2e53b877dc
In order to test various backward-edge control flow integrity methods, add a test that manipulates the return address on the stack. Currently only arm64 Pointer Authentication and Shadow Call Stack is supported. $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT Under SCS, successful test of the mitigation is reported as: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... lkdtm: ok: control flow unchanged. Under PAC, successful test of the mitigation is reported by the PAC exception handler: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... Unable to handle kernel paging request at virtual address bfffffc0088d0514 Mem abort info: ESR = 0x86000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault [bfffffc0088d0514] address between user and kernel address ranges ... If the CONFIGs are missing (or the mitigation isn't working), failure is reported as: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... lkdtm: FAIL: stack return address was redirected! lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y Co-developed-by: Dan Li <ashimida@linux.alibaba.com> Signed-off-by: Dan Li <ashimida@linux.alibaba.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/lkml/20220416001103.1524653-1-keescook@chromium.org |
||
---|---|---|
.. | ||
altera-stapl | ||
bcm-vk | ||
c2port | ||
cardreader | ||
cb710 | ||
cxl | ||
echo | ||
eeprom | ||
genwqe | ||
habanalabs | ||
ibmasm | ||
lis3lv02d | ||
lkdtm | ||
mei | ||
ocxl | ||
pvpanic | ||
sgi-gru | ||
sgi-xp | ||
ti-st | ||
uacce | ||
vmw_vmci | ||
ad525x_dpot-i2c.c | ||
ad525x_dpot-spi.c | ||
ad525x_dpot.c | ||
ad525x_dpot.h | ||
apds990x.c | ||
apds9802als.c | ||
atmel-ssc.c | ||
bh1770glc.c | ||
cs5535-mfgpt.c | ||
ds1682.c | ||
dummy-irq.c | ||
dw-xdata-pcie.c | ||
enclosure.c | ||
fastrpc.c | ||
gehc-achc.c | ||
hi6421v600-irq.c | ||
hisi_hikey_usb.c | ||
hmc6352.c | ||
hpilo.c | ||
hpilo.h | ||
ibmvmc.c | ||
ibmvmc.h | ||
ics932s401.c | ||
isl29003.c | ||
isl29020.c | ||
Kconfig | ||
kgdbts.c | ||
lattice-ecp3-config.c | ||
Makefile | ||
open-dice.c | ||
pch_phub.c | ||
pci_endpoint_test.c | ||
phantom.c | ||
qcom-coincell.c | ||
sram-exec.c | ||
sram.c | ||
sram.h | ||
tifm_7xx1.c | ||
tifm_core.c | ||
tsl2550.c | ||
vmw_balloon.c | ||
xilinx_sdfec.c |