Commit Graph

13 Commits

Author SHA1 Message Date
Kees Cook
93e78c6b14 lkdtm: Add -fstack-protector-strong test
There wasn't an LKDTM test to distinguish between -fstack-protector and
-fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see
the difference. Also adjusts the stack-clobber value to 0xff so execution
won't potentially jump into userspace when the stack protector is missing.

Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-15 12:27:35 -07:00
Kees Cook
7b25a85c9d lkdtm: Test VMAP_STACK allocates leading/trailing guard pages
Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING
attempt to read the byte before and after, respectively, of the current
stack frame, which should fault.

Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-04 13:04:21 -07:00
Kees Cook
c7fea48876 lkdtm: Provide timing tests for atomic_t vs refcount_t
While not a crash test, this does provide two tight atomic_t and
refcount_t loops for performance comparisons:

	cd /sys/kernel/debug/provoke-crash
	perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT
	perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT

Looking a CPU cycles is the best way to example the fast-path (rather
than instruction counts, since conditional jumps will be executed but
will be negligible due to branch-prediction).

Signed-off-by: Kees Cook <keescook@chromium.org>
2017-07-26 14:38:04 -07:00
Kees Cook
95925c99b9 lkdtm: Provide more complete coverage for REFCOUNT tests
The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow
portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and
expands their testing to poke each boundary condition.

Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different
saturation values and reach-zero behavior, those have to be build-time
set so the tests can actually validate things are happening at the
right places.

Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and
REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow
is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for
each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors
(which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO).

Signed-off-by: Kees Cook <keescook@chromium.org>
2017-07-26 14:38:03 -07:00
Kees Cook
e22aa9d781 lkdtm: add bad USER_DS test
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-04-08 17:56:02 +02:00
Kees Cook
ff86b30010 lkdtm: Convert to refcount_t testing
Since we'll be using refcount_t instead of atomic_t for refcounting,
change the LKDTM tests to reflect the new interface and test conditions.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Hans Liljestrand <ishkamiel@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arnd@arndb.de
Cc: dhowells@redhat.com
Cc: dwindsor@gmail.com
Cc: elena.reshetova@intel.com
Cc: gregkh@linuxfoundation.org
Cc: h.peter.anvin@intel.com
Cc: kernel-hardening@lists.openwall.com
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1486164412-7338-3-git-send-email-keescook@chromium.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-02-10 09:04:20 +01:00
Kees Cook
6819d101dd lkdtm: Add tests for struct list corruption
When building under CONFIG_DEBUG_LIST, list addition and removal will be
sanity-checked. This validates that the check is working as expected by
setting up classic corruption attacks against list manipulations, available
with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Rik van Riel <riel@redhat.com>
2016-10-31 13:01:58 -07:00
Kees Cook
6d2e91a662 lkdtm: silence warnings about function declarations
When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and
lkdtm_rodata.c was discovered. This fixes the issue and consolidates
the common header and the pr_fmt macro for simplicity and regularity
across each test source file.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-15 16:14:45 -07:00
Kees Cook
00f496c416 lkdtm: split remaining logic bug tests to separate file
This splits all the remaining tests from lkdtm_core.c into the new
lkdtm_bugs.c file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:22 -07:00
Kees Cook
ffc514f3fc lkdtm: split heap corruption tests to separate file
This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c
file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:22 -07:00
Kees Cook
0d9eb29b13 lkdtm: split memory permissions tests to separate file
This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c
file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:21 -07:00
Kees Cook
a3dff71c1c lkdtm: split usercopy tests to separate file
This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to
help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:20 -07:00
Kees Cook
9a49a528dc lkdtm: add function for testing .rodata section
This adds a function that lives in the .rodata section. The section
flags are corrected using objcopy since there is no way with gcc to
declare section flags in an architecture-agnostic way.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:50 -07:00