diff options
| author | Christophe Leroy <christophe.leroy@c-s.fr> | 2018-11-07 15:14:10 -0500 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2019-01-09 14:58:51 -0500 |
| commit | 4c411157a42f122051ae3469bee0b5cabe89e139 (patch) | |
| tree | f11f88defffb09d4ceaaf1e8521047289eec0448 /drivers/misc/lkdtm | |
| parent | a77d087fd566f576da1f5b8726dd9d9f0f164e1f (diff) | |
lkdtm: Print real addresses
Today, when doing a lkdtm test before the readiness of the
random generator, (ptrval) is printed instead of the address
at which it perform the fault:
[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
[ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0)
[ 1597.344769] Unable to handle kernel paging request for instruction fetch
[ 1597.351392] Faulting instruction address: 0x77858000
[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]
If the lkdtm test is done later on, it prints an hashed address.
In both cases this is pointless. The purpose of the test is to
ensure the kernel generates an Oops at the expected address,
so real addresses needs to be printed. This patch fixes that.
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'drivers/misc/lkdtm')
| -rw-r--r-- | drivers/misc/lkdtm/perms.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c index 53b85c9d16b8..fa54add6375a 100644 --- a/drivers/misc/lkdtm/perms.c +++ b/drivers/misc/lkdtm/perms.c | |||
| @@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write) | |||
| 47 | { | 47 | { |
| 48 | void (*func)(void) = dst; | 48 | void (*func)(void) = dst; |
| 49 | 49 | ||
| 50 | pr_info("attempting ok execution at %p\n", do_nothing); | 50 | pr_info("attempting ok execution at %px\n", do_nothing); |
| 51 | do_nothing(); | 51 | do_nothing(); |
| 52 | 52 | ||
| 53 | if (write == CODE_WRITE) { | 53 | if (write == CODE_WRITE) { |
| @@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write) | |||
| 55 | flush_icache_range((unsigned long)dst, | 55 | flush_icache_range((unsigned long)dst, |
| 56 | (unsigned long)dst + EXEC_SIZE); | 56 | (unsigned long)dst + EXEC_SIZE); |
| 57 | } | 57 | } |
| 58 | pr_info("attempting bad execution at %p\n", func); | 58 | pr_info("attempting bad execution at %px\n", func); |
| 59 | func(); | 59 | func(); |
| 60 | } | 60 | } |
| 61 | 61 | ||
| @@ -66,14 +66,14 @@ static void execute_user_location(void *dst) | |||
| 66 | /* Intentionally crossing kernel/user memory boundary. */ | 66 | /* Intentionally crossing kernel/user memory boundary. */ |
| 67 | void (*func)(void) = dst; | 67 | void (*func)(void) = dst; |
| 68 | 68 | ||
| 69 | pr_info("attempting ok execution at %p\n", do_nothing); | 69 | pr_info("attempting ok execution at %px\n", do_nothing); |
| 70 | do_nothing(); | 70 | do_nothing(); |
| 71 | 71 | ||
| 72 | copied = access_process_vm(current, (unsigned long)dst, do_nothing, | 72 | copied = access_process_vm(current, (unsigned long)dst, do_nothing, |
| 73 | EXEC_SIZE, FOLL_WRITE); | 73 | EXEC_SIZE, FOLL_WRITE); |
| 74 | if (copied < EXEC_SIZE) | 74 | if (copied < EXEC_SIZE) |
| 75 | return; | 75 | return; |
| 76 | pr_info("attempting bad execution at %p\n", func); | 76 | pr_info("attempting bad execution at %px\n", func); |
| 77 | func(); | 77 | func(); |
| 78 | } | 78 | } |
| 79 | 79 | ||
| @@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void) | |||
| 82 | /* Explicitly cast away "const" for the test. */ | 82 | /* Explicitly cast away "const" for the test. */ |
| 83 | unsigned long *ptr = (unsigned long *)&rodata; | 83 | unsigned long *ptr = (unsigned long *)&rodata; |
| 84 | 84 | ||
| 85 | pr_info("attempting bad rodata write at %p\n", ptr); | 85 | pr_info("attempting bad rodata write at %px\n", ptr); |
| 86 | *ptr ^= 0xabcd1234; | 86 | *ptr ^= 0xabcd1234; |
| 87 | } | 87 | } |
| 88 | 88 | ||
| @@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) | |||
| 100 | return; | 100 | return; |
| 101 | } | 101 | } |
| 102 | 102 | ||
| 103 | pr_info("attempting bad ro_after_init write at %p\n", ptr); | 103 | pr_info("attempting bad ro_after_init write at %px\n", ptr); |
| 104 | *ptr ^= 0xabcd1234; | 104 | *ptr ^= 0xabcd1234; |
| 105 | } | 105 | } |
| 106 | 106 | ||
| @@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void) | |||
| 112 | size = (unsigned long)do_overwritten - (unsigned long)do_nothing; | 112 | size = (unsigned long)do_overwritten - (unsigned long)do_nothing; |
| 113 | ptr = (unsigned char *)do_overwritten; | 113 | ptr = (unsigned char *)do_overwritten; |
| 114 | 114 | ||
| 115 | pr_info("attempting bad %zu byte write at %p\n", size, ptr); | 115 | pr_info("attempting bad %zu byte write at %px\n", size, ptr); |
| 116 | memcpy(ptr, (unsigned char *)do_nothing, size); | 116 | memcpy(ptr, (unsigned char *)do_nothing, size); |
| 117 | flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size)); | 117 | flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size)); |
| 118 | 118 | ||
| @@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void) | |||
| 185 | 185 | ||
| 186 | ptr = (unsigned long *)user_addr; | 186 | ptr = (unsigned long *)user_addr; |
| 187 | 187 | ||
| 188 | pr_info("attempting bad read at %p\n", ptr); | 188 | pr_info("attempting bad read at %px\n", ptr); |
| 189 | tmp = *ptr; | 189 | tmp = *ptr; |
| 190 | tmp += 0xc0dec0de; | 190 | tmp += 0xc0dec0de; |
| 191 | 191 | ||
| 192 | pr_info("attempting bad write at %p\n", ptr); | 192 | pr_info("attempting bad write at %px\n", ptr); |
| 193 | *ptr = tmp; | 193 | *ptr = tmp; |
| 194 | 194 | ||
| 195 | vm_munmap(user_addr, PAGE_SIZE); | 195 | vm_munmap(user_addr, PAGE_SIZE); |