diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-10-27 16:47:53 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2015-10-29 09:02:16 +0900 |
commit | 2cb202c1886ca363305fba82e340bdbd71387079 (patch) | |
tree | 0308d07d1ea45f7ac9d0dac94ea1b4a5cde83348 /drivers/misc | |
parent | 169883a63eb7e34e8e1c92fd451f34a5635c29ad (diff) | |
download | linux-stable-2cb202c1886ca363305fba82e340bdbd71387079.tar.gz linux-stable-2cb202c1886ca363305fba82e340bdbd71387079.tar.bz2 linux-stable-2cb202c1886ca363305fba82e340bdbd71387079.zip |
lkdtm: fix ACCESS_USERSPACE test
Add a copy_to_user() call to the ACCESS_USERSPACE test
prior to attempting direct dereferencing of the user
address to ensure the page is present. Otherwise,
a fault occurs on arm kernels even prior to the introduction
of CONFIG_CPU_SW_DOMAIN_PAN, and there is no difference in
behavior for CONFIG_CPU_SW_DOMAIN_PAN=n vs CONFIG_CPU_SW_DOMAIN_PAN=y.
Before this change, for any value of CONFIG_CPU_SW_DOMAIN_PAN:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6fe8000
Unable to handle kernel paging request at virtual address b6fe8000
After this change, for CONFIG_CPU_SW_DOMAIN_PAN=n:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6efc000
lkdtm: attempting bad write at b6efc000
After this change, for CONFIG_CPU_SW_DOMAIN_PAN=y:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6f7d000
Unhandled fault: page domain fault (0x01b) at 0xb6f7d000
...
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc')
-rw-r--r-- | drivers/misc/lkdtm.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index b5abe34120b8..11fdadc68e53 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c @@ -472,7 +472,7 @@ static void lkdtm_do_action(enum ctype which) break; } case CT_ACCESS_USERSPACE: { - unsigned long user_addr, tmp; + unsigned long user_addr, tmp = 0; unsigned long *ptr; user_addr = vm_mmap(NULL, 0, PAGE_SIZE, @@ -483,6 +483,12 @@ static void lkdtm_do_action(enum ctype which) return; } + if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) { + pr_warn("copy_to_user failed\n"); + vm_munmap(user_addr, PAGE_SIZE); + return; + } + ptr = (unsigned long *)user_addr; pr_info("attempting bad read at %p\n", ptr); |