lkdtm: various fixes

- Move KERNEL_DS test to non-canonical range - Make stack exhaustion test more robust -----BEGIN PGP SIGNATURE----- Comment: Kees Cook <kees@outflux.net> iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlzUYHwWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJhAyD/0W9ySmiuaRdF9No99g1pqMdGre Cna1DogegFd6N6zv51e1NGDqemtubYgk5Z07Mkwdif7xH6Cu0kKhJLKkiVqoKzlL nIqSrxvxDHaqAfpzS3PuQ2Gux34RtL2NXaX5Mgl9v+9GkTXt6y+iFEYrQE4sTM0D FAZBi4HxQCmfNYfz5WcL/1z/MRC5LajWsOh/vTvJoCbVQfN/xVr8F8uDkCTSQP7p pFqgppP/Aivk1vgZBMns5UL4OuHPgeHwHeHfInlAEYH/NKJE0T0/M8kBm5KeUp41 dW6ygxg3O13S2R1DH29c3vi0BGD3N4g/m4NJQDgyWu5Jxrqnw54Ljemk+bbX09PE LhsvMg7+rJtFdBBOAZ2ZAtjtCBwE1IePL3E/61Je6bHiJp4raZmXMqMV2zoZ4CsY ElwyDisl87fYDeddTmdV7+NLB+Hqm2oGX7DJ5nE8WiahK0KDyZ9gk341bs1bMOBe 6yH45+sTgMDmBYFwJtSoHRySGrUdLgeLNqcFdtc2p3iJav2m3WqXc7ReGalrZk1A 0fxw16IWMHff3JmNpdq/61dHPCWS++YuhBSK1ciJDqIJtXQD0S5k5UM6ZBmxEvcO y1l9ZVkgmr6vEs+oYb3oqADGJ2cg798+w4Do8mze7wv2PAmRYxXIxmoD6M3A6mrS VYUAviTRQ40UF6d9Pw== =We47 -----END PGP SIGNATURE----- Merge tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into char-misc-linus Kees writes: lkdtm: various fixes - Move KERNEL_DS test to non-canonical range - Make stack exhaustion test more robust * tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lkdtm/bugs: Adjust recursion test to avoid elision lkdtm/usercopy: Moves the KERNEL_DS test to non-canonical
2019-05-24 20:30:04 +02:00 · 2019-05-24 20:30:04 +02:00 · 02bd610e85
commit 02bd610e85
parent 6660a04feb 24cccab42c
4 changed files with 27 additions and 14 deletions
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@ -32,12 +32,20 @@ static int recur_count = REC_NUM_DEFAULT;

 static DEFINE_SPINLOCK(lock_me_up);

-static int recursive_loop(int remaining)
+/*
+ * Make sure compiler does not optimize this function or stack frame away:
+ * - function marked noinline
+ * - stack variables are marked volatile
+ * - stack variables are written (memset()) and read (pr_info())
+ * - function has external effects (pr_info())
+ * */
+static int noinline recursive_loop(int remaining)
 {
-	char buf[REC_STACK_SIZE];
+	volatile char buf[REC_STACK_SIZE];

-	/* Make sure compiler does not optimize this away. */
-	memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
+	memset((void *)buf, remaining & 0xFF, sizeof(buf));
+	pr_info("loop %d/%d ...\n", (int)buf[remaining % sizeof(buf)],
+		recur_count);
 	if (!remaining)
 		return 0;
 	else
@ -81,9 +89,12 @@ void lkdtm_LOOP(void)
 		;
 }

-void lkdtm_OVERFLOW(void)
+void lkdtm_EXHAUST_STACK(void)
 {
-	(void) recursive_loop(recur_count);
+	pr_info("Calling function with %d frame size to depth %d ...\n",
+		REC_STACK_SIZE, recur_count);
+	recursive_loop(recur_count);
+	pr_info("FAIL: survived without exhausting stack?!\n");
 }

 static noinline void __lkdtm_CORRUPT_STACK(void *stack)
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@ -119,12 +119,12 @@ static const struct crashtype crashtypes[] = {
 	CRASHTYPE(WARNING),
 	CRASHTYPE(EXCEPTION),
 	CRASHTYPE(LOOP),
-	CRASHTYPE(OVERFLOW),
+	CRASHTYPE(EXHAUST_STACK),
+	CRASHTYPE(CORRUPT_STACK),
+	CRASHTYPE(CORRUPT_STACK_STRONG),
 	CRASHTYPE(CORRUPT_LIST_ADD),
 	CRASHTYPE(CORRUPT_LIST_DEL),
 	CRASHTYPE(CORRUPT_USER_DS),
-	CRASHTYPE(CORRUPT_STACK),
-	CRASHTYPE(CORRUPT_STACK_STRONG),
 	CRASHTYPE(STACK_GUARD_PAGE_LEADING),
 	CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
 	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@ -13,7 +13,7 @@ void lkdtm_BUG(void);
 void lkdtm_WARNING(void);
 void lkdtm_EXCEPTION(void);
 void lkdtm_LOOP(void);
-void lkdtm_OVERFLOW(void);
+void lkdtm_EXHAUST_STACK(void);
 void lkdtm_CORRUPT_STACK(void);
 void lkdtm_CORRUPT_STACK_STRONG(void);
 void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void);
--- a/drivers/misc/lkdtm/usercopy.c
+++ b/drivers/misc/lkdtm/usercopy.c
@ -324,14 +324,16 @@ free_user:

 void lkdtm_USERCOPY_KERNEL_DS(void)
 {
-	char __user *user_ptr = (char __user *)ERR_PTR(-EINVAL);
+	char __user *user_ptr =
+		(char __user *)(0xFUL << (sizeof(unsigned long) * 8 - 4));
 	mm_segment_t old_fs = get_fs();
 	char buf[10] = {0};

-	pr_info("attempting copy_to_user on unmapped kernel address\n");
+	pr_info("attempting copy_to_user() to noncanonical address: %px\n",
+		user_ptr);
 	set_fs(KERNEL_DS);
-	if (copy_to_user(user_ptr, buf, sizeof(buf)))
-		pr_info("copy_to_user un unmapped kernel address failed\n");
+	if (copy_to_user(user_ptr, buf, sizeof(buf)) == 0)
+		pr_err("copy_to_user() to noncanonical address succeeded!?\n");
 	set_fs(old_fs);
 }