lkdtm/bugs: Adjust recursion test to avoid elision

While I was able to trick gcc into keeping a pathological recursion, Clang was not so easily fooled. Instead, switch to using "volatile" and side-effects to keep the stack variable allocated and to run the function. Additionally renames "OVERFLOW" to "EXHAUST_STACK" to better describe the test. Signed-off-by: Kees Cook <keescook@chromium.org>

lkdtm/bugs: Adjust recursion test to avoid elision
While I was able to trick gcc into keeping a pathological recursion, Clang was not so easily fooled. Instead, switch to using "volatile" and side-effects to keep the stack variable allocated and to run the function. Additionally renames "OVERFLOW" to "EXHAUST_STACK" to better describe the test. Signed-off-by: Kees Cook <keescook@chromium.org>
24cccab4 · Kees Cook · 2bf8496f · 24cccab4 · 24cccab4 · 24cccab4
Commit 24cccab4 authored Apr 06, 2019 by Kees Cook
Showing with 21 additions and 10 deletions

drivers/misc/lkdtm/bugs.c drivers/misc/lkdtm/bugs.c +17 -6

drivers/misc/lkdtm/core.c drivers/misc/lkdtm/core.c +3 -3

drivers/misc/lkdtm/lkdtm.h drivers/misc/lkdtm/lkdtm.h +1 -1

No files found.
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -32,12 +32,20 @@ static int recur_count = REC_NUM_DEFAULT;
 static DEFINE_SPINLOCK(lock_me_up);
-static int recursive_loop(int remaining)
+/*
+ * Make sure compiler does not optimize this function or stack frame away:
+ * - function marked noinline
+ * - stack variables are marked volatile
+ * - stack variables are written (memset()) and read (pr_info())
+ * - function has external effects (pr_info())
+ * */
+static int noinline recursive_loop(int remaining)
 {
-	char buf[REC_STACK_SIZE];
+	volatile char buf[REC_STACK_SIZE];
-	/* Make sure compiler does not optimize this away. */
+	memset((void *)buf, remaining & 0xFF, sizeof(buf));
-	memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
+	pr_info("loop %d/%d ...\n", (int)buf[remaining % sizeof(buf)],
+		recur_count);
 	if (!remaining)
 		return 0;
 	else
@@ -81,9 +89,12 @@ void lkdtm_LOOP(void)
 		;
 }
-void lkdtm_OVERFLOW(void)
+void lkdtm_EXHAUST_STACK(void)
 {
-	(void) recursive_loop(recur_count);
+	pr_info("Calling function with %d frame size to depth %d ...\n",
+		REC_STACK_SIZE, recur_count);
+	recursive_loop(recur_count);
+	pr_info("FAIL: survived without exhausting stack?!\n");
 }
 static noinline void __lkdtm_CORRUPT_STACK(void *stack)

--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -119,12 +119,12 @@ static const struct crashtype crashtypes[] = {
 	CRASHTYPE(WARNING),
 	CRASHTYPE(EXCEPTION),
 	CRASHTYPE(LOOP),
-	CRASHTYPE(OVERFLOW),
+	CRASHTYPE(EXHAUST_STACK),
+	CRASHTYPE(CORRUPT_STACK),
+	CRASHTYPE(CORRUPT_STACK_STRONG),
 	CRASHTYPE(CORRUPT_LIST_ADD),
 	CRASHTYPE(CORRUPT_LIST_DEL),
 	CRASHTYPE(CORRUPT_USER_DS),
-	CRASHTYPE(CORRUPT_STACK),
-	CRASHTYPE(CORRUPT_STACK_STRONG),
 	CRASHTYPE(STACK_GUARD_PAGE_LEADING),
 	CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
 	CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),

--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -13,7 +13,7 @@ void lkdtm_BUG(void);
 void lkdtm_WARNING(void);
 void lkdtm_EXCEPTION(void);
 void lkdtm_LOOP(void);
-void lkdtm_OVERFLOW(void);
+void lkdtm_EXHAUST_STACK(void);
 void lkdtm_CORRUPT_STACK(void);
 void lkdtm_CORRUPT_STACK_STRONG(void);
 void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void);