lkdtm updates and new tests
- Check NULL dereferences (Christophe Leroy) - Print real addresses for debugging (Christophe Leroy) - Drop CONFIG_BLOCK dependency -----BEGIN PGP SIGNATURE----- Comment: Kees Cook <kees@outflux.net> iQJKBAABCgA0FiEEpcP2jyKd1g9yPm4TiXL039xtwCYFAlw2VSoWHGtlZXNjb29r QGNocm9taXVtLm9yZwAKCRCJcvTf3G3AJhkiEACJf+GFe7lkvJPIEUz7kY6tw1b7 J8sD/TzSGlv+g7XtuZ7Pn7AToaSqsRERZBIW4B8Y93Im4RuZMoMw19ZtprEgnfmD nQUDLGq9xosCVxna5gGre0EsobDQ+w82f8kXiDUCGm/QT7SHctAQyRmbcahw3825 6aDGFZWWaGqVVl+Sb4O8ST73eXYmPkN/dCCn97TZB23XMZC176gcGHkbqRnkJ0Hv 5KNYhBonV/0uHnsOfBW/FS9JmAiTCjBdEy/pNmgYyZ/yy0iMjlMXsTO+L/xxMn3m +8WgCgXjDB7T51YmUsfWghkmk0LQVEVqHk+mqdekFKFBmZG6tta5idhWnqw8c//g Rjrlfcd9p5VelysCfh1ETtLPKH7DdIfpR8x92LGAKBhTDz3GLOZjNLQQu84LIB89 eON7D0zzy6xoNdOqaTS4/M5QXh0eBCnuYaiJRXFp4+mFLvav7lFGVvzhi+i8oqAl o5ImbTeyjXglkVvvW/Cew2xuMJgPcdwCAZdruAZl3YcUf9ddCJ9himP6LH0vCW8n vGM333JT/uaFLa4XzagKdsb0KnRSrCwKl1ydwCpH+DKZnBES+3RRRAPaGlsSFUzP MlP9DM+vVmc5JNGot+eckUnvHS5BaansoxXYNdWOhS4tNDiLb2kRJ+EatO6T2LKB XEVx3Qa+95R38aRMoQ== =PwhZ -----END PGP SIGNATURE----- Merge tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into char-misc-next Kees writes: lkdtm updates and new tests - Check NULL dereferences (Christophe Leroy) - Print real addresses for debugging (Christophe Leroy) - Drop CONFIG_BLOCK dependency * tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lkdtm: Add tests for NULL pointer dereference lkdtm: Print real addresses lkdtm: Do not depend on BLOCK and clean up headers
This commit is contained in:
Greg Kroah-Hartman
commit
a2915698ba
@ -37,16 +37,9 @@
|
||||
#include <linux/kprobes.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/interrupt.h>
|
||||
#include <linux/hrtimer.h>
|
||||
#include <linux/slab.h>
|
||||
#include <scsi/scsi_cmnd.h>
|
||||
#include <linux/debugfs.h>
|
||||
|
||||
#ifdef CONFIG_IDE
|
||||
#include <linux/ide.h>
|
||||
#endif
|
||||
|
||||
#define DEFAULT_COUNT 10
|
||||
|
||||
static int lkdtm_debugfs_open(struct inode *inode, struct file *file);
|
||||
@ -102,9 +95,7 @@ static struct crashpoint crashpoints[] = {
|
||||
CRASHPOINT("MEM_SWAPOUT", "shrink_inactive_list"),
|
||||
CRASHPOINT("TIMERADD", "hrtimer_start"),
|
||||
CRASHPOINT("SCSI_DISPATCH_CMD", "scsi_dispatch_cmd"),
|
||||
# ifdef CONFIG_IDE
|
||||
CRASHPOINT("IDE_CORE_CP", "generic_ide_ioctl"),
|
||||
# endif
|
||||
#endif
|
||||
};
|
||||
|
||||
@ -152,7 +143,9 @@ static const struct crashtype crashtypes[] = {
|
||||
CRASHTYPE(EXEC_VMALLOC),
|
||||
CRASHTYPE(EXEC_RODATA),
|
||||
CRASHTYPE(EXEC_USERSPACE),
|
||||
CRASHTYPE(EXEC_NULL),
|
||||
CRASHTYPE(ACCESS_USERSPACE),
|
||||
CRASHTYPE(ACCESS_NULL),
|
||||
CRASHTYPE(WRITE_RO),
|
||||
CRASHTYPE(WRITE_RO_AFTER_INIT),
|
||||
CRASHTYPE(WRITE_KERN),
|
||||
|
||||
@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
|
||||
void lkdtm_EXEC_VMALLOC(void);
|
||||
void lkdtm_EXEC_RODATA(void);
|
||||
void lkdtm_EXEC_USERSPACE(void);
|
||||
void lkdtm_EXEC_NULL(void);
|
||||
void lkdtm_ACCESS_USERSPACE(void);
|
||||
void lkdtm_ACCESS_NULL(void);
|
||||
|
||||
/* lkdtm_refcount.c */
|
||||
void lkdtm_REFCOUNT_INC_OVERFLOW(void);
|
||||
|
||||
@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
|
||||
{
|
||||
void (*func)(void) = dst;
|
||||
|
||||
pr_info("attempting ok execution at %p\n", do_nothing);
|
||||
pr_info("attempting ok execution at %px\n", do_nothing);
|
||||
do_nothing();
|
||||
|
||||
if (write == CODE_WRITE) {
|
||||
@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
|
||||
flush_icache_range((unsigned long)dst,
|
||||
(unsigned long)dst + EXEC_SIZE);
|
||||
}
|
||||
pr_info("attempting bad execution at %p\n", func);
|
||||
pr_info("attempting bad execution at %px\n", func);
|
||||
func();
|
||||
}
|
||||
|
||||
@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
|
||||
/* Intentionally crossing kernel/user memory boundary. */
|
||||
void (*func)(void) = dst;
|
||||
|
||||
pr_info("attempting ok execution at %p\n", do_nothing);
|
||||
pr_info("attempting ok execution at %px\n", do_nothing);
|
||||
do_nothing();
|
||||
|
||||
copied = access_process_vm(current, (unsigned long)dst, do_nothing,
|
||||
EXEC_SIZE, FOLL_WRITE);
|
||||
if (copied < EXEC_SIZE)
|
||||
return;
|
||||
pr_info("attempting bad execution at %p\n", func);
|
||||
pr_info("attempting bad execution at %px\n", func);
|
||||
func();
|
||||
}
|
||||
|
||||
@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
|
||||
/* Explicitly cast away "const" for the test. */
|
||||
unsigned long *ptr = (unsigned long *)&rodata;
|
||||
|
||||
pr_info("attempting bad rodata write at %p\n", ptr);
|
||||
pr_info("attempting bad rodata write at %px\n", ptr);
|
||||
*ptr ^= 0xabcd1234;
|
||||
}
|
||||
|
||||
@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
|
||||
return;
|
||||
}
|
||||
|
||||
pr_info("attempting bad ro_after_init write at %p\n", ptr);
|
||||
pr_info("attempting bad ro_after_init write at %px\n", ptr);
|
||||
*ptr ^= 0xabcd1234;
|
||||
}
|
||||
|
||||
@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
|
||||
size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
|
||||
ptr = (unsigned char *)do_overwritten;
|
||||
|
||||
pr_info("attempting bad %zu byte write at %p\n", size, ptr);
|
||||
pr_info("attempting bad %zu byte write at %px\n", size, ptr);
|
||||
memcpy(ptr, (unsigned char *)do_nothing, size);
|
||||
flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
|
||||
|
||||
@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
|
||||
vm_munmap(user_addr, PAGE_SIZE);
|
||||
}
|
||||
|
||||
void lkdtm_EXEC_NULL(void)
|
||||
{
|
||||
execute_location(NULL, CODE_AS_IS);
|
||||
}
|
||||
|
||||
void lkdtm_ACCESS_USERSPACE(void)
|
||||
{
|
||||
unsigned long user_addr, tmp = 0;
|
||||
@ -185,16 +190,29 @@ void lkdtm_ACCESS_USERSPACE(void)
|
||||
|
||||
ptr = (unsigned long *)user_addr;
|
||||
|
||||
pr_info("attempting bad read at %p\n", ptr);
|
||||
pr_info("attempting bad read at %px\n", ptr);
|
||||
tmp = *ptr;
|
||||
tmp += 0xc0dec0de;
|
||||
|
||||
pr_info("attempting bad write at %p\n", ptr);
|
||||
pr_info("attempting bad write at %px\n", ptr);
|
||||
*ptr = tmp;
|
||||
|
||||
vm_munmap(user_addr, PAGE_SIZE);
|
||||
}
|
||||
|
||||
void lkdtm_ACCESS_NULL(void)
|
||||
{
|
||||
unsigned long tmp;
|
||||
unsigned long *ptr = (unsigned long *)NULL;
|
||||
|
||||
pr_info("attempting bad read at %px\n", ptr);
|
||||
tmp = *ptr;
|
||||
tmp += 0xc0dec0de;
|
||||
|
||||
pr_info("attempting bad write at %px\n", ptr);
|
||||
*ptr = tmp;
|
||||
}
|
||||
|
||||
void __init lkdtm_perms_init(void)
|
||||
{
|
||||
/* Make sure we can write to __ro_after_init values during __init */
|
||||
|
||||
@ -1700,7 +1700,6 @@ if RUNTIME_TESTING_MENU
|
||||
config LKDTM
|
||||
tristate "Linux Kernel Dump Test Tool Module"
|
||||
depends on DEBUG_FS
|
||||
depends on BLOCK
|
||||
help
|
||||
This module enables testing of the different dumping mechanisms by
|
||||
inducing system failures at predefined crash points.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user