Commit 2a7fbcec authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

Merge tag 'lkdtm-next' of...

Merge tag 'lkdtm-next' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into char-misc-testing

Kees writes:

refactoring for multiple source files and better layout
parents e2402b1d c479e3fd
+4 −0
@@ -59,7 +59,11 @@ obj-$(CONFIG_CXL_BASE) += cxl/
obj-$(CONFIG_PANEL)             += panel.o

lkdtm-$(CONFIG_LKDTM)		+= lkdtm_core.o
lkdtm-$(CONFIG_LKDTM)		+= lkdtm_bugs.o
lkdtm-$(CONFIG_LKDTM)		+= lkdtm_heap.o
lkdtm-$(CONFIG_LKDTM)		+= lkdtm_perms.o
lkdtm-$(CONFIG_LKDTM)		+= lkdtm_rodata_objcopy.o
lkdtm-$(CONFIG_LKDTM)		+= lkdtm_usercopy.o

OBJCOPYFLAGS :=
OBJCOPYFLAGS_lkdtm_rodata_objcopy.o := \
+51 −0
#ifndef __LKDTM_H
#define __LKDTM_H

/* lkdtm_bugs.c */
void __init lkdtm_bugs_init(int *recur_param);
void lkdtm_PANIC(void);
void lkdtm_BUG(void);
void lkdtm_WARNING(void);
void lkdtm_EXCEPTION(void);
void lkdtm_LOOP(void);
void lkdtm_OVERFLOW(void);
void lkdtm_CORRUPT_STACK(void);
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void);
void lkdtm_SOFTLOCKUP(void);
void lkdtm_HARDLOCKUP(void);
void lkdtm_SPINLOCKUP(void);
void lkdtm_HUNG_TASK(void);
void lkdtm_ATOMIC_UNDERFLOW(void);
void lkdtm_ATOMIC_OVERFLOW(void);

/* lkdtm_heap.c */
void lkdtm_OVERWRITE_ALLOCATION(void);
void lkdtm_WRITE_AFTER_FREE(void);
void lkdtm_READ_AFTER_FREE(void);
void lkdtm_WRITE_BUDDY_AFTER_FREE(void);
void lkdtm_READ_BUDDY_AFTER_FREE(void);

/* lkdtm_perms.c */
void __init lkdtm_perms_init(void);
void lkdtm_WRITE_RO(void);
void lkdtm_WRITE_RO_AFTER_INIT(void);
void lkdtm_WRITE_KERN(void);
void lkdtm_EXEC_DATA(void);
void lkdtm_EXEC_STACK(void);
void lkdtm_EXEC_KMALLOC(void);
void lkdtm_EXEC_VMALLOC(void);
void lkdtm_EXEC_RODATA(void);
void lkdtm_EXEC_USERSPACE(void);
void lkdtm_ACCESS_USERSPACE(void);

/* lkdtm_rodata.c */
void lkdtm_rodata_do_nothing(void);

/* lkdtm_usercopy.c */
void __init lkdtm_usercopy_init(void);
void __exit lkdtm_usercopy_exit(void);
void lkdtm_USERCOPY_HEAP_SIZE_TO(void);
void lkdtm_USERCOPY_HEAP_SIZE_FROM(void);
void lkdtm_USERCOPY_HEAP_FLAG_TO(void);
void lkdtm_USERCOPY_HEAP_FLAG_FROM(void);
void lkdtm_USERCOPY_STACK_FRAME_TO(void);
void lkdtm_USERCOPY_STACK_FRAME_FROM(void);
void lkdtm_USERCOPY_STACK_BEYOND(void);
void lkdtm_USERCOPY_KERNEL(void);


#endif
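Review bot: The header uses the `__init` and `__exit` annotations on `lkdtm_bugs_init`, `lkdtm_perms_init`, `lkdtm_usercopy_init` and `lkdtm_usercopy_exit` but includes nothing itself, so it only compiles when the including file has already brought in their definitions. The two .c files shown include `<linux/kernel.h>` first, which presumably provides them indirectly. Adding `#include <linux/init.h>` right after the include guard would make the header self-contained. A short comment at the top, e.g. `/* Every lkdtm_*() entry point below deliberately triggers a kernel fault; never call these outside the test module. */`, would also help a reader who meets these prototypes out of context.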
+152 −0
/*
 * This is for all the tests related to logic bugs (e.g. bad dereferences,
 * bad alignment, bad loops, bad locking, bad scheduling, deep stacks, and
 * lockups) along with other things that don't fit well into existing LKDTM
 * test source files.
 */
#define pr_fmt(fmt) "lkdtm: " fmt

#include <linux/kernel.h>
#include <linux/sched.h>

#include "lkdtm.h"

/*
 * Make sure our attempts to over run the kernel stack doesn't trigger
 * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
 * recurse past the end of THREAD_SIZE by default.
 */
#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
#else
#define REC_STACK_SIZE (THREAD_SIZE / 8)
#endif
#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)

static int recur_count = REC_NUM_DEFAULT;

static DEFINE_SPINLOCK(lock_me_up);

static int recursive_loop(int remaining)
{
	char buf[REC_STACK_SIZE];

	/* Make sure compiler does not optimize this away. */
	memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
	if (!remaining)
		return 0;
	else
		return recursive_loop(remaining - 1);
}

/* If the depth is negative, use the default, otherwise keep parameter. */
void __init lkdtm_bugs_init(int *recur_param)
{
	if (*recur_param < 0)
		*recur_param = recur_count;
	else
		recur_count = *recur_param;
}

void lkdtm_PANIC(void)
{
	panic("dumptest");
}

void lkdtm_BUG(void)
{
	BUG();
}

void lkdtm_WARNING(void)
{
	WARN_ON(1);
}

void lkdtm_EXCEPTION(void)
{
	*((int *) 0) = 0;
}

void lkdtm_LOOP(void)
{
	for (;;)
		;
}

void lkdtm_OVERFLOW(void)
{
	(void) recursive_loop(recur_count);
}

noinline void lkdtm_CORRUPT_STACK(void)
{
	/* Use default char array length that triggers stack protection. */
	char data[8];

	memset((void *)data, 0, 64);
}

void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)
{
	static u8 data[5] __attribute__((aligned(4))) = {1, 2, 3, 4, 5};
	u32 *p;
	u32 val = 0x12345678;

	p = (u32 *)(data + 1);
	if (*p == 0)
		val = 0x87654321;
	*p = val;
}

void lkdtm_SOFTLOCKUP(void)
{
	preempt_disable();
	for (;;)
		cpu_relax();
}

void lkdtm_HARDLOCKUP(void)
{
	local_irq_disable();
	for (;;)
		cpu_relax();
}

void lkdtm_SPINLOCKUP(void)
{
	/* Must be called twice to trigger. */
	spin_lock(&lock_me_up);
	/* Let sparse know we intended to exit holding the lock. */
	__release(&lock_me_up);
}

void lkdtm_HUNG_TASK(void)
{
	set_current_state(TASK_UNINTERRUPTIBLE);
	schedule();
}

void lkdtm_ATOMIC_UNDERFLOW(void)
{
	atomic_t under = ATOMIC_INIT(INT_MIN);

	pr_info("attempting good atomic increment\n");
	atomic_inc(&under);
	atomic_dec(&under);

	pr_info("attempting bad atomic underflow\n");
	atomic_dec(&under);
}

void lkdtm_ATOMIC_OVERFLOW(void)
{
	atomic_t over = ATOMIC_INIT(INT_MAX);

	pr_info("attempting good atomic decrement\n");
	atomic_dec(&over);
	atomic_inc(&over);

	pr_info("attempting bad atomic overflow\n");
	atomic_inc(&over);
}
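Review bot: In recursive_loop() the comment says the memset keeps the compiler from optimizing the frame away, but `buf` is never read afterwards and the recursive call is in tail position. An optimizing compiler may therefore drop the store and turn the recursion into a loop, in which case OVERFLOW returns quietly and a missing stack-overflow detection looks like a pass. Declaring the buffer as `volatile char buf[REC_STACK_SIZE];`, reading one byte back after the memset, and marking the function `noinline` would pin the frame. The same concern applies to the constant-size `memset((void *)data, 0, 64)` in lkdtm_CORRUPT_STACK and the plain `*((int *) 0) = 0;` in lkdtm_EXCEPTION, which a compiler may warn about, reject or fold; routing them through a volatile pointer would keep the faulting access in the generated code.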
+235 −1011

File changed.

Preview size limit exceeded, changes collapsed.

+146 −0
/*
 * This is for all the tests relating directly to heap memory, including
 * page allocation and slab allocations.
 */
#define pr_fmt(fmt) "lkdtm: " fmt

#include <linux/kernel.h>
#include <linux/slab.h>

#include "lkdtm.h"

/*
 * This tries to stay within the next largest power-of-2 kmalloc cache
 * to avoid actually overwriting anything important if it's not detected
 * correctly.
 */
void lkdtm_OVERWRITE_ALLOCATION(void)
{
	size_t len = 1020;
	u32 *data = kmalloc(len, GFP_KERNEL);

	data[1024 / sizeof(u32)] = 0x12345678;
	kfree(data);
}

void lkdtm_WRITE_AFTER_FREE(void)
{
	int *base, *again;
	size_t len = 1024;
	/*
	 * The slub allocator uses the first word to store the free
	 * pointer in some configurations. Use the middle of the
	 * allocation to avoid running into the freelist
	 */
	size_t offset = (len / sizeof(*base)) / 2;

	base = kmalloc(len, GFP_KERNEL);
	pr_info("Allocated memory %p-%p\n", base, &base[offset * 2]);
	pr_info("Attempting bad write to freed memory at %p\n",
		&base[offset]);
	kfree(base);
	base[offset] = 0x0abcdef0;
	/* Attempt to notice the overwrite. */
	again = kmalloc(len, GFP_KERNEL);
	kfree(again);
	if (again != base)
		pr_info("Hmm, didn't get the same memory range.\n");
}

void lkdtm_READ_AFTER_FREE(void)
{
	int *base, *val, saw;
	size_t len = 1024;
	/*
	 * The slub allocator uses the first word to store the free
	 * pointer in some configurations. Use the middle of the
	 * allocation to avoid running into the freelist
	 */
	size_t offset = (len / sizeof(*base)) / 2;

	base = kmalloc(len, GFP_KERNEL);
	if (!base) {
		pr_info("Unable to allocate base memory.\n");
		return;
	}

	val = kmalloc(len, GFP_KERNEL);
	if (!val) {
		pr_info("Unable to allocate val memory.\n");
		kfree(base);
		return;
	}

	*val = 0x12345678;
	base[offset] = *val;
	pr_info("Value in memory before free: %x\n", base[offset]);

	kfree(base);

	pr_info("Attempting bad read from freed memory\n");
	saw = base[offset];
	if (saw != *val) {
		/* Good! Poisoning happened, so declare a win. */
		pr_info("Memory correctly poisoned (%x)\n", saw);
		BUG();
	}
	pr_info("Memory was not poisoned\n");

	kfree(val);
}

void lkdtm_WRITE_BUDDY_AFTER_FREE(void)
{
	unsigned long p = __get_free_page(GFP_KERNEL);
	if (!p) {
		pr_info("Unable to allocate free page\n");
		return;
	}

	pr_info("Writing to the buddy page before free\n");
	memset((void *)p, 0x3, PAGE_SIZE);
	free_page(p);
	schedule();
	pr_info("Attempting bad write to the buddy page after free\n");
	memset((void *)p, 0x78, PAGE_SIZE);
	/* Attempt to notice the overwrite. */
	p = __get_free_page(GFP_KERNEL);
	free_page(p);
	schedule();
}

void lkdtm_READ_BUDDY_AFTER_FREE(void)
{
	unsigned long p = __get_free_page(GFP_KERNEL);
	int saw, *val;
	int *base;

	if (!p) {
		pr_info("Unable to allocate free page\n");
		return;
	}

	val = kmalloc(1024, GFP_KERNEL);
	if (!val) {
		pr_info("Unable to allocate val memory.\n");
		free_page(p);
		return;
	}

	base = (int *)p;

	*val = 0x12345678;
	base[0] = *val;
	pr_info("Value in memory before free: %x\n", base[0]);
	free_page(p);
	pr_info("Attempting to read from freed memory\n");
	saw = base[0];
	if (saw != *val) {
		/* Good! Poisoning happened, so declare a win. */
		pr_info("Memory correctly poisoned (%x)\n", saw);
		BUG();
	}
	pr_info("Buddy page was not poisoned\n");

	kfree(val);
}
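Review bot: lkdtm_OVERWRITE_ALLOCATION and lkdtm_WRITE_AFTER_FREE use the kmalloc() result without checking it, unlike lkdtm_READ_AFTER_FREE and lkdtm_READ_BUDDY_AFTER_FREE in the same file, which log "Unable to allocate ..." and return. If the allocation fails, the test write lands at a small offset from NULL, and the resulting oops can be mistaken for the heap-overwrite or use-after-free check firing. Adding `if (!data) return;` after the kmalloc in the first and `if (!base) return;` in the second, ideally with the same pr_info message the sibling tests use, keeps a failed setup distinguishable from a real detection.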