Commit f387e86d authored by Kees Cook

lkdtm/usercopy: Expand size of "out of frame" object



To be sufficiently out of range for the usercopy test to see the lifetime
mismatch, expand the size of the "bad" buffer, which will let it be
beyond current_stack_pointer regardless of stack growth direction.
Paired with the recent addition of stack depth checking under
CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again.

Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/


Signed-off-by: Kees Cook <keescook@chromium.org>
parent 42db2594
+14 −3
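--- a/drivers/misc/lkdtm/usercopy.c
+++ b/drivers/misc/lkdtm/usercopy.c
@@ -30,12 +30,12 @@ static const unsigned char test_text[] = "This is a test.\n";
  */
 static noinline unsigned char *trick_compiler(unsigned char *stack)
 {
-	return stack + 0;
+	return stack + unconst;
 }
 
 static noinline unsigned char *do_usercopy_stack_callee(int value)
 {
-	unsigned char buf[32];
+	unsigned char buf[128];
 	int i;
 
 	/* Exercise stack to avoid everything living in registers. */
@@ -43,7 +43,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value)
 		buf[i] = value & 0xff;
 	}
 
-	return trick_compiler(buf);
+	/*
+	 * Put the target buffer in the middle of stack allocation
+	 * so that we don't step on future stack users regardless
+	 * of stack growth direction.
+	 */
+	return trick_compiler(&buf[(128/2)-32]);
 }
 
 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
@@ -66,6 +71,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
 		bad_stack -= sizeof(unsigned long);
 	}
 
+#ifdef ARCH_HAS_CURRENT_STACK_POINTER
+	pr_info("stack     : %px\n", (void *)current_stack_pointer);
+#endif
+	pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
+	pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
+
 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
 			    PROT_READ | PROT_WRITE | PROT_EXEC,
 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);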
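Review bot: `return trick_compiler(&buf[(128/2)-32]);` in do_usercopy_stack_callee hard-codes the buffer size already spelled out in the `buf[128]` declaration and a bare 32 that has to match the usercopy length do_usercopy_stack later uses (presumably sizeof(good_stack), declared outside this hunk); if either is changed on its own the offset silently drifts and the copy can run off the end of buf. Tie the offset to the declaration, `return trick_compiler(&buf[sizeof(buf) / 2 - 32]);`, and record the coupling in the comment block: `* 32 must match the copy length (sizeof(good_stack)) used by do_usercopy_stack.`. The comment also says "middle", but a 32-byte window at offset 32 sits in the lower half of the 128-byte buffer; if centering is the intent the offset is `(sizeof(buf) - 32) / 2`, otherwise "inside the allocation" is the accurate wording. The new pr_info() lines print raw kernel stack addresses with `%px`, which is the point of a crash-test module but is exactly what checkpatch flags, so a one-line `/* %px intentional: lkdtm is a debug module and the raw addresses are the test output. */` above them will stop a later "fix" to `%p`.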