• Kees Cook's avatar
    lkdtm: Check for SMEP clearing protections · 06b32fdb
    Kees Cook authored
    This adds an x86-specific test for pinned cr4 bits. A successful test
    will validate pinning and check the ROP-style call-middle-of-function
    defense, if needed. For example, in the case of native_write_cr4()
    looking like this:
    
    ffffffff8171bce0 <native_write_cr4>:
    ffffffff8171bce0:       48 8b 35 79 46 f2 00    mov    0xf24679(%rip),%rsi
    ffffffff8171bce7:       48 09 f7                or     %rsi,%rdi
    ffffffff8171bcea:       0f 22 e7                mov    %rdi,%cr4
    ...
    ffffffff8171bd5a:       c3                      retq
    
    The UNSET_SMEP test will jump to ffffffff8171bcea (the mov to cr4)
    instead of ffffffff8171bce0 (native_write_cr4() entry) to simulate a
    direct-call bypass attempt.
    
    Expected successful results:
    
      # echo UNSET_SMEP > /sys/kernel/debug/provoke-crash/DIRECT
      # dmesg
      [   79.594433] lkdtm: Performing direct entry UNSET_SMEP
      [   79.596459] lkdtm: trying to clear SMEP normally
      [   79.598406] lkdtm: ok: SMEP did not get cleared
      [   79.599981] lkdtm: trying to clear SMEP with call gadget
      [   79.601810] ------------[ cut here ]------------
      [   79.603421] Attempt to unpin cr4 bits: 100000; bypass attack?!
      ...
      [   79.650170] ---[ end trace 2452ca0f6126242e ]---
      [   79.650937] lkdtm: ok: SMEP removal was reverted
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    06b32fdb
core.c 12.4 KB