* [PATCH 0/4] lkdtm: various improvements
From: Kees Cook @ 2013-06-22 18:37 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom

This series adds several new test targets that have been useful when
testing various kernel crash conditions while working on Chrome OS,
and corrects the CORRUPT_STACK trigger as well.

Thanks,

-Kees



* [PATCH 1/4] lkdtm: fix stack protector trigger
From: Kees Cook @ 2013-06-22 18:37 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom,
	Kees Cook

The -fstack-protector compiler flag will only build stack protections if
a character array is seen. Additionally, the offset to the saved
instruction pointer changes based on architecture, so stomp much harder
(64 bytes) when corrupting the stack.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 08aad69..adb6bde 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -295,10 +295,10 @@ static void lkdtm_do_action(enum ctype which)
 		(void) recursive_loop(0);
 		break;
 	case CT_CORRUPT_STACK: {
-		volatile u32 data[8];
-		volatile u32 *p = data;
+		/* Make sure the compiler creates and uses an 8 char array. */
+		volatile char data[8];
 
-		p[12] = 0x12345678;
+		memset((void *)data, 0, 64);
 		break;
 	}
 	case CT_UNALIGNED_LOAD_STORE_WRITE: {
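Review bot: the `64` in `memset((void *)data, 0, 64)` is a magic number that only the commit message explains; the reasoning (an 8-byte array, deliberately overshot by 64 bytes so the saved return address is reached on every architecture) belongs in the code, either as an extension of the `/* Make sure the compiler creates and uses an 8 char array. */` comment or as a named constant, so that a later reader does not "fix" the overflow. Note also that the `(void *)` cast drops the `volatile` qualifier and `data` is never read afterwards, so an optimizing compiler is entitled to treat the memset as a dead store into a dying local; reading `data` back after the memset, or a `barrier()` placed after it, would keep the store from being elided.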
-- 
1.7.9.5



* [PATCH 2/4] lkdtm: add "WARNING" trigger
From: Kees Cook @ 2013-06-22 18:37 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom,
	Kees Cook

For additional testing, add "WARNING" as a trigger that calls WARN_ON(1).

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index adb6bde..b1323fc 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -68,6 +68,7 @@ enum ctype {
 	CT_NONE,
 	CT_PANIC,
 	CT_BUG,
+	CT_WARNING,
 	CT_EXCEPTION,
 	CT_LOOP,
 	CT_OVERFLOW,
@@ -95,6 +96,7 @@ static char* cp_name[] = {
 static char* cp_type[] = {
 	"PANIC",
 	"BUG",
+	"WARNING",
 	"EXCEPTION",
 	"LOOP",
 	"OVERFLOW",
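Review bot: `cp_type[]` is matched to the `ctype` enum by position, so the `"WARNING"` string must sit at exactly the same offset as `CT_WARNING` in the previous hunk (it does here: both after BUG, before EXCEPTION); a one-line comment above the array noting that the two lists must be kept in step would protect the next person who adds a trigger. Since this string is the user-facing name written to select the trigger, the new name should also be added wherever the existing trigger names are documented for users of the module.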
@@ -284,6 +286,9 @@ static void lkdtm_do_action(enum ctype which)
 	case CT_BUG:
 		BUG();
 		break;
+	case CT_WARNING:
+		WARN_ON(1);
+		break;
 	case CT_EXCEPTION:
 		*((int *) 0) = 0;
 		break;
-- 
1.7.9.5



* [PATCH 3/4] lkdtm: add "SPINLOCKUP" trigger
From: Kees Cook @ 2013-06-22 18:37 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom,
	Kees Cook

For additional lockup testing, add "SPINLOCKUP" to trigger a spinlock
deadlock when triggered twice.

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index b1323fc..8bc7f0b 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -78,6 +78,7 @@ enum ctype {
 	CT_WRITE_AFTER_FREE,
 	CT_SOFTLOCKUP,
 	CT_HARDLOCKUP,
+	CT_SPINLOCKUP,
 	CT_HUNG_TASK,
 };
 
@@ -106,6 +107,7 @@ static char* cp_type[] = {
 	"WRITE_AFTER_FREE",
 	"SOFTLOCKUP",
 	"HARDLOCKUP",
+	"SPINLOCKUP",
 	"HUNG_TASK",
 };
 
@@ -123,6 +125,7 @@ static enum cname cpoint = CN_INVALID;
 static enum ctype cptype = CT_NONE;
 static int count = DEFAULT_COUNT;
 static DEFINE_SPINLOCK(count_lock);
+static DEFINE_SPINLOCK(lock_me_up);
 
 module_param(recur_count, int, 0644);
 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test, "\
@@ -345,6 +348,10 @@ static void lkdtm_do_action(enum ctype which)
 		for (;;)
 			cpu_relax();
 		break;
+	case CT_SPINLOCKUP:
+		/* Must be called twice to trigger. */
+		spin_lock(&lock_me_up);
+		break;
 	case CT_HUNG_TASK:
 		set_current_state(TASK_UNINTERRUPTIBLE);
 		schedule();
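Review bot: `lkdtm_do_action()` now returns with `lock_me_up` held, which sparse reports as a context imbalance; adding `__release(&lock_me_up);` after the `spin_lock(&lock_me_up);` documents that leaving with the lock held is intentional and keeps the build warning-free. The comment `/* Must be called twice to trigger. */` should also say what the first call does: `spin_lock()` disables preemption, so the first trigger hands control back with preemption still disabled and a non-zero preempt count, and the kernel can report that (scheduling while atomic or similar) well before the second trigger produces the intended deadlock.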
-- 
1.7.9.5



* [PATCH 4/4] lkdtm: add "EXEC_*" triggers
From: Kees Cook @ 2013-06-22 18:37 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom,
	Kees Cook

Add new crash locations that attempt to execute non-executable memory
regions (data segment, stack, kmalloc, vmalloc).

Signed-off-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm.c |   44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 8bc7f0b..34712c8 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -50,6 +50,7 @@
 
 #define DEFAULT_COUNT 10
 #define REC_NUM_DEFAULT 10
+#define EXEC_SIZE 64
 
 enum cname {
 	CN_INVALID,
@@ -80,6 +81,10 @@ enum ctype {
 	CT_HARDLOCKUP,
 	CT_SPINLOCKUP,
 	CT_HUNG_TASK,
+	CT_EXEC_DATA,
+	CT_EXEC_STACK,
+	CT_EXEC_KMALLOC,
+	CT_EXEC_VMALLOC,
 };
 
 static char* cp_name[] = {
@@ -109,6 +114,10 @@ static char* cp_type[] = {
 	"HARDLOCKUP",
 	"SPINLOCKUP",
 	"HUNG_TASK",
+	"EXEC_DATA",
+	"EXEC_STACK",
+	"EXEC_KMALLOC",
+	"EXEC_VMALLOC",
 };
 
 static struct jprobe lkdtm;
@@ -127,6 +136,8 @@ static int count = DEFAULT_COUNT;
 static DEFINE_SPINLOCK(count_lock);
 static DEFINE_SPINLOCK(lock_me_up);
 
+static u8 data_area[EXEC_SIZE];
+
 module_param(recur_count, int, 0644);
 MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test, "\
 				 "default is 10");
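Review bot: `data_area` has no initializer, so the linker places it in .bss rather than the initialized data segment, while the trigger that uses it is called `EXEC_DATA` and the commit message says "data segment". If the intent is specifically .data, give the array a non-zero initializer; otherwise say in a comment that .bss is what is being exercised, so the test name is not read as covering more than it does.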
@@ -280,6 +291,19 @@ static int recursive_loop(int a)
         	return recursive_loop(a);
 }
 
+static void do_nothing(void)
+{
+	return;
+}
+
+static void execute_location(void *dst)
+{
+	void (*func)(void) = dst;
+
+	memcpy(dst, do_nothing, EXEC_SIZE);
+	func();
+}
+
 static void lkdtm_do_action(enum ctype which)
 {
 	switch (which) {
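Review bot: `memcpy(dst, do_nothing, EXEC_SIZE)` assumes that the value of `do_nothing` is the address of the function's first instruction, which does not hold on architectures that use function descriptors (the pointer names the descriptor, not the code) or Thumb-2 (the low bit of the address is set); resolve the descriptor or clear the mode bit before copying, or restrict the `EXEC_*` triggers to architectures where a plain function pointer is the code address. The copy is also a fixed 64 bytes regardless of how short `do_nothing` is, so it reads past the end of the function into whatever follows it in .text; that is harmless for a read but deserves a comment. Finally, if the target region unexpectedly is executable (the failure this test exists to detect), the copied instructions may still be visible only through the data cache; a `flush_icache_range()` over `dst` to `dst + EXEC_SIZE` after the memcpy makes the observed behaviour well-defined instead of architecture-dependent.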
@@ -356,6 +380,26 @@ static void lkdtm_do_action(enum ctype which)
 		set_current_state(TASK_UNINTERRUPTIBLE);
 		schedule();
 		break;
+	case CT_EXEC_DATA:
+		execute_location(data_area);
+		break;
+	case CT_EXEC_STACK: {
+		u8 stack_area[EXEC_SIZE];
+		execute_location(stack_area);
+		break;
+	}
+	case CT_EXEC_KMALLOC: {
+		u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);
+		execute_location(kmalloc_area);
+		kfree(kmalloc_area);
+		break;
+	}
+	case CT_EXEC_VMALLOC: {
+		u32 *vmalloc_area = vmalloc(EXEC_SIZE);
+		execute_location(vmalloc_area);
+		vfree(vmalloc_area);
+		break;
+	}
 	case CT_NONE:
 	default:
 		break;
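Review bot: missing NULL checks: the return values of `kmalloc()` and `vmalloc()` go straight into `execute_location()`, so an allocation failure turns into a NULL dereference inside `memcpy()` instead of the intended execute-from-heap fault, and the test result would be misreported. Check for NULL and skip the trigger (with a `pr_warn()`) in that case. The `u32 *` type of `kmalloc_area` and `vmalloc_area` is also at odds with `EXEC_SIZE` being a byte count; `void *` or `u8 *` matches `data_area` and `stack_area` and avoids implying a 32-bit element size.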
-- 
1.7.9.5



* Re: [PATCH 1/4] lkdtm: fix stack protector trigger
From: Kees Cook @ 2013-07-08 13:09 UTC
  To: LKML
  Cc: Greg Kroah-Hartman, Arnd Bergmann, Ankita Garg, Simon Kagstrom,
	Kees Cook

Hi,

I'd like to get this series added to lkdtm. Can someone take a moment
to review or ack them?

Thanks,

-Kees

On Sat, Jun 22, 2013 at 11:37 AM, Kees Cook <keescook@chromium.org> wrote:
> The -fstack-protector compiler flag will only build stack protections if
> a character array is seen. Additionally, the offset to the saved
> instruction pointer changes based on architecture, so stomp much harder
> (64 bytes) when corrupting the stack.
>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/misc/lkdtm.c |    6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
> index 08aad69..adb6bde 100644
> --- a/drivers/misc/lkdtm.c
> +++ b/drivers/misc/lkdtm.c
> @@ -295,10 +295,10 @@ static void lkdtm_do_action(enum ctype which)
>                 (void) recursive_loop(0);
>                 break;
>         case CT_CORRUPT_STACK: {
> -               volatile u32 data[8];
> -               volatile u32 *p = data;
> +               /* Make sure the compiler creates and uses an 8 char array. */
> +               volatile char data[8];
>
> -               p[12] = 0x12345678;
> +               memset((void *)data, 0, 64);
>                 break;
>         }
>         case CT_UNALIGNED_LOAD_STORE_WRITE: {
> --
> 1.7.9.5
>



-- 
Kees Cook
Chrome OS Security


* Re: [PATCH 1/4] lkdtm: fix stack protector trigger
From: Greg Kroah-Hartman @ 2013-07-08 16:42 UTC
  To: Kees Cook; +Cc: LKML, Arnd Bergmann, Ankita Garg, Simon Kagstrom

On Mon, Jul 08, 2013 at 06:09:50AM -0700, Kees Cook wrote:
> Hi,
> 
> I'd like to get this series added to lkdtm. Can someone take a moment
> to review or ack them?

I don't see these in my queue at all, did you copy me the first time
around on them?

Care to resend them?  Everything is on hold until 3.11-rc1 is out for
new stuff like this, so you'll have to wait until then at the earliest.

thanks,

greg k-h


* Re: [PATCH 1/4] lkdtm: fix stack protector trigger
From: Kees Cook @ 2013-07-08 16:59 UTC
  To: Greg Kroah-Hartman; +Cc: LKML, Arnd Bergmann, Ankita Garg, Simon Kagstrom

On Mon, Jul 8, 2013 at 9:42 AM, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Mon, Jul 08, 2013 at 06:09:50AM -0700, Kees Cook wrote:
>> Hi,
>>
>> I'd like to get this series added to lkdtm. Can someone take a moment
>> to review or ack them?
>
> I don't see these in my queue at all, did you copy me the first time
> around on them?

Yup. June 22nd.

> Care to resend them?  Everything is on hold until 3.11-rc1 is out for
> new stuff like this, so you'll have to wait until then at the earliest.

Sure, no problem.

-Kees

--
Kees Cook
Chrome OS Security

