYbDVzBuksdzAMQ=; b=fwKa9tq/kj43Esimh7kXdizIyHU8WFQoxI5LEVmwhsM8T+okPPcxDoBUWDFd8PnkKE lrLi6bhISXpzEKhTHOZjGRywZqwBQHyP7pWmw4Ys5EST/0/lcp7n2XuVZ4JGO3WubagH VRQ5UbylkLGDUAJRllUPkXxoyGLKnCw9/jTip1H7GHLt+xh6j/Up+xKzTOU+fq4s3AkH QlTTjO0+aL0tb8sfDVzwW4tg4+FE02vWEGXxvL9LjLsdafnyohy93PsxQT7uvmbqYBkG yZ/n9BCrWcUpcgnLOkdGjhi+vykx+iwdhYIi7ZXTJGXp6P6DGy1azdeW4YzQq9aoXlLY VnLw== X-Gm-Message-State: AOAM531QMYOLSZ1R0qKO4VeaFq2mtqYLBdBLxnRxS9vNNS0TkKyLRsNH wKCFz/Kt50Sqthuf8JJ8aE4= X-Received: by 2002:a1c:de88:: with SMTP id v130mr4675656wmg.98.1597331986347; Thu, 13 Aug 2020 08:19:46 -0700 (PDT) Received: from localhost.localdomain ([185.248.161.177]) by smtp.gmail.com with ESMTPSA id d23sm10394044wmd.27.2020.08.13.08.19.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Aug 2020 08:19:45 -0700 (PDT) From: Alexander Popov To: Kees Cook , Jann Horn , Will Deacon , Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Masahiro Yamada , Masami Hiramatsu , Steven Rostedt , Peter Zijlstra , Krzysztof Kozlowski , Patrick Bellasi , David Howells , Eric Biederman , Johannes Weiner , Laura Abbott , Arnd Bergmann , Greg Kroah-Hartman , kasan-dev@googlegroups.com, linux-mm@kvack.org, kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, Alexander Popov Cc: notify@kernel.org Subject: [PATCH RFC 2/2] lkdtm: Add heap spraying test Date: Thu, 13 Aug 2020 18:19:22 +0300 Message-Id: <20200813151922.1093791-3-alex.popov@linux.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200813151922.1093791-1-alex.popov@linux.com> References: <20200813151922.1093791-1-alex.popov@linux.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add a simple test for CONFIG_SLAB_QUARANTINE. It performs heap spraying that aims to reallocate the recently freed heap object. This technique is used for exploiting use-after-free vulnerabilities in the kernel code. This test shows that CONFIG_SLAB_QUARANTINE breaks heap spraying exploitation technique. Signed-off-by: Alexander Popov --- drivers/misc/lkdtm/core.c | 1 + drivers/misc/lkdtm/heap.c | 40 ++++++++++++++++++++++++++++++++++++++ drivers/misc/lkdtm/lkdtm.h | 1 + 3 files changed, 42 insertions(+) diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index a5e344df9166..78b7669c35eb 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c @@ -126,6 +126,7 @@ static const struct crashtype crashtypes[] = { CRASHTYPE(SLAB_FREE_DOUBLE), CRASHTYPE(SLAB_FREE_CROSS), CRASHTYPE(SLAB_FREE_PAGE), + CRASHTYPE(HEAP_SPRAY), CRASHTYPE(SOFTLOCKUP), CRASHTYPE(HARDLOCKUP), CRASHTYPE(SPINLOCKUP), diff --git a/drivers/misc/lkdtm/heap.c b/drivers/misc/lkdtm/heap.c index 1323bc16f113..a72a241e314a 100644 --- a/drivers/misc/lkdtm/heap.c +++ b/drivers/misc/lkdtm/heap.c @@ -205,6 +205,46 @@ static void ctor_a(void *region) static void ctor_b(void *region) { } +#define HEAP_SPRAY_SIZE 128 + +void lkdtm_HEAP_SPRAY(void) +{ + int *addr; + int *spray_addrs[HEAP_SPRAY_SIZE] = { 0 }; + unsigned long i = 0; + + addr = kmem_cache_alloc(a_cache, GFP_KERNEL); + if (!addr) { + pr_info("Unable to allocate memory in lkdtm-heap-a cache\n"); + return; + } + + *addr = 0x31337; + kmem_cache_free(a_cache, addr); + + pr_info("Performing heap spraying...\n"); + for (i = 0; i < HEAP_SPRAY_SIZE; i++) { + spray_addrs[i] = kmem_cache_alloc(a_cache, GFP_KERNEL); + *spray_addrs[i] = 0x31337; + pr_info("attempt %lu: spray alloc addr %p vs freed addr %p\n", + i, spray_addrs[i], addr); + if (spray_addrs[i] == addr) { + pr_info("freed addr is reallocated!\n"); + break; + } + } + + if (i < HEAP_SPRAY_SIZE) + pr_info("FAIL! Heap spraying succeed :(\n"); + else + pr_info("OK! Heap spraying hasn't succeed :)\n"); + + for (i = 0; i < HEAP_SPRAY_SIZE; i++) { + if (spray_addrs[i]) + kmem_cache_free(a_cache, spray_addrs[i]); + } +} + void __init lkdtm_heap_init(void) { double_free_cache = kmem_cache_create("lkdtm-heap-double_free", diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 8878538b2c13..dfafb4ae6f3a 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h @@ -45,6 +45,7 @@ void lkdtm_READ_BUDDY_AFTER_FREE(void); void lkdtm_SLAB_FREE_DOUBLE(void); void lkdtm_SLAB_FREE_CROSS(void); void lkdtm_SLAB_FREE_PAGE(void); +void lkdtm_HEAP_SPRAY(void); /* lkdtm_perms.c */ void __init lkdtm_perms_init(void); -- 2.26.2