Openwrt-EcoNet/kernel-49
1
0
Fork 0
Code Activity
Files
kernel-49/drivers/misc/lkdtm_perms.c
Greg Kroah-Hartman 26400f8207 Merge 4.9.170 into android-4.9 
Changes in 4.9.170
	ARC: u-boot args: check that magic number is correct
	perf/core: Restore mmap record type correctly
	ext4: add missing brelse() in add_new_gdb_meta_bg()
	ext4: report real fs size after failed resize
	ALSA: echoaudio: add a check for ioremap_nocache
	ALSA: sb8: add a check for request_region
	IB/mlx4: Fix race condition between catas error reset and aliasguid flows
	mmc: davinci: remove extraneous __init annotation
	ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration
	thermal/int340x_thermal: Add additional UUIDs
	thermal/int340x_thermal: fix mode setting
	tools/power turbostat: return the exit status of a command
	perf config: Fix an error in the config template documentation
	perf config: Fix a memory leak in collect_config()
	perf build-id: Fix memory leak in print_sdt_events()
	perf top: Fix error handling in cmd_top()
	perf hist: Add missing map__put() in error case
	perf evsel: Free evsel->counts in perf_evsel__exit()
	perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test
	perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
	irqchip/mbigen: Don't clear eventid when freeing an MSI
	x86/hpet: Prevent potential NULL pointer dereference
	x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors
	iommu/vt-d: Check capability before disabling protected memory
	x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error
	fix incorrect error code mapping for OBJECTID_NOT_FOUND
	ext4: prohibit fstrim in norecovery mode
	gpio: pxa: handle corner case of unprobed device
	rsi: improve kernel thread handling to fix kernel panic
	9p: do not trust pdu content for stat item size
	9p locks: add mount option for lock retry interval
	f2fs: fix to do sanity check with current segment number
	serial: uartps: console_setup() can't be placed to init section
	HID: i2c-hid: override HID descriptors for certain devices
	ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
	ACPI / SBS: Fix GPE storm on recent MacBookPro's
	cifs: fallback to older infolevels on findfirst queryinfo retry
	kernel: hung_task.c: disable on suspend
	crypto: sha256/arm - fix crash bug in Thumb2 build
	crypto: sha512/arm - fix crash bug in Thumb2 build
	iommu/dmar: Fix buffer overflow during PCI bus notification
	soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()
	lkdtm: Add tests for NULL pointer dereference
	ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
	appletalk: Fix use-after-free in atalk_proc_exit
	lib/div64.c: off by one in shift
	include/linux/swap.h: use offsetof() instead of custom __swapoffset macro
	tpm/tpm_crb: Avoid unaligned reads in crb_recv()
	net: stmmac: Set dma ring length before enabling the DMA
	appletalk: Fix compile regression
	Linux 4.9.170

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-04-22 10:22:45 +03:00

218 lines
4.9 KiB
C
Raw Permalink Blame History

/*
* This is for all the tests related to validating kernel memory
* permissions: non-executable regions, non-writable regions, and
* even non-readable regions.
*/
#include "lkdtm.h"
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>
/* Whether or not to fill the target memory area with do_nothing(). */
#define CODE_WRITE true
#define CODE_AS_IS false
/* How many bytes to copy to be sure we've copied enough of do_nothing(). */
#define EXEC_SIZE 64
/* This is non-const, so it will end up in the .data section. */
static u8 data_area[EXEC_SIZE];
/* This is cost, so it will end up in the .rodata section. */
static const unsigned long rodata = 0xAA55AA55;
/* This is marked __ro_after_init, so it should ultimately be .rodata. */
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
/*
* This just returns to the caller. It is designed to be copied into
* non-executable memory regions.
*/
static void do_nothing(void)
{
return;
}
/* Must immediately follow do_nothing for size calculuations to work out. */
static void do_overwritten(void)
{
pr_info("do_overwritten wasn't overwritten!\n");
return;
}
static noinline void execute_location(void *dst, bool write)
{
void (*func)(void) = dst;
pr_info("attempting ok execution at %p\n", do_nothing);
do_nothing();
if (write == CODE_WRITE) {
memcpy(dst, do_nothing, EXEC_SIZE);
flush_icache_range((unsigned long)dst,
(unsigned long)dst + EXEC_SIZE);
}
pr_info("attempting bad execution at %p\n", func);
func();
}
static void execute_user_location(void *dst)
{
/* Intentionally crossing kernel/user memory boundary. */
void (*func)(void) = dst;
pr_info("attempting ok execution at %p\n", do_nothing);
do_nothing();
if (copy_to_user((void __user *)dst, do_nothing, EXEC_SIZE))
return;
flush_icache_range((unsigned long)dst, (unsigned long)dst + EXEC_SIZE);
pr_info("attempting bad execution at %p\n", func);
func();
}
void lkdtm_WRITE_RO(void)
{
/* Explicitly cast away "const" for the test. */
unsigned long *ptr = (unsigned long *)&rodata;
pr_info("attempting bad rodata write at %p\n", ptr);
*ptr ^= 0xabcd1234;
}
void lkdtm_WRITE_RO_AFTER_INIT(void)
{
unsigned long *ptr = &ro_after_init;
/*
* Verify we were written to during init. Since an Oops
* is considered a "success", a failure is to just skip the
* real test.
*/
if ((*ptr & 0xAA) != 0xAA) {
pr_info("%p was NOT written during init!?\n", ptr);
return;
}
pr_info("attempting bad ro_after_init write at %p\n", ptr);
*ptr ^= 0xabcd1234;
}
void lkdtm_WRITE_KERN(void)
{
size_t size;
unsigned char *ptr;
size = (unsigned long)do_overwritten - (unsigned long)do_nothing;
ptr = (unsigned char *)do_overwritten;
pr_info("attempting bad %zu byte write at %p\n", size, ptr);
memcpy(ptr, (unsigned char *)do_nothing, size);
flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
do_overwritten();
}
void lkdtm_EXEC_DATA(void)
{
execute_location(data_area, CODE_WRITE);
}
void lkdtm_EXEC_STACK(void)
{
u8 stack_area[EXEC_SIZE];
execute_location(stack_area, CODE_WRITE);
}
void lkdtm_EXEC_KMALLOC(void)
{
u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);
execute_location(kmalloc_area, CODE_WRITE);
kfree(kmalloc_area);
}
void lkdtm_EXEC_VMALLOC(void)
{
u32 *vmalloc_area = vmalloc(EXEC_SIZE);
execute_location(vmalloc_area, CODE_WRITE);
vfree(vmalloc_area);
}
void lkdtm_EXEC_RODATA(void)
{
execute_location(lkdtm_rodata_do_nothing, CODE_AS_IS);
}
void lkdtm_EXEC_USERSPACE(void)
{
unsigned long user_addr;
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_ANONYMOUS | MAP_PRIVATE, 0);
if (user_addr >= TASK_SIZE) {
pr_warn("Failed to allocate user memory\n");
return;
}
execute_user_location((void *)user_addr);
vm_munmap(user_addr, PAGE_SIZE);
}
void lkdtm_EXEC_NULL(void)
{
execute_location(NULL, CODE_AS_IS);
}
void lkdtm_ACCESS_USERSPACE(void)
{
unsigned long user_addr, tmp = 0;
unsigned long *ptr;
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC,
MAP_ANONYMOUS | MAP_PRIVATE, 0);
if (user_addr >= TASK_SIZE) {
pr_warn("Failed to allocate user memory\n");
return;
}
if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) {
pr_warn("copy_to_user failed\n");
vm_munmap(user_addr, PAGE_SIZE);
return;
}
ptr = (unsigned long *)user_addr;
pr_info("attempting bad read at %p\n", ptr);
tmp = *ptr;
tmp += 0xc0dec0de;
pr_info("attempting bad write at %p\n", ptr);
*ptr = tmp;
vm_munmap(user_addr, PAGE_SIZE);
}
void lkdtm_ACCESS_NULL(void)
{
unsigned long tmp;
unsigned long *ptr = (unsigned long *)NULL;
pr_info("attempting bad read at %px\n", ptr);
tmp = *ptr;
tmp += 0xc0dec0de;
pr_info("attempting bad write at %px\n", ptr);
*ptr = tmp;
}
void __init lkdtm_perms_init(void)
{
/* Make sure we can write to __ro_after_init values during __init */
ro_after_init |= 0xAA;
}
View Git Blame Copy Permalink