linux/drivers/misc
Kees Cook 2e53b877dc lkdtm: Add CFI_BACKWARD to test ROP mitigations
In order to test various backward-edge control flow integrity methods,
add a test that manipulates the return address on the stack. Currently
only arm64 Pointer Authentication and Shadow Call Stack are supported.

 $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT

Under SCS, successful test of the mitigation is reported as:

 lkdtm: Performing direct entry CFI_BACKWARD
 lkdtm: Attempting unchecked stack return address redirection ...
 lkdtm: ok: redirected stack return address.
 lkdtm: Attempting checked stack return address redirection ...
 lkdtm: ok: control flow unchanged.

Under PAC, successful test of the mitigation is reported by the PAC
exception handler:

 lkdtm: Performing direct entry CFI_BACKWARD
 lkdtm: Attempting unchecked stack return address redirection ...
 lkdtm: ok: redirected stack return address.
 lkdtm: Attempting checked stack return address redirection ...
 Unable to handle kernel paging request at virtual address bfffffc0088d0514
 Mem abort info:
   ESR = 0x86000004
   EC = 0x21: IABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
   FSC = 0x04: level 0 translation fault
 [bfffffc0088d0514] address between user and kernel address ranges
 ...

If the CONFIGs are missing (or the mitigation isn't working), failure
is reported as:

 lkdtm: Performing direct entry CFI_BACKWARD
 lkdtm: Attempting unchecked stack return address redirection ...
 lkdtm: ok: redirected stack return address.
 lkdtm: Attempting checked stack return address redirection ...
 lkdtm: FAIL: stack return address was redirected!
 lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y

Co-developed-by: Dan Li <ashimida@linux.alibaba.com>
Signed-off-by: Dan Li <ashimida@linux.alibaba.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/lkml/20220416001103.1524653-1-keescook@chromium.org
2022-04-16 13:57:23 -07:00
altera-stapl
bcm-vk Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
c2port
cardreader misc: rtsx: clean up one inconsistent indenting 2022-03-18 13:52:30 +01:00
cb710 cb710: avoid NULL pointer subtraction 2021-10-05 15:50:05 +02:00
cxl Char/Misc and other driver changes for 5.17-rc1 2022-01-14 16:02:28 +01:00
echo
eeprom Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
genwqe Merge 5.15-rc3 into char-misc next 2021-09-27 15:39:40 +02:00
habanalabs habanalabs: Fix test build failures 2022-04-04 17:03:04 +02:00
ibmasm Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
lis3lv02d spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
lkdtm lkdtm: Add CFI_BACKWARD to test ROP mitigations 2022-04-16 13:57:23 -07:00
mei mei: avoid iterator usage outside of list_for_each_entry 2022-03-18 13:48:30 +01:00
ocxl ocxl: Make use of the helper macro LIST_HEAD() 2022-02-25 12:09:56 +01:00
pvpanic pvpanic: Indentation fixes here and there 2021-09-14 11:07:13 +02:00
sgi-gru misc: sgi-gru: Fix spelling mistake "unexpect" -> "unexpected" 2022-03-18 14:02:15 +01:00
sgi-xp net: sgi-xp: Use netif_rx(). 2022-03-04 12:02:19 +00:00
ti-st ti-st: use tty_write_room 2021-05-13 17:03:20 +02:00
uacce uacce: use sysfs_emit instead of sprintf 2021-12-21 10:13:34 +01:00
vmw_vmci VMCI: Release notification_bitmap in error path 2022-03-18 13:47:48 +01:00
ad525x_dpot-i2c.c misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
ad525x_dpot-spi.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
ad525x_dpot.c misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
ad525x_dpot.h misc: ad525x_dpot: Make ad_dpot_remove() return void 2021-10-13 14:35:37 +02:00
apds990x.c
apds9802als.c
atmel-ssc.c
bh1770glc.c
cs5535-mfgpt.c
ds1682.c
dummy-irq.c
dw-xdata-pcie.c misc: Add Synopsys DesignWare xData IP driver 2021-04-05 13:15:52 +02:00
enclosure.c misc: enclosure: replace snprintf in show functions with sysfs_emit 2021-10-22 11:25:39 +02:00
fastrpc.c Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
gehc-achc.c misc: gehc: Add SPI ID table 2021-10-05 15:47:18 +02:00
hi6421v600-irq.c misc: hi6421-spmi-pmic: Use generic_handle_irq_safe(). 2022-03-02 22:28:50 +01:00
hisi_hikey_usb.c misc: hisi_hikey_usb: change the DT schema 2021-09-14 10:57:31 +02:00
hmc6352.c
hpilo.c misc: hpilo: map iLO shared memory by PCI revision id 2021-06-04 15:28:23 +02:00
hpilo.h misc: hpilo: map iLO shared memory by PCI revision id 2021-06-04 15:28:23 +02:00
ibmvmc.c
ibmvmc.h
ics932s401.c ics932s401: fix broken handling of errors when word reading fails 2021-05-13 17:21:54 +02:00
isl29003.c
isl29020.c
Kconfig misc: fastrpc: Add support to secure memory map 2022-03-18 14:11:00 +01:00
kgdbts.c kgdbts: fix return value of __setup handler 2022-03-18 14:17:56 +01:00
lattice-ecp3-config.c spi: make remove callback a void function 2022-02-09 13:00:45 +00:00
Makefile misc: open-dice: Add driver to expose DICE data to userspace 2022-02-04 16:45:39 +01:00
open-dice.c misc: open-dice: Add driver to expose DICE data to userspace 2022-02-04 16:45:39 +01:00
pch_phub.c
pci_endpoint_test.c misc: pci_endpoint_test: Terminate statement with semicolon 2022-01-11 10:19:59 -06:00
phantom.c
qcom-coincell.c
sram-exec.c
sram.c misc: sram: Add compatible string for Tegra234 SYSRAM 2021-12-08 15:16:05 +01:00
sram.h misc: sram: Only map reserved areas in Tegra SYSRAM 2021-08-05 14:27:46 +02:00
tifm_7xx1.c tifm: Remove usage of the deprecated "pci-dma-compat.h" API 2021-09-21 17:33:31 +02:00
tifm_core.c tifm: Remove usage of the deprecated "pci-dma-compat.h" API 2021-09-21 17:33:31 +02:00
tsl2550.c
vmw_balloon.c
xilinx_sdfec.c misc: xilinx-sdfec: Drop unnecessary NULL check after container_of 2021-05-21 22:14:48 +02:00