lkdtm: Add -fstack-protector-strong test

There wasn't an LKDTM test to distinguish between -fstack-protector and
-fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see
the difference. Also adjusts the stack-clobber value to 0xff so execution
won't potentially jump into userspace when the stack protector is missing.

Signed-off-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
Kees Cook 2017-08-04 14:34:40 -07:00
parent 7b25a85c9d
commit 93e78c6b14
3 changed files with 20 additions and 3 deletions

View File

@ -14,6 +14,7 @@ void lkdtm_EXCEPTION(void);
void lkdtm_LOOP(void);
void lkdtm_OVERFLOW(void);
void lkdtm_CORRUPT_STACK(void);
void lkdtm_CORRUPT_STACK_STRONG(void);
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void);
void lkdtm_SOFTLOCKUP(void);
void lkdtm_HARDLOCKUP(void);

View File

@ -85,16 +85,31 @@ void lkdtm_OVERFLOW(void)
static noinline void __lkdtm_CORRUPT_STACK(void *stack)
{
memset(stack, 'a', 64);
memset(stack, '\xff', 64);
}
/* This should trip the stack canary, not corrupt the return address. */
noinline void lkdtm_CORRUPT_STACK(void)
{
/* Use default char array length that triggers stack protection. */
char data[8];
char data[8] __aligned(sizeof(void *));
__lkdtm_CORRUPT_STACK(&data);
pr_info("Corrupted stack with '%16s'...\n", data);
pr_info("Corrupted stack containing char array ...\n");
}
/* Same as above but will only get a canary with -fstack-protector-strong */
noinline void lkdtm_CORRUPT_STACK_STRONG(void)
{
union {
unsigned short shorts[4];
unsigned long *ptr;
} data __aligned(sizeof(void *));
__lkdtm_CORRUPT_STACK(&data);
pr_info("Corrupted stack containing union ...\n");
}
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)

View File

@ -201,6 +201,7 @@ struct crashtype crashtypes[] = {
CRASHTYPE(CORRUPT_LIST_DEL),
CRASHTYPE(CORRUPT_USER_DS),
CRASHTYPE(CORRUPT_STACK),
CRASHTYPE(CORRUPT_STACK_STRONG),
CRASHTYPE(STACK_GUARD_PAGE_LEADING),
CRASHTYPE(STACK_GUARD_PAGE_TRAILING),
CRASHTYPE(UNALIGNED_LOAD_STORE_WRITE),