Commit 325bf6d8 authored by Kees Cook's avatar Kees Cook
Browse files

lkdtm: Update tests for memcpy() run-time warnings 



Clarify the LKDTM FORTIFY tests, and add tests for the mem*() family of
functions, now that run-time checking is distinct.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-kselftest@vger.kernel.org
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
parent 54d9469b

drivers/misc/lkdtm/fortify.c

+83 −13
Original line number Diff line number Diff line
@@ -10,28 +10,31 @@ 


static volatile int fortify_scratch_space;



static void lkdtm_FORTIFIED_OBJECT(void)

static void lkdtm_FORTIFY_STR_OBJECT(void)

{

	struct target {

		char a[10];

	} target[2] = {};

		int foo;

	} target[3] = {};

	/*

	 * Using volatile prevents the compiler from determining the value of

	 * 'size' at compile time. Without that, we would get a compile error

	 * rather than a runtime error.

	 */

	volatile int size = 11;

	volatile int size = 20;



	pr_info("trying to strcmp() past the end of a struct\n");



	pr_info("trying to read past the end of a struct\n");

	strncpy(target[0].a, target[1].a, size);



	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = memcmp(&target[0], &target[1], size);

	fortify_scratch_space = target[0].a[3];



	pr_err("FAIL: fortify did not block an object overread!\n");

	pr_err("FAIL: fortify did not block a strncpy() object write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);

}



static void lkdtm_FORTIFIED_SUBOBJECT(void)

static void lkdtm_FORTIFY_STR_MEMBER(void)

{

	struct target {

		char a[10];
@@ -44,7 +47,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) 
	strscpy(src, "over ten bytes", size);

	size = strlen(src) + 1;



	pr_info("trying to strncpy past the end of a member of a struct\n");

	pr_info("trying to strncpy() past the end of a struct member...\n");



	/*

	 * strncpy(target.a, src, 20); will hit a compile error because the
@@ -56,7 +59,72 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) 
	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = target.a[3];



	pr_err("FAIL: fortify did not block an sub-object overrun!\n");

	pr_err("FAIL: fortify did not block a strncpy() struct member write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);



	kfree(src);

}



static void lkdtm_FORTIFY_MEM_OBJECT(void)

{

	int before[10];

	struct target {

		char a[10];

		int foo;

	} target = {};

	int after[10];

	/*

	 * Using volatile prevents the compiler from determining the value of

	 * 'size' at compile time. Without that, we would get a compile error

	 * rather than a runtime error.

	 */

	volatile int size = 20;



	memset(before, 0, sizeof(before));

	memset(after, 0, sizeof(after));

	fortify_scratch_space = before[5];

	fortify_scratch_space = after[5];



	pr_info("trying to memcpy() past the end of a struct\n");



	pr_info("0: %zu\n", __builtin_object_size(&target, 0));

	pr_info("1: %zu\n", __builtin_object_size(&target, 1));

	pr_info("s: %d\n", size);

	memcpy(&target, &before, size);



	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = target.a[3];



	pr_err("FAIL: fortify did not block a memcpy() object write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);

}



static void lkdtm_FORTIFY_MEM_MEMBER(void)

{

	struct target {

		char a[10];

		char b[10];

	} target;

	volatile int size = 20;

	char *src;



	src = kmalloc(size, GFP_KERNEL);

	strscpy(src, "over ten bytes", size);

	size = strlen(src) + 1;



	pr_info("trying to memcpy() past the end of a struct member...\n");



	/*

	 * strncpy(target.a, src, 20); will hit a compile error because the

	 * compiler knows at build time that target.a < 20 bytes. Use a

	 * volatile to force a runtime error.

	 */

	memcpy(target.a, src, size);



	/* Store result to global to prevent the code from being eliminated */

	fortify_scratch_space = target.a[3];



	pr_err("FAIL: fortify did not block a memcpy() struct member write overflow!\n");

	pr_expected_config(CONFIG_FORTIFY_SOURCE);



	kfree(src);
@@ -67,7 +135,7 @@ static void lkdtm_FORTIFIED_SUBOBJECT(void) 
 * strscpy and generate a panic because there is a write overflow (i.e. src

 * length is greater than dst length).

 */

static void lkdtm_FORTIFIED_STRSCPY(void)

static void lkdtm_FORTIFY_STRSCPY(void)

{

	char *src;

	char dst[5];
@@ -136,9 +204,11 @@ static void lkdtm_FORTIFIED_STRSCPY(void) 
}



static struct crashtype crashtypes[] = {

	CRASHTYPE(FORTIFIED_OBJECT),

	CRASHTYPE(FORTIFIED_SUBOBJECT),

	CRASHTYPE(FORTIFIED_STRSCPY),

	CRASHTYPE(FORTIFY_STR_OBJECT),

	CRASHTYPE(FORTIFY_STR_MEMBER),

	CRASHTYPE(FORTIFY_MEM_OBJECT),

	CRASHTYPE(FORTIFY_MEM_MEMBER),

	CRASHTYPE(FORTIFY_STRSCPY),

};



struct crashtype_category fortify_crashtypes = {

tools/testing/selftests/lkdtm/tests.txt

+5 −3
Original line number Diff line number Diff line
@@ -75,7 +75,9 @@ USERCOPY_KERNEL 
STACKLEAK_ERASING OK: the rest of the thread stack is properly erased

CFI_FORWARD_PROTO

CFI_BACKWARD call trace:|ok: control flow unchanged

FORTIFIED_STRSCPY

FORTIFIED_OBJECT

FORTIFIED_SUBOBJECT

FORTIFY_STRSCPY detected buffer overflow

FORTIFY_STR_OBJECT detected buffer overflow

FORTIFY_STR_MEMBER detected buffer overflow

FORTIFY_MEM_OBJECT detected buffer overflow

FORTIFY_MEM_MEMBER detected field-spanning write

PPC_SLB_MULTIHIT Recovered