- 27 7月, 2017 2 次提交
-
-
由 Kees Cook 提交于
While not a crash test, this does provide two tight atomic_t and refcount_t loops for performance comparisons: cd /sys/kernel/debug/provoke-crash perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT Looking a CPU cycles is the best way to example the fast-path (rather than instruction counts, since conditional jumps will be executed but will be negligible due to branch-prediction). Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and expands their testing to poke each boundary condition. Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different saturation values and reach-zero behavior, those have to be build-time set so the tests can actually validate things are happening at the right places. Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors (which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO). Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 08 4月, 2017 1 次提交
-
-
由 Kees Cook 提交于
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 10 2月, 2017 1 次提交
-
-
由 Kees Cook 提交于
Since we'll be using refcount_t instead of atomic_t for refcounting, change the LKDTM tests to reflect the new interface and test conditions. Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org> Cc: Hans Liljestrand <ishkamiel@gmail.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: arnd@arndb.de Cc: dhowells@redhat.com Cc: dwindsor@gmail.com Cc: elena.reshetova@intel.com Cc: gregkh@linuxfoundation.org Cc: h.peter.anvin@intel.com Cc: kernel-hardening@lists.openwall.com Cc: will.deacon@arm.com Link: http://lkml.kernel.org/r/1486164412-7338-3-git-send-email-keescook@chromium.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>
-
- 25 1月, 2017 1 次提交
-
-
由 Juerg Haefliger 提交于
No jprobe is registered when the module is loaded without specifying a crashpoint that uses a jprobe. At the moment, we unconditionally try to unregister the jprobe on module unload which results in an Oops. Add a check to fix this. Signed-off-by: NJuerg Haefliger <juerg.haefliger@hpe.com> Acked-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 01 11月, 2016 1 次提交
-
-
由 Kees Cook 提交于
When building under CONFIG_DEBUG_LIST, list addition and removal will be sanity-checked. This validates that the check is working as expected by setting up classic corruption attacks against list manipulations, available with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL. Signed-off-by: NKees Cook <keescook@chromium.org> Acked-by: NSteven Rostedt <rostedt@goodmis.org> Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: NRik van Riel <riel@redhat.com>
-
- 16 7月, 2016 2 次提交
-
-
由 Kees Cook 提交于
When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and lkdtm_rodata.c was discovered. This fixes the issue and consolidates the common header and the pr_fmt macro for simplicity and regularity across each test source file. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Arnd Bergmann 提交于
A conversion of the lkdtm core module added an "#ifdef CONFIG_KPROBES" check, but a number of functions then become unused: drivers/misc/lkdtm_core.c:340:16: error: 'lkdtm_debugfs_entry' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:122:12: error: 'jp_generic_ide_ioctl' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:114:12: error: 'jp_scsi_dispatch_cmd' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:106:12: error: 'jp_hrtimer_start' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:97:22: error: 'jp_shrink_inactive_list' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:89:13: error: 'jp_ll_rw_block' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:83:13: error: 'jp_tasklet_action' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:75:20: error: 'jp_handle_irq_event' defined but not used [-Werror=unused-function] drivers/misc/lkdtm_core.c:68:21: error: 'jp_do_irq' defined but not used [-Werror=unused-function] This adds the same #ifdef everywhere. There is probably a better way to do the same thing, but for now this avoids the new warnings. Signed-off-by: NArnd Bergmann <arnd@arndb.de> Fixes: c479e3fd ("lkdtm: use struct arrays instead of enums") [kees: moved some code around to better consolidate the #ifdefs] Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 08 7月, 2016 12 次提交
-
-
由 Kees Cook 提交于
This removes the use of enums in favor of much more readable and compact structure arrays. This requires changing all the enum passing to pointers instead, but the results are much cleaner. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
In preparation of referencing the jprobe entry points in a structure, this moves them to the start of the source since they operate mostly separately from everything else. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This reorganizes module parameters and global variables in the source so they're grouped together with comments. Also moves early function declarations to the top of the file. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
The global variables used to track the active crashpoint and crashtype are hard to distinguish from local variable names, so add a "lkdtm_" prefix to them (or in the case of "lkdtm", add a "_jprobe" suffix). Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
The "count" variable name was not easy to understand, since it was regularly obscured by local variables of the same name, and it's purpose wasn't clear. This renames it (and its lock) to "crash_count", which is more readable. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
There wasn't a good reason for keeping the enum and the names out of sync by 1 position just to avoid "NONE" and "INVALID" from being in the string lists. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This splits all the remaining tests from lkdtm_core.c into the new lkdtm_bugs.c file to help separate things better for readability. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c file to help separate things better for readability. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c file to help separate things better for readability. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to help separate things better for readability. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
There is no good reason to have the alloc_size parameter currently. The compiler-tricking value used to exercise the stack can just use a stack address instead. Similarly hard-code cache_size. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
The upcoming HARDENED_USERCOPY checks will also block access to the kernel text, so provide a test for this as well. Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 11 6月, 2016 5 次提交
-
-
由 Kees Cook 提交于
Each direction of the atomic wrapping should be individually testable. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This adds test to detect copy_to_user/copy_from_user problems that are protected by PAX_USERCOPY (and will be protected by HARDENED_USERCOPY). Explicitly tests both "to" and "from" directions of heap object size problems, heap object markings and, stack frame misalignment. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This adds a function that lives in the .rodata section. The section flags are corrected using objcopy since there is no way with gcc to declare section flags in an architecture-agnostic way. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
This cleans up comments a bit to improve readability, adjusts the name of the module after the source file renaming, and corrects the MAINTAINERS for the upcoming lkdtm files. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Kees Cook 提交于
Kbuild lacks a way to do in-place objcopy or other modifications of built targets, so in order to move functions into non-text sections without renaming the kernel module, the build of lkdtm must be split into separate source files. This renames lkdtm.c to lkdtm_core.c in preparation for adding the source file for the .rodata section. Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 07 4月, 2016 3 次提交
-
-
由 Kees Cook 提交于
This frees the allocated page if there is a kmalloc failure. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Sudip Mukherjee 提交于
This case is supposed to read from a memory after it has been freed, but we missed freeing base if the memory 'val' could not be allocated. Signed-off-by: NSudip Mukherjee <sudip.mukherjee@codethink.co.uk> Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Sudip Mukherjee 提交于
This case is supposed to read from a page after after it is freed, but it missed freeing val if we are not able to get a free page. Signed-off-by: NSudip Mukherjee <sudip.mukherjee@codethink.co.uk> Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 02 3月, 2016 5 次提交
-
-
由 Kees Cook 提交于
This improves the order of operations on the use-after-free tests to try to make sure we've executed any available sanity-checking code, and to report the poisoning that was found. Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 David Windsor 提交于
dmesg output of running this LKDTM test with PaX: [187095.475573] lkdtm: No crash points registered, enable through debugfs [187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC [187118.030045] lkdtm: attempting atomic underflow [187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0 [187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm] [187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2 [187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000 [187118.111321] RIP: 0010:[<ffffffffc00fc2fe>] [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm] ... [187118.128074] lkdtm: attempting atomic overflow [187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0 [187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm] [187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2 [187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000 [187118.128092] RIP: 0010:[<ffffffffc00fc316>] [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm] Signed-off-by: NDavid Windsor <dave@progbits.org> [cleaned up whitespacing, keescook] Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Laura Abbott 提交于
The current tests for read/write after free work on slab allocated memory. Memory straight from the buddy allocator may behave slightly differently and have a different set of parameters to test. Add tests for those cases as well. On a basic x86 boot: # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE [ 22.292983] lkdtm: Writing to the buddy page before free [ 22.293950] lkdtm: Attempting bad write to the buddy page after free # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE [ 32.379896] lkdtm: Value in memory before free: 12345678 [ 32.383854] lkdtm: Attempting to read from freed memory [ 32.389309] lkdtm: Buddy page was not poisoned On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on: # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE [ 17.477360] lkdtm: Writing to the buddy page before free [ 17.479089] lkdtm: Attempting bad write to the buddy page after free [ 17.480904] BUG: unable to handle kernel paging request at ffff88000ebd8000 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE [ 14.607447] lkdtm: Value in memory before free: 12345678 [ 14.608161] lkdtm: Attempting to read from freed memory [ 14.608860] BUG: unable to handle kernel paging request at ffff88000eba3000 Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not produce the same crash. Signed-off-by: NLaura Abbott <labbott@fedoraproject.org> Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Laura Abbott 提交于
The SLUB allocator may use the first word of a freed block to store the freelist information. This may make it harder to test poisoning features. Change the WRITE_AFTER_FREE test to better match what the READ_AFTER_FREE test does and also print out a big more information. Signed-off-by: NLaura Abbott <labbott@fedoraproject.org> Signed-off-by: NKees Cook <keescook@chromium.org>
-
由 Laura Abbott 提交于
In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE test to test free poisoning features. Sample output when no sanitization is present: # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 17.542473] lkdtm: Performing direct entry READ_AFTER_FREE [ 17.543866] lkdtm: Value in memory before free: 12345678 [ 17.545212] lkdtm: Attempting bad read from freed memory [ 17.546542] lkdtm: Memory was not poisoned with slub_debug=P: # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT [ 22.415531] lkdtm: Performing direct entry READ_AFTER_FREE [ 22.416366] lkdtm: Value in memory before free: 12345678 [ 22.417137] lkdtm: Attempting bad read from freed memory [ 22.417897] lkdtm: Memory correctly poisoned, calling BUG Signed-off-by: NLaura Abbott <labbott@fedoraproject.org> Signed-off-by: NKees Cook <keescook@chromium.org>
-
- 22 2月, 2016 1 次提交
-
-
由 Kees Cook 提交于
The new __ro_after_init section should be writable before init, but not after. Validate that it gets updated at init and can't be written to afterwards. Signed-off-by: NKees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: David Brown <david.brown@linaro.org> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Emese Revfy <re.emese@gmail.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mathias Krause <minipli@googlemail.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: PaX Team <pageexec@freemail.hu> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: kernel-hardening@lists.openwall.com Cc: linux-arch <linux-arch@vger.kernel.org> Link: http://lkml.kernel.org/r/1455748879-21872-6-git-send-email-keescook@chromium.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>
-
- 10 2月, 2016 1 次提交
-
-
由 Arnd Bergmann 提交于
The kernel sometimes fails to link when lkdrm is built-in and compiled with clang: relocation truncated to fit: R_ARM_THM_CALL against `.bss' The reason here is that a relocation from .text to .bss fails to generate a trampoline because .bss is not an executable section. Marking the function 'noinline' turns the relative branch to .bss into an absolute branch to the function argument, and that works fine. Signed-off-by: NArnd Bergmann <arnd@arndb.de> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 29 10月, 2015 1 次提交
-
-
由 Stephen Smalley 提交于
Add a copy_to_user() call to the ACCESS_USERSPACE test prior to attempting direct dereferencing of the user address to ensure the page is present. Otherwise, a fault occurs on arm kernels even prior to the introduction of CONFIG_CPU_SW_DOMAIN_PAN, and there is no difference in behavior for CONFIG_CPU_SW_DOMAIN_PAN=n vs CONFIG_CPU_SW_DOMAIN_PAN=y. Before this change, for any value of CONFIG_CPU_SW_DOMAIN_PAN: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6fe8000 Unable to handle kernel paging request at virtual address b6fe8000 After this change, for CONFIG_CPU_SW_DOMAIN_PAN=n: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6efc000 lkdtm: attempting bad write at b6efc000 After this change, for CONFIG_CPU_SW_DOMAIN_PAN=y: lkdtm: Performing direct entry ACCESS_USERSPACE lkdtm: attempting bad read at b6f7d000 Unhandled fault: page domain fault (0x01b) at 0xb6f7d000 ... Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov> Acked-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 10 7月, 2014 1 次提交
-
-
由 Terry Chia 提交于
This starts to address https://bugzilla.kernel.org/show_bug.cgi?id=10770Signed-off-by: NTerry Chia <terrycwk1994@gmail.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 15 2月, 2014 3 次提交
-
-
由 Kees Cook 提交于
Some architectures need cacheflush.h explicitly included (mips) for use of flush_icache_range(): config: make ARCH=mips allmodconfig All error/warnings: >> ERROR: "flush_icache_range" undefined! Reported-by: NFengguang Wu <fengguang.wu@intel.com> Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Kees Cook 提交于
Add "WRITE_KERN" crash target to validate that kernel executable memory is not writable. Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-
由 Kees Cook 提交于
Some CPUs explicitly need to have their icache flushed after making executable code copies for the memory region execution tests. Additionally, report the specific address targets being used so that debugging non-crash failures is easier. Signed-off-by: NKees Cook <keescook@chromium.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
-