lkdtm: Add tests for NULL pointer dereference

[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]

Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:

    pr_alert("BUG: unable to handle kernel %s at %px\n",
        address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
        (void *)address);

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/misc/lkdtm.h b/drivers/misc/lkdtm.h
index fdf954c2107f935a36ca719ee6cd760a3d6e9182..6abc97b245e419afd5d5a4227468768d2fb1e675 100644 (file)
--- a/drivers/misc/lkdtm.h
+++ b/drivers/misc/lkdtm.h
@@ -40,7 +40,9 @@ void lkdtm_EXEC_KMALLOC(void);
 void lkdtm_EXEC_VMALLOC(void);
 void lkdtm_EXEC_RODATA(void);
 void lkdtm_EXEC_USERSPACE(void);
+void lkdtm_EXEC_NULL(void);
 void lkdtm_ACCESS_USERSPACE(void);
+void lkdtm_ACCESS_NULL(void);
 
 /* lkdtm_rodata.c */
 void lkdtm_rodata_do_nothing(void);

diff --git a/drivers/misc/lkdtm_core.c b/drivers/misc/lkdtm_core.c
index b2989f2d31265f445bb0bd356cb8856b93a3bda3..035e51bea4507b6d34d6b6cd6fb38f3a14a9a8df 100644 (file)
--- a/drivers/misc/lkdtm_core.c
+++ b/drivers/misc/lkdtm_core.c
@@ -214,7 +214,9 @@ struct crashtype crashtypes[] = {
        CRASHTYPE(EXEC_VMALLOC),
        CRASHTYPE(EXEC_RODATA),
        CRASHTYPE(EXEC_USERSPACE),
+       CRASHTYPE(EXEC_NULL),
        CRASHTYPE(ACCESS_USERSPACE),
+       CRASHTYPE(ACCESS_NULL),
        CRASHTYPE(WRITE_RO),
        CRASHTYPE(WRITE_RO_AFTER_INIT),
        CRASHTYPE(WRITE_KERN),

diff --git a/drivers/misc/lkdtm_perms.c b/drivers/misc/lkdtm_perms.c
index 45f1c0f966123c7b3870e4f42d724270f4f75e5f..1a9dcdaa95f054e3851fe4be9e123154c8b0cc17 100644 (file)
--- a/drivers/misc/lkdtm_perms.c
+++ b/drivers/misc/lkdtm_perms.c
@@ -160,6 +160,11 @@ void lkdtm_EXEC_USERSPACE(void)
        vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_EXEC_NULL(void)
+{
+       execute_location(NULL, CODE_AS_IS);
+}
+
 void lkdtm_ACCESS_USERSPACE(void)
 {
        unsigned long user_addr, tmp = 0;
@@ -191,6 +196,19 @@ void lkdtm_ACCESS_USERSPACE(void)
        vm_munmap(user_addr, PAGE_SIZE);
 }
 
+void lkdtm_ACCESS_NULL(void)
+{
+       unsigned long tmp;
+       unsigned long *ptr = (unsigned long *)NULL;
+
+       pr_info("attempting bad read at %px\n", ptr);
+       tmp = *ptr;
+       tmp += 0xc0dec0de;
+
+       pr_info("attempting bad write at %px\n", ptr);
+       *ptr = tmp;
+}
+
 void __init lkdtm_perms_init(void)
 {
        /* Make sure we can write to __ro_after_init values during __init */