20 Commits

Author SHA1 Message Date
Kees Cook
6819d101dd lkdtm: Add tests for struct list corruption
When building under CONFIG_DEBUG_LIST, list addition and removal will be
sanity-checked. This validates that the check is working as expected by
setting up classic corruption attacks against list manipulations, available
with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Rik van Riel <riel@redhat.com>
2016-10-31 13:01:58 -07:00
Kees Cook
6d2e91a662 lkdtm: silence warnings about function declarations
When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and
lkdtm_rodata.c was discovered. This fixes the issue and consolidates
the common header and the pr_fmt macro for simplicity and regularity
across each test source file.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-15 16:14:45 -07:00
Arnd Bergmann
2b271cb720 lkdtm: hide unused functions
A conversion of the lkdtm core module added an "#ifdef CONFIG_KPROBES" check,
but a number of functions then become unused:

drivers/misc/lkdtm_core.c:340:16: error: 'lkdtm_debugfs_entry' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:122:12: error: 'jp_generic_ide_ioctl' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:114:12: error: 'jp_scsi_dispatch_cmd' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:106:12: error: 'jp_hrtimer_start' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:97:22: error: 'jp_shrink_inactive_list' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:89:13: error: 'jp_ll_rw_block' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:83:13: error: 'jp_tasklet_action' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:75:20: error: 'jp_handle_irq_event' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:68:21: error: 'jp_do_irq' defined but not used [-Werror=unused-function]

This adds the same #ifdef everywhere. There is probably a better way to do the
same thing, but for now this avoids the new warnings.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: c479e3fd8870 ("lkdtm: use struct arrays instead of enums")
[kees: moved some code around to better consolidate the #ifdefs]
Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-15 16:14:44 -07:00
Kees Cook
c479e3fd88 lkdtm: use struct arrays instead of enums
This removes the use of enums in favor of much more readable and compact
structure arrays. This requires changing all the enum passing to pointers
instead, but the results are much cleaner.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:27 -07:00
Kees Cook
f2c6edc1ed lkdtm: move jprobe entry points to start of source
In preparation of referencing the jprobe entry points in a structure,
this moves them to the start of the source since they operate mostly
separately from everything else.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:26 -07:00
Kees Cook
d87c978830 lkdtm: reorganize module paramaters
This reorganizes module parameters and global variables in the source
so they're grouped together with comments. Also moves early function
declarations to the top of the file.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:25 -07:00
Kees Cook
38f95fe296 lkdtm: rename globals for clarity
The global variables used to track the active crashpoint and crashtype
are hard to distinguish from local variable names, so add a "lkdtm_"
prefix to them (or in the case of "lkdtm", add a "_jprobe" suffix).

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:25 -07:00
Kees Cook
76a10e2b3a lkdtm: rename "count" to "crash_count"
The "count" variable name was not easy to understand, since it was regularly
obscured by local variables of the same name, and it's purpose wasn't clear.
This renames it (and its lock) to "crash_count", which is more readable.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:24 -07:00
Kees Cook
329d416ca0 lkdtm: remove intentional off-by-one array access
There wasn't a good reason for keeping the enum and the names out of sync
by 1 position just to avoid "NONE" and "INVALID" from being in the string
lists.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:23 -07:00
Kees Cook
00f496c416 lkdtm: split remaining logic bug tests to separate file
This splits all the remaining tests from lkdtm_core.c into the new
lkdtm_bugs.c file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:22 -07:00
Kees Cook
ffc514f3fc lkdtm: split heap corruption tests to separate file
This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c
file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:22 -07:00
Kees Cook
0d9eb29b13 lkdtm: split memory permissions tests to separate file
This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c
file to help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:21 -07:00
Kees Cook
a3dff71c1c lkdtm: split usercopy tests to separate file
This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to
help separate things better for readability.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:20 -07:00
Kees Cook
0edca7b5af lkdtm: drop "alloc_size" parameter
There is no good reason to have the alloc_size parameter currently. The
compiler-tricking value used to exercise the stack can just use a stack
address instead. Similarly hard-code cache_size.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:20 -07:00
Kees Cook
6c3521400c lkdtm: add usercopy test for blocking kernel text
The upcoming HARDENED_USERCOPY checks will also block access to the
kernel text, so provide a test for this as well.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-07-07 11:09:19 -07:00
Kees Cook
b54845276a lkdtm: split atomic test into over and underflow
Each direction of the atomic wrapping should be individually testable.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:51 -07:00
Kees Cook
aa981a665d lkdtm: add usercopy tests
This adds test to detect copy_to_user/copy_from_user problems that are
protected by PAX_USERCOPY (and will be protected by HARDENED_USERCOPY).
Explicitly tests both "to" and "from" directions of heap object size
problems, heap object markings and, stack frame misalignment.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:51 -07:00
Kees Cook
9a49a528dc lkdtm: add function for testing .rodata section
This adds a function that lives in the .rodata section. The section
flags are corrected using objcopy since there is no way with gcc to
declare section flags in an architecture-agnostic way.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:50 -07:00
Kees Cook
426f3a53d4 lkdtm: clean up after rename
This cleans up comments a bit to improve readability, adjusts the
name of the module after the source file renaming, and corrects the
MAINTAINERS for the upcoming lkdtm files.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:49 -07:00
Kees Cook
9e197e2f89 lkdtm: split build into multiple source files
Kbuild lacks a way to do in-place objcopy or other modifications of
built targets, so in order to move functions into non-text sections
without renaming the kernel module, the build of lkdtm must be split
into separate source files. This renames lkdtm.c to lkdtm_core.c in
preparation for adding the source file for the .rodata section.

Signed-off-by: Kees Cook <keescook@chromium.org>
2016-06-10 15:57:48 -07:00