Commit a2915698 authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman

Merge tag 'lkdtm-next' of...

Merge tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux into char-misc-next

Kees writes:

lkdtm updates and new tests

- Check NULL dereferences (Christophe Leroy)
- Print real addresses for debugging (Christophe Leroy)
- Drop CONFIG_BLOCK dependency

* tag 'lkdtm-next' of https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  lkdtm: Add tests for NULL pointer dereference
  lkdtm: Print real addresses
  lkdtm: Do not depend on BLOCK and clean up headers
parents bfeffd15 59a12205
+2 −9
@@ -37,16 +37,9 @@
#include <linux/kprobes.h>
#include <linux/list.h>
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/hrtimer.h>
#include <linux/slab.h>
#include <scsi/scsi_cmnd.h>
#include <linux/debugfs.h>

#ifdef CONFIG_IDE
#include <linux/ide.h>
#endif

#define DEFAULT_COUNT 10

static int lkdtm_debugfs_open(struct inode *inode, struct file *file);
@@ -102,10 +95,8 @@ static struct crashpoint crashpoints[] = {
	CRASHPOINT("MEM_SWAPOUT",	 "shrink_inactive_list"),
	CRASHPOINT("TIMERADD",		 "hrtimer_start"),
	CRASHPOINT("SCSI_DISPATCH_CMD",	 "scsi_dispatch_cmd"),
# ifdef CONFIG_IDE
	CRASHPOINT("IDE_CORE_CP",	 "generic_ide_ioctl"),
#endif
#endif
};


@@ -152,7 +143,9 @@ static const struct crashtype crashtypes[] = {
	CRASHTYPE(EXEC_VMALLOC),
	CRASHTYPE(EXEC_RODATA),
	CRASHTYPE(EXEC_USERSPACE),
	CRASHTYPE(EXEC_NULL),
	CRASHTYPE(ACCESS_USERSPACE),
	CRASHTYPE(ACCESS_NULL),
	CRASHTYPE(WRITE_RO),
	CRASHTYPE(WRITE_RO_AFTER_INIT),
	CRASHTYPE(WRITE_KERN),
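Review bot: In the `crashpoints[]` hunk, the `SCSI_DISPATCH_CMD` and `IDE_CORE_CP` entries appear to stay in the table with no SCSI- or IDE-specific guard (the page has lost its +/- markers, so this is read from the hunk header's line counts). Their targets are plain symbol-name strings, so the table still builds without the removed headers, but on a kernel that lacks `scsi_dispatch_cmd` or `generic_ide_ioctl` the entry would still be listed and could only fail when the probe is set up. I would add a comment above the two entries, e.g. `/* Probe targets are looked up by name; they may be absent in this build. */`, and confirm that the registration path reports that failure cleanly. The registration code and the opening of the enclosing `#ifdef` are outside this hunk.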
+2 −0
@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
void lkdtm_EXEC_VMALLOC(void);
void lkdtm_EXEC_RODATA(void);
void lkdtm_EXEC_USERSPACE(void);
void lkdtm_EXEC_NULL(void);
void lkdtm_ACCESS_USERSPACE(void);
void lkdtm_ACCESS_NULL(void);

/* lkdtm_refcount.c */
void lkdtm_REFCOUNT_INC_OVERFLOW(void);
+27 −9
@@ -47,7 +47,7 @@ static noinline void execute_location(void *dst, bool write)
{
	void (*func)(void) = dst;

	pr_info("attempting ok execution at %p\n", do_nothing);
	pr_info("attempting ok execution at %px\n", do_nothing);
	do_nothing();

	if (write == CODE_WRITE) {
@@ -55,7 +55,7 @@ static noinline void execute_location(void *dst, bool write)
		flush_icache_range((unsigned long)dst,
				   (unsigned long)dst + EXEC_SIZE);
	}
	pr_info("attempting bad execution at %p\n", func);
	pr_info("attempting bad execution at %px\n", func);
	func();
}

@@ -66,14 +66,14 @@ static void execute_user_location(void *dst)
	/* Intentionally crossing kernel/user memory boundary. */
	void (*func)(void) = dst;

	pr_info("attempting ok execution at %p\n", do_nothing);
	pr_info("attempting ok execution at %px\n", do_nothing);
	do_nothing();

	copied = access_process_vm(current, (unsigned long)dst, do_nothing,
				   EXEC_SIZE, FOLL_WRITE);
	if (copied < EXEC_SIZE)
		return;
	pr_info("attempting bad execution at %p\n", func);
	pr_info("attempting bad execution at %px\n", func);
	func();
}

@@ -82,7 +82,7 @@ void lkdtm_WRITE_RO(void)
	/* Explicitly cast away "const" for the test. */
	unsigned long *ptr = (unsigned long *)&rodata;

	pr_info("attempting bad rodata write at %p\n", ptr);
	pr_info("attempting bad rodata write at %px\n", ptr);
	*ptr ^= 0xabcd1234;
}

@@ -100,7 +100,7 @@ void lkdtm_WRITE_RO_AFTER_INIT(void)
		return;
	}

	pr_info("attempting bad ro_after_init write at %p\n", ptr);
	pr_info("attempting bad ro_after_init write at %px\n", ptr);
	*ptr ^= 0xabcd1234;
}

@@ -112,7 +112,7 @@ void lkdtm_WRITE_KERN(void)
	size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
	ptr = (unsigned char *)do_overwritten;

	pr_info("attempting bad %zu byte write at %p\n", size, ptr);
	pr_info("attempting bad %zu byte write at %px\n", size, ptr);
	memcpy(ptr, (unsigned char *)do_nothing, size);
	flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));

@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
	vm_munmap(user_addr, PAGE_SIZE);
}

void lkdtm_EXEC_NULL(void)
{
	execute_location(NULL, CODE_AS_IS);
}

void lkdtm_ACCESS_USERSPACE(void)
{
	unsigned long user_addr, tmp = 0;
@@ -185,16 +190,29 @@ void lkdtm_ACCESS_USERSPACE(void)

	ptr = (unsigned long *)user_addr;

	pr_info("attempting bad read at %p\n", ptr);
	pr_info("attempting bad read at %px\n", ptr);
	tmp = *ptr;
	tmp += 0xc0dec0de;

	pr_info("attempting bad write at %p\n", ptr);
	pr_info("attempting bad write at %px\n", ptr);
	*ptr = tmp;

	vm_munmap(user_addr, PAGE_SIZE);
}

void lkdtm_ACCESS_NULL(void)
{
	unsigned long tmp;
	unsigned long *ptr = (unsigned long *)NULL;

	pr_info("attempting bad read at %px\n", ptr);
	tmp = *ptr;
	tmp += 0xc0dec0de;

	pr_info("attempting bad write at %px\n", ptr);
	*ptr = tmp;
}

void __init lkdtm_perms_init(void)
{
	/* Make sure we can write to __ro_after_init values during __init */
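Review bot: In the new `lkdtm_ACCESS_NULL()`, `ptr` is a plain pointer initialised from a constant NULL, so the compiler can see that `tmp = *ptr` and `*ptr = tmp` dereference a null pointer and, depending on the build's optimisation flags, may replace or drop those accesses; the test would then report on the compiler's choice rather than on the kernel's fault handling. Declaring it as `volatile unsigned long *ptr = (unsigned long *)NULL;` forces the load and the store to be emitted as written. Separately, the `%p` to `%px` changes throughout this file put unhashed kernel addresses in the log. A short comment at the first use in `execute_location()`, such as `/* %px is deliberate: this test module prints real addresses for debugging. */`, would keep the specifier from being copied into non-test code or reverted by a later cleanup.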
+0 −1
@@ -1700,7 +1700,6 @@ if RUNTIME_TESTING_MENU
config LKDTM
	tristate "Linux Kernel Dump Test Tool Module"
	depends on DEBUG_FS
	depends on BLOCK
	help
	This module enables testing of the different dumping mechanisms by
	inducing system failures at predefined crash points.