drivers/misc/lkdtm: add new file in LKDTM to test fortified strscpy (febebaf3) · Commits · jan.koester / Linux

drivers/misc/lkdtm/Makefile

+1 −0

Original line number	Diff line number	Diff line
		@@ -10,6 +10,7 @@ lkdtm-$(CONFIG_LKDTM) += rodata_objcopy.o
		lkdtm-$(CONFIG_LKDTM) += usercopy.o
		lkdtm-$(CONFIG_LKDTM) += stackleak.o
		lkdtm-$(CONFIG_LKDTM) += cfi.o
		lkdtm-$(CONFIG_LKDTM) += fortify.o

		KASAN_SANITIZE_rodata.o := n
		KASAN_SANITIZE_stackleak.o := n

drivers/misc/lkdtm/core.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -175,6 +175,7 @@ static const struct crashtype crashtypes[] = {
		CRASHTYPE(USERCOPY_KERNEL),
		CRASHTYPE(STACKLEAK_ERASING),
		CRASHTYPE(CFI_FORWARD_PROTO),
		CRASHTYPE(FORTIFIED_STRSCPY),
		#ifdef CONFIG_X86_32
		CRASHTYPE(DOUBLE_FAULT),
		#endif

drivers/misc/lkdtm/fortify.c

0 → 100644

+82 −0

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0
		/*
		* Copyright (c) 2020 Francis Laniel <laniel_francis@privacyrequired.com>
		*
		* Add tests related to fortified functions in this file.
		*/
		#include "lkdtm.h"
		#include <linux/string.h>
		#include <linux/slab.h>


		/*
		* Calls fortified strscpy to test that it returns the same result as vanilla
		* strscpy and generate a panic because there is a write overflow (i.e. src
		* length is greater than dst length).
		*/
		void lkdtm_FORTIFIED_STRSCPY(void)
		{
		char *src;
		char dst[5];

		struct {
		union {
		char big[10];
		char src[5];
		};
		} weird = { .big = "hello!" };
		char weird_dst[sizeof(weird.src) + 1];

		src = kstrdup("foobar", GFP_KERNEL);

		if (src == NULL)
		return;

		/* Vanilla strscpy returns -E2BIG if size is 0. */
		if (strscpy(dst, src, 0) != -E2BIG)
		pr_warn("FAIL: strscpy() of 0 length did not return -E2BIG\n");

		/* Vanilla strscpy returns -E2BIG if src is truncated. */
		if (strscpy(dst, src, sizeof(dst)) != -E2BIG)
		pr_warn("FAIL: strscpy() did not return -E2BIG while src is truncated\n");

		/* After above call, dst must contain "foob" because src was truncated. */
		if (strncmp(dst, "foob", sizeof(dst)) != 0)
		pr_warn("FAIL: after strscpy() dst does not contain \"foob\" but \"%s\"\n",
		dst);

		/* Shrink src so the strscpy() below succeeds. */
		src[3] = '\0';

		/*
		* Vanilla strscpy returns number of character copied if everything goes
		* well.
		*/
		if (strscpy(dst, src, sizeof(dst)) != 3)
		pr_warn("FAIL: strscpy() did not return 3 while src was copied entirely truncated\n");

		/* After above call, dst must contain "foo" because src was copied. */
		if (strncmp(dst, "foo", sizeof(dst)) != 0)
		pr_warn("FAIL: after strscpy() dst does not contain \"foo\" but \"%s\"\n",
		dst);

		/* Test when src is embedded inside a union. */
		strscpy(weird_dst, weird.src, sizeof(weird_dst));

		if (strcmp(weird_dst, "hello") != 0)
		pr_warn("FAIL: after strscpy() weird_dst does not contain \"hello\" but \"%s\"\n",
		weird_dst);

		/* Restore src to its initial value. */
		src[3] = 'b';

		/*
		* Use strlen here so size cannot be known at compile time and there is
		* a runtime write overflow.
		*/
		strscpy(dst, src, strlen(src));

		pr_warn("FAIL: No overflow in above strscpy()\n");

		kfree(src);
		}

drivers/misc/lkdtm/lkdtm.h

+3 −0

Original line number	Diff line number	Diff line
		@@ -104,4 +104,7 @@ void lkdtm_STACKLEAK_ERASING(void);
		/* cfi.c */
		void lkdtm_CFI_FORWARD_PROTO(void);

		/* fortify.c */
		void lkdtm_FORTIFIED_STRSCPY(void);

		#endif

tools/testing/selftests/lkdtm/tests.txt

+1 −0

Original line number	Diff line number	Diff line
		@@ -68,3 +68,4 @@ USERCOPY_STACK_BEYOND
		USERCOPY_KERNEL
		STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
		CFI_FORWARD_PROTO
		FORTIFIED_STRSCPY