lkdtm: add "WRITE_KERN" test

Add "WRITE_KERN" crash target to validate that kernel executable memory is not writable. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Kees Cook <keescook@chromium.org> 2014-02-09 16:48:48 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-14 15:30:20 -0500
commit: dc2b9e9069780774c01a06e0ea8dce0c705f1812 (patch)
tree: 1be055211e27aeddf72cc09c33b5c55daae4db8a
parent: aac416fc38cdfd45139a6917eb3f6b77cd00a24f (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index d6ee1aae3e72..d30301149242 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -102,6 +102,7 @@ enum ctype {
        CT_EXEC_USERSPACE,
        CT_ACCESS_USERSPACE,
        CT_WRITE_RO,
+        CT_WRITE_KERN,
 };
 static char* cp_name[] = {
@@ -138,6 +139,7 @@ static char* cp_type[] = {
        "EXEC_USERSPACE",
        "ACCESS_USERSPACE",
        "WRITE_RO",
+        "WRITE_KERN",
 };
 static struct jprobe lkdtm;
@@ -317,6 +319,13 @@ static void do_nothing(void)
        return;
 }
+/* Must immediately follow do_nothing for size calculuations to work out. */
+static void do_overwritten(void)
+{
+        pr_info("do_overwritten wasn't overwritten!\n");
+        return;
+}
 static noinline void corrupt_stack(void)
 {
        /* Use default char array length that triggers stack protection. */
@@ -496,6 +505,22 @@ static void lkdtm_do_action(enum ctype which)
                break;
        }
+        case CT_WRITE_KERN: {
+                size_t size;
+                unsigned char *ptr;
+                size = (unsigned long)do_overwritten -
+                       (unsigned long)do_nothing;
+                ptr = (unsigned char *)do_overwritten;
+                pr_info("attempting bad %zu byte write at %p\n", size, ptr);
+                memcpy(ptr, (unsigned char *)do_nothing, size);
+                flush_icache_range((unsigned long)ptr,
+                                   (unsigned long)(ptr + size));
+                do_overwritten();
+                break;
+        }
        case CT_NONE:
        default:
                break;
author	Kees Cook <keescook@chromium.org>	2014-02-09 16:48:48 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-02-14 15:30:20 -0500
commit	dc2b9e9069780774c01a06e0ea8dce0c705f1812 (patch)
tree	1be055211e27aeddf72cc09c33b5c55daae4db8a
parent	aac416fc38cdfd45139a6917eb3f6b77cd00a24f (diff)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index d6ee1aae3e72..d30301149242 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c
@@ -102,6 +102,7 @@ enum ctype {
102	CT_EXEC_USERSPACE,	102	CT_EXEC_USERSPACE,
103	CT_ACCESS_USERSPACE,	103	CT_ACCESS_USERSPACE,
104	CT_WRITE_RO,	104	CT_WRITE_RO,
		105	CT_WRITE_KERN,
105	};	106	};
106		107
107	static char* cp_name[] = {	108	static char* cp_name[] = {
@@ -138,6 +139,7 @@ static char* cp_type[] = {
138	"EXEC_USERSPACE",	139	"EXEC_USERSPACE",
139	"ACCESS_USERSPACE",	140	"ACCESS_USERSPACE",
140	"WRITE_RO",	141	"WRITE_RO",
		142	"WRITE_KERN",
141	};	143	};
142		144
143	static struct jprobe lkdtm;	145	static struct jprobe lkdtm;
@@ -317,6 +319,13 @@ static void do_nothing(void)
317	return;	319	return;
318	}	320	}
319		321
		322	/* Must immediately follow do_nothing for size calculuations to work out. */
		323	static void do_overwritten(void)
		324	{
		325	pr_info("do_overwritten wasn't overwritten!\n");
		326	return;
		327	}
		328
320	static noinline void corrupt_stack(void)	329	static noinline void corrupt_stack(void)
321	{	330	{
322	/* Use default char array length that triggers stack protection. */	331	/* Use default char array length that triggers stack protection. */
@@ -496,6 +505,22 @@ static void lkdtm_do_action(enum ctype which)
496		505
497	break;	506	break;
498	}	507	}
		508	case CT_WRITE_KERN: {
		509	size_t size;
		510	unsigned char *ptr;
		511
		512	size = (unsigned long)do_overwritten -
		513	(unsigned long)do_nothing;
		514	ptr = (unsigned char *)do_overwritten;
		515
		516	pr_info("attempting bad %zu byte write at %p\n", size, ptr);
		517	memcpy(ptr, (unsigned char *)do_nothing, size);
		518	flush_icache_range((unsigned long)ptr,
		519	(unsigned long)(ptr + size));
		520
		521	do_overwritten();
		522	break;
		523	}
499	case CT_NONE:	524	case CT_NONE:
500	default:	525	default:
501	break;	526	break;