lkdtm: add "WRITE_KERN" test

Add "WRITE_KERN" crash target to validate that kernel executable memory is not writable. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-09 13:48:48 -08:00 · 2014-02-09 13:48:48 -08:00 · dc2b9e9069
commit dc2b9e9069
parent aac416fc38
1 changed files with 25 additions and 0 deletions
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@ -102,6 +102,7 @@ enum ctype {
 	CT_EXEC_USERSPACE,
 	CT_ACCESS_USERSPACE,
 	CT_WRITE_RO,
 	CT_WRITE_KERN,
 };
 static char* cp_name[] = {
@ -138,6 +139,7 @@ static char* cp_type[] = {
 	"EXEC_USERSPACE",
 	"ACCESS_USERSPACE",
 	"WRITE_RO",
 	"WRITE_KERN",
 };
 static struct jprobe lkdtm;
@ -317,6 +319,13 @@ static void do_nothing(void)
 	return;
 }
 /* Must immediately follow do_nothing for size calculuations to work out. */
 static void do_overwritten(void)
 {
 	pr_info("do_overwritten wasn't overwritten!\n");
 	return;
 }
 static noinline void corrupt_stack(void)
 {
 	/* Use default char array length that triggers stack protection. */
@ -496,6 +505,22 @@ static void lkdtm_do_action(enum ctype which)
 		break;
 	}
 	case CT_WRITE_KERN: {
 		size_t size;
 		unsigned char *ptr;
 		size = (unsigned long)do_overwritten -
 		       (unsigned long)do_nothing;
 		ptr = (unsigned char *)do_overwritten;
 		pr_info("attempting bad %zu byte write at %p\n", size, ptr);
 		memcpy(ptr, (unsigned char *)do_nothing, size);
 		flush_icache_range((unsigned long)ptr,
 				   (unsigned long)(ptr + size));
 		do_overwritten();
 		break;
 	}
 	case CT_NONE:
 	default:
 		break;