This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c
file to help separate things better for readability.
Signed-off-by: NKees Cook <keescook@chromium.org>

This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c
file to help separate things better for readability.
Signed-off-by: NKees Cook <keescook@chromium.org>

This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to
help separate things better for readability.
Signed-off-by: NKees Cook <keescook@chromium.org>

There is no good reason to have the alloc_size parameter currently. The
compiler-tricking value used to exercise the stack can just use a stack
address instead. Similarly hard-code cache_size.
Signed-off-by: NKees Cook <keescook@chromium.org>

The upcoming HARDENED_USERCOPY checks will also block access to the
kernel text, so provide a test for this as well.
Signed-off-by: NKees Cook <keescook@chromium.org>

Each direction of the atomic wrapping should be individually testable.
Signed-off-by: NKees Cook <keescook@chromium.org>

This adds test to detect copy_to_user/copy_from_user problems that are
protected by PAX_USERCOPY (and will be protected by HARDENED_USERCOPY).
Explicitly tests both "to" and "from" directions of heap object size
problems, heap object markings and, stack frame misalignment.
Signed-off-by: NKees Cook <keescook@chromium.org>

This adds a function that lives in the .rodata section. The section
flags are corrected using objcopy since there is no way with gcc to
declare section flags in an architecture-agnostic way.
Signed-off-by: NKees Cook <keescook@chromium.org>

This cleans up comments a bit to improve readability, adjusts the
name of the module after the source file renaming, and corrects the
MAINTAINERS for the upcoming lkdtm files.
Signed-off-by: NKees Cook <keescook@chromium.org>

Kbuild lacks a way to do in-place objcopy or other modifications of
built targets, so in order to move functions into non-text sections
without renaming the kernel module, the build of lkdtm must be split
into separate source files. This renames lkdtm.c to lkdtm_core.c in
preparation for adding the source file for the .rodata section.
Signed-off-by: NKees Cook <keescook@chromium.org>

This frees the allocated page if there is a kmalloc failure.
Signed-off-by: NKees Cook <keescook@chromium.org>

This case is supposed to read from a memory after it has been freed,
but we missed freeing base if the memory 'val' could not be allocated.
Signed-off-by: NSudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: NKees Cook <keescook@chromium.org>

This case is supposed to read from a page after after it is freed, but
it missed freeing val if we are not able to get a free page.
Signed-off-by: NSudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: NKees Cook <keescook@chromium.org>

This improves the order of operations on the use-after-free tests to
try to make sure we've executed any available sanity-checking code,
and to report the poisoning that was found.
Signed-off-by: NKees Cook <keescook@chromium.org>

dmesg output of running this LKDTM test with PaX:

[187095.475573] lkdtm: No crash points registered, enable through debugfs
[187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
[187118.030045] lkdtm: attempting atomic underflow
[187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
[187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.111321] RIP: 0010:[<ffffffffc00fc2fe>]  [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
...
[187118.128074] lkdtm: attempting atomic overflow
[187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
[187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.128092] RIP: 0010:[<ffffffffc00fc316>]  [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
Signed-off-by: NDavid Windsor <dave@progbits.org>
[cleaned up whitespacing, keescook]
Signed-off-by: NKees Cook <keescook@chromium.org>

The current tests for read/write after free work on slab
allocated memory. Memory straight from the buddy allocator
may behave slightly differently and have a different set
of parameters to test. Add tests for those cases as well.

On a basic x86 boot:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   22.292983] lkdtm: Writing to the buddy page before free
[   22.293950] lkdtm: Attempting bad write to the buddy page after free

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   32.379896] lkdtm: Value in memory before free: 12345678
[   32.383854] lkdtm: Attempting to read from freed memory
[   32.389309] lkdtm: Buddy page was not poisoned

On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   17.477360] lkdtm: Writing to the buddy page before free
[   17.479089] lkdtm: Attempting bad write to the buddy page after free
[   17.480904] BUG: unable to handle kernel paging request at
ffff88000ebd8000

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   14.607447] lkdtm: Value in memory before free: 12345678
[   14.608161] lkdtm: Attempting to read from freed memory
[   14.608860] BUG: unable to handle kernel paging request at
ffff88000eba3000

Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
produce the same crash.
Signed-off-by: NLaura Abbott <labbott@fedoraproject.org>
Signed-off-by: NKees Cook <keescook@chromium.org>

The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a big more information.
Signed-off-by: NLaura Abbott <labbott@fedoraproject.org>
Signed-off-by: NKees Cook <keescook@chromium.org>

In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
test to test free poisoning features. Sample output when
no sanitization is present:

 # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
[   17.543866] lkdtm: Value in memory before free: 12345678
[   17.545212] lkdtm: Attempting bad read from freed memory
[   17.546542] lkdtm: Memory was not poisoned

with slub_debug=P:

 # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
[   22.416366] lkdtm: Value in memory before free: 12345678
[   22.417137] lkdtm: Attempting bad read from freed memory
[   22.417897] lkdtm: Memory correctly poisoned, calling BUG
Signed-off-by: NLaura Abbott <labbott@fedoraproject.org>
Signed-off-by: NKees Cook <keescook@chromium.org>

The new __ro_after_init section should be writable before init, but
not after. Validate that it gets updated at init and can't be written
to afterwards.
Signed-off-by: NKees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: David Brown <david.brown@linaro.org>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathias Krause <minipli@googlemail.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: PaX Team <pageexec@freemail.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kernel-hardening@lists.openwall.com
Cc: linux-arch <linux-arch@vger.kernel.org>
Link: http://lkml.kernel.org/r/1455748879-21872-6-git-send-email-keescook@chromium.orgSigned-off-by: NIngo Molnar <mingo@kernel.org>

The kernel sometimes fails to link when lkdrm is built-in and
compiled with clang:

relocation truncated to fit: R_ARM_THM_CALL against `.bss'

The reason here is that a relocation from .text to .bss fails to
generate a trampoline because .bss is not an executable section.

Marking the function 'noinline' turns the relative branch to .bss
into an absolute branch to the function argument, and that works
fine.
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add a copy_to_user() call to the ACCESS_USERSPACE test
prior to attempting direct dereferencing of the user
address to ensure the page is present.  Otherwise,
a fault occurs on arm kernels even prior to the introduction
of CONFIG_CPU_SW_DOMAIN_PAN, and there is no difference in
behavior for CONFIG_CPU_SW_DOMAIN_PAN=n vs CONFIG_CPU_SW_DOMAIN_PAN=y.

Before this change, for any value of CONFIG_CPU_SW_DOMAIN_PAN:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6fe8000
Unable to handle kernel paging request at virtual address b6fe8000

After this change, for CONFIG_CPU_SW_DOMAIN_PAN=n:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6efc000
lkdtm: attempting bad write at b6efc000

After this change, for CONFIG_CPU_SW_DOMAIN_PAN=y:
lkdtm: Performing direct entry ACCESS_USERSPACE
lkdtm: attempting bad read at b6f7d000
Unhandled fault: page domain fault (0x01b) at 0xb6f7d000
...
Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
Acked-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This starts to address
https://bugzilla.kernel.org/show_bug.cgi?id=10770Signed-off-by: NTerry Chia <terrycwk1994@gmail.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Some architectures need cacheflush.h explicitly included (mips) for
use of flush_icache_range():

    config: make ARCH=mips allmodconfig
    All error/warnings:
    >> ERROR: "flush_icache_range" undefined!
Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add "WRITE_KERN" crash target to validate that kernel executable memory
is not writable.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Some CPUs explicitly need to have their icache flushed after making
executable code copies for the memory region execution tests.
Additionally, report the specific address targets being used so that
debugging non-crash failures is easier.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Move to using pr_* calls instead of printk calls for reporting.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

This patch marks the function jp_generic_ide_ioctl() as static in
lkdtm.c because it is not used outside this file.

Thus, it also eliminates the following warnings in lkdtm.c:
drivers/misc/lkdtm.c:227:5: warning: no previous prototype for ‘jp_generic_ide_ioctl’ [-Wmissing-prototypes]
Signed-off-by: NRashika Kheria <rashika.kheria@gmail.com>
Reviewed-by: NJosh Triplett <josh@joshtriplett.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Since lkdtm intentionally does "bad" things, we need to convince sparse
that we're doing these things on purpose. This adds an explicit cast
to the call to copy_to_user() and marks the spin lock as expecting
to dead-lock.
Reported-by: NFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Testing execution and access of userspace from the kernel is needed for
validating things like Intel's SMEP and SMAP protections. Additionally,
add an explicit test for validating that RO page permissions have been
set for the RO data area.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When CONFIG_FRAME_WARN is set low (e.g. some ARM builds), the hard-coded
stack buffer size used for kernel stack over run testing triggers build
warnings. Instead, avoid the warning by recalcuating the buffer size and
recursion count needed to trigger the test. Also uses the recursion counter
indirectly to avoid changing the parameter during the test.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

When tests were added to lkdtm that grew the stack frame, the stack
corruption test stopped working. This isolates the test in its own
function, and forces it not to be inlined.
Signed-off-by: NKees Cook <keescook@chromium.org>
Fixes: cc33c537 ("lkdtm: add "EXEC_*" triggers")
Cc: stable <stable@vger.kernel.org> # 3.12
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Add new crash locations that attempt to execute non-executable memory
regions (data segment, stack, kmalloc, vmalloc).
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

For additional lockup testing, add "SPINLOCKUP" to trigger a spinlock
deadlock when triggered twice.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

For additional testing, add "WARNING" as a trigger that calls WARN_ON(1).
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

The -fstack-protector compiler flag will only build stack protections if
a character array is seen. Additionally, the offset to the saved
instruction pointer changes based on architecture, so stomp much harder
(64 bytes) when corrupting the stack.
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=44691

Reported-by: <rucsoftsec@gmail.com>
Signed-off-by: NAlan Cox <alan@linux.intel.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

lkdtm_do_action() may call sleeping functions like kmalloc(), so do not
call it with spin lock held.
Signed-off-by: NWANG Cong <xiyou.wangcong@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <greg@kroah.com>
Reviewed-by: NDave Young <dyoung@redhat.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

We observed the crash point count going negative in cases where the
crash point is hit multiple times before the check of "count == 0" is
done.  Because of this we never call lkdtm_do_action().  This patch just
adds a spinlock to protect count.
Reported-by: NTapan Dhimant <tdhimant@akamai.com>
Signed-off-by: NJosh Hunt <johunt@akamai.com>
Acked-by: NAnkita Garg <ankita@in.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Prefix cname and ctype constants with CN/CT_.  This is especially for the
conflict on BUG which causes a build break if arch defines it as a inline
function, i.e.  MIPS.
Signed-off-by: NNamhyung Kim <namhyung@gmail.com>
Cc: Ankita Garg <ankita@in.ibm.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

When the default llseek behavior gets changed to
not allowing seek, all file operations that rely
on the current behaviour need to use an explicit
.llseek operation.

The files that lkdtm uses in debugfs are regular
files and they get read using simple_read_from_buffer,
so generic_file_llseek is the right operation.
Signed-off-by: NArnd Bergmann <arnd@arndb.de>