lkdtm: Add Control Flow Integrity test

This adds a simple test for forward CFI (indirect function calls) with
function prototype granularity (as implemented by Clang's CFI).

Signed-off-by: Kees Cook <keescook@chromium.org>

drivers/misc/lkdtm/Makefile

@@ -9,6 +9,7 @@ lkdtm-$(CONFIG_LKDTM)		+= refcount.o
 lkdtm-$(CONFIG_LKDTM)		+= rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)		+= usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+= stackleak.o
+lkdtm-$(CONFIG_LKDTM)		+= cfi.o
 
 KASAN_SANITIZE_stackleak.o	:= n
 KCOV_INSTRUMENT_rodata.o	:= n

drivers/misc/lkdtm/cfi.c

@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * This is for all the tests relating directly to Control Flow Integrity.
+ */
+#include "lkdtm.h"
+
+static int called_count;
+
+/* Function taking one argument, without a return value. */
+static noinline void lkdtm_increment_void(int *counter)
+{
+	(*counter)++;
+}
+
+/* Function taking one argument, returning int. */
+static noinline int lkdtm_increment_int(int *counter)
+{
+	(*counter)++;
+
+	return *counter;
+}
+/*
+ * This tries to call an indirect function with a mismatched prototype.
+ */
+void lkdtm_CFI_FORWARD_PROTO(void)
+{
+	/*
+	 * Matches lkdtm_increment_void()'s prototype, but not
+	 * lkdtm_increment_int()'s prototype.
+	 */
+	void (*func)(int *);
+
+	pr_info("Calling matched prototype ...\n");
+	func = lkdtm_increment_void;
+	func(&called_count);
+
+	pr_info("Calling mismatched prototype ...\n");
+	func = (void *)lkdtm_increment_int;
+	func(&called_count);
+
+	pr_info("Fail: survived mismatched prototype function call!\n");
+}

drivers/misc/lkdtm/core.c

@@ -169,6 +169,7 @@ static const struct crashtype crashtypes[] = {
 	CRASHTYPE(USERCOPY_KERNEL),
 	CRASHTYPE(USERCOPY_KERNEL_DS),
 	CRASHTYPE(STACKLEAK_ERASING),
+	CRASHTYPE(CFI_FORWARD_PROTO),
 };
 
 

drivers/misc/lkdtm/lkdtm.h

@@ -95,4 +95,7 @@ void lkdtm_USERCOPY_KERNEL_DS(void);
 /* lkdtm_stackleak.c */
 void lkdtm_STACKLEAK_ERASING(void);
 
+/* cfi.c */
+void lkdtm_CFI_FORWARD_PROTO(void);
+
 #endif