author | Kees Cook <keescook@chromium.org> | 2017-03-24 10:51:25 -0700 |
---|---|---|
committer | Amit Pundir <amit.pundir@linaro.org> | 2018-10-04 14:19:44 +0530 |
commit | f6e2385809202c2d49e538960bebbcf22f720271 (patch) | |
tree | 45bac3cf65702f8cf61d051fb4167f664422d5f5 | |
parent | 3891454fb8131caa4807262dc6498ade4c0ce82a (diff) |
BACKPORT: lkdtm: add bad USER_DS test
(cherry-picked from e22aa9d781a27a961581c57442911309fb86a48e)
This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.
Change-Id: I1d2585de65032f0f6b9baea2a71f92bfc296c94b
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Satya Tangirala <satyat@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
-rw-r--r-- | drivers/misc/lkdtm.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 42a0a99007be..8e06e1020ad9 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -48,6 +48,8 @@
 #include <linux/mman.h>
 #include <asm/cacheflush.h>
 #include <linux/list.h>
+#include <linux/sched.h>
+#include <linux/uaccess.h>
 
 #ifdef CONFIG_IDE
 #include <linux/ide.h>
@@ -95,6 +97,7 @@ enum ctype {
 	CT_OVERFLOW,
 	CT_CORRUPT_LIST_ADD,
 	CT_CORRUPT_LIST_DEL,
+	CT_CORRUPT_USER_DS,
 	CT_CORRUPT_STACK,
 	CT_UNALIGNED_LOAD_STORE_WRITE,
 	CT_OVERWRITE_ALLOCATION,
@@ -135,6 +138,7 @@ static char* cp_type[] = {
 	"OVERFLOW",
 	"CORRUPT_LIST_ADD",
 	"CORRUPT_LIST_DEL",
+	"CORRUPT_USER_DS",
 	"CORRUPT_STACK",
 	"UNALIGNED_LOAD_STORE_WRITE",
 	"OVERWRITE_ALLOCATION",
@@ -618,6 +622,14 @@ static void lkdtm_do_action(enum ctype which)
 		pr_err("list_del() corruption not detected!\n");
 		break;
 	}
+	case CT_CORRUPT_USER_DS: {
+		pr_info("setting bad task size limit\n");
+		set_fs(KERNEL_DS);
+
+		/* Make sure we do not keep running with a KERNEL_DS! */
+		force_sig(SIGKILL, current);
+		break;
+	}
 	case CT_NONE:
 	default:
 		break;
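Review bot: The new CT_CORRUPT_USER_DS enumerator in the `enum ctype` hunk and the new "CORRUPT_USER_DS" string in the `cp_type[]` hunk are only linked by position, and nothing in either hunk records that the two lists must stay in the same order; a future insertion into one list but not the other would silently relabel every test after it. A one-line comment on the enum, `/* Order must match cp_type[] below, which is indexed by this enum. */`, would make the coupling visible where the next entry gets added; a BUILD_BUG_ON comparing ARRAY_SIZE(cp_type) against the enum's size would be stronger if the enum has a terminating count value, which this hunk does not show. Both the enum and the array continue outside their hunks.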
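Review bot: Unlike the preceding CT_CORRUPT_LIST_DEL case, which logs `pr_err("list_del() corruption not detected!\n")` when the protection is absent, the new CT_CORRUPT_USER_DS case has no failure path that can log anything: if the syscall-return check is missing, the kernel keeps running the rest of this path with KERNEL_DS and the only visible outcome is the SIGKILL delivered on return to userspace, with no kernel message. That asymmetry is inherent to the test (there is no point after set_fs() where the code could safely observe "not detected"), but it should be documented so that anyone reading the log understands that a killed writer process without a BUG() means the protection is missing, not that the test passed. I would extend the in-case comment to say so, e.g. `/* No "not detected" log is possible here: if the return-to-user check is absent, the process simply dies from SIGKILL. A BUG() is the only sign of success. */`, and mention the same in the description of the test in the driver's documentation if it has one. The enclosing lkdtm_do_action() switch starts and ends outside the hunk.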