From: Elena Reshetova <elena.reshetova@intel.com>
To: kernel-hardening@lists.openwall.com
Cc: keescook@chromium.org, Hans Liljestrand <ishkamiel@gmail.com>,
Elena Reshetova <elena.reshetova@intel.com>,
David Windsor <dwindsor@gmail.com>
Subject: [kernel-hardening] [RFC PATCH 13/13] lkdtm: add tests for atomic over-/underflow
Date: Mon, 3 Oct 2016 09:41:26 +0300 [thread overview]
Message-ID: <1475476886-26232-14-git-send-email-elena.reshetova@intel.com> (raw)
In-Reply-To: <1475476886-26232-1-git-send-email-elena.reshetova@intel.com>
From: Hans Liljestrand <ishkamiel@gmail.com>
This adds additional tests for modified atomic
functions.
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
drivers/misc/lkdtm.h | 17 ++++
drivers/misc/lkdtm_bugs.c | 205 ++++++++++++++++++++++++++++++++++++++++++++++
drivers/misc/lkdtm_core.c | 17 ++++
3 files changed, 239 insertions(+)
diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index cfa1039..224713a 100644
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -20,7 +20,24 @@ void lkdtm_HARDLOCKUP(void);
void lkdtm_SPINLOCKUP(void);
void lkdtm_HUNG_TASK(void);
void lkdtm_ATOMIC_UNDERFLOW(void);
+void lkdtm_ATOMIC_DEC_RETURN_UNDERFLOW(void);
+void lkdtm_ATOMIC_SUB_UNDERFLOW(void);
+void lkdtm_ATOMIC_SUB_RETURN_UNDERFLOW(void);
void lkdtm_ATOMIC_OVERFLOW(void);
+void lkdtm_ATOMIC_INC_RETURN_OVERFLOW(void);
+void lkdtm_ATOMIC_ADD_OVERFLOW(void);
+void lkdtm_ATOMIC_ADD_RETURN_OVERFLOW(void);
+void lkdtm_ATOMIC_ADD_UNLESS_OVERFLOW(void);
+void lkdtm_ATOMIC_INC_AND_TEST_OVERFLOW(void);
+void lkdtm_ATOMIC_LONG_UNDERFLOW(void);
+void lkdtm_ATOMIC_LONG_DEC_RETURN_UNDERFLOW(void);
+void lkdtm_ATOMIC_LONG_SUB_UNDERFLOW(void);
+void lkdtm_ATOMIC_LONG_SUB_RETURN_UNDERFLOW(void);
+void lkdtm_ATOMIC_LONG_OVERFLOW(void);
+void lkdtm_ATOMIC_LONG_INC_RETURN_OVERFLOW(void);
+void lkdtm_ATOMIC_LONG_ADD_OVERFLOW(void);
+void lkdtm_ATOMIC_LONG_ADD_RETURN_OVERFLOW(void);
+void lkdtm_ATOMIC_LONG_SUB_AND_TEST(void);
void lkdtm_CORRUPT_LIST_ADD(void);
void lkdtm_CORRUPT_LIST_DEL(void);
diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
index f336206..f6a09c6 100644
--- a/drivers/misc/lkdtm_bugs.c
+++ b/drivers/misc/lkdtm_bugs.c
@@ -140,6 +140,42 @@ void lkdtm_ATOMIC_UNDERFLOW(void)
atomic_dec(&under);
}
+void lkdtm_ATOMIC_DEC_RETURN_UNDERFLOW(void)
+{
+ atomic_t under = ATOMIC_INIT(INT_MIN);
+
+ pr_info("attempting good atomic_dec_return\n");
+ atomic_inc(&under);
+ atomic_dec_return(&under);
+
+ pr_info("attempting bad atomic_dec_return\n");
+ atomic_dec_return(&under);
+}
+
+void lkdtm_ATOMIC_SUB_UNDERFLOW(void) {
+ atomic_t under = ATOMIC_INIT(INT_MIN);
+
+ pr_info("attempting good atomic subtract\n");
+ atomic_add(10, &under);
+ atomic_sub(10, &under);
+
+ pr_info("attempting bad atomic subtract underflow\n");
+ atomic_sub(10, &under);
+}
+
+void lkdtm_ATOMIC_SUB_RETURN_UNDERFLOW(void)
+{
+ atomic_t under = ATOMIC_INIT(INT_MIN);
+
+ pr_info("attempting good atomic_sub_return\n");
+ atomic_add(10, &under);
+ atomic_sub_return(10, &under);
+
+ pr_info("attempting bad atomic_sub_return underflow\n");
+ atomic_sub_return(10, &under);
+
+}
+
void lkdtm_ATOMIC_OVERFLOW(void)
{
atomic_t over = ATOMIC_INIT(INT_MAX);
@@ -214,3 +250,172 @@ void lkdtm_CORRUPT_LIST_DEL(void)
else
pr_err("list_del() corruption not detected!\n");
}
+
+void lkdtm_ATOMIC_INC_RETURN_OVERFLOW(void)
+{
+ atomic_t over = ATOMIC_INIT(INT_MAX);
+
+ pr_info("attempting good atomic_inc_return\n");
+ atomic_dec(&over);
+ atomic_inc_return(&over);
+
+ pr_info("attempting bad atomic_inc_return overflow\n");
+ atomic_inc_return(&over);
+}
+
+void lkdtm_ATOMIC_ADD_OVERFLOW(void) {
+ atomic_t over = ATOMIC_INIT(INT_MAX);
+
+ pr_info("attempting good atomic add\n");
+ atomic_sub(10, &over);
+ atomic_add(10, &over);
+
+ pr_info("attempting bad atomic add overflow\n");
+ atomic_add(10, &over);
+}
+
+void lkdtm_ATOMIC_ADD_RETURN_OVERFLOW(void)
+{
+ atomic_t over = ATOMIC_INIT(INT_MAX);
+
+ pr_info("attempting good atomic_add_return\n");
+ atomic_sub(10, &over);
+ atomic_add_return(10, &over);
+
+ pr_info("attempting bad atomic_add_return overflow\n");
+ atomic_add_return(10, &over);
+}
+
+void lkdtm_ATOMIC_ADD_UNLESS_OVERFLOW(void)
+{
+ atomic_t over = ATOMIC_INIT(INT_MAX);
+
+ pr_info("attempting good atomic_add_unless\n");
+ atomic_sub(10, &over);
+ atomic_add_unless(&over, 10, 0);
+
+ pr_info("attempting bad atomic_add_unless overflow\n");
+ atomic_add_unless(&over, 10, 0);
+}
+
+void lkdtm_ATOMIC_INC_AND_TEST_OVERFLOW(void)
+{
+ atomic_t over = ATOMIC_INIT(INT_MAX);
+
+ pr_info("attempting good atomic_inc_and_test\n");
+ atomic_dec(&over);
+ atomic_inc_and_test(&over);
+
+ pr_info("attempting bad atomic_inc_and_test overflow\n");
+ atomic_inc_and_test(&over);
+}
+
+void lkdtm_ATOMIC_LONG_UNDERFLOW(void)
+{
+ atomic_long_t under = ATOMIC_LONG_INIT(LONG_MIN);
+
+ pr_info("attempting good atomic_long_dec\n");
+ atomic_long_inc(&under);
+ atomic_long_dec(&under);
+
+ pr_info("attempting bad atomic_long_dec underflow\n");
+ atomic_long_dec(&under);
+}
+
+void lkdtm_ATOMIC_LONG_DEC_RETURN_UNDERFLOW(void)
+{
+ atomic_long_t under = ATOMIC_LONG_INIT(LONG_MIN);
+
+ pr_info("attempting good atomic_long_dec_return\n");
+ atomic_long_inc(&under);
+ atomic_long_dec_return(&under);
+
+ pr_info("attempting bad atomic_long_dec_return underflow\n");
+ atomic_long_dec_return(&under);
+}
+
+void lkdtm_ATOMIC_LONG_SUB_UNDERFLOW(void)
+{
+ atomic_long_t under = ATOMIC_INIT(LONG_MIN);
+
+ pr_info("attempting good atomic_long_sub\n");
+ atomic_long_add(10, &under);
+ atomic_long_sub(10, &under);
+
+ pr_info("attempting bad atomic_long_sub underflow\n");
+ atomic_long_sub(10, &under);
+
+}
+
+void lkdtm_ATOMIC_LONG_SUB_RETURN_UNDERFLOW(void)
+{
+ atomic_long_t under = ATOMIC_INIT(LONG_MIN);
+
+ pr_info("attempting good atomic_long_sub_return \n");
+ atomic_long_add(10, &under);
+ atomic_long_sub_return(10, &under);
+
+ pr_info("attempting bad atomic_long_sub_return underflow\n");
+ atomic_long_sub_return(10, &under);
+
+}
+
+void lkdtm_ATOMIC_LONG_OVERFLOW(void)
+{
+ atomic_long_t over = ATOMIC_LONG_INIT(LONG_MAX);
+
+ pr_info("attempting good atomic_long_inc\n");
+ atomic_long_dec(&over);
+ atomic_long_inc(&over);
+
+ pr_info("attempting bad atomic_long_inc overflow\n");
+ atomic_long_inc(&over);
+}
+
+void lkdtm_ATOMIC_LONG_INC_RETURN_OVERFLOW(void)
+{
+ atomic_long_t over = ATOMIC_LONG_INIT(LONG_MAX);
+
+ pr_info("attempting good atomic_ong_inc_return\n");
+ atomic_long_dec(&over);
+ atomic_long_inc_return(&over);
+
+ pr_info("attempting bad atomic_long_inc_return overflow\n");
+ atomic_long_inc_return(&over);
+}
+
+void lkdtm_ATOMIC_LONG_ADD_OVERFLOW(void)
+{
+ atomic_long_t over = ATOMIC_LONG_INIT(LONG_MAX);
+
+ pr_info("attempting good atomic_long_add\n");
+ atomic_long_sub(10, &over);
+ atomic_long_add(10, &over);
+
+ pr_info("attempting bad atomic_long_add overflow\n");
+ atomic_long_add(10, &over);
+}
+
+void lkdtm_ATOMIC_LONG_ADD_RETURN_OVERFLOW(void)
+{
+ atomic_long_t over = ATOMIC_LONG_INIT(LONG_MAX);
+
+ pr_info("attempting good atomic_long_add_return\n");
+ atomic_long_sub(10, &over);
+ atomic_long_add_return(10, &over);
+
+ pr_info("attempting bad atomic_long_add_return overflow\n");
+ atomic_long_add_return(10, &over);
+}
+
+void lkdtm_ATOMIC_LONG_SUB_AND_TEST(void)
+{
+ atomic_long_t over = ATOMIC_LONG_INIT(LONG_MIN);
+
+ pr_info("attempting good atomic_long_sub_and_test\n");
+ atomic_long_add(10, &over);
+ atomic_long_sub_and_test(10, &over);
+
+ pr_info("attempting bad atomic_long_sub_and_test overflow\n");
+ atomic_long_sub_and_test(10, &over);
+}
diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index 7eeb71a..4b05803 100644
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -221,7 +221,24 @@ struct crashtype crashtypes[] = {
CRASHTYPE(WRITE_RO_AFTER_INIT),
CRASHTYPE(WRITE_KERN),
CRASHTYPE(ATOMIC_UNDERFLOW),
+ CRASHTYPE(ATOMIC_DEC_RETURN_UNDERFLOW),
+ CRASHTYPE(ATOMIC_SUB_UNDERFLOW),
+ CRASHTYPE(ATOMIC_SUB_RETURN_UNDERFLOW),
CRASHTYPE(ATOMIC_OVERFLOW),
+ CRASHTYPE(ATOMIC_INC_RETURN_OVERFLOW),
+ CRASHTYPE(ATOMIC_ADD_OVERFLOW),
+ CRASHTYPE(ATOMIC_ADD_RETURN_OVERFLOW),
+ CRASHTYPE(ATOMIC_ADD_UNLESS_OVERFLOW),
+ CRASHTYPE(ATOMIC_INC_AND_TEST_OVERFLOW),
+ CRASHTYPE(ATOMIC_LONG_UNDERFLOW),
+ CRASHTYPE(ATOMIC_LONG_DEC_RETURN_UNDERFLOW),
+ CRASHTYPE(ATOMIC_LONG_SUB_UNDERFLOW),
+ CRASHTYPE(ATOMIC_LONG_SUB_RETURN_UNDERFLOW),
+ CRASHTYPE(ATOMIC_LONG_OVERFLOW),
+ CRASHTYPE(ATOMIC_LONG_INC_RETURN_OVERFLOW),
+ CRASHTYPE(ATOMIC_LONG_ADD_OVERFLOW),
+ CRASHTYPE(ATOMIC_LONG_ADD_RETURN_OVERFLOW),
+ CRASHTYPE(ATOMIC_LONG_SUB_AND_TEST),
CRASHTYPE(USERCOPY_HEAP_SIZE_TO),
CRASHTYPE(USERCOPY_HEAP_SIZE_FROM),
CRASHTYPE(USERCOPY_HEAP_FLAG_TO),
--
2.7.4
next prev parent reply other threads:[~2016-10-03 6:41 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-03 6:41 [kernel-hardening] [RFC PATCH 00/13] HARDENING_ATOMIC feature Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 01/13] Add architecture independent hardened atomic base Elena Reshetova
2016-10-03 21:10 ` [kernel-hardening] " Kees Cook
2016-10-03 21:26 ` David Windsor
2016-10-03 21:38 ` Kees Cook
2016-10-04 7:05 ` [kernel-hardening] " Reshetova, Elena
2016-10-05 15:37 ` [kernel-hardening] " Dave Hansen
2016-10-04 7:07 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 6:54 ` Reshetova, Elena
2016-10-04 7:23 ` Reshetova, Elena
2016-10-12 8:26 ` [kernel-hardening] " AKASHI Takahiro
2016-10-12 17:25 ` Reshetova, Elena
2016-10-12 22:50 ` Kees Cook
2016-10-13 14:31 ` Hans Liljestrand
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 02/13] percpu-refcount: leave atomic counter unprotected Elena Reshetova
2016-10-03 21:12 ` [kernel-hardening] " Kees Cook
2016-10-04 6:24 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 13:06 ` [kernel-hardening] " Hans Liljestrand
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 03/13] kernel: identify wrapping atomic usage Elena Reshetova
2016-10-03 21:13 ` [kernel-hardening] " Kees Cook
2016-10-04 6:28 ` [kernel-hardening] " Reshetova, Elena
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 04/13] mm: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 05/13] fs: " Elena Reshetova
2016-10-03 21:57 ` Jann Horn
2016-10-03 22:21 ` Kees Cook
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 06/13] net: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 07/13] net: atm: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 08/13] security: " Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 09/13] drivers: identify wrapping atomic usage (part 1/2) Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 10/13] drivers: identify wrapping atomic usage (part 2/2) Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 11/13] x86: identify wrapping atomic usage Elena Reshetova
2016-10-03 6:41 ` [kernel-hardening] [RFC PATCH 12/13] x86: x86 implementation for HARDENED_ATOMIC Elena Reshetova
2016-10-03 9:47 ` Jann Horn
2016-10-04 7:15 ` Reshetova, Elena
2016-10-04 12:46 ` Jann Horn
2016-10-03 19:27 ` Dave Hansen
2016-10-03 22:49 ` David Windsor
2016-10-04 12:41 ` Jann Horn
2016-10-04 18:51 ` Kees Cook
2016-10-04 19:48 ` Jann Horn
2016-10-05 15:39 ` Dave Hansen
2016-10-05 16:18 ` Jann Horn
2016-10-05 16:32 ` Dave Hansen
2016-10-03 21:29 ` [kernel-hardening] " Kees Cook
2016-10-03 6:41 ` Elena Reshetova [this message]
2016-10-03 21:35 ` [kernel-hardening] Re: [RFC PATCH 13/13] lkdtm: add tests for atomic over-/underflow Kees Cook
2016-10-04 6:27 ` [kernel-hardening] " Reshetova, Elena
2016-10-04 6:40 ` [kernel-hardening] " Hans Liljestrand
2016-10-03 8:14 ` [kernel-hardening] [RFC PATCH 00/13] HARDENING_ATOMIC feature AKASHI Takahiro
2016-10-03 8:13 ` Reshetova, Elena
2016-10-03 21:01 ` [kernel-hardening] " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1475476886-26232-14-git-send-email-elena.reshetova@intel.com \
--to=elena.reshetova@intel.com \
--cc=dwindsor@gmail.com \
--cc=ishkamiel@gmail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.