[LTP] [PATCH] kallsyms01: Utilize ksymbol table for unauthorized address access

($INBOX_DIR/description missing)
 help / color / mirror / Atom feed

From: Li Wang <liwang@redhat.com>
To: ltp@lists.linux.it
Subject: [LTP] [PATCH] kallsyms01: Utilize ksymbol table for unauthorized address access
Date: Mon, 22 Apr 2024 13:36:11 +0800	[thread overview]
Message-ID: <20240422053611.3581473-1-liwang@redhat.com> (raw)

Access the system symbols with root permission to test whether it's
possible to read and write the memory addresses of kernel-space
from user-space. This helps in identifying potential vulnerabilities
where user-space processes can inappropriately access kernel memory.

Signed-off-by: Li Wang <liwang@redhat.com>
---
 runtest/mm                                    |   2 +
 testcases/kernel/security/kallsyms/.gitignore |   1 +
 testcases/kernel/security/kallsyms/Makefile   |   6 +
 testcases/kernel/security/kallsyms/kallsyms.c | 161 ++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 testcases/kernel/security/kallsyms/.gitignore
 create mode 100644 testcases/kernel/security/kallsyms/Makefile
 create mode 100644 testcases/kernel/security/kallsyms/kallsyms.c

diff --git a/runtest/mm b/runtest/mm
index d859b331c..6a8cd0b9d 100644
--- a/runtest/mm
+++ b/runtest/mm
@@ -58,6 +58,8 @@ mmap10_2 mmap10 -s
 mmap10_3 mmap10 -a -s
 mmap10_4 mmap10 -a -s -i 60
 
+kallsyms kallsyms
+
 ksm01 ksm01
 ksm01_1 ksm01 -u 128
 ksm02 ksm02
diff --git a/testcases/kernel/security/kallsyms/.gitignore b/testcases/kernel/security/kallsyms/.gitignore
new file mode 100644
index 000000000..7074d4e24
--- /dev/null
+++ b/testcases/kernel/security/kallsyms/.gitignore
@@ -0,0 +1 @@
+kallsyms
diff --git a/testcases/kernel/security/kallsyms/Makefile b/testcases/kernel/security/kallsyms/Makefile
new file mode 100644
index 000000000..5ea7d67db
--- /dev/null
+++ b/testcases/kernel/security/kallsyms/Makefile
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+top_srcdir		?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/security/kallsyms/kallsyms.c b/testcases/kernel/security/kallsyms/kallsyms.c
new file mode 100644
index 000000000..83622dea7
--- /dev/null
+++ b/testcases/kernel/security/kallsyms/kallsyms.c
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * Copyright (C) 2024 Red Hat, Inc.
+ */
+
+/*\
+ * [Description]
+ *
+ *  Utilize kernel's symbol table for unauthorized address access.
+ *
+ *  Access the system symbols with root permission to test whether it's
+ *  possible to read and write the memory addresses of kernel-space
+ *  from user-space. This helps in identifying potential vulnerabilities
+ *  where user-space processes can inappropriately access kernel memory.
+ *
+ * Steps:
+ *  1. Start a process that reads all symbols and their addresses from
+ *     '/proc/kallsyms' and stores them in a linked list.
+ *
+ *  2. Attempt to write to each kernel address found in the linked list.
+ *     The expectation is that each attempt will fail with a SIGSEGV
+ *     (segmentation fault), indicating that the user-space process
+ *     cannot write to kernel memory.
+ *
+ *  3. Handle each SIGSEGV using a signal handler that sets a flag and
+ *     long jumps out of the faulting context.
+ *
+ *  4. If any write operation does not result in a SIGSEGV, log this as
+ *     a potential security vulnerability.
+ *
+ *  5. Observe and log the behavior and any system responses to these
+ *     unauthorized access attempts.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <unistd.h>
+#include <string.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include "tst_test.h"
+#include "tst_safe_stdio.h"
+
+struct kallsym {
+	unsigned long addr;
+	char type;
+	char name[128];
+};
+
+struct ksymstbl {
+	struct kallsym symbol;
+	struct ksymstbl *next;
+};
+
+static struct ksymstbl *sym_table;
+static unsigned int nr_symbols;
+static sigjmp_buf jmpbuf;
+volatile sig_atomic_t segv_caught = 0;
+
+static void segv_handler(int sig)
+{
+	if (sig == SIGSEGV)
+		segv_caught++;
+	else
+		tst_res(TFAIL, "Unexpected signal %s", strsignal(sig));
+
+	siglongjmp(jmpbuf, 1);
+}
+
+static struct ksymstbl *read_kallsyms(unsigned int *nr_symbols)
+{
+	FILE *stream;
+	char *line = NULL;
+	size_t len = 0;
+	unsigned int nr_syms = 0;
+	struct ksymstbl *head, *item, *i;
+
+	item = head = calloc(1, sizeof(*head));
+	if (head == NULL)
+		goto out;
+
+	stream = SAFE_FOPEN("/proc/kallsyms", "r");
+
+	while (getline(&line, &len, stream) != -1) {
+		i = item;
+
+		sscanf(line, "%lx %c %s",
+				&i->symbol.addr, &i->symbol.type, i->symbol.name);
+
+		item = calloc(1, sizeof(*i));
+		if (item == NULL)
+			tst_brk(TBROK, "In calloc[]");
+
+		i->next = item;
+		nr_syms += 1;
+	}
+
+	*nr_symbols = nr_syms;
+	SAFE_FCLOSE(stream);
+out:
+	return head;
+}
+
+static void setup(void)
+{
+	sym_table = read_kallsyms(&nr_symbols);
+	if (!sym_table)
+		tst_brk(TBROK, "Failed to read kernel symbols");
+}
+
+static void access_ksymbols_address(struct ksymstbl *sym_table)
+{
+	if (sigsetjmp(jmpbuf, 1) == 0) {
+		*(volatile unsigned long *)sym_table->symbol.addr = 0;
+
+		tst_res(TFAIL, "Successfully accessed kernel addr 0x%lx (%s)",
+			sym_table->symbol.addr, sym_table->symbol.name);
+	}
+
+}
+
+static void test_access_kernel_address(void)
+{
+	struct ksymstbl *current;
+	struct sigaction sa;
+
+	memset(&sa, 0, sizeof(sa));
+	sa.sa_handler = segv_handler;
+	sigaction(SIGSEGV, &sa, NULL);
+
+	current = sym_table;
+	while (current->next != NULL) {
+		access_ksymbols_address(current);
+		current = current->next;
+	}
+
+	if (segv_caught == (sig_atomic_t)nr_symbols)
+		tst_res(TPASS, "Caught %d times SIGSEGV in access ksymbols addr", segv_caught);
+}
+
+static void cleanup(void)
+{
+	while (sym_table != NULL) {
+		struct ksymstbl *temp = sym_table;
+		sym_table = sym_table->next;
+		free(temp);
+	}
+}
+
+static struct tst_test test = {
+	.needs_root = 1,
+	.setup = setup,
+	.cleanup = cleanup,
+	.max_runtime = 60,
+	.test_all = test_access_kernel_address,
+};
-- 
2.40.1


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

next             reply	other threads:[~2024-04-22  5:36 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-22  5:36 Li Wang [this message]
2024-04-29 14:42 ` [LTP] [PATCH] kallsyms01: Utilize ksymbol table for unauthorized address access Cyril Hrubis

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:d859b331 dfblob:6a8cd0b9 dfblob:7074d4e2 dfblob:5ea7d67d
dfblob:83622dea
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240422053611.3581473-1-liwang@redhat.com \
    --to=liwang@redhat.com \
    --cc=ltp@lists.linux.it \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).