forked from luck/tmp_suning_uos_patched
lkdtm: Verify that '__ro_after_init' works correctly
The new __ro_after_init section should be writable before init, but not after. Validate that it gets updated at init and can't be written to afterwards. Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: David Brown <david.brown@linaro.org> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Emese Revfy <re.emese@gmail.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mathias Krause <minipli@googlemail.com> Cc: Michael Ellerman <mpe@ellerman.id.au> Cc: PaX Team <pageexec@freemail.hu> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: kernel-hardening@lists.openwall.com Cc: linux-arch <linux-arch@vger.kernel.org> Link: http://lkml.kernel.org/r/1455748879-21872-6-git-send-email-keescook@chromium.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
This commit is contained in:
parent
c74ba8b348
commit
7cca071ccb
@ -103,6 +103,7 @@ enum ctype {
|
|||||||
CT_EXEC_USERSPACE,
|
CT_EXEC_USERSPACE,
|
||||||
CT_ACCESS_USERSPACE,
|
CT_ACCESS_USERSPACE,
|
||||||
CT_WRITE_RO,
|
CT_WRITE_RO,
|
||||||
|
CT_WRITE_RO_AFTER_INIT,
|
||||||
CT_WRITE_KERN,
|
CT_WRITE_KERN,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -140,6 +141,7 @@ static char* cp_type[] = {
|
|||||||
"EXEC_USERSPACE",
|
"EXEC_USERSPACE",
|
||||||
"ACCESS_USERSPACE",
|
"ACCESS_USERSPACE",
|
||||||
"WRITE_RO",
|
"WRITE_RO",
|
||||||
|
"WRITE_RO_AFTER_INIT",
|
||||||
"WRITE_KERN",
|
"WRITE_KERN",
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -162,6 +164,7 @@ static DEFINE_SPINLOCK(lock_me_up);
|
|||||||
static u8 data_area[EXEC_SIZE];
|
static u8 data_area[EXEC_SIZE];
|
||||||
|
|
||||||
static const unsigned long rodata = 0xAA55AA55;
|
static const unsigned long rodata = 0xAA55AA55;
|
||||||
|
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
|
||||||
|
|
||||||
module_param(recur_count, int, 0644);
|
module_param(recur_count, int, 0644);
|
||||||
MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test");
|
MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test");
|
||||||
@ -503,11 +506,28 @@ static void lkdtm_do_action(enum ctype which)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case CT_WRITE_RO: {
|
case CT_WRITE_RO: {
|
||||||
unsigned long *ptr;
|
/* Explicitly cast away "const" for the test. */
|
||||||
|
unsigned long *ptr = (unsigned long *)&rodata;
|
||||||
|
|
||||||
ptr = (unsigned long *)&rodata;
|
pr_info("attempting bad rodata write at %p\n", ptr);
|
||||||
|
*ptr ^= 0xabcd1234;
|
||||||
|
|
||||||
pr_info("attempting bad write at %p\n", ptr);
|
break;
|
||||||
|
}
|
||||||
|
case CT_WRITE_RO_AFTER_INIT: {
|
||||||
|
unsigned long *ptr = &ro_after_init;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Verify we were written to during init. Since an Oops
|
||||||
|
* is considered a "success", a failure is to just skip the
|
||||||
|
* real test.
|
||||||
|
*/
|
||||||
|
if ((*ptr & 0xAA) != 0xAA) {
|
||||||
|
pr_info("%p was NOT written during init!?\n", ptr);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
pr_info("attempting bad ro_after_init write at %p\n", ptr);
|
||||||
*ptr ^= 0xabcd1234;
|
*ptr ^= 0xabcd1234;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
@ -817,6 +837,9 @@ static int __init lkdtm_module_init(void)
|
|||||||
int n_debugfs_entries = 1; /* Assume only the direct entry */
|
int n_debugfs_entries = 1; /* Assume only the direct entry */
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
/* Make sure we can write to __ro_after_init values during __init */
|
||||||
|
ro_after_init |= 0xAA;
|
||||||
|
|
||||||
/* Register debugfs interface */
|
/* Register debugfs interface */
|
||||||
lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
|
lkdtm_debugfs_root = debugfs_create_dir("provoke-crash", NULL);
|
||||||
if (!lkdtm_debugfs_root) {
|
if (!lkdtm_debugfs_root) {
|
||||||
|
Loading…
Reference in New Issue
Block a user