Commit c6f7c753 authored by Christoph Hellwig's avatar Christoph Hellwig Committed by Al Viro
Browse files

lkdtm: remove set_fs-based tests 



Once we can't manipulate the address limit, we also can't test what
happens when the manipulation is abused.

Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent 81b1e242

drivers/misc/lkdtm/bugs.c

+0 −10
Original line number Diff line number Diff line
@@ -312,16 +312,6 @@ void lkdtm_CORRUPT_LIST_DEL(void) 
		pr_err("list_del() corruption not detected!\n");

}



/* Test if unbalanced set_fs(KERNEL_DS)/set_fs(USER_DS) check exists. */

void lkdtm_CORRUPT_USER_DS(void)

{

	pr_info("setting bad task size limit\n");

	set_fs(KERNEL_DS);



	/* Make sure we do not keep running with a KERNEL_DS! */

	force_sig(SIGKILL);

}



/* Test that VMAP_STACK is actually allocating with a leading guard page */

void lkdtm_STACK_GUARD_PAGE_LEADING(void)

{

drivers/misc/lkdtm/core.c

+0 −2
Original line number Diff line number Diff line
@@ -112,7 +112,6 @@ static const struct crashtype crashtypes[] = { 
	CRASHTYPE(CORRUPT_STACK_STRONG),

	CRASHTYPE(CORRUPT_LIST_ADD),

	CRASHTYPE(CORRUPT_LIST_DEL),

	CRASHTYPE(CORRUPT_USER_DS),

	CRASHTYPE(STACK_GUARD_PAGE_LEADING),

	CRASHTYPE(STACK_GUARD_PAGE_TRAILING),

	CRASHTYPE(UNSET_SMEP),
@@ -172,7 +171,6 @@ static const struct crashtype crashtypes[] = { 
	CRASHTYPE(USERCOPY_STACK_FRAME_FROM),

	CRASHTYPE(USERCOPY_STACK_BEYOND),

	CRASHTYPE(USERCOPY_KERNEL),

	CRASHTYPE(USERCOPY_KERNEL_DS),

	CRASHTYPE(STACKLEAK_ERASING),

	CRASHTYPE(CFI_FORWARD_PROTO),

#ifdef CONFIG_X86_32

drivers/misc/lkdtm/lkdtm.h

+0 −2
Original line number Diff line number Diff line
@@ -27,7 +27,6 @@ void lkdtm_OVERFLOW_UNSIGNED(void); 
void lkdtm_ARRAY_BOUNDS(void);

void lkdtm_CORRUPT_LIST_ADD(void);

void lkdtm_CORRUPT_LIST_DEL(void);

void lkdtm_CORRUPT_USER_DS(void);

void lkdtm_STACK_GUARD_PAGE_LEADING(void);

void lkdtm_STACK_GUARD_PAGE_TRAILING(void);

void lkdtm_UNSET_SMEP(void);
@@ -96,7 +95,6 @@ void lkdtm_USERCOPY_STACK_FRAME_TO(void); 
void lkdtm_USERCOPY_STACK_FRAME_FROM(void);

void lkdtm_USERCOPY_STACK_BEYOND(void);

void lkdtm_USERCOPY_KERNEL(void);

void lkdtm_USERCOPY_KERNEL_DS(void);



/* lkdtm_stackleak.c */

void lkdtm_STACKLEAK_ERASING(void);

drivers/misc/lkdtm/usercopy.c

+0 −15
Original line number Diff line number Diff line
@@ -325,21 +325,6 @@ free_user: 
	vm_munmap(user_addr, PAGE_SIZE);

}



void lkdtm_USERCOPY_KERNEL_DS(void)

{

	char __user *user_ptr =

		(char __user *)(0xFUL << (sizeof(unsigned long) * 8 - 4));

	mm_segment_t old_fs = get_fs();

	char buf[10] = {0};



	pr_info("attempting copy_to_user() to noncanonical address: %px\n",

		user_ptr);

	set_fs(KERNEL_DS);

	if (copy_to_user(user_ptr, buf, sizeof(buf)) == 0)

		pr_err("copy_to_user() to noncanonical address succeeded!?\n");

	set_fs(old_fs);

}



void __init lkdtm_usercopy_init(void)

{

	/* Prepare cache that lacks SLAB_USERCOPY flag. */

tools/testing/selftests/lkdtm/tests.txt

+0 −2
Original line number Diff line number Diff line
@@ -9,7 +9,6 @@ EXCEPTION 
#CORRUPT_STACK_STRONG Crashes entire system on success

CORRUPT_LIST_ADD list_add corruption

CORRUPT_LIST_DEL list_del corruption

CORRUPT_USER_DS Invalid address limit on user-mode return

STACK_GUARD_PAGE_LEADING

STACK_GUARD_PAGE_TRAILING

UNSET_SMEP CR4 bits went missing
@@ -67,6 +66,5 @@ USERCOPY_STACK_FRAME_TO 
USERCOPY_STACK_FRAME_FROM

USERCOPY_STACK_BEYOND

USERCOPY_KERNEL

USERCOPY_KERNEL_DS

STACKLEAK_ERASING OK: the rest of the thread stack is properly erased

CFI_FORWARD_PROTO

CRA Git | Maintained and supported by SUSTech CRA and CCSE