x86: add CONFIG_CC_STACKPROTECTOR self-test

This patch adds a simple self-test capability to the stackprotector feature. The test deliberately overflows a stack buffer and then checks if the canary trap function gets called. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
author: Arjan van de Ven <arjan@linux.intel.com> 2008-02-15 18:33:12 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2008-05-26 10:15:32 -0400
commit: 54371a43a66f4477889769b4fa00df936855dc8f (patch)
tree: 71ac55110032a742f3a166bb11957936339ca3e7 /kernel/panic.c
parent: 113c5413cf9051cc50b88befdc42e3402bb92115 (diff)
1 files changed, 68 insertions, 0 deletions
diff --git a/kernel/panic.c b/kernel/panic.c
index 17aad578a2f2..50cf9257b234 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -324,14 +324,82 @@ EXPORT_SYMBOL(warn_on_slowpath);
 #endif
 #ifdef CONFIG_CC_STACKPROTECTOR
+static unsigned long __stack_check_testing;
+/*
+ * Self test function for the stack-protector feature.
+ * This test requires that the local variable absolutely has
+ * a stack slot, hence the barrier()s.
+ */
+static noinline void __stack_chk_test_func(void)
+{
+        unsigned long foo;
+        barrier();
+        /*
+         * we need to make sure we're not about to clobber the return address,
+         * while real exploits do this, it's unhealthy on a running system.
+         * Besides, if we would, the test is already failed anyway so
+         * time to pull the emergency brake on it.
+         */
+        if ((unsigned long)__builtin_return_address(0) == 
+                                        *(((unsigned long *)&foo)+1)) {
+                printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+                return;
+        }
+#ifdef CONFIG_FRAME_POINTER
+        /* We also don't want to clobber the frame pointer */
+        if ((unsigned long)__builtin_return_address(0) == 
+                                        *(((unsigned long *)&foo)+2)) {
+                printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+                return;
+        }
+#endif
+        barrier();
+        if (current->stack_canary == *(((unsigned long *)&foo)+1))
+                *(((unsigned long *)&foo)+1) = 0;
+        else
+                printk(KERN_ERR "No -fstack-protector canary found\n");
+        barrier();
+}
+static int __stack_chk_test(void)
+{
+        printk(KERN_INFO "Testing -fstack-protector-all feature\n");
+        __stack_check_testing = (unsigned long)&__stack_chk_test_func;
+        __stack_chk_test_func();
+        if (__stack_check_testing) {
+                printk(KERN_ERR "-fstack-protector-all test failed\n");
+                WARN_ON(1);
+        }
+        return 0;
+}
 /*
 * Called when gcc's -fstack-protector feature is used, and
 * gcc detects corruption of the on-stack canary value
 */
 void __stack_chk_fail(void)
 {
+        if (__stack_check_testing == (unsigned long)&__stack_chk_test_func) {
+                long delta;
+                delta = (unsigned long)__builtin_return_address(0) -
+                                __stack_check_testing;
+                /*
+                 * The test needs to happen inside the test function, so
+                 * check if the return address is close to that function.
+                 * The function is only 2 dozen bytes long, but keep a wide
+                 * safety margin to avoid panic()s for normal users regardless
+                 * of the quality of the compiler.
+                 */
+                if (delta >= 0 && delta <= 400) {
+                        __stack_check_testing = 0;
+                        return;
+                }
+        }
        panic("stack-protector: Kernel stack is corrupted in: %p\n",
                __builtin_return_address(0));
 }
 EXPORT_SYMBOL(__stack_chk_fail);
+late_initcall(__stack_chk_test);
 #endif
author	Arjan van de Ven <arjan@linux.intel.com>	2008-02-15 18:33:12 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2008-05-26 10:15:32 -0400
commit	54371a43a66f4477889769b4fa00df936855dc8f (patch)
tree	71ac55110032a742f3a166bb11957936339ca3e7 /kernel/panic.c
parent	113c5413cf9051cc50b88befdc42e3402bb92115 (diff)

diff --git a/kernel/panic.c b/kernel/panic.c index 17aad578a2f2..50cf9257b234 100644 --- a/kernel/panic.c +++ b/kernel/panic.c
@@ -324,14 +324,82 @@ EXPORT_SYMBOL(warn_on_slowpath);
324	#endif	324	#endif
325		325
326	#ifdef CONFIG_CC_STACKPROTECTOR	326	#ifdef CONFIG_CC_STACKPROTECTOR
		327
		328	static unsigned long __stack_check_testing;
		329	/*
		330	* Self test function for the stack-protector feature.
		331	* This test requires that the local variable absolutely has
		332	* a stack slot, hence the barrier()s.
		333	*/
		334	static noinline void __stack_chk_test_func(void)
		335	{
		336	unsigned long foo;
		337	barrier();
		338	/*
		339	* we need to make sure we're not about to clobber the return address,
		340	* while real exploits do this, it's unhealthy on a running system.
		341	* Besides, if we would, the test is already failed anyway so
		342	* time to pull the emergency brake on it.
		343	*/
		344	if ((unsigned long)__builtin_return_address(0) ==
		345	(((unsigned long )&foo)+1)) {
		346	printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
		347	return;
		348	}
		349	#ifdef CONFIG_FRAME_POINTER
		350	/* We also don't want to clobber the frame pointer */
		351	if ((unsigned long)__builtin_return_address(0) ==
		352	(((unsigned long )&foo)+2)) {
		353	printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
		354	return;
		355	}
		356	#endif
		357	barrier();
		358	if (current->stack_canary == (((unsigned long )&foo)+1))
		359	(((unsigned long )&foo)+1) = 0;
		360	else
		361	printk(KERN_ERR "No -fstack-protector canary found\n");
		362	barrier();
		363	}
		364
		365	static int __stack_chk_test(void)
		366	{
		367	printk(KERN_INFO "Testing -fstack-protector-all feature\n");
		368	__stack_check_testing = (unsigned long)&__stack_chk_test_func;
		369	__stack_chk_test_func();
		370	if (__stack_check_testing) {
		371	printk(KERN_ERR "-fstack-protector-all test failed\n");
		372	WARN_ON(1);
		373	}
		374	return 0;
		375	}
327	/*	376	/*
328	* Called when gcc's -fstack-protector feature is used, and	377	* Called when gcc's -fstack-protector feature is used, and
329	* gcc detects corruption of the on-stack canary value	378	* gcc detects corruption of the on-stack canary value
330	*/	379	*/
331	void __stack_chk_fail(void)	380	void __stack_chk_fail(void)
332	{	381	{
		382	if (__stack_check_testing == (unsigned long)&__stack_chk_test_func) {
		383	long delta;
		384
		385	delta = (unsigned long)__builtin_return_address(0) -
		386	__stack_check_testing;
		387	/*
		388	* The test needs to happen inside the test function, so
		389	* check if the return address is close to that function.
		390	* The function is only 2 dozen bytes long, but keep a wide
		391	* safety margin to avoid panic()s for normal users regardless
		392	* of the quality of the compiler.
		393	*/
		394	if (delta >= 0 && delta <= 400) {
		395	__stack_check_testing = 0;
		396	return;
		397	}
		398	}
333	panic("stack-protector: Kernel stack is corrupted in: %p\n",	399	panic("stack-protector: Kernel stack is corrupted in: %p\n",
334	__builtin_return_address(0));	400	__builtin_return_address(0));
335	}	401	}
336	EXPORT_SYMBOL(__stack_chk_fail);	402	EXPORT_SYMBOL(__stack_chk_fail);
		403
		404	late_initcall(__stack_chk_test);
337	#endif	405	#endif