drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks

Adds LKDTM tests for arithmetic overflow (both signed and unsigned), as
well as array bounds checking.

Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Acked-by: Dmitry Vyukov <[email protected]>
Cc: Alexander Potapenko <[email protected]>
Cc: Andrey Konovalov <[email protected]>
Cc: Andrey Ryabinin <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: Arnd Bergmann <[email protected]>
Cc: Dan Carpenter <[email protected]>
Cc: Elena Petrova <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Linus Torvalds <[email protected]>

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index cc92bc3ed8203761a44dc76fcaa277c05a31bfa6..886459e0ddd98c15ed2c61bc2e96483abc9adda5 100644 (file)
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -11,6 +11,7 @@
 #include <linux/sched/signal.h>
 #include <linux/sched/task_stack.h>
 #include <linux/uaccess.h>
+#include <linux/slab.h>
 
 #ifdef CONFIG_X86_32
 #include <asm/desc.h>
@@ -175,6 +176,80 @@ void lkdtm_HUNG_TASK(void)
        schedule();
 }
 
+volatile unsigned int huge = INT_MAX - 2;
+volatile unsigned int ignored;
+
+void lkdtm_OVERFLOW_SIGNED(void)
+{
+       int value;
+
+       value = huge;
+       pr_info("Normal signed addition ...\n");
+       value += 1;
+       ignored = value;
+
+       pr_info("Overflowing signed addition ...\n");
+       value += 4;
+       ignored = value;
+}
+
+
+void lkdtm_OVERFLOW_UNSIGNED(void)
+{
+       unsigned int value;
+
+       value = huge;
+       pr_info("Normal unsigned addition ...\n");
+       value += 1;
+       ignored = value;
+
+       pr_info("Overflowing unsigned addition ...\n");
+       value += 4;
+       ignored = value;
+}
+
+/* Intentially using old-style flex array definition of 1 byte. */
+struct array_bounds_flex_array {
+       int one;
+       int two;
+       char data[1];
+};
+
+struct array_bounds {
+       int one;
+       int two;
+       char data[8];
+       int three;
+};
+
+void lkdtm_ARRAY_BOUNDS(void)
+{
+       struct array_bounds_flex_array *not_checked;
+       struct array_bounds *checked;
+       volatile int i;
+
+       not_checked = kmalloc(sizeof(*not_checked) * 2, GFP_KERNEL);
+       checked = kmalloc(sizeof(*checked) * 2, GFP_KERNEL);
+
+       pr_info("Array access within bounds ...\n");
+       /* For both, touch all bytes in the actual member size. */
+       for (i = 0; i < sizeof(checked->data); i++)
+               checked->data[i] = 'A';
+       /*
+        * For the uninstrumented flex array member, also touch 1 byte
+        * beyond to verify it is correctly uninstrumented.
+        */
+       for (i = 0; i < sizeof(not_checked->data) + 1; i++)
+               not_checked->data[i] = 'A';
+
+       pr_info("Array access beyond bounds ...\n");
+       for (i = 0; i < sizeof(checked->data) + 1; i++)
+               checked->data[i] = 'B';
+
+       kfree(not_checked);
+       kfree(checked);
+}
+
 void lkdtm_CORRUPT_LIST_ADD(void)
 {
        /*

diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 5ce4ac8c06fc049204a0baa4cf59921c6ae258ec..a5e344df91663294e4e205c0a04e898956fb697f 100644 (file)
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -130,6 +130,9 @@ static const struct crashtype crashtypes[] = {
        CRASHTYPE(HARDLOCKUP),
        CRASHTYPE(SPINLOCKUP),
        CRASHTYPE(HUNG_TASK),
+       CRASHTYPE(OVERFLOW_SIGNED),
+       CRASHTYPE(OVERFLOW_UNSIGNED),
+       CRASHTYPE(ARRAY_BOUNDS),
        CRASHTYPE(EXEC_DATA),
        CRASHTYPE(EXEC_STACK),
        CRASHTYPE(EXEC_KMALLOC),

diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 8d13d01766247f1f56bb953445ac75746b5aa0bd..601a2156a0d48ccf417421282487ba9b36b1070b 100644 (file)
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -22,6 +22,9 @@ void lkdtm_SOFTLOCKUP(void);
 void lkdtm_HARDLOCKUP(void);
 void lkdtm_SPINLOCKUP(void);
 void lkdtm_HUNG_TASK(void);
+void lkdtm_OVERFLOW_SIGNED(void);
+void lkdtm_OVERFLOW_UNSIGNED(void);
+void lkdtm_ARRAY_BOUNDS(void);
 void lkdtm_CORRUPT_LIST_ADD(void);
 void lkdtm_CORRUPT_LIST_DEL(void);
 void lkdtm_CORRUPT_USER_DS(void);