
Commit 4bc04315 authored by Kees Cook, committed by Satya Tangirala

BACKPORT: lkdtm: add bad USER_DS test



(cherry-picked from e22aa9d781a27a961581c57442911309fb86a48e)

This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.

Change-Id: I1d2585de65032f0f6b9baea2a71f92bfc296c94b
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Satya Tangirala <satyat@google.com>
parent a3772a80
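The commit message describes the observable contract of the new test: a process that writes CORRUPT_USER_DS never returns to user space normally, because either the get_fs() check on syscall return fires (a BUG(), the success case) or the forced SIGKILL ends it. The user-space harness below is an added example, not part of this commit or of lkdtm itself; it triggers the crash point from a forked child and classifies how the child ended. It assumes the usual lkdtm debugfs path (/sys/kernel/debug/provoke-crash/DIRECT), a kernel with CONFIG_LKDTM, and root. The mapping of "died of a signal other than SIGKILL" to "the BUG() path ran" is an assumption about how BUG() in process context terminates the task; confirm against dmesg.

```c
/* Added example, not part of this commit or of lkdtm: a user-space harness
 * that triggers the CORRUPT_USER_DS test from a forked child and reports
 * how the child ended. Requires root and CONFIG_LKDTM. The debugfs path is
 * an assumption about where debugfs is mounted. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define LKDTM_DIRECT "/sys/kernel/debug/provoke-crash/DIRECT"

enum outcome {
    OUTCOME_TEST_NOT_RUN,  /* child returned normally: open/write failed or crash point absent */
    OUTCOME_SIGKILL_ONLY,  /* child reaped by the forced SIGKILL; look in dmesg for a BUG() */
    OUTCOME_OTHER_SIGNAL,  /* child died of another signal; assumed to be the BUG() path */
};

/* Classify a wait(2) status. Kept as a pure function so the decision logic
 * can be exercised without root or a test kernel. */
enum outcome classify_status(int status)
{
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGKILL ? OUTCOME_SIGKILL_ONLY
                                           : OUTCOME_OTHER_SIGNAL;
    return OUTCOME_TEST_NOT_RUN;
}

/* Child body: write the crash-point name to debugfs. The return from this
 * write(2) is exactly where the address-limit check on user-mode return runs,
 * so on a kernel with the test present this call should never come back.
 * Returns -1 only if the test could not be triggered at all. */
int trigger_corrupt_user_ds(const char *path)
{
    static const char cmd[] = "CORRUPT_USER_DS";
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, cmd, sizeof(cmd) - 1);
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Fork, trigger the test in the child, and classify the child's fate. */
enum outcome run_corrupt_user_ds_test(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_TEST_NOT_RUN;
    if (pid == 0) {
        /* Reaching _exit() at all means the kernel did not consume the
         * process, i.e. the test did not run. */
        _exit(trigger_corrupt_user_ds(path) == 0 ? 0 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_TEST_NOT_RUN;
    return classify_status(status);
}

int main(void)
{
    switch (run_corrupt_user_ds_test(LKDTM_DIRECT)) {
    case OUTCOME_TEST_NOT_RUN:
        puts("test did not run: check root, debugfs mount and CONFIG_LKDTM");
        return 2;
    case OUTCOME_SIGKILL_ONLY:
        puts("child killed by SIGKILL: check dmesg for a BUG() on syscall return; "
             "if there is none, the address-limit check is missing");
        return 1;
    case OUTCOME_OTHER_SIGNAL:
        puts("child died of a non-SIGKILL signal: consistent with the BUG() path "
             "(confirm in dmesg)");
        return 0;
    }
    return 2;
}
```

Run it as root on a test machine only: with the check present the kernel BUG()s, which on a system with panic_on_oops set takes the whole machine down, not just the child.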
+12 −0
@@ -48,6 +48,8 @@
#include <linux/mman.h>
#include <asm/cacheflush.h>
#include <linux/list.h>
#include <linux/sched.h>
#include <linux/uaccess.h>

#ifdef CONFIG_IDE
#include <linux/ide.h>
@@ -95,6 +97,7 @@ enum ctype {
	CT_OVERFLOW,
	CT_CORRUPT_LIST_ADD,
	CT_CORRUPT_LIST_DEL,
	CT_CORRUPT_USER_DS,
	CT_CORRUPT_STACK,
	CT_UNALIGNED_LOAD_STORE_WRITE,
	CT_OVERWRITE_ALLOCATION,
@@ -135,6 +138,7 @@ static char* cp_type[] = {
	"OVERFLOW",
	"CORRUPT_LIST_ADD",
	"CORRUPT_LIST_DEL",
	"CORRUPT_USER_DS",
	"CORRUPT_STACK",
	"UNALIGNED_LOAD_STORE_WRITE",
	"OVERWRITE_ALLOCATION",
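Review bot: cp_type[] is indexed by enum ctype, so "CORRUPT_USER_DS" must sit at the same offset as CT_CORRUPT_USER_DS; both hunks insert between the LIST_DEL and STACK entries, so the order is preserved here, but nothing in the code enforces it. Consider a one-line comment on cp_type[] stating that it must stay parallel to enum ctype, since the next person adding a crash point will not have this commit message in front of them.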
@@ -618,6 +622,14 @@ static void lkdtm_do_action(enum ctype which)
			pr_err("list_del() corruption not detected!\n");
		break;
	}
	case CT_CORRUPT_USER_DS: {
		pr_info("setting bad task size limit\n");
		set_fs(KERNEL_DS);

		/* Make sure we do not keep running with a KERNEL_DS! */
		force_sig(SIGKILL, current);
		break;
	}
	case CT_NONE:
	default:
		break;
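Review bot: the comment "Make sure we do not keep running with a KERNEL_DS!" promises more than force_sig() delivers: SIGKILL is only acted on when the task heads back to user space, so everything between set_fs(KERNEL_DS) and the end of the write syscall still runs with the widened address limit, including the rest of the lkdtm write path, and any copy_to_user()/put_user() there would pass its range check. Reword the comment to say the kill is a safety net for a kernel that lacks the __VERIFY_PRE_USERMODE_STATE check, not that execution with KERNEL_DS stops here. Also, unlike the CT_CORRUPT_LIST_DEL case above, this case has no "not detected" pr_err(); a short comment explaining that the process cannot survive to print one, and that success shows up as a BUG() on syscall return, would save the next reader from flagging it as missing.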