Commit 325bf6d8 authored by Kees Cook's avatar Kees Cook

lkdtm: Update tests for memcpy() run-time warnings

Clarify the LKDTM FORTIFY tests, and add tests for the mem*() family of
functions, now that run-time checking is distinct.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 54d9469b
...@@ -10,28 +10,31 @@ ...@@ -10,28 +10,31 @@
static volatile int fortify_scratch_space; static volatile int fortify_scratch_space;
static void lkdtm_FORTIFIED_OBJECT(void) static void lkdtm_FORTIFY_STR_OBJECT(void)
{ {
struct target { struct target {
char a[10]; char a[10];
} target[2] = {}; int foo;
} target[3] = {};
/* /*
* Using volatile prevents the compiler from determining the value of * Using volatile prevents the compiler from determining the value of
* 'size' at compile time. Without that, we would get a compile error * 'size' at compile time. Without that, we would get a compile error
* rather than a runtime error. * rather than a runtime error.
*/ */
volatile int size = 11; volatile int size = 20;
pr_info("trying to strcmp() past the end of a struct\n");
pr_info("trying to read past the end of a struct\n"); strncpy(target[0].a, target[1].a, size);
/* Store result to global to prevent the code from being eliminated */ /* Store result to global to prevent the code from being eliminated */
fortify_scratch_space = memcmp(&target[0], &target[1], size); fortify_scratch_space = target[0].a[3];
pr_err("FAIL: fortify did not block an object overread!\n"); pr_err("FAIL: fortify did not block a strncpy() object write overflow!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE); pr_expected_config(CONFIG_FORTIFY_SOURCE);
} }
static void lkdtm_FORTIFIED_SUBOBJECT(void) static void lkdtm_FORTIFY_STR_MEMBER(void)
{ {
struct target { struct target {
char a[10]; char a[10];
...@@ -44,7 +47,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) ...@@ -44,7 +47,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void)
strscpy(src, "over ten bytes", size); strscpy(src, "over ten bytes", size);
size = strlen(src) + 1; size = strlen(src) + 1;
pr_info("trying to strncpy past the end of a member of a struct\n"); pr_info("trying to strncpy() past the end of a struct member...\n");
/* /*
* strncpy(target.a, src, 20); will hit a compile error because the * strncpy(target.a, src, 20); will hit a compile error because the
...@@ -56,7 +59,72 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) ...@@ -56,7 +59,72 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void)
/* Store result to global to prevent the code from being eliminated */ /* Store result to global to prevent the code from being eliminated */
fortify_scratch_space = target.a[3]; fortify_scratch_space = target.a[3];
pr_err("FAIL: fortify did not block an sub-object overrun!\n"); pr_err("FAIL: fortify did not block a strncpy() struct member write overflow!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE);
kfree(src);
}
static void lkdtm_FORTIFY_MEM_OBJECT(void)
{
int before[10];
struct target {
char a[10];
int foo;
} target = {};
int after[10];
/*
* Using volatile prevents the compiler from determining the value of
* 'size' at compile time. Without that, we would get a compile error
* rather than a runtime error.
*/
volatile int size = 20;
memset(before, 0, sizeof(before));
memset(after, 0, sizeof(after));
fortify_scratch_space = before[5];
fortify_scratch_space = after[5];
pr_info("trying to memcpy() past the end of a struct\n");
pr_info("0: %zu\n", __builtin_object_size(&target, 0));
pr_info("1: %zu\n", __builtin_object_size(&target, 1));
pr_info("s: %d\n", size);
memcpy(&target, &before, size);
/* Store result to global to prevent the code from being eliminated */
fortify_scratch_space = target.a[3];
pr_err("FAIL: fortify did not block a memcpy() object write overflow!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE);
}
static void lkdtm_FORTIFY_MEM_MEMBER(void)
{
struct target {
char a[10];
char b[10];
} target;
volatile int size = 20;
char *src;
src = kmalloc(size, GFP_KERNEL);
strscpy(src, "over ten bytes", size);
size = strlen(src) + 1;
pr_info("trying to memcpy() past the end of a struct member...\n");
/*
* strncpy(target.a, src, 20); will hit a compile error because the
* compiler knows at build time that target.a < 20 bytes. Use a
* volatile to force a runtime error.
*/
memcpy(target.a, src, size);
/* Store result to global to prevent the code from being eliminated */
fortify_scratch_space = target.a[3];
pr_err("FAIL: fortify did not block a memcpy() struct member write overflow!\n");
pr_expected_config(CONFIG_FORTIFY_SOURCE); pr_expected_config(CONFIG_FORTIFY_SOURCE);
kfree(src); kfree(src);
...@@ -67,7 +135,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) ...@@ -67,7 +135,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void)
* strscpy and generate a panic because there is a write overflow (i.e. src * strscpy and generate a panic because there is a write overflow (i.e. src
* length is greater than dst length). * length is greater than dst length).
*/ */
static void lkdtm_FORTIFIED_STRSCPY(void) static void lkdtm_FORTIFY_STRSCPY(void)
{ {
char *src; char *src;
char dst[5]; char dst[5];
...@@ -136,9 +204,11 @@ static void lkdtm_FORTIFIED_STRSCPY(void) ...@@ -136,9 +204,11 @@ static void lkdtm_FORTIFIED_STRSCPY(void)
} }
static struct crashtype crashtypes[] = { static struct crashtype crashtypes[] = {
CRASHTYPE(FORTIFIED_OBJECT), CRASHTYPE(FORTIFY_STR_OBJECT),
CRASHTYPE(FORTIFIED_SUBOBJECT), CRASHTYPE(FORTIFY_STR_MEMBER),
CRASHTYPE(FORTIFIED_STRSCPY), CRASHTYPE(FORTIFY_MEM_OBJECT),
CRASHTYPE(FORTIFY_MEM_MEMBER),
CRASHTYPE(FORTIFY_STRSCPY),
}; };
struct crashtype_category fortify_crashtypes = { struct crashtype_category fortify_crashtypes = {
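Review bot: In lkdtm_FORTIFY_MEM_MEMBER the result of `kmalloc(size, GFP_KERNEL)` goes straight into strscpy() with no NULL check, so an allocation failure would oops for a reason unrelated to FORTIFY and muddy the test result; add `if (!src) return;` right after the allocation. The same pattern may be inherited from the STR_MEMBER test, whose allocation lies outside the visible hunks. The block comment above `memcpy(target.a, src, size)` still describes `strncpy(target.a, src, 20)` and should name memcpy() instead. In lkdtm_FORTIFY_STR_OBJECT the new pr_info appears to say "trying to strcmp()" while the call under test is strncpy(). The `"0: %zu"`, `"1: %zu"` and `"s: %d"` pr_info lines in lkdtm_FORTIFY_MEM_OBJECT read like leftover debugging and could be dropped or given descriptive labels.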
......
...@@ -75,7 +75,9 @@ USERCOPY_KERNEL ...@@ -75,7 +75,9 @@ USERCOPY_KERNEL
STACKLEAK_ERASING OK: the rest of the thread stack is properly erased STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
CFI_FORWARD_PROTO CFI_FORWARD_PROTO
CFI_BACKWARD call trace:|ok: control flow unchanged CFI_BACKWARD call trace:|ok: control flow unchanged
FORTIFIED_STRSCPY FORTIFY_STRSCPY detected buffer overflow
FORTIFIED_OBJECT FORTIFY_STR_OBJECT detected buffer overflow
FORTIFIED_SUBOBJECT FORTIFY_STR_MEMBER detected buffer overflow
FORTIFY_MEM_OBJECT detected buffer overflow
FORTIFY_MEM_MEMBER detected field-spanning write
PPC_SLB_MULTIHIT Recovered PPC_SLB_MULTIHIT Recovered
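Review bot: The expected string for FORTIFY_MEM_MEMBER, `detected field-spanning write`, reads like a warning rather than a fatal report, unlike the `detected buffer overflow` expected for the other four FORTIFY entries. If that check only warns and lets memcpy() complete, lkdtm_FORTIFY_MEM_MEMBER would still print its "FAIL: fortify did not block a memcpy() struct member write overflow!" line in a run the selftest counts as passing. That is worth confirming, and if so the C test should carry a comment saying the FAIL line is expected after a warning-only detection.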