4 files changed, 79 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index 3370a4138e94..951c984de61a 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -8,7 +8,9 @@ lkdtm-$(CONFIG_LKDTM)		+= perms.o
 lkdtm-$(CONFIG_LKDTM)           += refcount.o
 lkdtm-$(CONFIG_LKDTM)           += rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)           += usercopy.o
+lkdtm-$(CONFIG_LKDTM)           += stackleak.o
+KASAN_SANITIZE_stackleak.o      := n
 KCOV_INSTRUMENT_rodata.o        := n
 OBJCOPYFLAGS :=
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 5a755590d3dc..2837dc77478e 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -184,6 +184,7 @@ static const struct crashtype crashtypes[] = {
        CRASHTYPE(USERCOPY_STACK_BEYOND),
        CRASHTYPE(USERCOPY_KERNEL),
        CRASHTYPE(USERCOPY_KERNEL_DS),
+        CRASHTYPE(STACKLEAK_ERASING),
 };
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 07db641d71d0..3c6fd327e166 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -84,4 +84,7 @@ void lkdtm_USERCOPY_STACK_BEYOND(void);
 void lkdtm_USERCOPY_KERNEL(void);
 void lkdtm_USERCOPY_KERNEL_DS(void);
+/* lkdtm_stackleak.c */
+void lkdtm_STACKLEAK_ERASING(void);
 #endif
diff --git a/drivers/misc/lkdtm/stackleak.c b/drivers/misc/lkdtm/stackleak.c
new file mode 100644
index 000000000000..d5a084475abc
--- /dev/null
+++ b/drivers/misc/lkdtm/stackleak.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * This code tests that the current task stack is properly erased (filled
+ * with STACKLEAK_POISON).
+ *
+ * Authors:
+ *   Alexander Popov <alex.popov@linux.com>
+ *   Tycho Andersen <tycho@tycho.ws>
+ */
+#include "lkdtm.h"
+#include <linux/stackleak.h>
+void lkdtm_STACKLEAK_ERASING(void)
+{
+        unsigned long *sp, left, found, i;
+        const unsigned long check_depth =
+                        STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
+        /*
+         * For the details about the alignment of the poison values, see
+         * the comment in stackleak_track_stack().
+         */
+        sp = PTR_ALIGN(&i, sizeof(unsigned long));
+        left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long);
+        sp--;
+        /*
+         * One 'long int' at the bottom of the thread stack is reserved
+         * and not poisoned.
+         */
+        if (left > 1) {
+                left--;
+        } else {
+                pr_err("FAIL: not enough stack space for the test\n");
+                return;
+        }
+        pr_info("checking unused part of the thread stack (%lu bytes)...\n",
+                                        left * sizeof(unsigned long));
+        /*
+         * Search for 'check_depth' poison values in a row (just like
+         * stackleak_erase() does).
+         */
+        for (i = 0, found = 0; i < left && found <= check_depth; i++) {
+                if (*(sp - i) == STACKLEAK_POISON)
+                        found++;
+                else
+                        found = 0;
+        }
+        if (found <= check_depth) {
+                pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n",
+                                                i * sizeof(unsigned long));
+                return;
+        }
+        pr_info("first %lu bytes are unpoisoned\n",
+                                (i - found) * sizeof(unsigned long));
+        /* The rest of thread stack should be erased */
+        for (; i < left; i++) {
+                if (*(sp - i) != STACKLEAK_POISON) {
+                        pr_err("FAIL: thread stack is NOT properly erased\n");
+                        return;
+                }
+        }
+        pr_info("OK: the rest of the thread stack is properly erased\n");
+        return;
+}

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile index 3370a4138e94..951c984de61a 100644 --- a/drivers/misc/lkdtm/Makefile +++ b/drivers/misc/lkdtm/Makefile
@@ -8,7 +8,9 @@ lkdtm-$(CONFIG_LKDTM) += perms.o
8	lkdtm-$(CONFIG_LKDTM) += refcount.o	8	lkdtm-$(CONFIG_LKDTM) += refcount.o
9	lkdtm-$(CONFIG_LKDTM) += rodata_objcopy.o	9	lkdtm-$(CONFIG_LKDTM) += rodata_objcopy.o
10	lkdtm-$(CONFIG_LKDTM) += usercopy.o	10	lkdtm-$(CONFIG_LKDTM) += usercopy.o
		11	lkdtm-$(CONFIG_LKDTM) += stackleak.o
11		12
		13	KASAN_SANITIZE_stackleak.o := n
12	KCOV_INSTRUMENT_rodata.o := n	14	KCOV_INSTRUMENT_rodata.o := n
13		15
14	OBJCOPYFLAGS :=	16	OBJCOPYFLAGS :=


diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c index 5a755590d3dc..2837dc77478e 100644 --- a/drivers/misc/lkdtm/core.c +++ b/drivers/misc/lkdtm/core.c
@@ -184,6 +184,7 @@ static const struct crashtype crashtypes[] = {
184	CRASHTYPE(USERCOPY_STACK_BEYOND),	184	CRASHTYPE(USERCOPY_STACK_BEYOND),
185	CRASHTYPE(USERCOPY_KERNEL),	185	CRASHTYPE(USERCOPY_KERNEL),
186	CRASHTYPE(USERCOPY_KERNEL_DS),	186	CRASHTYPE(USERCOPY_KERNEL_DS),
		187	CRASHTYPE(STACKLEAK_ERASING),
187	};	188	};
188		189
189		190


diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h index 07db641d71d0..3c6fd327e166 100644 --- a/drivers/misc/lkdtm/lkdtm.h +++ b/drivers/misc/lkdtm/lkdtm.h
@@ -84,4 +84,7 @@ void lkdtm_USERCOPY_STACK_BEYOND(void);
84	void lkdtm_USERCOPY_KERNEL(void);	84	void lkdtm_USERCOPY_KERNEL(void);
85	void lkdtm_USERCOPY_KERNEL_DS(void);	85	void lkdtm_USERCOPY_KERNEL_DS(void);
86		86
		87	/* lkdtm_stackleak.c */
		88	void lkdtm_STACKLEAK_ERASING(void);
		89
87	#endif	90	#endif


diff --git a/drivers/misc/lkdtm/stackleak.c b/drivers/misc/lkdtm/stackleak.c new file mode 100644 index 000000000000..d5a084475abc --- /dev/null +++ b/drivers/misc/lkdtm/stackleak.c
@@ -0,0 +1,73 @@
		1	// SPDX-License-Identifier: GPL-2.0
		2	/*
		3	* This code tests that the current task stack is properly erased (filled
		4	* with STACKLEAK_POISON).
		5	*
		6	* Authors:
		7	* Alexander Popov <alex.popov@linux.com>
		8	* Tycho Andersen <tycho@tycho.ws>
		9	*/
		10
		11	#include "lkdtm.h"
		12	#include <linux/stackleak.h>
		13
		14	void lkdtm_STACKLEAK_ERASING(void)
		15	{
		16	unsigned long *sp, left, found, i;
		17	const unsigned long check_depth =
		18	STACKLEAK_SEARCH_DEPTH / sizeof(unsigned long);
		19
		20	/*
		21	* For the details about the alignment of the poison values, see
		22	* the comment in stackleak_track_stack().
		23	*/
		24	sp = PTR_ALIGN(&i, sizeof(unsigned long));
		25
		26	left = ((unsigned long)sp & (THREAD_SIZE - 1)) / sizeof(unsigned long);
		27	sp--;
		28
		29	/*
		30	* One 'long int' at the bottom of the thread stack is reserved
		31	* and not poisoned.
		32	*/
		33	if (left > 1) {
		34	left--;
		35	} else {
		36	pr_err("FAIL: not enough stack space for the test\n");
		37	return;
		38	}
		39
		40	pr_info("checking unused part of the thread stack (%lu bytes)...\n",
		41	left * sizeof(unsigned long));
		42
		43	/*
		44	* Search for 'check_depth' poison values in a row (just like
		45	* stackleak_erase() does).
		46	*/
		47	for (i = 0, found = 0; i < left && found <= check_depth; i++) {
		48	if (*(sp - i) == STACKLEAK_POISON)
		49	found++;
		50	else
		51	found = 0;
		52	}
		53
		54	if (found <= check_depth) {
		55	pr_err("FAIL: thread stack is not erased (checked %lu bytes)\n",
		56	i * sizeof(unsigned long));
		57	return;
		58	}
		59
		60	pr_info("first %lu bytes are unpoisoned\n",
		61	(i - found) * sizeof(unsigned long));
		62
		63	/* The rest of thread stack should be erased */
		64	for (; i < left; i++) {
		65	if (*(sp - i) != STACKLEAK_POISON) {
		66	pr_err("FAIL: thread stack is NOT properly erased\n");
		67	return;
		68	}
		69	}
		70
		71	pr_info("OK: the rest of the thread stack is properly erased\n");
		72	return;
		73	}