]>
Commit | Line | Data |
---|---|---|
39f3dcdc SLM |
1 | From 3f84077621cc679528f815fc968b0c76fa3b8e8f Mon Sep 17 00:00:00 2001 |
2 | From: Christophe Leroy <christophe.leroy@c-s.fr> | |
3 | Date: Wed, 7 Nov 2018 20:14:10 +0000 | |
4 | Subject: lkdtm: Print real addresses | |
5 | ||
6 | [ Upstream commit 4c411157a42f122051ae3469bee0b5cabe89e139 ] | |
7 | ||
8 | Today, when doing a lkdtm test before the readiness of the | |
9 | random generator, (ptrval) is printed instead of the address | |
10 | at which it perform the fault: | |
11 | ||
12 | [ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE | |
13 | [ 1597.337142] lkdtm: attempting ok execution at (ptrval) | |
14 | [ 1597.337398] lkdtm: attempting bad execution at (ptrval) | |
15 | [ 1597.337460] kernel tried to execute user page (77858000) -exploit attempt? (uid: 0) | |
16 | [ 1597.344769] Unable to handle kernel paging request for instruction fetch | |
17 | [ 1597.351392] Faulting instruction address: 0x77858000 | |
18 | [ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1] | |
19 | ||
20 | If the lkdtm test is done later on, it prints an hashed address. | |
21 | ||
22 | In both cases this is pointless. The purpose of the test is to | |
23 | ensure the kernel generates an Oops at the expected address, | |
24 | so real addresses needs to be printed. This patch fixes that. | |
25 | ||
26 | Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> | |
27 | Signed-off-by: Kees Cook <keescook@chromium.org> | |
28 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
29 | --- | |
30 | drivers/misc/lkdtm_perms.c | 18 +++++++++--------- | |
31 | 1 file changed, 9 insertions(+), 9 deletions(-) | |
32 | ||
33 | diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c | |
34 | index 53b85c9d16b8..fa54add6375a 100644 | |
35 | --- a/drivers/misc/lkdtm_perms.c | |
36 | +++ b/drivers/misc/lkdtm_perms.c | |
37 | @@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write) | |
38 | { | |
39 | void (*func)(void) = dst; | |
40 | ||
41 | - pr_info("attempting ok execution at %p\n", do_nothing); | |
42 | + pr_info("attempting ok execution at %px\n", do_nothing); | |
43 | do_nothing(); | |
44 | ||
45 | if (write == CODE_WRITE) { | |
46 | @@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write) | |
47 | flush_icache_range((unsigned long)dst, | |
48 | (unsigned long)dst + EXEC_SIZE); | |
49 | } | |
50 | - pr_info("attempting bad execution at %p\n", func); | |
51 | + pr_info("attempting bad execution at %px\n", func); | |
52 | func(); | |
53 | } | |
54 | ||
55 | @@ -66,14 +66,14 @@ static void execute_user_location(void *dst) | |
56 | /* Intentionally crossing kernel/user memory boundary. */ | |
57 | void (*func)(void) = dst; | |
58 | ||
59 | - pr_info("attempting ok execution at %p\n", do_nothing); | |
60 | + pr_info("attempting ok execution at %px\n", do_nothing); | |
61 | do_nothing(); | |
62 | ||
63 | copied = access_process_vm(current, (unsigned long)dst, do_nothing, | |
64 | EXEC_SIZE, FOLL_WRITE); | |
65 | if (copied < EXEC_SIZE) | |
66 | return; | |
67 | - pr_info("attempting bad execution at %p\n", func); | |
68 | + pr_info("attempting bad execution at %px\n", func); | |
69 | func(); | |
70 | } | |
71 | ||
72 | @@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void) | |
73 | /* Explicitly cast away "const" for the test. */ | |
74 | unsigned long *ptr = (unsigned long *)&rodata; | |
75 | ||
76 | - pr_info("attempting bad rodata write at %p\n", ptr); | |
77 | + pr_info("attempting bad rodata write at %px\n", ptr); | |
78 | *ptr ^= 0xabcd1234; | |
79 | } | |
80 | ||
81 | @@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void) | |
82 | return; | |
83 | } | |
84 | ||
85 | - pr_info("attempting bad ro_after_init write at %p\n", ptr); | |
86 | + pr_info("attempting bad ro_after_init write at %px\n", ptr); | |
87 | *ptr ^= 0xabcd1234; | |
88 | } | |
89 | ||
90 | @@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void) | |
91 | size = (unsigned long)do_overwritten - (unsigned long)do_nothing; | |
92 | ptr = (unsigned char *)do_overwritten; | |
93 | ||
94 | - pr_info("attempting bad %zu byte write at %p\n", size, ptr); | |
95 | + pr_info("attempting bad %zu byte write at %px\n", size, ptr); | |
96 | memcpy(ptr, (unsigned char *)do_nothing, size); | |
97 | flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size)); | |
98 | ||
99 | @@ -185,11 +185,11 @@ void lkdtm_ACCESS_USERSPACE(void) | |
100 | ||
101 | ptr = (unsigned long *)user_addr; | |
102 | ||
103 | - pr_info("attempting bad read at %p\n", ptr); | |
104 | + pr_info("attempting bad read at %px\n", ptr); | |
105 | tmp = *ptr; | |
106 | tmp += 0xc0dec0de; | |
107 | ||
108 | - pr_info("attempting bad write at %p\n", ptr); | |
109 | + pr_info("attempting bad write at %px\n", ptr); | |
110 | *ptr = tmp; | |
111 | ||
112 | vm_munmap(user_addr, PAGE_SIZE); | |
113 | -- | |
114 | 2.19.1 | |
115 |