5ad18b2e60
Pull force_sig() argument change from Eric Biederman: "A source of error over the years has been that force_sig has taken a task parameter when it is only safe to use force_sig with the current task. The force_sig function is built for delivering synchronous signals such as SIGSEGV where the userspace application caused a synchronous fault (such as a page fault) and the kernel responded with a signal. Because the name force_sig does not make this clear, and because the force_sig takes a task parameter the function force_sig has been abused for sending other kinds of signals over the years. Slowly those have been fixed when the oopses have been tracked down. This set of changes fixes the remaining abusers of force_sig and carefully rips out the task parameter from force_sig and friends making this kind of error almost impossible in the future" * 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (27 commits) signal/x86: Move tsk inside of CONFIG_MEMORY_FAILURE in do_sigbus signal: Remove the signal number and task parameters from force_sig_info signal: Factor force_sig_info_to_task out of force_sig_info signal: Generate the siginfo in force_sig signal: Move the computation of force into send_signal and correct it. signal: Properly set TRACE_SIGNAL_LOSE_INFO in __send_signal signal: Remove the task parameter from force_sig_fault signal: Use force_sig_fault_to_task for the two calls that don't deliver to current signal: Explicitly call force_sig_fault on current signal/unicore32: Remove tsk parameter from __do_user_fault signal/arm: Remove tsk parameter from __do_user_fault signal/arm: Remove tsk parameter from ptrace_break signal/nds32: Remove tsk parameter from send_sigtrap signal/riscv: Remove tsk parameter from do_trap signal/sh: Remove tsk parameter from force_sig_info_fault signal/um: Remove task parameter from send_sigtrap signal/x86: Remove task parameter from send_sigtrap signal: Remove task parameter from force_sig_mceerr signal: Remove task parameter from force_sig signal: Remove task parameter from force_sigsegv ...
269 lines
6.1 KiB
C
269 lines
6.1 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* This is for all the tests related to logic bugs (e.g. bad dereferences,
|
|
* bad alignment, bad loops, bad locking, bad scheduling, deep stacks, and
|
|
* lockups) along with other things that don't fit well into existing LKDTM
|
|
* test source files.
|
|
*/
|
|
#include "lkdtm.h"
|
|
#include <linux/list.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/sched/signal.h>
|
|
#include <linux/sched/task_stack.h>
|
|
#include <linux/uaccess.h>
|
|
|
|
struct lkdtm_list {
|
|
struct list_head node;
|
|
};
|
|
|
|
/*
|
|
* Make sure our attempts to over run the kernel stack doesn't trigger
|
|
* a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
|
|
* recurse past the end of THREAD_SIZE by default.
|
|
*/
|
|
#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
|
|
#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
|
|
#else
|
|
#define REC_STACK_SIZE (THREAD_SIZE / 8)
|
|
#endif
|
|
#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
|
|
|
|
static int recur_count = REC_NUM_DEFAULT;
|
|
|
|
static DEFINE_SPINLOCK(lock_me_up);
|
|
|
|
/*
|
|
* Make sure compiler does not optimize this function or stack frame away:
|
|
* - function marked noinline
|
|
* - stack variables are marked volatile
|
|
* - stack variables are written (memset()) and read (pr_info())
|
|
* - function has external effects (pr_info())
|
|
* */
|
|
static int noinline recursive_loop(int remaining)
|
|
{
|
|
volatile char buf[REC_STACK_SIZE];
|
|
|
|
memset((void *)buf, remaining & 0xFF, sizeof(buf));
|
|
pr_info("loop %d/%d ...\n", (int)buf[remaining % sizeof(buf)],
|
|
recur_count);
|
|
if (!remaining)
|
|
return 0;
|
|
else
|
|
return recursive_loop(remaining - 1);
|
|
}
|
|
|
|
/* If the depth is negative, use the default, otherwise keep parameter. */
|
|
void __init lkdtm_bugs_init(int *recur_param)
|
|
{
|
|
if (*recur_param < 0)
|
|
*recur_param = recur_count;
|
|
else
|
|
recur_count = *recur_param;
|
|
}
|
|
|
|
void lkdtm_PANIC(void)
|
|
{
|
|
panic("dumptest");
|
|
}
|
|
|
|
void lkdtm_BUG(void)
|
|
{
|
|
BUG();
|
|
}
|
|
|
|
static int warn_counter;
|
|
|
|
void lkdtm_WARNING(void)
|
|
{
|
|
WARN(1, "Warning message trigger count: %d\n", warn_counter++);
|
|
}
|
|
|
|
void lkdtm_EXCEPTION(void)
|
|
{
|
|
*((volatile int *) 0) = 0;
|
|
}
|
|
|
|
void lkdtm_LOOP(void)
|
|
{
|
|
for (;;)
|
|
;
|
|
}
|
|
|
|
void lkdtm_EXHAUST_STACK(void)
|
|
{
|
|
pr_info("Calling function with %d frame size to depth %d ...\n",
|
|
REC_STACK_SIZE, recur_count);
|
|
recursive_loop(recur_count);
|
|
pr_info("FAIL: survived without exhausting stack?!\n");
|
|
}
|
|
|
|
static noinline void __lkdtm_CORRUPT_STACK(void *stack)
|
|
{
|
|
memset(stack, '\xff', 64);
|
|
}
|
|
|
|
/* This should trip the stack canary, not corrupt the return address. */
|
|
noinline void lkdtm_CORRUPT_STACK(void)
|
|
{
|
|
/* Use default char array length that triggers stack protection. */
|
|
char data[8] __aligned(sizeof(void *));
|
|
|
|
__lkdtm_CORRUPT_STACK(&data);
|
|
|
|
pr_info("Corrupted stack containing char array ...\n");
|
|
}
|
|
|
|
/* Same as above but will only get a canary with -fstack-protector-strong */
|
|
noinline void lkdtm_CORRUPT_STACK_STRONG(void)
|
|
{
|
|
union {
|
|
unsigned short shorts[4];
|
|
unsigned long *ptr;
|
|
} data __aligned(sizeof(void *));
|
|
|
|
__lkdtm_CORRUPT_STACK(&data);
|
|
|
|
pr_info("Corrupted stack containing union ...\n");
|
|
}
|
|
|
|
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
|
|
{
|
|
static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5};
|
|
u32 *p;
|
|
u32 val = 0x12345678;
|
|
|
|
p = (u32 *)(data + 1);
|
|
if (*p == 0)
|
|
val = 0x87654321;
|
|
*p = val;
|
|
}
|
|
|
|
void lkdtm_SOFTLOCKUP(void)
|
|
{
|
|
preempt_disable();
|
|
for (;;)
|
|
cpu_relax();
|
|
}
|
|
|
|
void lkdtm_HARDLOCKUP(void)
|
|
{
|
|
local_irq_disable();
|
|
for (;;)
|
|
cpu_relax();
|
|
}
|
|
|
|
void lkdtm_SPINLOCKUP(void)
|
|
{
|
|
/* Must be called twice to trigger. */
|
|
spin_lock(&lock_me_up);
|
|
/* Let sparse know we intended to exit holding the lock. */
|
|
__release(&lock_me_up);
|
|
}
|
|
|
|
void lkdtm_HUNG_TASK(void)
|
|
{
|
|
set_current_state(TASK_UNINTERRUPTIBLE);
|
|
schedule();
|
|
}
|
|
|
|
void lkdtm_CORRUPT_LIST_ADD(void)
|
|
{
|
|
/*
|
|
* Initially, an empty list via LIST_HEAD:
|
|
* test_head.next = &test_head
|
|
* test_head.prev = &test_head
|
|
*/
|
|
LIST_HEAD(test_head);
|
|
struct lkdtm_list good, bad;
|
|
void *target[2] = { };
|
|
void *redirection = ⌖
|
|
|
|
pr_info("attempting good list addition\n");
|
|
|
|
/*
|
|
* Adding to the list performs these actions:
|
|
* test_head.next->prev = &good.node
|
|
* good.node.next = test_head.next
|
|
* good.node.prev = test_head
|
|
* test_head.next = good.node
|
|
*/
|
|
list_add(&good.node, &test_head);
|
|
|
|
pr_info("attempting corrupted list addition\n");
|
|
/*
|
|
* In simulating this "write what where" primitive, the "what" is
|
|
* the address of &bad.node, and the "where" is the address held
|
|
* by "redirection".
|
|
*/
|
|
test_head.next = redirection;
|
|
list_add(&bad.node, &test_head);
|
|
|
|
if (target[0] == NULL && target[1] == NULL)
|
|
pr_err("Overwrite did not happen, but no BUG?!\n");
|
|
else
|
|
pr_err("list_add() corruption not detected!\n");
|
|
}
|
|
|
|
void lkdtm_CORRUPT_LIST_DEL(void)
|
|
{
|
|
LIST_HEAD(test_head);
|
|
struct lkdtm_list item;
|
|
void *target[2] = { };
|
|
void *redirection = ⌖
|
|
|
|
list_add(&item.node, &test_head);
|
|
|
|
pr_info("attempting good list removal\n");
|
|
list_del(&item.node);
|
|
|
|
pr_info("attempting corrupted list removal\n");
|
|
list_add(&item.node, &test_head);
|
|
|
|
/* As with the list_add() test above, this corrupts "next". */
|
|
item.node.next = redirection;
|
|
list_del(&item.node);
|
|
|
|
if (target[0] == NULL && target[1] == NULL)
|
|
pr_err("Overwrite did not happen, but no BUG?!\n");
|
|
else
|
|
pr_err("list_del() corruption not detected!\n");
|
|
}
|
|
|
|
/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */
|
|
void lkdtm_CORRUPT_USER_DS(void)
|
|
{
|
|
pr_info("setting bad task size limit\n");
|
|
set_fs(KERNEL_DS);
|
|
|
|
/* Make sure we do not keep running with a KERNEL_DS! */
|
|
force_sig(SIGKILL);
|
|
}
|
|
|
|
/* Test that VMAP_STACK is actually allocating with a leading guard page */
|
|
void lkdtm_STACK_GUARD_PAGE_LEADING(void)
|
|
{
|
|
const unsigned char *stack = task_stack_page(current);
|
|
const unsigned char *ptr = stack - 1;
|
|
volatile unsigned char byte;
|
|
|
|
pr_info("attempting bad read from page below current stack\n");
|
|
|
|
byte = *ptr;
|
|
|
|
pr_err("FAIL: accessed page before stack!\n");
|
|
}
|
|
|
|
/* Test that VMAP_STACK is actually allocating with a trailing guard page */
|
|
void lkdtm_STACK_GUARD_PAGE_TRAILING(void)
|
|
{
|
|
const unsigned char *stack = task_stack_page(current);
|
|
const unsigned char *ptr = stack + THREAD_SIZE;
|
|
volatile unsigned char byte;
|
|
|
|
pr_info("attempting bad read from page above current stack\n");
|
|
|
|
byte = *ptr;
|
|
|
|
pr_err("FAIL: accessed page after stack!\n");
|
|
}
|