diff options
| author | David Windsor <dave@progbits.org> | 2015-12-17 00:56:36 -0500 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2016-03-01 17:29:15 -0500 |
| commit | 5fd9e48084f5566aafb759882f549f37e5940501 (patch) | |
| tree | 8f44f01ff67d74fd63278db2acbb4ca9afa3095e | |
| parent | 920d451f9ce68e306b1f35b2029450093163d476 (diff) | |
lkdtm: add test for atomic_t underflow/overflow
dmesg output of running this LKDTM test with PaX:
[187095.475573] lkdtm: No crash points registered, enable through debugfs
[187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
[187118.030045] lkdtm: attempting atomic underflow
[187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
[187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.111321] RIP: 0010:[<ffffffffc00fc2fe>] [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
...
[187118.128074] lkdtm: attempting atomic overflow
[187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
[187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.128092] RIP: 0010:[<ffffffffc00fc316>] [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
Signed-off-by: David Windsor <dave@progbits.org>
[cleaned up whitespacing, keescook]
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | drivers/misc/lkdtm.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index 8e00e2e992d1..c333e813ed34 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c | |||
| @@ -107,6 +107,7 @@ enum ctype { | |||
| 107 | CT_ACCESS_USERSPACE, | 107 | CT_ACCESS_USERSPACE, |
| 108 | CT_WRITE_RO, | 108 | CT_WRITE_RO, |
| 109 | CT_WRITE_KERN, | 109 | CT_WRITE_KERN, |
| 110 | CT_WRAP_ATOMIC | ||
| 110 | }; | 111 | }; |
| 111 | 112 | ||
| 112 | static char* cp_name[] = { | 113 | static char* cp_name[] = { |
| @@ -147,6 +148,7 @@ static char* cp_type[] = { | |||
| 147 | "ACCESS_USERSPACE", | 148 | "ACCESS_USERSPACE", |
| 148 | "WRITE_RO", | 149 | "WRITE_RO", |
| 149 | "WRITE_KERN", | 150 | "WRITE_KERN", |
| 151 | "WRAP_ATOMIC" | ||
| 150 | }; | 152 | }; |
| 151 | 153 | ||
| 152 | static struct jprobe lkdtm; | 154 | static struct jprobe lkdtm; |
| @@ -620,6 +622,17 @@ static void lkdtm_do_action(enum ctype which) | |||
| 620 | do_overwritten(); | 622 | do_overwritten(); |
| 621 | break; | 623 | break; |
| 622 | } | 624 | } |
| 625 | case CT_WRAP_ATOMIC: { | ||
| 626 | atomic_t under = ATOMIC_INIT(INT_MIN); | ||
| 627 | atomic_t over = ATOMIC_INIT(INT_MAX); | ||
| 628 | |||
| 629 | pr_info("attempting atomic underflow\n"); | ||
| 630 | atomic_dec(&under); | ||
| 631 | pr_info("attempting atomic overflow\n"); | ||
| 632 | atomic_inc(&over); | ||
| 633 | |||
| 634 | return; | ||
| 635 | } | ||
| 623 | case CT_NONE: | 636 | case CT_NONE: |
| 624 | default: | 637 | default: |
| 625 | break; | 638 | break; |