summaryrefslogtreecommitdiff
path: root/drivers/misc/lkdtm_bugs.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2017-08-04 14:34:40 -0700
committerKees Cook <keescook@chromium.org>2017-08-15 12:27:35 -0700
commit93e78c6b14c42abe4018c815aeea2aa491522fae (patch)
treee45b36fdeb5f0daef6b312145783498ce96eba2f /drivers/misc/lkdtm_bugs.c
parent7b25a85c9d9f796c5be7ad3fb8b9553d3e2ed958 (diff)
lkdtm: Add -fstack-protector-strong test
There wasn't an LKDTM test to distinguish between -fstack-protector and -fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see the difference. Also adjusts the stack-clobber value to 0xff so execution won't potentially jump into userspace when the stack protector is missing. Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'drivers/misc/lkdtm_bugs.c')
-rw-r--r--drivers/misc/lkdtm_bugs.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c
index 041fe6e9532a..9e0b4f959987 100644
--- a/drivers/misc/lkdtm_bugs.c
+++ b/drivers/misc/lkdtm_bugs.c
@@ -85,16 +85,31 @@ void lkdtm_OVERFLOW(void)
static noinline void __lkdtm_CORRUPT_STACK(void *stack)
{
- memset(stack, 'a', 64);
+ memset(stack, '\xff', 64);
}
+/* This should trip the stack canary, not corrupt the return address. */
noinline void lkdtm_CORRUPT_STACK(void)
{
/* Use default char array length that triggers stack protection. */
- char data[8];
+ char data[8] __aligned(sizeof(void *));
+
+ __lkdtm_CORRUPT_STACK(&data);
+
+ pr_info("Corrupted stack containing char array ...\n");
+}
+
+/* Same as above but will only get a canary with -fstack-protector-strong */
+noinline void lkdtm_CORRUPT_STACK_STRONG(void)
+{
+ union {
+ unsigned short shorts[4];
+ unsigned long *ptr;
+ } data __aligned(sizeof(void *));
+
__lkdtm_CORRUPT_STACK(&data);
- pr_info("Corrupted stack with '%16s'...\n", data);
+ pr_info("Corrupted stack containing union ...\n");
}
void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)