lkdtm: add bad USER_DS test
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
8ab44b4003
commit
e22aa9d781
@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void);
|
||||
void lkdtm_REFCOUNT_ZERO_ADD(void);
|
||||
void lkdtm_CORRUPT_LIST_ADD(void);
|
||||
void lkdtm_CORRUPT_LIST_DEL(void);
|
||||
void lkdtm_CORRUPT_USER_DS(void);
|
||||
|
||||
/* lkdtm_heap.c */
|
||||
void lkdtm_OVERWRITE_ALLOCATION(void);
|
||||
|
@ -8,6 +8,8 @@
|
||||
#include <linux/list.h>
|
||||
#include <linux/refcount.h>
|
||||
#include <linux/sched.h>
|
||||
#include <linux/sched/signal.h>
|
||||
#include <linux/uaccess.h>
|
||||
|
||||
struct lkdtm_list {
|
||||
struct list_head node;
|
||||
@ -279,3 +281,12 @@ void lkdtm_CORRUPT_LIST_DEL(void)
|
||||
else
|
||||
pr_err("list_del() corruption not detected!\n");
|
||||
}
|
||||
|
||||
void lkdtm_CORRUPT_USER_DS(void)
|
||||
{
|
||||
pr_info("setting bad task size limit\n");
|
||||
set_fs(KERNEL_DS);
|
||||
|
||||
/* Make sure we do not keep running with a KERNEL_DS! */
|
||||
force_sig(SIGKILL, current);
|
||||
}
|
||||
|
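Review bot: lkdtm_CORRUPT_USER_DS() carries no comment on how to read its outcome, and unlike lkdtm_CORRUPT_LIST_DEL() just above it never logs a "not detected" line. On a kernel without the syscall-return check the only visible result is therefore a killed process. A header comment on the function would make that explicit, for example `/* Expect BUG() from the address-limit check on syscall return; a bare SIGKILL with no BUG() in the log means the check is absent. */`. The existing inline comment could also say that the SIGKILL is only acted on as the task heads back to user mode, so no user-memory access should ever be added between `set_fs(KERNEL_DS)` and the end of the function.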
@ -199,6 +199,7 @@ struct crashtype crashtypes[] = {
|
||||
CRASHTYPE(OVERFLOW),
|
||||
CRASHTYPE(CORRUPT_LIST_ADD),
|
||||
CRASHTYPE(CORRUPT_LIST_DEL),
|
||||
CRASHTYPE(CORRUPT_USER_DS),
|
||||
CRASHTYPE(CORRUPT_STACK),
|
||||
CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
|
||||
CRASHTYPE(OVERWRITE_ALLOCATION),
|
||||
|