From 1b451a70d46a5c4619992ad4dd2e4b8f5a84c252 Mon Sep 17 00:00:00 2001
From: Ciro Santilli
Date: Sat, 5 May 2018 08:50:01 +0100
Subject: [PATCH] strlen_overflow and CONFIG_FORTIFY_SOURCE
---
 README.adoc | 24 ++++++++++++++++++++++--
 kernel_config_fragment/default | 3 +++
 kernel_module/README.adoc | 2 ++
 kernel_module/strlen_overflow.c | 24 ++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 kernel_module/strlen_overflow.c
diff --git a/README.adoc b/README.adoc
index f164af4..ff1fffa 100644
--- a/README.adoc
+++ b/README.adoc
@@ -952,7 +952,7 @@ Possibly asked at: The kernel calls `module_init` synchronously, therefore it is not hard to step into that call. -As of 4.16, the call happens in `do_init_module`, so we can do in shell 1: +As of 4.16, the call happens in `do_one_initcall`, so we can do in shell 1: .... ./run
@@ -961,7 +961,7 @@ As of 4.16, the call happens in `do_init_module`, so we can do in shell 1: shell 2 after boot finishes (because there are other calls to `do_init_module` at boot, presumably for the built-in modules): .... -./rungdb do_init_module +./rungdb do_one_initcall .... then step until the line:
@@ -2995,6 +2995,26 @@ Looks like a recompile is needed to modify the image... * https://superuser.com/questions/736423/changing-kernel-bootsplash-image * https://unix.stackexchange.com/questions/153975/how-to-change-boot-logo-in-linux-mint +=== Hardening + +Make it harder to get hacked and easier to notice that you were, at the cost of some (small?) runtime overhead. + +==== CONFIG_FORTIFY_SOURCE + +.... +insmod /strlen_overflow.ko +.... + +detects the overflow: + +.... +<4>[ 3.136382] strlen_overflow: loading out-of-tree module taints kernel. +<0>[ 3.139534] detected buffer overflow in strlen +<4>[ 3.141318] ------------[ cut here ]------------ +.... + +followed by a trace. + === Linux kernel testing https://stackoverflow.com/questions/3177338/how-is-the-linux-kernel-tested 
diff --git a/kernel_config_fragment/default b/kernel_config_fragment/default
index d15f97d..8d8db07 100644
--- a/kernel_config_fragment/default
+++ b/kernel_config_fragment/default
@@ -197,3 +197,6 @@ CONFIG_ARM64_PTDUMP=y # For record and replay. CONFIG_8139CP=y + +# Hardening +CONFIG_FORTIFY_SOURCE=y
diff --git a/kernel_module/README.adoc b/kernel_module/README.adoc
index 4f6f37a..e901cba 100644
--- a/kernel_module/README.adoc
+++ b/kernel_module/README.adoc
@@ -45,6 +45,8 @@
 .. link:netlink.c[]
 . Utilities
 .. link:kstrto.c[]
+. Hardening
+.. link:strlen_overflow.c[]
 . Arch
 .. x86
 ... link:ring0.c[]
diff --git a/kernel_module/strlen_overflow.c b/kernel_module/strlen_overflow.c
new file mode 100644
index 0000000..3442957
--- /dev/null
+++ b/kernel_module/strlen_overflow.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+static int myinit(void)
+{
+ enum { size = 256 };
+ int i = 1;
+ char buf[size];
+ char buf2[size];
+ for (i = 0; i < size; i++) {
+ buf[i] = 'a';
+ buf2[i] = 'b';
+ }
+ /*char buf[] = {'p', 'w', 'n'};*/
+ pr_info("%llu\n", (long long unsigned)strlen(buf));
+ return 0;
+}
+
+static void myexit(void) {}
+
+module_init(myinit)
+module_exit(myexit)
+MODULE_LICENSE("GPL");
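Review bot: `buf` is filled with 256 `'a'` bytes and never NUL-terminated, so the `strlen(buf)` call in `myinit` reads past the end of the array; that is the point of the demo, but nothing in the file says so, and without CONFIG_FORTIFY_SOURCE=y the same call is an unreported out-of-bounds read of adjacent stack memory rather than a detected overflow. A header comment above `myinit` should state the intent, e.g. `/* buf is deliberately left without a NUL terminator so that strlen() reads past its end; with CONFIG_FORTIFY_SOURCE=y the fortified strlen() reports the overflow, otherwise the read silently continues into neighbouring stack memory. */`. `int i = 1;` is dead (the loop reassigns `i`), `buf2` is written but never read, the commented-out `char buf[]` line should be removed, and `%zu` would print the `size_t` result without the cast. The `#include` targets appear to have been lost in rendering and cannot be checked here.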