summaryrefslogtreecommitdiffstats
path: root/drivers/misc
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2015-10-27 16:47:53 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2015-10-29 09:02:16 +0900
commit2cb202c1886ca363305fba82e340bdbd71387079 (patch)
tree0308d07d1ea45f7ac9d0dac94ea1b4a5cde83348 /drivers/misc
parent169883a63eb7e34e8e1c92fd451f34a5635c29ad (diff)
downloadlinux-stable-2cb202c1886ca363305fba82e340bdbd71387079.tar.gz
linux-stable-2cb202c1886ca363305fba82e340bdbd71387079.tar.bz2
linux-stable-2cb202c1886ca363305fba82e340bdbd71387079.zip
lkdtm: fix ACCESS_USERSPACE test
Add a copy_to_user() call to the ACCESS_USERSPACE test prior to attempting direct dereferencing of the user address to ensure the page is present. Otherwise, a fault occurs on arm kernels even prior to the introduction of CONFIG_CPU_SW_DOMAIN_PAN, and there is no difference in behavior for CONFIG_CPU_SW_DOMAIN_PAN=n vs CONFIG_CPU_SW_DOMAIN_PAN=y. Before this change, for any value of CONFIG_CPU_SW_DOMAIN_PAN: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6fe8000 Unable to handle kernel paging request at virtual address b6fe8000 After this change, for CONFIG_CPU_SW_DOMAIN_PAN=n: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6efc000 lkdtm: attempting bad write at b6efc000 After this change, for CONFIG_CPU_SW_DOMAIN_PAN=y: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6f7d000 Unhandled fault: page domain fault (0x01b) at 0xb6f7d000 ... Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc')
-rw-r--r--drivers/misc/lkdtm.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index b5abe34120b8..11fdadc68e53 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -472,7 +472,7 @@ static void lkdtm_do_action(enum ctype which)
break;
}
case CT_ACCESS_USERSPACE: {
- unsigned long user_addr, tmp;
+ unsigned long user_addr, tmp = 0;
unsigned long *ptr;
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
@@ -483,6 +483,12 @@ static void lkdtm_do_action(enum ctype which)
return;
}
+ if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) {
+ pr_warn("copy_to_user failed\n");
+ vm_munmap(user_addr, PAGE_SIZE);
+ return;
+ }
+
ptr = (unsigned long *)user_addr;
pr_info("attempting bad read at %p\n", ptr);