authorKees Cook <keescook@chromium.org>2017-03-24 10:51:25 -0700
committerAmit Pundir <amit.pundir@linaro.org>2018-10-04 14:19:44 +0530
commitf6e2385809202c2d49e538960bebbcf22f720271 (patch)
tree45bac3cf65702f8cf61d051fb4167f664422d5f5
parent3891454fb8131caa4807262dc6498ade4c0ce82a (diff)
BACKPORT: lkdtm: add bad USER_DS test
(cherry-picked from e22aa9d781a27a961581c57442911309fb86a48e) This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die. A successful test will be visible with a BUG(), like all the other LKDTM tests. Change-Id: I1d2585de65032f0f6b9baea2a71f92bfc296c94b Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Satya Tangirala <satyat@google.com> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
-rw-r--r--drivers/misc/lkdtm.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 42a0a99007be..8e06e1020ad9 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -48,6 +48,8 @@
#include <linux/mman.h>
#include <asm/cacheflush.h>
#include <linux/list.h>
+#include <linux/sched.h>
+#include <linux/uaccess.h>
#ifdef CONFIG_IDE
#include <linux/ide.h>
@@ -95,6 +97,7 @@ enum ctype {
CT_OVERFLOW,
CT_CORRUPT_LIST_ADD,
CT_CORRUPT_LIST_DEL,
+ CT_CORRUPT_USER_DS,
CT_CORRUPT_STACK,
CT_UNALIGNED_LOAD_STORE_WRITE,
CT_OVERWRITE_ALLOCATION,
@@ -135,6 +138,7 @@ static char* cp_type[] = {
"OVERFLOW",
"CORRUPT_LIST_ADD",
"CORRUPT_LIST_DEL",
+ "CORRUPT_USER_DS",
"CORRUPT_STACK",
"UNALIGNED_LOAD_STORE_WRITE",
"OVERWRITE_ALLOCATION",
@@ -618,6 +622,14 @@ static void lkdtm_do_action(enum ctype which)
pr_err("list_del() corruption not detected!\n");
break;
}
+ case CT_CORRUPT_USER_DS: {
+ pr_info("setting bad task size limit\n");
+ set_fs(KERNEL_DS);
+
+ /* Make sure we do not keep running with a KERNEL_DS! */
+ force_sig(SIGKILL, current);
+ break;
+ }
case CT_NONE:
default:
break;
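Review bot: Both `set_fs(KERNEL_DS)` and `force_sig(SIGKILL, current)` in the new CT_CORRUPT_USER_DS case act on whatever task is `current` when lkdtm_do_action runs, and nothing in the case restricts how it is reached; if lkdtm_do_action is also invoked from the probe-based crash points elsewhere in this file (its callers are outside the hunk), the widened address limit and the kill could land on an unrelated task rather than the one that requested the test. If that path is possible, the case should either be limited to the direct debugfs trigger or carry a comment such as `/* Acts on current: only meaningful from the direct trigger, not from other crash points. */`. Unlike the list-corruption cases above, this case cannot print a "not detected" message because the check happens on syscall return after this function; a comment stating that the expected outcome is a BUG() at syscall exit, and that a task that merely dies from SIGKILL with no BUG() means the protection is missing, would make the dmesg output interpretable.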