kernel/drivers/misc/lkdtm/cfi.c, branch linux-6.2.y

lkdtm: cfi: Make PAC test work with GCC 7 and 8

2022-12-15T00:05:09Z

The CFI test uses the branch-protection=none compiler attribute to disable PAC return address protection on a function. While newer GCC versions support this attribute, older versions (GCC 7 and 8) instead supported the sign-return-address=none attribute, leading to a build failure when the test is built with older compilers. Fix it by checking which attribute is supported and using the correct one. Fixes: 2e53b877dc12 ("lkdtm: Add CFI_BACKWARD to test ROP mitigations") Reported-by: Daniel Díaz Signed-off-by: Kristina Martsenko Signed-off-by: Kees Cook Link: https://lore.kernel.org/all/CAEUSe78kDPxQmQqCWW-_9LCgJDFhAeMoVBFnX9QLx18Z4uT4VQ@mail.gmail.com/

lkdtm: Emit an indirect call for CFI tests

2022-09-26T17:13:13Z

Clang can convert the indirect calls in lkdtm_CFI_FORWARD_PROTO into direct calls. Move the call into a noinline function that accepts the target address as an argument to ensure the compiler actually emits an indirect call instead. Signed-off-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Tested-by: Kees Cook Tested-by: Nathan Chancellor Acked-by: Kees Cook Acked-by: Peter Zijlstra (Intel) Tested-by: Peter Zijlstra (Intel) Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220908215504.3686827-8-samitolvanen@google.com

lkdtm: cfi: use NULL for a null pointer rather than zero

2022-06-27T14:16:07Z

There is a pointer being initialized with a zero, use NULL instead. Cleans up sparse warning: drivers/misc/lkdtm/cfi.c:100:27: warning: Using plain integer as NULL pointer Acked-by: Kees Cook Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20220612202708.2754270-1-colin.i.king@gmail.com Signed-off-by: Greg Kroah-Hartman

lkdtm: cfi: Fix type width for masking PAC bits

2022-05-09T13:40:31Z

The masking for PAC bits wasn't handling 32-bit architectures correctly. Replace the u64 cast with uintptr_t. Link: https://lore.kernel.org/lkml/CAMuHMdVz-J-1ZQ08u0bsQihDkcRmEPrtX5B_oRJ+Ns5jrasnUw@mail.gmail.com Fixes: 2e53b877dc12 ("lkdtm: Add CFI_BACKWARD to test ROP mitigations") Cc: Greg Kroah-Hartman Cc: Arnd Bergmann Reported-by: kernel test robot Reported-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven Tested-by: Randy Dunlap Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220427001226.1224704-1-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman

lkdtm: Add CFI_BACKWARD to test ROP mitigations

2022-04-16T20:57:23Z

In order to test various backward-edge control flow integrity methods, add a test that manipulates the return address on the stack. Currently only arm64 Pointer Authentication and Shadow Call Stack is supported. $ echo CFI_BACKWARD | cat >/sys/kernel/debug/provoke-crash/DIRECT Under SCS, successful test of the mitigation is reported as: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... lkdtm: ok: control flow unchanged. Under PAC, successful test of the mitigation is reported by the PAC exception handler: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... Unable to handle kernel paging request at virtual address bfffffc0088d0514 Mem abort info: ESR = 0x86000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault [bfffffc0088d0514] address between user and kernel address ranges ... If the CONFIGs are missing (or the mitigation isn't working), failure is reported as: lkdtm: Performing direct entry CFI_BACKWARD lkdtm: Attempting unchecked stack return address redirection ... lkdtm: ok: redirected stack return address. lkdtm: Attempting checked stack return address redirection ... lkdtm: FAIL: stack return address was redirected! lkdtm: This is probably expected, since this kernel was built *without* CONFIG_ARM64_PTR_AUTH_KERNEL=y nor CONFIG_SHADOW_CALL_STACK=y Co-developed-by: Dan Li Signed-off-by: Dan Li Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Signed-off-by: Kees Cook Link: https://lore.kernel.org/lkml/20220416001103.1524653-1-keescook@chromium.org

lkdtm: Move crashtype definitions into each category

2022-04-12T23:16:48Z

It's long been annoying that to add a new LKDTM test one had to update lkdtm.h and core.c to get it "registered". Switch to a per-category list and update the crashtype walking code in core.c to handle it. This also means that all the lkdtm_* tests themselves can be static now. Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Signed-off-by: Kees Cook

lkdtm: Add CONFIG hints in errors where possible

2021-06-24T13:32:08Z

For various failure conditions, try to include some details about where to look for reasons about the failure. Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210623203936.3151093-8-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman

lkdtm: Add Control Flow Integrity test

2019-08-12T22:28:51Z

This adds a simple test for forward CFI (indirect function calls) with function prototype granularity (as implemented by Clang's CFI). Signed-off-by: Kees Cook