lkdtm: remove set_fs-based tests
Once we can't manipulate the address limit, we also can't test what happens when the manipulation is abused. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
81b1e242b8
commit
c6f7c753f7
@ -312,16 +312,6 @@ void lkdtm_CORRUPT_LIST_DEL(void)
|
||||
pr_err("list_del() corruption not detected!\n");
|
||||
}
|
||||
|
||||
/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */
|
||||
void lkdtm_CORRUPT_USER_DS(void)
|
||||
{
|
||||
pr_info("setting bad task size limit\n");
|
||||
set_fs(KERNEL_DS);
|
||||
|
||||
/* Make sure we do not keep running with a KERNEL_DS! */
|
||||
force_sig(SIGKILL);
|
||||
}
|
||||
|
||||
/* Test that VMAP_STACK is actually allocating with a leading guard page */
|
||||
void lkdtm_STACK_GUARD_PAGE_LEADING(void)
|
||||
{
|
||||
|
@ -112,7 +112,6 @@ static const struct crashtype crashtypes[] = {
|
||||
CRASHTYPE(CORRUPT_STACK_STRONG),
|
||||
CRASHTYPE(CORRUPT_LIST_ADD),
|
||||
CRASHTYPE(CORRUPT_LIST_DEL),
|
||||
CRASHTYPE(CORRUPT_USER_DS),
|
||||
CRASHTYPE(STACK_GUARD_PAGE_LEADING),
|
||||
CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
|
||||
CRASHTYPE(UNSET_SMEP),
|
||||
@ -172,7 +171,6 @@ static const struct crashtype crashtypes[] = {
|
||||
CRASHTYPE(USERCOPY_STACK_FRAME_FROM),
|
||||
CRASHTYPE(USERCOPY_STACK_BEYOND),
|
||||
CRASHTYPE(USERCOPY_KERNEL),
|
||||
CRASHTYPE(USERCOPY_KERNEL_DS),
|
||||
CRASHTYPE(STACKLEAK_ERASING),
|
||||
CRASHTYPE(CFI_FORWARD_PROTO),
|
||||
#ifdef CONFIG_X86_32
|
||||
|
@ -27,7 +27,6 @@ void lkdtm_OVERFLOW_UNSIGNED(void);
|
||||
void lkdtm_ARRAY_BOUNDS(void);
|
||||
void lkdtm_CORRUPT_LIST_ADD(void);
|
||||
void lkdtm_CORRUPT_LIST_DEL(void);
|
||||
void lkdtm_CORRUPT_USER_DS(void);
|
||||
void lkdtm_STACK_GUARD_PAGE_LEADING(void);
|
||||
void lkdtm_STACK_GUARD_PAGE_TRAILING(void);
|
||||
void lkdtm_UNSET_SMEP(void);
|
||||
@ -96,7 +95,6 @@ void lkdtm_USERCOPY_STACK_FRAME_TO(void);
|
||||
void lkdtm_USERCOPY_STACK_FRAME_FROM(void);
|
||||
void lkdtm_USERCOPY_STACK_BEYOND(void);
|
||||
void lkdtm_USERCOPY_KERNEL(void);
|
||||
void lkdtm_USERCOPY_KERNEL_DS(void);
|
||||
|
||||
/* lkdtm_stackleak.c */
|
||||
void lkdtm_STACKLEAK_ERASING(void);
|
||||
|
@ -325,21 +325,6 @@ free_user:
|
||||
vm_munmap(user_addr, PAGE_SIZE);
|
||||
}
|
||||
|
||||
void lkdtm_USERCOPY_KERNEL_DS(void)
|
||||
{
|
||||
char __user *user_ptr =
|
||||
(char __user *)(0xFUL << (sizeof(unsigned long) * 8 - 4));
|
||||
mm_segment_t old_fs = get_fs();
|
||||
char buf[10] = {0};
|
||||
|
||||
pr_info("attempting copy_to_user() to noncanonical address: %px\n",
|
||||
user_ptr);
|
||||
set_fs(KERNEL_DS);
|
||||
if (copy_to_user(user_ptr, buf, sizeof(buf)) == 0)
|
||||
pr_err("copy_to_user() to noncanonical address succeeded!?\n");
|
||||
set_fs(old_fs);
|
||||
}
|
||||
|
||||
void __init lkdtm_usercopy_init(void)
|
||||
{
|
||||
/* Prepare cache that lacks SLAB_USERCOPY flag. */
|
||||
|
@ -9,7 +9,6 @@ EXCEPTION
|
||||
#CORRUPT_STACK_STRONG Crashes entire system on success
|
||||
CORRUPT_LIST_ADD list_add corruption
|
||||
CORRUPT_LIST_DEL list_del corruption
|
||||
CORRUPT_USER_DS Invalid address limit on user-mode return
|
||||
STACK_GUARD_PAGE_LEADING
|
||||
STACK_GUARD_PAGE_TRAILING
|
||||
UNSET_SMEP CR4 bits went missing
|
||||
@ -67,6 +66,5 @@ USERCOPY_STACK_FRAME_TO
|
||||
USERCOPY_STACK_FRAME_FROM
|
||||
USERCOPY_STACK_BEYOND
|
||||
USERCOPY_KERNEL
|
||||
USERCOPY_KERNEL_DS
|
||||
STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
|
||||
CFI_FORWARD_PROTO
|
||||
|
Loading…
Reference in New Issue
Block a user