releases/4.14.113/lkdtm-add-tests-for-null-pointer-dereference.patch

   1 From b273f76e399cdedc6b4f3494acd408698b5ad047 Mon Sep 17 00:00:00 2001
   2 From: Christophe Leroy <christophe.leroy@c-s.fr>
   3 Date: Fri, 14 Dec 2018 15:26:20 +0000
   4 Subject: lkdtm: Add tests for NULL pointer dereference
   5
   6 [ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]
   7
   8 Introduce lkdtm tests for NULL pointer dereference: check access or exec
   9 at NULL address, since these errors tend to be reported differently from
  10 the general fault error text. For example from x86:
  11
  12     pr_alert("BUG: unable to handle kernel %s at %px\n",
  13         address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
  14         (void *)address);
  15
  16 Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
  17 Signed-off-by: Kees Cook <keescook@chromium.org>
  18 Signed-off-by: Sasha Levin <sashal@kernel.org>
  19 ---
  20  drivers/misc/lkdtm.h       |  2 ++
  21  drivers/misc/lkdtm_core.c  |  2 ++
  22  drivers/misc/lkdtm_perms.c | 18 ++++++++++++++++++
  23  3 files changed, 22 insertions(+)
  24
  25 diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
  26 index 687a0dbbe199..614612325332 100644
  27 --- a/drivers/misc/lkdtm.h
  28 +++ b/drivers/misc/lkdtm.h
  29 @@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
  30  void lkdtm_EXEC_VMALLOC(void);
  31  void lkdtm_EXEC_RODATA(void);
  32  void lkdtm_EXEC_USERSPACE(void);
  33 +void lkdtm_EXEC_NULL(void);
  34  void lkdtm_ACCESS_USERSPACE(void);
  35 +void lkdtm_ACCESS_NULL(void);
  36
  37  /* lkdtm_refcount.c */
  38  void lkdtm_REFCOUNT_INC_OVERFLOW(void);
  39 diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
  40 index 981b3ef71e47..199271708aed 100644
  41 --- a/drivers/misc/lkdtm_core.c
  42 +++ b/drivers/misc/lkdtm_core.c
  43 @@ -220,7 +220,9 @@ struct crashtype crashtypes[] = {
  44         CRASHTYPE(EXEC_VMALLOC),
  45         CRASHTYPE(EXEC_RODATA),
  46         CRASHTYPE(EXEC_USERSPACE),
  47 +       CRASHTYPE(EXEC_NULL),
  48         CRASHTYPE(ACCESS_USERSPACE),
  49 +       CRASHTYPE(ACCESS_NULL),
  50         CRASHTYPE(WRITE_RO),
  51         CRASHTYPE(WRITE_RO_AFTER_INIT),
  52         CRASHTYPE(WRITE_KERN),
  53 diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
  54 index fa54add6375a..62f76d506f04 100644
  55 --- a/drivers/misc/lkdtm_perms.c
  56 +++ b/drivers/misc/lkdtm_perms.c
  57 @@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
  58         vm_munmap(user_addr, PAGE_SIZE);
  59  }
  60
  61 +void lkdtm_EXEC_NULL(void)
  62 +{
  63 +       execute_location(NULL, CODE_AS_IS);
  64 +}
  65 +
  66  void lkdtm_ACCESS_USERSPACE(void)
  67  {
  68         unsigned long user_addr, tmp = 0;
  69 @@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
  70         vm_munmap(user_addr, PAGE_SIZE);
  71  }
  72
  73 +void lkdtm_ACCESS_NULL(void)
  74 +{
  75 +       unsigned long tmp;
  76 +       unsigned long *ptr = (unsigned long *)NULL;
  77 +
  78 +       pr_info("attempting bad read at %px\n", ptr);
  79 +       tmp = *ptr;
  80 +       tmp += 0xc0dec0de;
  81 +
  82 +       pr_info("attempting bad write at %px\n", ptr);
  83 +       *ptr = tmp;
  84 +}
  85 +
  86  void __init lkdtm_perms_init(void)
  87  {
  88         /* Make sure we can write to __ro_after_init values during __init */
  89 --
  90 2.19.1
  91