]> asedeno.scripts.mit.edu Git - linux.git/commitdiff
projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8ab44b4)
lkdtm: add bad USER_DS test
authorKees Cook <keescook@chromium.org>
Fri, 24 Mar 2017 17:51:25 +0000 (10:51 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 8 Apr 2017 15:56:02 +0000 (17:56 +0200)
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/lkdtm.h patch | blob | history
drivers/misc/lkdtm_bugs.c patch | blob | history
drivers/misc/lkdtm_core.c patch | blob | history

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index 67d27be60405489580e7d794ae4263984301e98a..3b4976396ec4ebe1f06dd4c8a9260afa6f689f15 100644 (file)
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -27,6 +27,7 @@ void lkdtm_REFCOUNT_ZERO_SUB(void);
 void lkdtm_REFCOUNT_ZERO_ADD(void);
 void lkdtm_CORRUPT_LIST_ADD(void);
 void lkdtm_CORRUPT_LIST_DEL(void);
+void lkdtm_CORRUPT_USER_DS(void);
 
 /* lkdtm_heap.c */
 void lkdtm_OVERWRITE_ALLOCATION(void);
diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
index e3f4cd8876b518eaf2dd9fe760828208f5befc82..ed4f4c56c796a9550d38be8abe3a8f47858b36f2 100644 (file)
--- a/drivers/misc/lkdtm_bugs.c
+++ b/drivers/misc/lkdtm_bugs.c
@@ -8,6 +8,8 @@
 #include <linux/list.h>
 #include <linux/refcount.h>
 #include <linux/sched.h>
+#include <linux/sched/signal.h>
+#include <linux/uaccess.h>
 
 struct lkdtm_list {
        struct list_head node;
@@ -279,3 +281,12 @@ void lkdtm_CORRUPT_LIST_DEL(void)
        else
                pr_err("list_del() corruption not detected!\n");
 }
+
+void lkdtm_CORRUPT_USER_DS(void)
+{
+       pr_info("setting bad task size limit\n");
+       set_fs(KERNEL_DS);
+
+       /* Make sure we do not keep running with a KERNEL_DS! */
+       force_sig(SIGKILL, current);
+}
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index b9a4cd4a9b682a57f893a5372dcb72f4e0f389da..42d2b8e31e6b6a3f8fa3fe4a80af04075a06e99f 100644 (file)
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -199,6 +199,7 @@ struct crashtype crashtypes[] = {
        CRASHTYPE(OVERFLOW),
        CRASHTYPE(CORRUPT_LIST_ADD),
        CRASHTYPE(CORRUPT_LIST_DEL),
+       CRASHTYPE(CORRUPT_USER_DS),
        CRASHTYPE(CORRUPT_STACK),
        CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
        CRASHTYPE(OVERWRITE_ALLOCATION),
local clone of linux.git