From 4bc04315211c053502cf84e81d78af41af66c581 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Fri, 24 Mar 2017 10:51:25 -0700
Subject: [PATCH] BACKPORT: lkdtm: add bad USER_DS test

(cherry-picked from e22aa9d781a27a961581c57442911309fb86a48e)

This adds CORRUPT_USER_DS to check that the get_fs() test on syscall return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS.

Since trying to deal with values other than USER_DS and KERNEL_DS across all architectures in a safe way is not sensible, this sets KERNEL_DS, but since that could be extremely dangerous if the protection is not present, it also raises SIGKILL for current, so that no matter what, the process will die.

A successful test will be visible with a BUG(), like all the other LKDTM tests.

Change-Id: I1d2585de65032f0f6b9baea2a71f92bfc296c94b
Signed-off-by: Kees Cook
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Satya Tangirala
---
 drivers/misc/lkdtm.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index 42a0a99007be..8e06e1020ad9 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -48,6 +48,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #ifdef CONFIG_IDE
 #include
@@ -95,6 +97,7 @@ enum ctype {
 	CT_OVERFLOW,
 	CT_CORRUPT_LIST_ADD,
 	CT_CORRUPT_LIST_DEL,
+	CT_CORRUPT_USER_DS,
 	CT_CORRUPT_STACK,
 	CT_UNALIGNED_LOAD_STORE_WRITE,
 	CT_OVERWRITE_ALLOCATION,
@@ -135,6 +138,7 @@ static char* cp_type[] = {
 	"OVERFLOW",
 	"CORRUPT_LIST_ADD",
 	"CORRUPT_LIST_DEL",
+	"CORRUPT_USER_DS",
 	"CORRUPT_STACK",
 	"UNALIGNED_LOAD_STORE_WRITE",
 	"OVERWRITE_ALLOCATION",
@@ -618,6 +622,14 @@ static void lkdtm_do_action(enum ctype which)
 		pr_err("list_del() corruption not detected!\n");
 		break;
 	}
+	case CT_CORRUPT_USER_DS: {
+		pr_info("setting bad task size limit\n");
+		set_fs(KERNEL_DS);
+
+		/* Make sure we do not keep running with a KERNEL_DS! */
+		force_sig(SIGKILL, current);
+		break;
+	}
 	case CT_NONE:
 	default:
 		break;
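Review bot: The comment above the force_sig() call in the CT_CORRUPT_USER_DS case says why the signal is raised but not why raising it after set_fs(KERNEL_DS) is sufficient, which is the subtle part of this test: SIGKILL is only acted on when the task returns to user mode, so (if I read the exit path right) the get_fs() check named in the commit message runs first and BUG()s when present, while a missing check leaves the task with KERNEL_DS only until the pending signal is handled. I would expand the comment to `/* Delivered on the return to user mode, i.e. after the syscall-exit address-limit check has had its chance to fire; if that check is absent the task dies instead of continuing with KERNEL_DS. */`. The log line `pr_info("setting bad task size limit\n")` also does not use the test's own vocabulary; `pr_info("setting bad USER_DS (KERNEL_DS) address limit\n")` would let someone correlating dmesg with the CORRUPT_USER_DS entry in cp_type see which test produced it. The switch in lkdtm_do_action starts and ends outside this hunk.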