From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Christophe Leroy <christophe.leroy@c-s.fr>,
Kees Cook <keescook@chromium.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.19 44/57] lkdtm: Add tests for NULL pointer dereference
Date: Fri, 29 Mar 2019 21:28:37 -0400
Message-ID: <20190330012854.32212-44-sashal@kernel.org>
In-Reply-To: <20190330012854.32212-1-sashal@kernel.org>

From: Christophe Leroy <christophe.leroy@c-s.fr>

[ Upstream commit 59a12205d3c32aee4c13ca36889fdf7cfed31126 ]

Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:

    pr_alert("BUG: unable to handle kernel %s at %px\n",
             address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
             (void *)address);

Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/lkdtm/core.c | 2 ++
drivers/misc/lkdtm/lkdtm.h | 2 ++
drivers/misc/lkdtm/perms.c | 18 ++++++++++++++++++
3 files changed, 22 insertions(+)
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index 2154d1bfd18b..07caaa2cfe1e 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -152,7 +152,9 @@ static const struct crashtype crashtypes[] = {
CRASHTYPE(EXEC_VMALLOC),
CRASHTYPE(EXEC_RODATA),
CRASHTYPE(EXEC_USERSPACE),
+ CRASHTYPE(EXEC_NULL),
CRASHTYPE(ACCESS_USERSPACE),
+ CRASHTYPE(ACCESS_NULL),
CRASHTYPE(WRITE_RO),
CRASHTYPE(WRITE_RO_AFTER_INIT),
CRASHTYPE(WRITE_KERN),
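Review bot: Nothing accompanying the new CRASHTYPE(EXEC_NULL) and CRASHTYPE(ACCESS_NULL) entries tells a tester what result counts as a pass; the diffstat touches only core.c, lkdtm.h and perms.c. Since the commit message says these faults are reported with different text from the general fault case, a short comment or documentation entry naming the expected report for each trigger would make the entries usable without reading perms.c.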
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 9e513dcfd809..8c3f2e6af256 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -45,7 +45,9 @@ void lkdtm_EXEC_KMALLOC(void);
void lkdtm_EXEC_VMALLOC(void);
void lkdtm_EXEC_RODATA(void);
void lkdtm_EXEC_USERSPACE(void);
+void lkdtm_EXEC_NULL(void);
void lkdtm_ACCESS_USERSPACE(void);
+void lkdtm_ACCESS_NULL(void);
/* lkdtm_refcount.c */
void lkdtm_REFCOUNT_INC_OVERFLOW(void);
diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
index fa54add6375a..62f76d506f04 100644
--- a/drivers/misc/lkdtm/perms.c
+++ b/drivers/misc/lkdtm/perms.c
@@ -164,6 +164,11 @@ void lkdtm_EXEC_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
}
+void lkdtm_EXEC_NULL(void)
+{
+ execute_location(NULL, CODE_AS_IS);
+}
+
void lkdtm_ACCESS_USERSPACE(void)
{
unsigned long user_addr, tmp = 0;
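Review bot: lkdtm_EXEC_NULL() carries no comment saying why CODE_AS_IS is passed in execute_location(NULL, CODE_AS_IS), and it logs nothing if the call returns. The body of execute_location() is not part of this hunk, so a reader has to guess what the flag selects; a one-line comment stating that, plus a pr_err() after the call for the case where execution at NULL did not fault, would make the expected outcome explicit.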
@@ -195,6 +200,19 @@ void lkdtm_ACCESS_USERSPACE(void)
vm_munmap(user_addr, PAGE_SIZE);
}
+void lkdtm_ACCESS_NULL(void)
+{
+ unsigned long tmp;
+ unsigned long *ptr = (unsigned long *)NULL;
+
+ pr_info("attempting bad read at %px\n", ptr);
+ tmp = *ptr;
+ tmp += 0xc0dec0de;
+
+ pr_info("attempting bad write at %px\n", ptr);
+ *ptr = tmp;
+}
+
void __init lkdtm_perms_init(void)
{
/* Make sure we can write to __ro_after_init values during __init */
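Review bot: In lkdtm_ACCESS_NULL(), ptr is a plain pointer initialised from the constant NULL, so at "tmp = *ptr;" and "*ptr = tmp;" the compiler can see that it is dereferencing a null constant and is not obliged to emit the load and the store as written. Declaring it as "volatile unsigned long *ptr" keeps both accesses in the generated code. The function also falls through silently if either access does not fault; a pr_err() after the read and another after the write would report that the test was survived.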
--
2.19.1