This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Since we'll be using refcount_t instead of atomic_t for refcounting,
change the LKDTM tests to reflect the new interface and test conditions.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NPeter Zijlstra (Intel) <peterz@infradead.org>
Cc: Hans Liljestrand <ishkamiel@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arnd@arndb.de
Cc: dhowells@redhat.com
Cc: dwindsor@gmail.com
Cc: elena.reshetova@intel.com
Cc: gregkh@linuxfoundation.org
Cc: h.peter.anvin@intel.com
Cc: kernel-hardening@lists.openwall.com
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1486164412-7338-3-git-send-email-keescook@chromium.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>

After the latest change to make sure the compiler actually does a memset,
it is now smart enough to flag the stack overflow at compile time,
at least with gcc-7.0:

drivers/misc/lkdtm_bugs.c: In function 'lkdtm_CORRUPT_STACK':
drivers/misc/lkdtm_bugs.c:88:144: warning: 'memset' writing 64 bytes into a region of size 8 overflows the destination [-Wstringop-overflow=]

To outsmart the compiler again, this moves the memset into a noinline
function where (for now) it doesn't see that we intentionally write
broken code here.

Fixes: c55d2400 ("lkdtm: Prevent the compiler from optimising lkdtm_CORRUPT_STACK()")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

At least on powerpc with GCC 6, the compiler is smart enough to optimise
lkdtm_CORRUPT_STACK() into an empty function that just returns.

If we print the buffer after we've written to it that prevents the
compiler from optimising away data and the memset().
Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
Acked-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When building under CONFIG_DEBUG_LIST, list addition and removal will be
sanity-checked. This validates that the check is working as expected by
setting up classic corruption attacks against list manipulations, available
with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL.
Signed-off-by: NKees Cook <keescook@chromium.org>
Acked-by: NSteven Rostedt <rostedt@goodmis.org>
Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: NRik van Riel <riel@redhat.com>

When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and
lkdtm_rodata.c was discovered. This fixes the issue and consolidates
the common header and the pr_fmt macro for simplicity and regularity
across each test source file.
Signed-off-by: NKees Cook <keescook@chromium.org>

This splits all the remaining tests from lkdtm_core.c into the new
lkdtm_bugs.c file to help separate things better for readability.
Signed-off-by: NKees Cook <keescook@chromium.org>