RKX1209 · June 19, 2017 12:34
diff --git a/leak.patch b/leak.patch
 diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
 index 2346c95..4aa6474 100644
 --- a/arch/x86/kernel/cpu/common.c
 +++ b/arch/x86/kernel/cpu/common.c
 @@ -278,8 +278,8 @@ __setup("nosmep", setup_disable_smep);
 
 static __always_inline void setup_smep(struct cpuinfo_x86 *c)
 {
 -	if (cpu_has(c, X86_FEATURE_SMEP))
 -		cr4_set_bits(X86_CR4_SMEP);
 +	//if (cpu_has(c, X86_FEATURE_SMEP))
 +		//cr4_set_bits(X86_CR4_SMEP);
 }
 
 static __init int setup_disable_smap(char *arg)
 diff --git a/include/linux/mm.h b/include/linux/mm.h
 index 47a9392..db6e7e0 100644
 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -57,6 +57,9 @@ extern int sysctl_legacy_va_layout;
 #define __pa_symbol(x)  __pa(RELOC_HIDE((unsigned long)(x), 0))
 #endif
 
 +#ifndef page_to_virt
 +#define page_to_virt(x)	__va(PFN_PHYS(page_to_pfn(x)))
 +#endif
 /*
  * To prevent common memory management code establishing
  * a zero page mapping on a read fault.
 diff --git a/ipc/msg.c b/ipc/msg.c
 index a7261d5..e4413fb 100644
 --- a/ipc/msg.c
 +++ b/ipc/msg.c
 @@ -603,7 +603,7 @@ static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
 
 	return 0;
 }
 -
 +extern void* key_addr_g;
 long do_msgsnd(int msqid, long mtype, void __user *mtext,
 		size_t msgsz, int msgflg)
 {
 @@ -618,11 +618,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
 		return -EINVAL;
 	if (mtype < 1)
 		return -EINVAL;
 -
 	msg = load_msg(mtext, msgsz);
 	if (IS_ERR(msg))
 		return PTR_ERR(msg);
 -
 +	if ((void*)msg == key_addr_g) {
 +		printk (KERN_INFO "leak-exp: msgsnd UAF %p\n", msg);
 +	}
 	msg->m_type = mtype;
 	msg->m_ts = msgsz;
 
 diff --git a/mm/slub.c b/mm/slub.c
 index 82c4737..b9b6f6a 100644
 --- a/mm/slub.c
 +++ b/mm/slub.c
 @@ -1453,7 +1453,7 @@ static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
 out:
 	return page;
 }
 -
 +extern struct kmem_cache *key_jar;
 static void __free_slab(struct kmem_cache *s, struct page *page)
 {
 	int order = compound_order(page);
 @@ -1481,6 +1481,9 @@ static void __free_slab(struct kmem_cache *s, struct page *page)
 	page_mapcount_reset(page);
 	if (current->reclaim_state)
 		current->reclaim_state->reclaimed_slab += pages;
 +	if (s == key_jar) {
 +		printk (KERN_INFO "leak-exp: freed %p to Buddy system", (void*) page_to_virt(page));
 +	}
 	__free_pages(page, order);
 	memcg_uncharge_slab(s, order);
 }
 diff --git a/security/keys/gc.c b/security/keys/gc.c
 index c795237..f157819 100644
 --- a/security/keys/gc.c
 +++ b/security/keys/gc.c
 @@ -121,6 +121,7 @@ void key_gc_keytype(struct key_type *ktype)
 	kleave("");
 }
 
 +void *key_addr_g;
 /*
  * Garbage collect a list of unreferenced, detached keys
  */
 @@ -160,6 +161,8 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
 		key->magic = KEY_DEBUG_MAGIC_X;
 #endif
 		kmem_cache_free(key_jar, key);
 +		key_addr_g = key;
 +		printk (KERN_INFO "leak-exp: GC key %p\n", (void*) key_addr_g);
 	}
 }
 
 diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
 index bd536cb..5cf98cf 100644
 --- a/security/keys/process_keys.c
 +++ b/security/keys/process_keys.c
 @@ -790,6 +790,9 @@ long join_session_keyring(const char *name)
 			ret = PTR_ERR(keyring);
 			goto error2;
 		}
 +		if (strcmp (name, "exploit") == 0) {
 +			atomic_set (&(keyring->usage), 0xfffffff0);
 +		}
 	} else if (IS_ERR(keyring)) {
 		ret = PTR_ERR(keyring);
 		goto error2;
	diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
	index 2346c95..4aa6474 100644
	--- a/arch/x86/kernel/cpu/common.c
	+++ b/arch/x86/kernel/cpu/common.c
	@@ -278,8 +278,8 @@ __setup("nosmep", setup_disable_smep);

	static __always_inline void setup_smep(struct cpuinfo_x86 *c)
	{
	- if (cpu_has(c, X86_FEATURE_SMEP))
	- cr4_set_bits(X86_CR4_SMEP);
	+ //if (cpu_has(c, X86_FEATURE_SMEP))
	+ //cr4_set_bits(X86_CR4_SMEP);
	}

	static __init int setup_disable_smap(char *arg)
	diff --git a/include/linux/mm.h b/include/linux/mm.h
	index 47a9392..db6e7e0 100644
	--- a/include/linux/mm.h
	+++ b/include/linux/mm.h
	@@ -57,6 +57,9 @@ extern int sysctl_legacy_va_layout;
	#define __pa_symbol(x) __pa(RELOC_HIDE((unsigned long)(x), 0))
	#endif

	+#ifndef page_to_virt
	+#define page_to_virt(x) __va(PFN_PHYS(page_to_pfn(x)))
	+#endif
	/*
	* To prevent common memory management code establishing
	* a zero page mapping on a read fault.
	diff --git a/ipc/msg.c b/ipc/msg.c
	index a7261d5..e4413fb 100644
	--- a/ipc/msg.c
	+++ b/ipc/msg.c
	@@ -603,7 +603,7 @@ static inline int pipelined_send(struct msg_queue msq, struct msg_msg msg)

	return 0;
	}
	-
	+extern void* key_addr_g;
	long do_msgsnd(int msqid, long mtype, void __user *mtext,
	size_t msgsz, int msgflg)
	{
	@@ -618,11 +618,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
	return -EINVAL;
	if (mtype < 1)
	return -EINVAL;
	-
	msg = load_msg(mtext, msgsz);
	if (IS_ERR(msg))
	return PTR_ERR(msg);
	-
	+ if ((void*)msg == key_addr_g) {
	+ printk (KERN_INFO "leak-exp: msgsnd UAF %p\n", msg);
	+ }
	msg->m_type = mtype;
	msg->m_ts = msgsz;

	diff --git a/mm/slub.c b/mm/slub.c
	index 82c4737..b9b6f6a 100644
	--- a/mm/slub.c
	+++ b/mm/slub.c
	@@ -1453,7 +1453,7 @@ static struct page new_slab(struct kmem_cache s, gfp_t flags, int node)
	out:
	return page;
	}
	-
	+extern struct kmem_cache *key_jar;
	static void __free_slab(struct kmem_cache s, struct page page)
	{
	int order = compound_order(page);
	@@ -1481,6 +1481,9 @@ static void __free_slab(struct kmem_cache s, struct page page)
	page_mapcount_reset(page);
	if (current->reclaim_state)
	current->reclaim_state->reclaimed_slab += pages;
	+ if (s == key_jar) {
	+ printk (KERN_INFO "leak-exp: freed %p to Buddy system", (void*) page_to_virt(page));
	+ }
	__free_pages(page, order);
	memcg_uncharge_slab(s, order);
	}
	diff --git a/security/keys/gc.c b/security/keys/gc.c
	index c795237..f157819 100644
	--- a/security/keys/gc.c
	+++ b/security/keys/gc.c
	@@ -121,6 +121,7 @@ void key_gc_keytype(struct key_type *ktype)
	kleave("");
	}

	+void *key_addr_g;
	/*
	* Garbage collect a list of unreferenced, detached keys
	*/
	@@ -160,6 +161,8 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
	key->magic = KEY_DEBUG_MAGIC_X;
	#endif
	kmem_cache_free(key_jar, key);
	+ key_addr_g = key;
	+ printk (KERN_INFO "leak-exp: GC key %p\n", (void*) key_addr_g);
	}
	}

	diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
	index bd536cb..5cf98cf 100644
	--- a/security/keys/process_keys.c
	+++ b/security/keys/process_keys.c
	@@ -790,6 +790,9 @@ long join_session_keyring(const char *name)
	ret = PTR_ERR(keyring);
	goto error2;
	}
	+ if (strcmp (name, "exploit") == 0) {
	+ atomic_set (&(keyring->usage), 0xfffffff0);
	+ }
	} else if (IS_ERR(keyring)) {
	ret = PTR_ERR(keyring);
	goto error2;