1 From b273f76e399cdedc6b4f3494acd408698b5ad047 Mon Sep 17 00:00:00 2001
2 From: Christophe Leroy <christophe.leroy@c-s.fr>
3 Date: Fri, 14 Dec 2018 15:26:20 +0000
4 Subject: lkdtm: Add tests for NULL pointer dereference
6 [ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]
8 Introduce lkdtm tests for NULL pointer dereference: check access or exec
9 at NULL address, since these errors tend to be reported differently from
10 the general fault error text. For example from x86:
12 pr_alert("BUG: unable to handle kernel %s at %px\n",
13 address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
16 Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
17 Signed-off-by: Kees Cook <keescook@chromium.org>
18 Signed-off-by: Sasha Levin <sashal@kernel.org>
20 drivers/misc/lkdtm.h | 2 ++
21 drivers/misc/lkdtm_core.c | 2 ++
22 drivers/misc/lkdtm_perms.c | 18 ++++++++++++++++++
23 3 files changed, 22 insertions(+)
25 diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
26 index 687a0dbbe199..614612325332 100644
27 --- a/drivers/misc/lkdtm.h
28 +++ b/drivers/misc/lkdtm.h
29 @@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
30 void lkdtm_EXEC_VMALLOC(void);
31 void lkdtm_EXEC_RODATA(void);
32 void lkdtm_EXEC_USERSPACE(void);
33 +void lkdtm_EXEC_NULL(void);
34 void lkdtm_ACCESS_USERSPACE(void);
35 +void lkdtm_ACCESS_NULL(void);
37 /* lkdtm_refcount.c */
38 void lkdtm_REFCOUNT_INC_OVERFLOW(void);
39 diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
40 index 981b3ef71e47..199271708aed 100644
41 --- a/drivers/misc/lkdtm_core.c
42 +++ b/drivers/misc/lkdtm_core.c
43 @@ -220,7 +220,9 @@ struct crashtype crashtypes[] = {
44 CRASHTYPE(EXEC_VMALLOC),
45 CRASHTYPE(EXEC_RODATA),
46 CRASHTYPE(EXEC_USERSPACE),
47 + CRASHTYPE(EXEC_NULL),
48 CRASHTYPE(ACCESS_USERSPACE),
49 + CRASHTYPE(ACCESS_NULL),
51 CRASHTYPE(WRITE_RO_AFTER_INIT),
52 CRASHTYPE(WRITE_KERN),
53 diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
54 index fa54add6375a..62f76d506f04 100644
55 --- a/drivers/misc/lkdtm_perms.c
56 +++ b/drivers/misc/lkdtm_perms.c
57 @@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
58 vm_munmap(user_addr, PAGE_SIZE);
61 +void lkdtm_EXEC_NULL(void)
63 + execute_location(NULL, CODE_AS_IS);
66 void lkdtm_ACCESS_USERSPACE(void)
68 unsigned long user_addr, tmp = 0;
69 @@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
70 vm_munmap(user_addr, PAGE_SIZE);
73 +void lkdtm_ACCESS_NULL(void)
76 + unsigned long *ptr = (unsigned long *)NULL;
78 + pr_info("attempting bad read at %px\n", ptr);
82 + pr_info("attempting bad write at %px\n", ptr);
86 void __init lkdtm_perms_init(void)
88 /* Make sure we can write to __ro_after_init values during __init */