  1. 20 Oct, 2017 2 commits
  2. 15 Aug, 2017 1 commit
    • lkdtm: Add -fstack-protector-strong test · 93e78c6b
      Kees Cook authored
      There wasn't an LKDTM test to distinguish between -fstack-protector and
      -fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see
      the difference. Also adjusts the stack-clobber value to 0xff so execution
      won't potentially jump into userspace when the stack protector is missing.
      Signed-off-by: Kees Cook <keescook@chromium.org>
  3. 04 Aug, 2017 1 commit
  4. 26 Jul, 2017 2 commits
    • lkdtm: Provide timing tests for atomic_t vs refcount_t · c7fea488
      Kees Cook authored
      While not a crash test, this does provide two tight atomic_t and
      refcount_t loops for performance comparisons:
      
      	cd /sys/kernel/debug/provoke-crash
      	perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT
      	perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT
      
      Looking at CPU cycles is the best way to examine the fast-path (rather
      than instruction counts, since conditional jumps will be executed but
      will be negligible due to branch-prediction).
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: Provide more complete coverage for REFCOUNT tests · 95925c99
      Kees Cook authored
      The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow
      portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and
      expands their testing to poke each boundary condition.
      
      Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different
      saturation values and reach-zero behavior, those have to be build-time
      set so the tests can actually validate things are happening at the
      right places.
      
      Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and
      REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow
      is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for
      each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors
      (which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO).
      Signed-off-by: Kees Cook <keescook@chromium.org>
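The REFCOUNT commit above explains why overflow is the one condition that must be stopped and why the full implementation also reports increments of zero and underflows. The following userspace C program is an added example written for this page, not LKDTM or kernel code: it models a plain wrapping counter (the atomic_t case) next to a saturating counter, and drives both through the same leaked-reference sequence. The saturation value, the warning counter and the exact refusal semantics are this example's simplified assumptions, not a copy of include/linux/refcount.h; the starting value is constructed so the demonstration does not need 2^32 iterations.

```c
/* Added example: userspace model of atomic_t wrap vs. saturating refcount_t.
 * Not kernel code; semantics are an assumed simplification of refcount_t. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Plain counter: increments wrap silently, like atomic_inc() on atomic_t. */
typedef struct { uint32_t v; } plain_t;

static void plain_inc(plain_t *p) { p->v++; }
static bool plain_dec_and_test(plain_t *p) { return --p->v == 0; }

/* Saturating counter (assumed model): once pinned at REF_SATURATED it never
 * moves again, so a leaked object is never freed; zero is pinned too. */
#define REF_SATURATED UINT32_MAX

typedef struct {
    uint32_t v;
    unsigned warnings;              /* stands in for the kernel's WARN_ONCE() */
} ref_t;

static void ref_warn(ref_t *r, const char *what) {
    r->warnings++;
    fprintf(stderr, "refcount_t: %s\n", what);
}

static void ref_inc(ref_t *r) {
    if (r->v == 0) { ref_warn(r, "increment on zero"); return; }  /* INC_ZERO */
    if (r->v == REF_SATURATED) return;                             /* pinned */
    if (r->v == REF_SATURATED - 1) {                               /* overflow */
        r->v = REF_SATURATED;
        ref_warn(r, "saturated");
        return;
    }
    r->v++;
}

static bool ref_dec_and_test(ref_t *r) {
    if (r->v == 0) { ref_warn(r, "underflow"); return false; }     /* DEC_ZERO */
    if (r->v == REF_SATURATED) return false;                       /* never frees */
    return --r->v == 0;
}

/* Constructed state: one legitimate holder plus enough leaked references to
 * sit two below the wrap point. Three more leaked gets wrap a plain counter
 * to 1, so the legitimate put frees an object other code still holds. */
static bool plain_overflow_frees_live_object(void) {
    plain_t p = { .v = UINT32_MAX - 1 };
    plain_inc(&p);                       /* UINT32_MAX */
    plain_inc(&p);                       /* wraps to 0 */
    plain_inc(&p);                       /* 1 */
    return plain_dec_and_test(&p);       /* true: freed while referenced */
}

static bool ref_overflow_frees_live_object(unsigned *warnings) {
    ref_t r = { .v = UINT32_MAX - 1, .warnings = 0 };
    ref_inc(&r);                         /* saturates, warns once */
    ref_inc(&r);                         /* stays pinned */
    ref_inc(&r);
    *warnings = r.warnings;
    return ref_dec_and_test(&r);         /* false: object is leaked, not freed */
}

/* The INC_ZERO case: resurrecting an already-freed object. */
static bool plain_inc_from_zero_succeeds(void) {
    plain_t p = { .v = 0 };
    plain_inc(&p);
    return p.v == 1;                     /* true: silent resurrection */
}

static bool ref_inc_from_zero_succeeds(void) {
    ref_t r = { .v = 0, .warnings = 0 };
    ref_inc(&r);
    return r.v == 1;                     /* false: refused and reported */
}

int main(void) {
    unsigned w = 0;
    printf("plain: overflow frees live object: %d\n", plain_overflow_frees_live_object());
    printf("ref:   overflow frees live object: %d (warnings %u)\n",
           ref_overflow_frees_live_object(&w), w);
    printf("plain: inc from zero succeeds: %d\n", plain_inc_from_zero_succeeds());
    printf("ref:   inc from zero succeeds: %d\n", ref_inc_from_zero_succeeds());
    return 0;
}
```

The x86-fast variant the commit describes checks only the overflow path, so in this model it would behave like `ref_overflow_frees_live_object` but like `plain_inc_from_zero_succeeds`, which is exactly why REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO are expected to fail there.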
  5. 08 Apr, 2017 1 commit
    • lkdtm: add bad USER_DS test · e22aa9d7
      Kees Cook authored
      This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
      return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
      trying to deal with values other than USER_DS and KERNEL_DS across all
      architectures in a safe way is not sensible, this sets KERNEL_DS, but
      since that could be extremely dangerous if the protection is not present,
      it also raises SIGKILL for current, so that no matter what, the process
      will die. A successful test will be visible with a BUG(), like all the
      other LKDTM tests.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. 10 Feb, 2017 1 commit
  7. 25 Jan, 2017 1 commit
  8. 31 Oct, 2016 1 commit
  9. 15 Jul, 2016 2 commits
    • lkdtm: silence warnings about function declarations · 6d2e91a6
      Kees Cook authored
      When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and
      lkdtm_rodata.c was discovered. This fixes the issue and consolidates
      the common header and the pr_fmt macro for simplicity and regularity
      across each test source file.
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: hide unused functions · 2b271cb7
      Arnd Bergmann authored
      A conversion of the lkdtm core module added an "#ifdef CONFIG_KPROBES" check,
      but a number of functions then become unused:
      
      drivers/misc/lkdtm_core.c:340:16: error: 'lkdtm_debugfs_entry' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:122:12: error: 'jp_generic_ide_ioctl' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:114:12: error: 'jp_scsi_dispatch_cmd' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:106:12: error: 'jp_hrtimer_start' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:97:22: error: 'jp_shrink_inactive_list' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:89:13: error: 'jp_ll_rw_block' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:83:13: error: 'jp_tasklet_action' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:75:20: error: 'jp_handle_irq_event' defined but not used [-Werror=unused-function]
      drivers/misc/lkdtm_core.c:68:21: error: 'jp_do_irq' defined but not used [-Werror=unused-function]
      
      This adds the same #ifdef everywhere. There is probably a better way to do the
      same thing, but for now this avoids the new warnings.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Fixes: c479e3fd ("lkdtm: use struct arrays instead of enums")
      [kees: moved some code around to better consolidate the #ifdefs]
      Signed-off-by: Kees Cook <keescook@chromium.org>
  10. 07 Jul, 2016 12 commits
  11. 10 Jun, 2016 5 commits
  12. 06 Apr, 2016 3 commits
  13. 01 Mar, 2016 5 commits
    • lkdtm: improve use-after-free tests · 7c0ae5be
      Kees Cook authored
      This improves the order of operations on the use-after-free tests to
      try to make sure we've executed any available sanity-checking code,
      and to report the poisoning that was found.
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: add test for atomic_t underflow/overflow · 5fd9e480
      David Windsor authored
      dmesg output of running this LKDTM test with PaX:
      
      [187095.475573] lkdtm: No crash points registered, enable through debugfs
      [187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
      [187118.030045] lkdtm: attempting atomic underflow
      [187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
      [187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.111321] RIP: 0010:[<ffffffffc00fc2fe>]  [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
      ...
      [187118.128074] lkdtm: attempting atomic overflow
      [187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
      [187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
      [187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
      [187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
      [187118.128092] RIP: 0010:[<ffffffffc00fc316>]  [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
      Signed-off-by: David Windsor <dave@progbits.org>
      [cleaned up whitespacing, keescook]
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: Add read/write after free tests for buddy memory · 920d451f
      Laura Abbott authored
      The current tests for read/write after free work on slab
      allocated memory. Memory straight from the buddy allocator
      may behave slightly differently and have a different set
      of parameters to test. Add tests for those cases as well.
      
      On a basic x86 boot:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   22.292983] lkdtm: Writing to the buddy page before free
      [   22.293950] lkdtm: Attempting bad write to the buddy page after free
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   32.379896] lkdtm: Value in memory before free: 12345678
      [   32.383854] lkdtm: Attempting to read from freed memory
      [   32.389309] lkdtm: Buddy page was not poisoned
      
      On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:
      
       # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
      [   17.477360] lkdtm: Writing to the buddy page before free
      [   17.479089] lkdtm: Attempting bad write to the buddy page after free
      [   17.480904] BUG: unable to handle kernel paging request at ffff88000ebd8000
      
       # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
      [   14.607447] lkdtm: Value in memory before free: 12345678
      [   14.608161] lkdtm: Attempting to read from freed memory
      [   14.608860] BUG: unable to handle kernel paging request at ffff88000eba3000
      
      Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
      produce the same crash.
      Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: Update WRITE_AFTER_FREE test · 250a8988
      Laura Abbott authored
      The SLUB allocator may use the first word of a freed block to store the
      freelist information. This may make it harder to test poisoning
      features. Change the WRITE_AFTER_FREE test to better match what
      the READ_AFTER_FREE test does and also print out a bit more information.
      Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
    • lkdtm: Add READ_AFTER_FREE test · bc0b8cc6
      Laura Abbott authored
      In a similar manner to WRITE_AFTER_FREE, add a READ_AFTER_FREE
      test to test free poisoning features. Sample output when
      no sanitization is present:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   17.542473] lkdtm: Performing direct entry READ_AFTER_FREE
      [   17.543866] lkdtm: Value in memory before free: 12345678
      [   17.545212] lkdtm: Attempting bad read from freed memory
      [   17.546542] lkdtm: Memory was not poisoned
      
      with slub_debug=P:
      
       # echo READ_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
      [   22.415531] lkdtm: Performing direct entry READ_AFTER_FREE
      [   22.416366] lkdtm: Value in memory before free: 12345678
      [   22.417137] lkdtm: Attempting bad read from freed memory
      [   22.417897] lkdtm: Memory correctly poisoned, calling BUG
      Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
      Signed-off-by: Kees Cook <keescook@chromium.org>
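The WRITE_AFTER_FREE and READ_AFTER_FREE commits above describe two things a free-poisoning check has to cope with: the allocator may reuse the first word of a freed object for its freelist, and a stray write into freed memory is only noticed when the poison is verified later. The userspace C program below is an added example written for this page, not LKDTM or kernel code. It builds a toy fixed-size slab that threads its freelist through word zero of freed objects and, when poisoning is enabled (the stand-in for slub_debug=P), fills freed objects with POISON_FREE, the 0x6b value from include/linux/poison.h, and re-verifies that poison on the next allocation. The slab layout, object size, and the "corruptions" counter are this example's own constructions.

```c
/* Added example: toy slab with freelist-in-first-word and optional free
 * poisoning, mirroring what READ/WRITE_AFTER_FREE probe. Not kernel code. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OBJ_SIZE    64
#define NR_OBJS     4
#define POISON_FREE 0x6b               /* value from include/linux/poison.h */

struct slab {
    bool poison;                       /* stands in for slub_debug=P */
    void *freelist;
    unsigned corruptions;              /* poison bytes found overwritten */
    _Alignas(sizeof(void *)) unsigned char mem[NR_OBJS][OBJ_SIZE];
};

static void slab_init(struct slab *s, bool poison) {
    s->poison = poison;
    s->freelist = NULL;
    s->corruptions = 0;
    if (poison)
        memset(s->mem, POISON_FREE, sizeof s->mem);
    for (int i = NR_OBJS - 1; i >= 0; i--) {           /* push every object */
        memcpy(s->mem[i], &s->freelist, sizeof(void *));
        s->freelist = s->mem[i];
    }
}

/* Pop an object; with poisoning on, verify every byte past the freelist
 * word still carries POISON_FREE (the check_object()-style step). */
static void *slab_alloc(struct slab *s) {
    unsigned char *obj = s->freelist;
    if (!obj)
        return NULL;
    memcpy(&s->freelist, obj, sizeof(void *));
    if (s->poison) {
        for (size_t i = sizeof(void *); i < OBJ_SIZE; i++) {
            if (obj[i] != POISON_FREE) {
                s->corruptions++;
                fprintf(stderr, "slab: poison overwritten at byte %zu\n", i);
                break;
            }
        }
    }
    return obj;
}

/* Free: poison first, then the freelist pointer clobbers word zero. */
static void slab_free(struct slab *s, void *p) {
    if (s->poison)
        memset(p, POISON_FREE, OBJ_SIZE);
    memcpy(p, &s->freelist, sizeof(void *));
    s->freelist = p;
}

/* READ_AFTER_FREE: store a value, free, read it back. Returns true when the
 * freed memory was poisoned. Word zero is skipped because the freelist
 * pointer lands there whether or not poisoning is enabled. */
static bool read_after_free_finds_poison(bool poison) {
    struct slab s;
    slab_init(&s, poison);
    uint32_t *obj = slab_alloc(&s);
    for (size_t i = 0; i < OBJ_SIZE / sizeof *obj; i++)
        obj[i] = 0x12345678;
    slab_free(&s, obj);
    for (size_t i = sizeof(void *) / sizeof *obj; i < OBJ_SIZE / sizeof *obj; i++)
        if (obj[i] != 0x6b6b6b6b)                       /* the bad read */
            return false;
    return true;
}

/* WRITE_AFTER_FREE: free, write into the object, then allocate again so the
 * allocator re-checks the poison. Returns true when the write was detected. */
static bool write_after_free_is_detected(bool poison) {
    struct slab s;
    slab_init(&s, poison);
    unsigned char *obj = slab_alloc(&s);
    slab_free(&s, obj);
    obj[OBJ_SIZE / 2] = 0x41;                           /* the bad write */
    (void)slab_alloc(&s);
    return s.corruptions == 1;
}

int main(void) {
    printf("read after free, no poison:  poisoned=%d\n", read_after_free_finds_poison(false));
    printf("read after free, poison on:  poisoned=%d\n", read_after_free_finds_poison(true));
    printf("write after free, no poison: detected=%d\n", write_after_free_is_detected(false));
    printf("write after free, poison on: detected=%d\n", write_after_free_is_detected(true));
    return 0;
}
```

Without poisoning both probes come back clean, which is the "Memory was not poisoned" outcome in the commit log; with it, the read sees 0x6b and the stray write is caught at the next allocation. Checking word zero would report a false negative in both modes, which is the reason the updated test looks further into the object.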
  14. 22 Feb, 2016 1 commit
    • lkdtm: Verify that '__ro_after_init' works correctly · 7cca071c
      Kees Cook authored
      The new __ro_after_init section should be writable before init, but
      not after. Validate that it gets updated at init and can't be written
      to afterwards.
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: David Brown <david.brown@linaro.org>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: Emese Revfy <re.emese@gmail.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mathias Krause <minipli@googlemail.com>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: PaX Team <pageexec@freemail.hu>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: kernel-hardening@lists.openwall.com
      Cc: linux-arch <linux-arch@vger.kernel.org>
      Link: http://lkml.kernel.org/r/1455748879-21872-6-git-send-email-keescook@chromium.org
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
  15. 10 Feb, 2016 1 commit
    • lkdtm: mark execute_location as noinline · ececdc02
      Arnd Bergmann authored
      The kernel sometimes fails to link when lkdtm is built-in and
      compiled with clang:
      
      relocation truncated to fit: R_ARM_THM_CALL against `.bss'
      
      The reason here is that a relocation from .text to .bss fails to
      generate a trampoline because .bss is not an executable section.
      
      Marking the function 'noinline' turns the relative branch to .bss
      into an absolute branch to the function argument, and that works
      fine.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. 29 Oct, 2015 1 commit
    • lkdtm: fix ACCESS_USERSPACE test · 2cb202c1
      Stephen Smalley authored
      Add a copy_to_user() call to the ACCESS_USERSPACE test
      prior to attempting direct dereferencing of the user
      address to ensure the page is present.  Otherwise,
      a fault occurs on arm kernels even prior to the introduction
      of CONFIG_CPU_SW_DOMAIN_PAN, and there is no difference in
      behavior for CONFIG_CPU_SW_DOMAIN_PAN=n vs CONFIG_CPU_SW_DOMAIN_PAN=y.
      
      Before this change, for any value of CONFIG_CPU_SW_DOMAIN_PAN:
      lkdtm: Performing direct entry ACCESS_USERSPACE
      lkdtm: attempting bad read at b6fe8000
      Unable to handle kernel paging request at virtual address b6fe8000
      
      After this change, for CONFIG_CPU_SW_DOMAIN_PAN=n:
      lkdtm: Performing direct entry ACCESS_USERSPACE
      lkdtm: attempting bad read at b6efc000
      lkdtm: attempting bad write at b6efc000
      
      After this change, for CONFIG_CPU_SW_DOMAIN_PAN=y:
      lkdtm: Performing direct entry ACCESS_USERSPACE
      lkdtm: attempting bad read at b6f7d000
      Unhandled fault: page domain fault (0x01b) at 0xb6f7d000
      ...
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
      Acked-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>