Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7b25a85c authored by Kees Cook's avatar Kees Cook
Browse files

lkdtm: Test VMAP_STACK allocates leading/trailing guard pages 



Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING
attempt to read the byte before and after, respectively, of the current
stack frame, which should fault.

Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent c7fea488

drivers/misc/lkdtm.h

+2 −0
Original line number Original line Diff line number Diff line
@@ -22,6 +22,8 @@ void lkdtm_HUNG_TASK(void); 
void lkdtm_CORRUPT_LIST_ADD(void);

void lkdtm_CORRUPT_LIST_ADD(void);

void lkdtm_CORRUPT_LIST_DEL(void);

void lkdtm_CORRUPT_LIST_DEL(void);

void lkdtm_CORRUPT_USER_DS(void);

void lkdtm_CORRUPT_USER_DS(void);

void lkdtm_STACK_GUARD_PAGE_LEADING(void);

void lkdtm_STACK_GUARD_PAGE_TRAILING(void);





/* lkdtm_heap.c */

/* lkdtm_heap.c */

void lkdtm_OVERWRITE_ALLOCATION(void);

void lkdtm_OVERWRITE_ALLOCATION(void);

drivers/misc/lkdtm_bugs.c

+30 −0
Original line number Original line Diff line number Diff line
@@ -8,6 +8,7 @@ 
#include <linux/list.h>

#include <linux/list.h>

#include <linux/sched.h>

#include <linux/sched.h>

#include <linux/sched/signal.h>

#include <linux/sched/signal.h>

#include <linux/sched/task_stack.h>

#include <linux/uaccess.h>

#include <linux/uaccess.h>





struct lkdtm_list {

struct lkdtm_list {
@@ -199,6 +200,7 @@ void lkdtm_CORRUPT_LIST_DEL(void) 
		pr_err("list_del() corruption not detected!\n");

		pr_err("list_del() corruption not detected!\n");

}

}





/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */

void lkdtm_CORRUPT_USER_DS(void)

void lkdtm_CORRUPT_USER_DS(void)

{

{

	pr_info("setting bad task size limit\n");

	pr_info("setting bad task size limit\n");
@@ -207,3 +209,31 @@ void lkdtm_CORRUPT_USER_DS(void) 
	/* Make sure we do not keep running with a KERNEL_DS! */

	/* Make sure we do not keep running with a KERNEL_DS! */

	force_sig(SIGKILL, current);

	force_sig(SIGKILL, current);

}

}



/* Test that VMAP_STACK is actually allocating with a leading guard page */

void lkdtm_STACK_GUARD_PAGE_LEADING(void)

{

	const unsigned char *stack = task_stack_page(current);

	const unsigned char *ptr = stack - 1;

	volatile unsigned char byte;



	pr_info("attempting bad read from page below current stack\n");



	byte = *ptr;



	pr_err("FAIL: accessed page before stack!\n");

}



/* Test that VMAP_STACK is actually allocating with a trailing guard page */

void lkdtm_STACK_GUARD_PAGE_TRAILING(void)

{

	const unsigned char *stack = task_stack_page(current);

	const unsigned char *ptr = stack + THREAD_SIZE;

	volatile unsigned char byte;



	pr_info("attempting bad read from page above current stack\n");



	byte = *ptr;



	pr_err("FAIL: accessed page after stack!\n");

}

drivers/misc/lkdtm_core.c

+2 −0
Original line number Original line Diff line number Diff line
@@ -201,6 +201,8 @@ struct crashtype crashtypes[] = { 
	CRASHTYPE(CORRUPT_LIST_DEL),

	CRASHTYPE(CORRUPT_LIST_DEL),

	CRASHTYPE(CORRUPT_USER_DS),

	CRASHTYPE(CORRUPT_USER_DS),

	CRASHTYPE(CORRUPT_STACK),

	CRASHTYPE(CORRUPT_STACK),

	CRASHTYPE(STACK_GUARD_PAGE_LEADING),

	CRASHTYPE(STACK_GUARD_PAGE_TRAILING),

	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),

	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),

	CRASHTYPE(OVERWRITE_ALLOCATION),

	CRASHTYPE(OVERWRITE_ALLOCATION),

	CRASHTYPE(WRITE_AFTER_FREE),

	CRASHTYPE(WRITE_AFTER_FREE),