lkdtm: tests for FORTIFY_SOURCE

Add code to test both:

 - runtime detection of the overrun of a structure. This covers the
   __builtin_object_size(x, 0) case. This test is called FORTIFY_OBJECT.

 - runtime detection of the overrun of a char array within a structure.
   This covers the __builtin_object_size(x, 1) case which can be used
   for some string functions. This test is called FORTIFY_SUBOBJECT.

Link: https://lkml.kernel.org/r/20201122162451.27551-3-laniel_francis@privacyrequired.com
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com>
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Daniel Micay <danielmicay@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index a0675d4154d2fdaff4e8f8f1c08d7a79143246e7..110f5a8538e9662b39f5bf5003d5a00647c76ebb 100644 (file)
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -482,3 +482,53 @@ noinline void lkdtm_CORRUPT_PAC(void)
        pr_err("XFAIL: this test is arm64-only\n");
 #endif
 }
+
+void lkdtm_FORTIFY_OBJECT(void)
+{
+       struct target {
+               char a[10];
+       } target[2] = {};
+       int result;
+
+       /*
+        * Using volatile prevents the compiler from determining the value of
+        * 'size' at compile time. Without that, we would get a compile error
+        * rather than a runtime error.
+        */
+       volatile int size = 11;
+
+       pr_info("trying to read past the end of a struct\n");
+
+       result = memcmp(&target[0], &target[1], size);
+
+       /* Print result to prevent the code from being eliminated */
+       pr_err("FAIL: fortify did not catch an object overread!\n"
+              "\"%d\" was the memcmp result.\n", result);
+}
+
+void lkdtm_FORTIFY_SUBOBJECT(void)
+{
+       struct target {
+               char a[10];
+               char b[10];
+       } target;
+       char *src;
+
+       src = kmalloc(20, GFP_KERNEL);
+       strscpy(src, "over ten bytes", 20);
+
+       pr_info("trying to strcpy past the end of a member of a struct\n");
+
+       /*
+        * strncpy(target.a, src, 20); will hit a compile error because the
+        * compiler knows at build time that target.a < 20 bytes. Use strcpy()
+        * to force a runtime error.
+        */
+       strcpy(target.a, src);
+
+       /* Use target.a to prevent the code from being eliminated */
+       pr_err("FAIL: fortify did not catch an sub-object overrun!\n"
+              "\"%s\" was copied.\n", target.a);
+
+       kfree(src);
+}

diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 97803f213d9d455625c830840aae89acf4caa155..b8c51a633fcc8e8a229ea1037df2ef54fc0f471f 100644 (file)
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -117,6 +117,8 @@ static const struct crashtype crashtypes[] = {
        CRASHTYPE(UNSET_SMEP),
        CRASHTYPE(CORRUPT_PAC),
        CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),
+       CRASHTYPE(FORTIFY_OBJECT),
+       CRASHTYPE(FORTIFY_SUBOBJECT),
        CRASHTYPE(OVERWRITE_ALLOCATION),
        CRASHTYPE(WRITE_AFTER_FREE),
        CRASHTYPE(READ_AFTER_FREE),

diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 6dec4c9b442ff34e9c516e54ee8d4706af7ad0bd..49e6b945feb7ec668d32ce971ed6a63b8134a28a 100644 (file)
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -32,6 +32,8 @@ void lkdtm_STACK_GUARD_PAGE_TRAILING(void);
 void lkdtm_UNSET_SMEP(void);
 void lkdtm_DOUBLE_FAULT(void);
 void lkdtm_CORRUPT_PAC(void);
+void lkdtm_FORTIFY_OBJECT(void);
+void lkdtm_FORTIFY_SUBOBJECT(void);
 
 /* lkdtm_heap.c */
 void __init lkdtm_heap_init(void);