From e8d37b7b172d31928d26ad6fb2e3b89ab8490acd Mon Sep 17 00:00:00 2001
From: Ben Wiederhake
Date: Fri, 12 Mar 2021 22:18:45 +0100
Subject: [PATCH] crash: Check whether the msyscall mitigation actually works

---
 Userland/Utilities/crash.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Userland/Utilities/crash.cpp b/Userland/Utilities/crash.cpp
index 227e67f5c1..54fcfdd984 100644
--- a/Userland/Utilities/crash.cpp
+++ b/Userland/Utilities/crash.cpp
@@ -42,6 +42,7 @@ int main(int argc, char** argv)
     bool do_invalid_stack_pointer_on_syscall = false;
     bool do_invalid_stack_pointer_on_page_fault = false;
     bool do_syscall_from_writeable_memory = false;
+    bool do_legitimate_syscall = false;
     bool do_execute_non_executable_memory = false;
     bool do_trigger_user_mode_instruction_prevention = false;
     bool do_use_io_instruction = false;
@@ -67,6 +68,7 @@ int main(int argc, char** argv)
     args_parser.add_option(do_invalid_stack_pointer_on_syscall, "Make a syscall while using an invalid stack pointer", nullptr, 'T');
     args_parser.add_option(do_invalid_stack_pointer_on_page_fault, "Trigger a page fault while using an invalid stack pointer", nullptr, 't');
     args_parser.add_option(do_syscall_from_writeable_memory, "Make a syscall from writeable memory", nullptr, 'S');
+    args_parser.add_option(do_legitimate_syscall, "Make a syscall from legitimate memory (but outside msyscall)", nullptr, 'y');
     args_parser.add_option(do_execute_non_executable_memory, "Attempt to execute non-executable memory (not mapped with PROT_EXEC)", nullptr, 'X');
     args_parser.add_option(do_trigger_user_mode_instruction_prevention, "Attempt to trigger an x86 User Mode Instruction Prevention fault", nullptr, 'U');
     args_parser.add_option(do_use_io_instruction, "Use an x86 I/O instruction in userspace", nullptr, 'I');
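Review bot: The help text added for `-y` says "legitimate memory", which suggests the memory is what is being tested, whereas the property that matters for this check is that the syscall instruction sits in the program's own executable text rather than in the region LibSystem registered with msyscall; that is what distinguishes it from the existing `-S` case next to it. Suggest `args_parser.add_option(do_legitimate_syscall, "Make a syscall from the program's own executable text (valid code, but outside the msyscall-registered region)", nullptr, 'y');`. The letter `y` carries no mnemonic for the feature, so if the short option stays, the help string should carry the meaning on its own. The add_option run is part of main(), whose body continues outside this hunk.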
@@ -227,6 +229,14 @@ int main(int argc, char** argv)
         }).run(run_type);
     }
 
+    if (do_legitimate_syscall || do_all_crash_types) {
+        Crash("Regular syscall from outside msyscall", []() {
+            // Since 'crash' is dynamically linked, and DynamicLoader only allows LibSystem to make syscalls, this should kill us:
+            Syscall::invoke(Syscall::SC_getuid);
+            return Crash::Failure::DidNotCrash;
+        }).run(run_type);
+    }
+
     if (do_execute_non_executable_memory || do_all_crash_types) {
         Crash("Execute non executable memory", []() {
             auto* ptr = (u8*)mmap(nullptr, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
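Review bot: The comment above `Syscall::invoke(Syscall::SC_getuid)` credits DynamicLoader with the kill, but if I read the mechanism right the loader only registers LibSystem's text with msyscall and then locks the set; the refusal itself happens at the kernel's syscall entry, so a `DidNotCrash` result here points at the kernel-side check, not the loader. The comment should also spell out the two preconditions the test silently relies on: the trap instruction must be emitted in crash's own text (true only while `Syscall::invoke` stays an inline wrapper), and crash must be dynamically linked, since a static build presumably never locks the regions and would report a failure unrelated to the mitigation. Suggest replacing the comment with `// Syscall::invoke is inlined, so the trap instruction lives in crash's own text, not in the region LibSystem registered via msyscall. Once DynamicLoader has locked the regions, the kernel must refuse this syscall and kill us; surviving means the check is not enforced (or crash was linked statically).` The enclosing main() continues outside this hunk.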