diff options
author | Kees Cook <keescook@chromium.org> | 2017-08-04 14:34:40 -0700 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2017-08-15 12:27:35 -0700 |
commit | 93e78c6b14c42abe4018c815aeea2aa491522fae (patch) | |
tree | e45b36fdeb5f0daef6b312145783498ce96eba2f /drivers/misc/lkdtm_bugs.c | |
parent | 7b25a85c9d9f796c5be7ad3fb8b9553d3e2ed958 (diff) |
lkdtm: Add -fstack-protector-strong test
There wasn't an LKDTM test to distinguish between -fstack-protector and
-fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see
the difference. Also adjusts the stack-clobber value to 0xff so execution
won't potentially jump into userspace when the stack protector is missing.
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'drivers/misc/lkdtm_bugs.c')
-rw-r--r-- | drivers/misc/lkdtm_bugs.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/drivers/misc/lkdtm_bugs.c b/drivers/misc/lkdtm_bugs.c index 041fe6e9532a..9e0b4f959987 100644 --- a/drivers/misc/lkdtm_bugs.c +++ b/drivers/misc/lkdtm_bugs.c @@ -85,16 +85,31 @@ void lkdtm_OVERFLOW(void) static noinline void __lkdtm_CORRUPT_STACK(void *stack) { - memset(stack, 'a', 64); + memset(stack, '\xff', 64); } +/* This should trip the stack canary, not corrupt the return address. */ noinline void lkdtm_CORRUPT_STACK(void) { /* Use default char array length that triggers stack protection. */ - char data[8]; + char data[8] __aligned(sizeof(void *)); + + __lkdtm_CORRUPT_STACK(&data); + + pr_info("Corrupted stack containing char array ...\n"); +} + +/* Same as above but will only get a canary with -fstack-protector-strong */ +noinline void lkdtm_CORRUPT_STACK_STRONG(void) +{ + union { + unsigned short shorts[4]; + unsigned long *ptr; + } data __aligned(sizeof(void *)); + __lkdtm_CORRUPT_STACK(&data); - pr_info("Corrupted stack with '%16s'...\n", data); + pr_info("Corrupted stack containing union ...\n"); } void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void) |