summaryrefslogtreecommitdiff
path: root/drivers/misc/lkdtm_core.c
AgeCommit message (Collapse)Author
2017-08-15lkdtm: Add -fstack-protector-strong testKees Cook
There wasn't an LKDTM test to distinguish between -fstack-protector and -fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see the difference. Also adjusts the stack-clobber value to 0xff so execution won't potentially jump into userspace when the stack protector is missing. Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-04lkdtm: Test VMAP_STACK allocates leading/trailing guard pagesKees Cook
Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING attempt to read the byte before and after, respectively, of the current stack frame, which should fault. Signed-off-by: Kees Cook <keescook@chromium.org>
2017-07-26lkdtm: Provide timing tests for atomic_t vs refcount_tKees Cook
While not a crash test, this does provide two tight atomic_t and refcount_t loops for performance comparisons: cd /sys/kernel/debug/provoke-crash perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT Looking a CPU cycles is the best way to example the fast-path (rather than instruction counts, since conditional jumps will be executed but will be negligible due to branch-prediction). Signed-off-by: Kees Cook <keescook@chromium.org>
2017-07-26lkdtm: Provide more complete coverage for REFCOUNT testsKees Cook
The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and expands their testing to poke each boundary condition. Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different saturation values and reach-zero behavior, those have to be build-time set so the tests can actually validate things are happening at the right places. Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors (which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO). Signed-off-by: Kees Cook <keescook@chromium.org>
2017-04-08lkdtm: add bad USER_DS testKees Cook
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-02-22Merge tag 'char-misc-4.11-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver updates from Greg KH: "Here is the big char/misc driver patchset for 4.11-rc1. Lots of different driver subsystems updated here: rework for the hyperv subsystem to handle new platforms better, mei and w1 and extcon driver updates, as well as a number of other "minor" driver updates. All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (169 commits) goldfish: Sanitize the broken interrupt handler x86/platform/goldfish: Prevent unconditional loading vmbus: replace modulus operation with subtraction vmbus: constify parameters where possible vmbus: expose hv_begin/end_read vmbus: remove conditional locking of vmbus_write vmbus: add direct isr callback mode vmbus: change to per channel tasklet vmbus: put related per-cpu variable together vmbus: callback is in softirq not workqueue binder: Add support for file-descriptor arrays binder: Add support for scatter-gather binder: Add extra size to allocator binder: Refactor binder_transact() binder: Support multiple /dev instances binder: Deal with contexts in debugfs binder: Support multiple context managers binder: Split flat_binder_object auxdisplay: ht16k33: remove private workqueue auxdisplay: ht16k33: rework input device initialization ...
2017-02-10lkdtm: Convert to refcount_t testingKees Cook
Since we'll be using refcount_t instead of atomic_t for refcounting, change the LKDTM tests to reflect the new interface and test conditions. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Hans Liljestrand <ishkamiel@gmail.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: arnd@arndb.de Cc: dhowells@redhat.com Cc: dwindsor@gmail.com Cc: elena.reshetova@intel.com Cc: gregkh@linuxfoundation.org Cc: h.peter.anvin@intel.com Cc: kernel-hardening@lists.openwall.com Cc: will.deacon@arm.com Link: http://lkml.kernel.org/r/1486164412-7338-3-git-send-email-keescook@chromium.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-25lkdtm: Fix Oops when unloading the moduleJuerg Haefliger
No jprobe is registered when the module is loaded without specifying a crashpoint that uses a jprobe. At the moment, we unconditionally try to unregister the jprobe on module unload which results in an Oops. Add a check to fix this. Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-10-31lkdtm: Add tests for struct list corruptionKees Cook
When building under CONFIG_DEBUG_LIST, list addition and removal will be sanity-checked. This validates that the check is working as expected by setting up classic corruption attacks against list manipulations, available with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Rik van Riel <riel@redhat.com>
2016-07-15lkdtm: silence warnings about function declarationsKees Cook
When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and lkdtm_rodata.c was discovered. This fixes the issue and consolidates the common header and the pr_fmt macro for simplicity and regularity across each test source file. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-15lkdtm: hide unused functionsArnd Bergmann
A conversion of the lkdtm core module added an "#ifdef CONFIG_KPROBES" check, but a number of functions then become unused: drivers/misc/lkdtm_core.c:340:16: error: 'lkdtm_debugfs_entry' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:122:12: error: 'jp_generic_ide_ioctl' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:114:12: error: 'jp_scsi_dispatch_cmd' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:106:12: error: 'jp_hrtimer_start' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:97:22: error: 'jp_shrink_inactive_list' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:89:13: error: 'jp_ll_rw_block' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:83:13: error: 'jp_tasklet_action' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:75:20: error: 'jp_handle_irq_event' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:68:21: error: 'jp_do_irq' defined but not used [-Werror=unused-function] This adds the same #ifdef everywhere. There is probably a better way to do the same thing, but for now this avoids the new warnings. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Fixes: c479e3fd8870 ("lkdtm: use struct arrays instead of enums") [kees: moved some code around to better consolidate the #ifdefs] Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: use struct arrays instead of enumsKees Cook
This removes the use of enums in favor of much more readable and compact structure arrays. This requires changing all the enum passing to pointers instead, but the results are much cleaner. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: move jprobe entry points to start of sourceKees Cook
In preparation of referencing the jprobe entry points in a structure, this moves them to the start of the source since they operate mostly separately from everything else. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: reorganize module paramatersKees Cook
This reorganizes module parameters and global variables in the source so they're grouped together with comments. Also moves early function declarations to the top of the file. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: rename globals for clarityKees Cook
The global variables used to track the active crashpoint and crashtype are hard to distinguish from local variable names, so add a "lkdtm_" prefix to them (or in the case of "lkdtm", add a "_jprobe" suffix). Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: rename "count" to "crash_count"Kees Cook
The "count" variable name was not easy to understand, since it was regularly obscured by local variables of the same name, and it's purpose wasn't clear. This renames it (and its lock) to "crash_count", which is more readable. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: remove intentional off-by-one array accessKees Cook
There wasn't a good reason for keeping the enum and the names out of sync by 1 position just to avoid "NONE" and "INVALID" from being in the string lists. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: split remaining logic bug tests to separate fileKees Cook
This splits all the remaining tests from lkdtm_core.c into the new lkdtm_bugs.c file to help separate things better for readability. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: split heap corruption tests to separate fileKees Cook
This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c file to help separate things better for readability. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: split memory permissions tests to separate fileKees Cook
This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c file to help separate things better for readability. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: split usercopy tests to separate fileKees Cook
This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to help separate things better for readability. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: drop "alloc_size" parameterKees Cook
There is no good reason to have the alloc_size parameter currently. The compiler-tricking value used to exercise the stack can just use a stack address instead. Similarly hard-code cache_size. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07lkdtm: add usercopy test for blocking kernel textKees Cook
The upcoming HARDENED_USERCOPY checks will also block access to the kernel text, so provide a test for this as well. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10lkdtm: split atomic test into over and underflowKees Cook
Each direction of the atomic wrapping should be individually testable. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10lkdtm: add usercopy testsKees Cook
This adds test to detect copy_to_user/copy_from_user problems that are protected by PAX_USERCOPY (and will be protected by HARDENED_USERCOPY). Explicitly tests both "to" and "from" directions of heap object size problems, heap object markings and, stack frame misalignment. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10lkdtm: add function for testing .rodata sectionKees Cook
This adds a function that lives in the .rodata section. The section flags are corrected using objcopy since there is no way with gcc to declare section flags in an architecture-agnostic way. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10lkdtm: clean up after renameKees Cook
This cleans up comments a bit to improve readability, adjusts the name of the module after the source file renaming, and corrects the MAINTAINERS for the upcoming lkdtm files. Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10lkdtm: split build into multiple source filesKees Cook
Kbuild lacks a way to do in-place objcopy or other modifications of built targets, so in order to move functions into non-text sections without renaming the kernel module, the build of lkdtm must be split into separate source files. This renames lkdtm.c to lkdtm_core.c in preparation for adding the source file for the .rodata section. Signed-off-by: Kees Cook <keescook@chromium.org>