diff options
author | Kees Cook <keescook@chromium.org> | 2014-02-09 13:48:48 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2014-02-14 12:30:20 -0800 |
commit | dc2b9e9069780774c01a06e0ea8dce0c705f1812 (patch) | |
tree | 1be055211e27aeddf72cc09c33b5c55daae4db8a | |
parent | aac416fc38cdfd45139a6917eb3f6b77cd00a24f (diff) |
lkdtm: add "WRITE_KERN" test
Add "WRITE_KERN" crash target to validate that kernel executable memory
is not writable.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/misc/lkdtm.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c index d6ee1aae3e72..d30301149242 100644 --- a/drivers/misc/lkdtm.c +++ b/drivers/misc/lkdtm.c @@ -102,6 +102,7 @@ enum ctype { CT_EXEC_USERSPACE, CT_ACCESS_USERSPACE, CT_WRITE_RO, + CT_WRITE_KERN, }; static char* cp_name[] = { @@ -138,6 +139,7 @@ static char* cp_type[] = { "EXEC_USERSPACE", "ACCESS_USERSPACE", "WRITE_RO", + "WRITE_KERN", }; static struct jprobe lkdtm; @@ -317,6 +319,13 @@ static void do_nothing(void) return; } +/* Must immediately follow do_nothing for size calculuations to work out. */ +static void do_overwritten(void) +{ + pr_info("do_overwritten wasn't overwritten!\n"); + return; +} + static noinline void corrupt_stack(void) { /* Use default char array length that triggers stack protection. */ @@ -496,6 +505,22 @@ static void lkdtm_do_action(enum ctype which) break; } + case CT_WRITE_KERN: { + size_t size; + unsigned char *ptr; + + size = (unsigned long)do_overwritten - + (unsigned long)do_nothing; + ptr = (unsigned char *)do_overwritten; + + pr_info("attempting bad %zu byte write at %p\n", size, ptr); + memcpy(ptr, (unsigned char *)do_nothing, size); + flush_icache_range((unsigned long)ptr, + (unsigned long)(ptr + size)); + + do_overwritten(); + break; + } case CT_NONE: default: break; |