mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-22 12:14:01 +08:00
- Add new CORRUPT_STACK_STRONG to test -fstack-protector-strong, since
the existing CORRUPT_STACK test only tested regular -fstack-protector. - Add pair of tests for checking kernel stack leading/trailing guard pages under VMAP_STACK: STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Kees Cook <kees@outflux.net> iQIcBAABCgAGBQJZk05WAAoJEIly9N/cbcAmepMP+gOggQeTd/MI++EEF4deFJ/A 1ZOejtCtg69QfhdTWxUR4GMOMpTDMtTEiCPeW18e4Go6WZTbNBrpym8E1gh3tYAU KdBYLkaijWfYaLcQAZxXjSD8MR4ONZlm+iBm1klX+Mcp0FA8bWCiJaNr+biSdG5l k1bcrWDxynK2VNdw6caIFYP/FG5UEvkughfOCDeAd7/nAW2hF5fxMPamoisaOk54 3CuSJDDnbf3ZRVVmMPPCSFmLVwD3Jf3A0xNsvXGXaVVqhCQhx+O8d+nwlFs8cKnR EbxzxEuOHeOVHbiLUcYPoeh2svWKhuYLCoN8w2Qo4B0yOkmZw5C0jS/qwIPmkPfb QCHS2nMQNdHlvo+r3Y2zyvX1LciyBIRLgnOsV7w0kAtOw0q9EDTxhEoBt7yX9F58 ewjHqTSbBTVCvwvJGR5lqyDmebtJuzctmrRMXrgvxgJMqzJ2yZ/FNWEdInWoslsg ffjWsXRHxTyleEaFYBdK9ypbLDItnsmsXfrvRrX8MDdO9l/aHHtEgrt+1ky080PN bnrhy6rLhROsz1hwga3zk1ybjvgRG2/i/Zhfogf8iKnwmBaXkEDtl+a4mV6DX8vW X6ELDFoArDtXF60pfg1klHCEMWGg6AqMha2OQoy831lRcF5JVdVQX+Q7ZTFcZPXu PgwrIVyFjGWmX1uziWGQ =obz9 -----END PGP SIGNATURE----- Merge tag 'lkdtm-next-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into char-misc-next Kees writes: - Add new CORRUPT_STACK_STRONG to test -fstack-protector-strong, since the existing CORRUPT_STACK test only tested regular -fstack-protector. - Add pair of tests for checking kernel stack leading/trailing guard pages under VMAP_STACK: STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING.
This commit is contained in:
commit
5f972797b1
@ -14,6 +14,7 @@ void lkdtm_EXCEPTION(void);
|
||||
void lkdtm_LOOP(void);
|
||||
void lkdtm_OVERFLOW(void);
|
||||
void lkdtm_CORRUPT_STACK(void);
|
||||
void lkdtm_CORRUPT_STACK_STRONG(void);
|
||||
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void);
|
||||
void lkdtm_SOFTLOCKUP(void);
|
||||
void lkdtm_HARDLOCKUP(void);
|
||||
@ -22,6 +23,8 @@ void lkdtm_HUNG_TASK(void);
|
||||
void lkdtm_CORRUPT_LIST_ADD(void);
|
||||
void lkdtm_CORRUPT_LIST_DEL(void);
|
||||
void lkdtm_CORRUPT_USER_DS(void);
|
||||
void lkdtm_STACK_GUARD_PAGE_LEADING(void);
|
||||
void lkdtm_STACK_GUARD_PAGE_TRAILING(void);
|
||||
|
||||
/* lkdtm_heap.c */
|
||||
void lkdtm_OVERWRITE_ALLOCATION(void);
|
||||
|
@ -8,6 +8,7 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/sched.h>
|
||||
#include <linux/sched/signal.h>
|
||||
#include <linux/sched/task_stack.h>
|
||||
#include <linux/uaccess.h>
|
||||
|
||||
struct lkdtm_list {
|
||||
@ -84,16 +85,31 @@ void lkdtm_OVERFLOW(void)
|
||||
|
||||
static noinline void __lkdtm_CORRUPT_STACK(void *stack)
|
||||
{
|
||||
memset(stack, 'a', 64);
|
||||
memset(stack, '\xff', 64);
|
||||
}
|
||||
|
||||
/* This should trip the stack canary, not corrupt the return address. */
|
||||
noinline void lkdtm_CORRUPT_STACK(void)
|
||||
{
|
||||
/* Use default char array length that triggers stack protection. */
|
||||
char data[8];
|
||||
char data[8] __aligned(sizeof(void *));
|
||||
|
||||
__lkdtm_CORRUPT_STACK(&data);
|
||||
|
||||
pr_info("Corrupted stack with '%16s'...\n", data);
|
||||
pr_info("Corrupted stack containing char array ...\n");
|
||||
}
|
||||
|
||||
/* Same as above but will only get a canary with -fstack-protector-strong */
|
||||
noinline void lkdtm_CORRUPT_STACK_STRONG(void)
|
||||
{
|
||||
union {
|
||||
unsigned short shorts[4];
|
||||
unsigned long *ptr;
|
||||
} data __aligned(sizeof(void *));
|
||||
|
||||
__lkdtm_CORRUPT_STACK(&data);
|
||||
|
||||
pr_info("Corrupted stack containing union ...\n");
|
||||
}
|
||||
|
||||
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
|
||||
@ -199,6 +215,7 @@ void lkdtm_CORRUPT_LIST_DEL(void)
|
||||
pr_err("list_del() corruption not detected!\n");
|
||||
}
|
||||
|
||||
/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */
|
||||
void lkdtm_CORRUPT_USER_DS(void)
|
||||
{
|
||||
pr_info("setting bad task size limit\n");
|
||||
@ -207,3 +224,31 @@ void lkdtm_CORRUPT_USER_DS(void)
|
||||
/* Make sure we do not keep running with a KERNEL_DS! */
|
||||
force_sig(SIGKILL, current);
|
||||
}
|
||||
|
||||
/* Test that VMAP_STACK is actually allocating with a leading guard page */
|
||||
void lkdtm_STACK_GUARD_PAGE_LEADING(void)
|
||||
{
|
||||
const unsigned char *stack = task_stack_page(current);
|
||||
const unsigned char *ptr = stack - 1;
|
||||
volatile unsigned char byte;
|
||||
|
||||
pr_info("attempting bad read from page below current stack\n");
|
||||
|
||||
byte = *ptr;
|
||||
|
||||
pr_err("FAIL: accessed page before stack!\n");
|
||||
}
|
||||
|
||||
/* Test that VMAP_STACK is actually allocating with a trailing guard page */
|
||||
void lkdtm_STACK_GUARD_PAGE_TRAILING(void)
|
||||
{
|
||||
const unsigned char *stack = task_stack_page(current);
|
||||
const unsigned char *ptr = stack + THREAD_SIZE;
|
||||
volatile unsigned char byte;
|
||||
|
||||
pr_info("attempting bad read from page above current stack\n");
|
||||
|
||||
byte = *ptr;
|
||||
|
||||
pr_err("FAIL: accessed page after stack!\n");
|
||||
}
|
||||
|
@ -201,6 +201,9 @@ struct crashtype crashtypes[] = {
|
||||
CRASHTYPE(CORRUPT_LIST_DEL),
|
||||
CRASHTYPE(CORRUPT_USER_DS),
|
||||
CRASHTYPE(CORRUPT_STACK),
|
||||
CRASHTYPE(CORRUPT_STACK_STRONG),
|
||||
CRASHTYPE(STACK_GUARD_PAGE_LEADING),
|
||||
CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
|
||||
CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
|
||||
CRASHTYPE(OVERWRITE_ALLOCATION),
|
||||
CRASHTYPE(WRITE_AFTER_FREE),
|
||||
|
Loading…
Reference in New Issue
Block a user