The LKDTM modules keep expanding, and it's getting weird to have each file
get a prefix. Instead, move to a subdirectory for cleaner handling.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Function handle_IRQ_event was retired in v2.6.39 and replaced with
handle_irq_event but nobody changed it in lkdtm so INT_HW_IRQ_EN has
been broken for a while.

Fixes: 33b054b8 ("genirq: Remove handle_IRQ_event")
Signed-off-by: Travis Brown <travisb@arista.com>
Signed-off-by: Ivan Delalande <colona@arista.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This updates the USERCOPY_HEAP_FLAG_* tests to USERCOPY_HEAP_WHITELIST_*,
since the final form of usercopy whitelisting ended up using an offset/size
window instead of the earlier proposed allocation flags.
Signed-off-by: Kees Cook <keescook@chromium.org>

The jprobes subsystem is being removed, so convert to using kprobes instead.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20171020133127.GA18360@beastSigned-off-by: Ingo Molnar <mingo@kernel.org>

Since nothing in the crashtypes table ever changes, mark it const. Adds
some missing "static" markings as well.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

The jprobe subsystem is being removed, so convert to using kprobe instead.

Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

There wasn't an LKDTM test to distinguish between -fstack-protector and
-fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see
the difference. Also adjusts the stack-clobber value to 0xff so execution
won't potentially jump into userspace when the stack protector is missing.
Signed-off-by: Kees Cook <keescook@chromium.org>

Two new tests STACK_GUARD_PAGE_LEADING and STACK_GUARD_PAGE_TRAILING
attempt to read the byte before and after, respectively, of the current
stack frame, which should fault.
Signed-off-by: Kees Cook <keescook@chromium.org>

While not a crash test, this does provide two tight atomic_t and
refcount_t loops for performance comparisons:

	cd /sys/kernel/debug/provoke-crash
	perf stat -B -- cat <(echo ATOMIC_TIMING) > DIRECT
	perf stat -B -- cat <(echo REFCOUNT_TIMING) > DIRECT

Looking a CPU cycles is the best way to example the fast-path (rather
than instruction counts, since conditional jumps will be executed but
will be negligible due to branch-prediction).
Signed-off-by: Kees Cook <keescook@chromium.org>

The existing REFCOUNT_* LKDTM tests were designed only for testing a narrow
portion of CONFIG_REFCOUNT_FULL. This moves the tests to their own file and
expands their testing to poke each boundary condition.

Since the protections (CONFIG_REFCOUNT_FULL and x86-fast) use different
saturation values and reach-zero behavior, those have to be build-time
set so the tests can actually validate things are happening at the
right places.

Notably, the x86-fast protection will fail REFCOUNT_INC_ZERO and
REFCOUNT_ADD_ZERO since those conditions are not checked (only overflow
is critical to protecting refcount_t). CONFIG_REFCOUNT_FULL will warn for
each REFCOUNT_*_NEGATIVE test since it provides zero-pinning behaviors
(which allows it to pass REFCOUNT_INC_ZERO and REFCOUNT_ADD_ZERO).
Signed-off-by: Kees Cook <keescook@chromium.org>

This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Since we'll be using refcount_t instead of atomic_t for refcounting,
change the LKDTM tests to reflect the new interface and test conditions.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Hans Liljestrand <ishkamiel@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arnd@arndb.de
Cc: dhowells@redhat.com
Cc: dwindsor@gmail.com
Cc: elena.reshetova@intel.com
Cc: gregkh@linuxfoundation.org
Cc: h.peter.anvin@intel.com
Cc: kernel-hardening@lists.openwall.com
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1486164412-7338-3-git-send-email-keescook@chromium.orgSigned-off-by: Ingo Molnar <mingo@kernel.org>

No jprobe is registered when the module is loaded without specifying a
crashpoint that uses a jprobe. At the moment, we unconditionally try to
unregister the jprobe on module unload which results in an Oops. Add a
check to fix this.
Signed-off-by: Juerg Haefliger <juerg.haefliger@hpe.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

When building under CONFIG_DEBUG_LIST, list addition and removal will be
sanity-checked. This validates that the check is working as expected by
setting up classic corruption attacks against list manipulations, available
with the new lkdtm tests CORRUPT_LIST_ADD and CORRUPT_LIST_DEL.
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Rik van Riel <riel@redhat.com>

When building under W=1, the lack of lkdtm.h in lkdtm_usercopy.c and
lkdtm_rodata.c was discovered. This fixes the issue and consolidates
the common header and the pr_fmt macro for simplicity and regularity
across each test source file.
Signed-off-by: Kees Cook <keescook@chromium.org>

A conversion of the lkdtm core module added an "#ifdef CONFIG_KPROBES" check,
but a number of functions then become unused:

drivers/misc/lkdtm_core.c:340:16: error: 'lkdtm_debugfs_entry' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:122:12: error: 'jp_generic_ide_ioctl' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:114:12: error: 'jp_scsi_dispatch_cmd' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:106:12: error: 'jp_hrtimer_start' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:97:22: error: 'jp_shrink_inactive_list' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:89:13: error: 'jp_ll_rw_block' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:83:13: error: 'jp_tasklet_action' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:75:20: error: 'jp_handle_irq_event' defined but not used [-Werror=unused-function]
drivers/misc/lkdtm_core.c:68:21: error: 'jp_do_irq' defined but not used [-Werror=unused-function]

This adds the same #ifdef everywhere. There is probably a better way to do the
same thing, but for now this avoids the new warnings.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: c479e3fd ("lkdtm: use struct arrays instead of enums")
[kees: moved some code around to better consolidate the #ifdefs]
Signed-off-by: Kees Cook <keescook@chromium.org>

This removes the use of enums in favor of much more readable and compact
structure arrays. This requires changing all the enum passing to pointers
instead, but the results are much cleaner.
Signed-off-by: Kees Cook <keescook@chromium.org>

In preparation of referencing the jprobe entry points in a structure,
this moves them to the start of the source since they operate mostly
separately from everything else.
Signed-off-by: Kees Cook <keescook@chromium.org>

This reorganizes module parameters and global variables in the source
so they're grouped together with comments. Also moves early function
declarations to the top of the file.
Signed-off-by: Kees Cook <keescook@chromium.org>

The global variables used to track the active crashpoint and crashtype
are hard to distinguish from local variable names, so add a "lkdtm_"
prefix to them (or in the case of "lkdtm", add a "_jprobe" suffix).
Signed-off-by: Kees Cook <keescook@chromium.org>

The "count" variable name was not easy to understand, since it was regularly
obscured by local variables of the same name, and it's purpose wasn't clear.
This renames it (and its lock) to "crash_count", which is more readable.
Signed-off-by: Kees Cook <keescook@chromium.org>

There wasn't a good reason for keeping the enum and the names out of sync
by 1 position just to avoid "NONE" and "INVALID" from being in the string
lists.
Signed-off-by: Kees Cook <keescook@chromium.org>

This splits all the remaining tests from lkdtm_core.c into the new
lkdtm_bugs.c file to help separate things better for readability.
Signed-off-by: Kees Cook <keescook@chromium.org>

This splits the *_AFTER_FREE and related tests into the new lkdtm_heap.c
file to help separate things better for readability.
Signed-off-by: Kees Cook <keescook@chromium.org>

This splits the EXEC_*, WRITE_* and related tests into the new lkdtm_perms.c
file to help separate things better for readability.
Signed-off-by: Kees Cook <keescook@chromium.org>

This splits the USERCOPY_* tests into the new lkdtm_usercopy.c file to
help separate things better for readability.
Signed-off-by: Kees Cook <keescook@chromium.org>

There is no good reason to have the alloc_size parameter currently. The
compiler-tricking value used to exercise the stack can just use a stack
address instead. Similarly hard-code cache_size.
Signed-off-by: Kees Cook <keescook@chromium.org>

The upcoming HARDENED_USERCOPY checks will also block access to the
kernel text, so provide a test for this as well.
Signed-off-by: Kees Cook <keescook@chromium.org>

Each direction of the atomic wrapping should be individually testable.
Signed-off-by: Kees Cook <keescook@chromium.org>

This adds test to detect copy_to_user/copy_from_user problems that are
protected by PAX_USERCOPY (and will be protected by HARDENED_USERCOPY).
Explicitly tests both "to" and "from" directions of heap object size
problems, heap object markings and, stack frame misalignment.
Signed-off-by: Kees Cook <keescook@chromium.org>

This adds a function that lives in the .rodata section. The section
flags are corrected using objcopy since there is no way with gcc to
declare section flags in an architecture-agnostic way.
Signed-off-by: Kees Cook <keescook@chromium.org>

This cleans up comments a bit to improve readability, adjusts the
name of the module after the source file renaming, and corrects the
MAINTAINERS for the upcoming lkdtm files.
Signed-off-by: Kees Cook <keescook@chromium.org>

Kbuild lacks a way to do in-place objcopy or other modifications of
built targets, so in order to move functions into non-text sections
without renaming the kernel module, the build of lkdtm must be split
into separate source files. This renames lkdtm.c to lkdtm_core.c in
preparation for adding the source file for the .rodata section.
Signed-off-by: Kees Cook <keescook@chromium.org>

This frees the allocated page if there is a kmalloc failure.
Signed-off-by: Kees Cook <keescook@chromium.org>

This case is supposed to read from a memory after it has been freed,
but we missed freeing base if the memory 'val' could not be allocated.
Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>

This case is supposed to read from a page after after it is freed, but
it missed freeing val if we are not able to get a free page.
Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>

This improves the order of operations on the use-after-free tests to
try to make sure we've executed any available sanity-checking code,
and to report the poisoning that was found.
Signed-off-by: Kees Cook <keescook@chromium.org>

dmesg output of running this LKDTM test with PaX:

[187095.475573] lkdtm: No crash points registered, enable through debugfs
[187118.020257] lkdtm: Performing direct entry WRAP_ATOMIC
[187118.030045] lkdtm: attempting atomic underflow
[187118.030929] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.071667] PAX: refcount overflow occured at: lkdtm_do_action+0x19e/0x400 [lkdtm]
[187118.081423] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.083403] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.102596] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.111321] RIP: 0010:[<ffffffffc00fc2fe>]  [<ffffffffc00fc2fe>] lkdtm_do_action+0x19e/0x400 [lkdtm]
...
[187118.128074] lkdtm: attempting atomic overflow
[187118.128080] PAX: refcount overflow detected in: bash:1790, uid/euid: 0/0
[187118.128082] PAX: refcount overflow occured at: lkdtm_do_action+0x1b6/0x400 [lkdtm]
[187118.128085] CPU: 3 PID: 1790 Comm: bash Not tainted 4.2.6-pax-refcount-split+ #2
[187118.128086] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[187118.128088] task: ffff8800da8de040 ti: ffff8800da8e4000 task.ti: ffff8800da8e4000
[187118.128092] RIP: 0010:[<ffffffffc00fc316>]  [<ffffffffc00fc316>] lkdtm_do_action+0x1b6/0x400 [lkdtm]
Signed-off-by: David Windsor <dave@progbits.org>
[cleaned up whitespacing, keescook]
Signed-off-by: Kees Cook <keescook@chromium.org>

The current tests for read/write after free work on slab
allocated memory. Memory straight from the buddy allocator
may behave slightly differently and have a different set
of parameters to test. Add tests for those cases as well.

On a basic x86 boot:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   22.291950] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   22.292983] lkdtm: Writing to the buddy page before free
[   22.293950] lkdtm: Attempting bad write to the buddy page after free

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   32.375601] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   32.379896] lkdtm: Value in memory before free: 12345678
[   32.383854] lkdtm: Attempting to read from freed memory
[   32.389309] lkdtm: Buddy page was not poisoned

On x86 with CONFIG_DEBUG_PAGEALLOC and debug_pagealloc=on:

 # echo WRITE_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   17.475533] lkdtm: Performing direct entry WRITE_BUDDY_AFTER_FREE
[   17.477360] lkdtm: Writing to the buddy page before free
[   17.479089] lkdtm: Attempting bad write to the buddy page after free
[   17.480904] BUG: unable to handle kernel paging request at
ffff88000ebd8000

 # echo READ_BUDDY_AFTER_FREE > /sys/kernel/debug/provoke-crash/DIRECT
[   14.606433] lkdtm: Performing direct entry READ_BUDDY_AFTER_FREE
[   14.607447] lkdtm: Value in memory before free: 12345678
[   14.608161] lkdtm: Attempting to read from freed memory
[   14.608860] BUG: unable to handle kernel paging request at
ffff88000eba3000

Note that arches without ARCH_SUPPORTS_DEBUG_PAGEALLOC may not
produce the same crash.
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Kees Cook <keescook@chromium.org>

The SLUB allocator may use the first word of a freed block to store the
freelist information. This may make it harder to test poisoning
features. Change the WRITE_AFTER_FREE test to better match what
the READ_AFTER_FREE test does and also print out a big more information.
Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
Signed-off-by: Kees Cook <keescook@chromium.org>