From: Andrew Morton <akpm@linux-foundation.org>
To: akpm@linux-foundation.org, danielmicay@gmail.com, dja@axtens.net,
keescook@chromium.org, laniel_francis@privacyrequired.com,
linux-mm@kvack.org, mm-commits@vger.kernel.org,
torvalds@linux-foundation.org
Subject: [patch 29/95] drivers/misc/lkdtm: add new file in LKDTM to test fortified strscpy
Date: Tue, 15 Dec 2020 20:43:54 -0800
Message-ID: <20201216044354.s5599strv%akpm@linux-foundation.org>
In-Reply-To: <20201215204156.f05ec694b907845bcfab5c44@linux-foundation.org>
From: Francis Laniel <laniel_francis@privacyrequired.com>
Subject: drivers/misc/lkdtm: add new file in LKDTM to test fortified strscpy
This new test ensures that fortified strscpy has the same behavior as
vanilla strscpy (e.g. returning -E2BIG when src content is truncated).
Finally, it generates a crash at runtime because there is a write overflow
in the destination string.
Link: https://lkml.kernel.org/r/20201122162451.27551-5-laniel_francis@privacyrequired.com
Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Daniel Axtens <dja@axtens.net>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
drivers/misc/lkdtm/Makefile | 1
drivers/misc/lkdtm/core.c | 1
drivers/misc/lkdtm/fortify.c | 82 ++++++++++++++++++++++
drivers/misc/lkdtm/lkdtm.h | 3
tools/testing/selftests/lkdtm/tests.txt | 1
5 files changed, 88 insertions(+)
--- a/drivers/misc/lkdtm/core.c~add-new-file-in-lkdtm-to-test-fortified-strscpy
+++ a/drivers/misc/lkdtm/core.c
@@ -175,6 +175,7 @@ static const struct crashtype crashtypes
CRASHTYPE(USERCOPY_KERNEL),
CRASHTYPE(STACKLEAK_ERASING),
CRASHTYPE(CFI_FORWARD_PROTO),
+ CRASHTYPE(FORTIFIED_STRSCPY),
#ifdef CONFIG_X86_32
CRASHTYPE(DOUBLE_FAULT),
#endif
--- /dev/null
+++ a/drivers/misc/lkdtm/fortify.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2020 Francis Laniel <laniel_francis@privacyrequired.com>
+ *
+ * Add tests related to fortified functions in this file.
+ */
+#include "lkdtm.h"
+#include <linux/string.h>
+#include <linux/slab.h>
+
+
+/*
+ * Calls fortified strscpy to test that it returns the same result as vanilla
+ * strscpy and generate a panic because there is a write overflow (i.e. src
+ * length is greater than dst length).
+ */
+void lkdtm_FORTIFIED_STRSCPY(void)
+{
+ char *src;
+ char dst[5];
+
+ struct {
+ union {
+ char big[10];
+ char src[5];
+ };
+ } weird = { .big = "hello!" };
+ char weird_dst[sizeof(weird.src) + 1];
+
+ src = kstrdup("foobar", GFP_KERNEL);
+
+ if (src == NULL)
+ return;
+
+ /* Vanilla strscpy returns -E2BIG if size is 0. */
+ if (strscpy(dst, src, 0) != -E2BIG)
+ pr_warn("FAIL: strscpy() of 0 length did not return -E2BIG\n");
+
+ /* Vanilla strscpy returns -E2BIG if src is truncated. */
+ if (strscpy(dst, src, sizeof(dst)) != -E2BIG)
+ pr_warn("FAIL: strscpy() did not return -E2BIG while src is truncated\n");
+
+ /* After above call, dst must contain "foob" because src was truncated. */
+ if (strncmp(dst, "foob", sizeof(dst)) != 0)
+ pr_warn("FAIL: after strscpy() dst does not contain \"foob\" but \"%s\"\n",
+ dst);
+
+ /* Shrink src so the strscpy() below succeeds. */
+ src[3] = '\0';
+
+ /*
+ * Vanilla strscpy returns number of character copied if everything goes
+ * well.
+ */
+ if (strscpy(dst, src, sizeof(dst)) != 3)
+ pr_warn("FAIL: strscpy() did not return 3 while src was copied entirely truncated\n");
+
+ /* After above call, dst must contain "foo" because src was copied. */
+ if (strncmp(dst, "foo", sizeof(dst)) != 0)
+ pr_warn("FAIL: after strscpy() dst does not contain \"foo\" but \"%s\"\n",
+ dst);
+
+ /* Test when src is embedded inside a union. */
+ strscpy(weird_dst, weird.src, sizeof(weird_dst));
+
+ if (strcmp(weird_dst, "hello") != 0)
+ pr_warn("FAIL: after strscpy() weird_dst does not contain \"hello\" but \"%s\"\n",
+ weird_dst);
+
+ /* Restore src to its initial value. */
+ src[3] = 'b';
+
+ /*
+ * Use strlen here so size cannot be known at compile time and there is
+ * a runtime write overflow.
+ */
+ strscpy(dst, src, strlen(src));
+
+ pr_warn("FAIL: No overflow in above strscpy()\n");
+
+ kfree(src);
+}
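Review bot: the warning text in the `!= 3` check contradicts itself ("did not return 3 while src was copied entirely truncated"); since that call copies the shrunk "foo" without truncation, "while src was copied entirely" reads correctly. The final `strscpy(dst, src, strlen(src))` passes a size of 6 for the 5-byte `dst`, so the fortified check on the destination size is expected to fire before any byte is written, and the `pr_warn("FAIL: No overflow ...")` that follows is reachable only when that check did not trigger, which is the right way round. Minor style point: there are two consecutive blank lines between the `#include <linux/slab.h>` line and the function comment block; one is enough.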
--- a/drivers/misc/lkdtm/lkdtm.h~add-new-file-in-lkdtm-to-test-fortified-strscpy
+++ a/drivers/misc/lkdtm/lkdtm.h
@@ -104,4 +104,7 @@ void lkdtm_STACKLEAK_ERASING(void);
/* cfi.c */
void lkdtm_CFI_FORWARD_PROTO(void);
+/* fortify.c */
+void lkdtm_FORTIFIED_STRSCPY(void);
+
#endif
--- a/drivers/misc/lkdtm/Makefile~add-new-file-in-lkdtm-to-test-fortified-strscpy
+++ a/drivers/misc/lkdtm/Makefile
@@ -10,6 +10,7 @@ lkdtm-$(CONFIG_LKDTM) += rodata_objcopy
lkdtm-$(CONFIG_LKDTM) += usercopy.o
lkdtm-$(CONFIG_LKDTM) += stackleak.o
lkdtm-$(CONFIG_LKDTM) += cfi.o
+lkdtm-$(CONFIG_LKDTM) += fortify.o
KASAN_SANITIZE_rodata.o := n
KASAN_SANITIZE_stackleak.o := n
--- a/tools/testing/selftests/lkdtm/tests.txt~add-new-file-in-lkdtm-to-test-fortified-strscpy
+++ a/tools/testing/selftests/lkdtm/tests.txt
@@ -68,3 +68,4 @@ USERCOPY_STACK_BEYOND
USERCOPY_KERNEL
STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
CFI_FORWARD_PROTO
+FORTIFIED_STRSCPY
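To make the strscpy contract that the LKDTM test above checks concrete outside the kernel, here is an added userspace model (not the kernel's implementation and not part of this patch): a strscpy() stand-in with the documented return values, plus a stand-in for the FORTIFY_SOURCE destination-size check that returns -EINVAL where the kernel would call fortify_panic(). It assumes only a 5-byte dst and the "foobar" source used by lkdtm_FORTIFIED_STRSCPY(); the source-side fortify check is not modelled.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Userspace model of the kernel's strscpy() contract: copy at most
 * size-1 bytes, always NUL-terminate when size > 0, return the number of
 * bytes copied, or -E2BIG when size is 0 or src did not fit (dst then
 * holds the truncated prefix). Byte-at-a-time, unlike the kernel's
 * word-at-a-time copy; the observable results are the same. */
ssize_t model_strscpy(char *dst, const char *src, size_t size)
{
	size_t len;

	if (size == 0)
		return -E2BIG;
	len = strnlen(src, size);
	if (len == size) {		/* no NUL within size-1 bytes: truncate */
		memcpy(dst, src, size - 1);
		dst[size - 1] = '\0';
		return -E2BIG;
	}
	memcpy(dst, src, len + 1);
	return (ssize_t)len;
}

/* Model of the FORTIFY_SOURCE runtime check around strscpy(): dst_size
 * stands in for __builtin_object_size(dst, 1), which the compiler knows
 * for a fixed-size array. If the caller-supplied size exceeds it, the
 * kernel calls fortify_panic() before writing; here -EINVAL is returned
 * instead (assumed stand-in) so the check can be exercised in a test. */
ssize_t fortified_strscpy(char *dst, size_t dst_size, const char *src,
			  size_t size)
{
	if (size > dst_size)
		return -EINVAL;		/* stands in for fortify_panic() */
	return model_strscpy(dst, src, size);
}

/* Replays the call sequence of lkdtm_FORTIFIED_STRSCPY() on a 5-byte dst
 * (constructed input) and returns 1 when every observation matches. */
int replay_lkdtm_sequence(void)
{
	char dst[5];
	char src[] = "foobar";

	if (model_strscpy(dst, src, 0) != -E2BIG) return 0;
	if (model_strscpy(dst, src, sizeof(dst)) != -E2BIG) return 0;
	if (strcmp(dst, "foob") != 0) return 0;
	src[3] = '\0';				/* shrink to "foo" */
	if (model_strscpy(dst, src, sizeof(dst)) != 3) return 0;
	if (strcmp(dst, "foo") != 0) return 0;
	src[3] = 'b';				/* restore "foobar" */
	/* strlen(src) == 6 > sizeof(dst) == 5: the fortify check fires. */
	return fortified_strscpy(dst, sizeof(dst), src, strlen(src)) == -EINVAL;
}
```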