aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--kernel/panic.c68
1 files changed, 68 insertions, 0 deletions
diff --git a/kernel/panic.c b/kernel/panic.c
index 17aad578a2f2..50cf9257b234 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -324,14 +324,82 @@ EXPORT_SYMBOL(warn_on_slowpath);
324#endif 324#endif
325 325
326#ifdef CONFIG_CC_STACKPROTECTOR 326#ifdef CONFIG_CC_STACKPROTECTOR
327
328static unsigned long __stack_check_testing;
329/*
330 * Self test function for the stack-protector feature.
331 * This test requires that the local variable absolutely has
332 * a stack slot, hence the barrier()s.
333 */
334static noinline void __stack_chk_test_func(void)
335{
336 unsigned long foo;
337 barrier();
338 /*
339 * we need to make sure we're not about to clobber the return address,
340 * while real exploits do this, it's unhealthy on a running system.
341 * Besides, if we would, the test is already failed anyway so
342 * time to pull the emergency brake on it.
343 */
344 if ((unsigned long)__builtin_return_address(0) ==
345 *(((unsigned long *)&foo)+1)) {
346 printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
347 return;
348 }
349#ifdef CONFIG_FRAME_POINTER
350 /* We also don't want to clobber the frame pointer */
351 if ((unsigned long)__builtin_return_address(0) ==
352 *(((unsigned long *)&foo)+2)) {
353 printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
354 return;
355 }
356#endif
357 barrier();
358 if (current->stack_canary == *(((unsigned long *)&foo)+1))
359 *(((unsigned long *)&foo)+1) = 0;
360 else
361 printk(KERN_ERR "No -fstack-protector canary found\n");
362 barrier();
363}
364
365static int __stack_chk_test(void)
366{
367 printk(KERN_INFO "Testing -fstack-protector-all feature\n");
368 __stack_check_testing = (unsigned long)&__stack_chk_test_func;
369 __stack_chk_test_func();
370 if (__stack_check_testing) {
371 printk(KERN_ERR "-fstack-protector-all test failed\n");
372 WARN_ON(1);
373 }
374 return 0;
375}
327/* 376/*
328 * Called when gcc's -fstack-protector feature is used, and 377 * Called when gcc's -fstack-protector feature is used, and
329 * gcc detects corruption of the on-stack canary value 378 * gcc detects corruption of the on-stack canary value
330 */ 379 */
331void __stack_chk_fail(void) 380void __stack_chk_fail(void)
332{ 381{
382 if (__stack_check_testing == (unsigned long)&__stack_chk_test_func) {
383 long delta;
384
385 delta = (unsigned long)__builtin_return_address(0) -
386 __stack_check_testing;
387 /*
388 * The test needs to happen inside the test function, so
389 * check if the return address is close to that function.
390 * The function is only 2 dozen bytes long, but keep a wide
391 * safety margin to avoid panic()s for normal users regardless
392 * of the quality of the compiler.
393 */
394 if (delta >= 0 && delta <= 400) {
395 __stack_check_testing = 0;
396 return;
397 }
398 }
333 panic("stack-protector: Kernel stack is corrupted in: %p\n", 399 panic("stack-protector: Kernel stack is corrupted in: %p\n",
334 __builtin_return_address(0)); 400 __builtin_return_address(0));
335} 401}
336EXPORT_SYMBOL(__stack_chk_fail); 402EXPORT_SYMBOL(__stack_chk_fail);
403
404late_initcall(__stack_chk_test);
337#endif 405#endif