Diffstat (limited to 'drivers/misc/lkdtm.c')
-rw-r--r--drivers/misc/lkdtm.c107
1 files changed, 16 insertions, 91 deletions
diff --git a/drivers/misc/lkdtm.c b/drivers/misc/lkdtm.c
index a2edb2e..2fc0586 100644
--- a/drivers/misc/lkdtm.c
+++ b/drivers/misc/lkdtm.c
@@ -44,25 +44,13 @@
#include <scsi/scsi_cmnd.h>
#include <linux/debugfs.h>
#include <linux/vmalloc.h>
-#include <linux/mman.h>
#ifdef CONFIG_IDE
#include <linux/ide.h>
#endif
-/*
- * Make sure our attempts to over run the kernel stack doesn't trigger
- * a compiler warning when CONFIG_FRAME_WARN is set. Then make sure we
- * recurse past the end of THREAD_SIZE by default.
- */
-#if defined(CONFIG_FRAME_WARN) && (CONFIG_FRAME_WARN > 0)
-#define REC_STACK_SIZE (CONFIG_FRAME_WARN / 2)
-#else
-#define REC_STACK_SIZE (THREAD_SIZE / 8)
-#endif
-#define REC_NUM_DEFAULT ((THREAD_SIZE / REC_STACK_SIZE) * 2)
-
#define DEFAULT_COUNT 10
+#define REC_NUM_DEFAULT 10
#define EXEC_SIZE 64
enum cname {
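Review bot: With `REC_NUM_DEFAULT` fixed at 10 and the 1024-byte buffer that `recursive_loop()` uses further down in this patch, a default run touches only a little over 10 KiB of stack. On any configuration whose THREAD_SIZE is larger than that, the OVERFLOW test returns normally instead of faulting, which gives no signal about whether stack-overflow detection works. Deriving the default from the stack size keeps the test meaningful, for example `#define REC_NUM_DEFAULT ((THREAD_SIZE / 1024) * 2)`.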
@@ -98,9 +86,6 @@ enum ctype {
CT_EXEC_STACK,
CT_EXEC_KMALLOC,
CT_EXEC_VMALLOC,
- CT_EXEC_USERSPACE,
- CT_ACCESS_USERSPACE,
- CT_WRITE_RO,
};
static char* cp_name[] = {
@@ -134,9 +119,6 @@ static char* cp_type[] = {
"EXEC_STACK",
"EXEC_KMALLOC",
"EXEC_VMALLOC",
- "EXEC_USERSPACE",
- "ACCESS_USERSPACE",
- "WRITE_RO",
};
static struct jprobe lkdtm;
@@ -157,10 +139,9 @@ static DEFINE_SPINLOCK(lock_me_up);
static u8 data_area[EXEC_SIZE];
-static const unsigned long rodata = 0xAA55AA55;
-
module_param(recur_count, int, 0644);
-MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test");
+MODULE_PARM_DESC(recur_count, " Recursion level for the stack overflow test, "\
+ "default is 10");
module_param(cpoint_name, charp, 0444);
MODULE_PARM_DESC(cpoint_name, " Crash Point, where kernel is to be crashed");
module_param(cpoint_type, charp, 0444);
@@ -299,16 +280,16 @@ static int lkdtm_parse_commandline(void)
return -EINVAL;
}
-static int recursive_loop(int remaining)
+static int recursive_loop(int a)
{
- char buf[REC_STACK_SIZE];
+ char buf[1024];
- /* Make sure compiler does not optimize this away. */
- memset(buf, (remaining & 0xff) | 0x1, REC_STACK_SIZE);
- if (!remaining)
+ memset(buf,0xFF,1024);
+ recur_count--;
+ if (!recur_count)
return 0;
else
- return recursive_loop(remaining - 1);
+ return recursive_loop(a);
}
static void do_nothing(void)
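Review bot: `recursive_loop()` now counts down the module parameter `recur_count` itself, so the first OVERFLOW run leaves it at 0. Any later run, or a 0 or negative value written through the 0644 parameter, then decrements past zero and never meets the `!recur_count` exit, so the depth is no longer what the user asked for. The depth should be a local value: call `recursive_loop(recur_count)` at the `CT_OVERFLOW` site and use `if (a <= 0) return 0;` with `return recursive_loop(a - 1);`, which also gives the currently unused `a` a purpose. Separately, `memset(buf,0xFF,1024)` fills a buffer that nothing reads, so the compiler is presumably free to drop it or turn the recursion into a tail call; using `sizeof(buf)` and a fill value derived from `a` would tie each frame to the recursion.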
@@ -316,14 +297,6 @@ static void do_nothing(void)
return;
}
-static noinline void corrupt_stack(void)
-{
- /* Use default char array length that triggers stack protection. */
- char data[8];
-
- memset((void *)data, 0, 64);
-}
-
static void execute_location(void *dst)
{
void (*func)(void) = dst;
@@ -332,15 +305,6 @@ static void execute_location(void *dst)
func();
}
-static void execute_user_location(void *dst)
-{
- void (*func)(void) = dst;
-
- if (copy_to_user(dst, do_nothing, EXEC_SIZE))
- return;
- func();
-}
-
static void lkdtm_do_action(enum ctype which)
{
switch (which) {
@@ -361,11 +325,15 @@ static void lkdtm_do_action(enum ctype which)
;
break;
case CT_OVERFLOW:
- (void) recursive_loop(recur_count);
+ (void) recursive_loop(0);
break;
- case CT_CORRUPT_STACK:
- corrupt_stack();
+ case CT_CORRUPT_STACK: {
+ /* Make sure the compiler creates and uses an 8 char array. */
+ volatile char data[8];
+
+ memset((void *)data, 0, 64);
break;
+ }
case CT_UNALIGNED_LOAD_STORE_WRITE: {
static u8 data[5] __attribute__((aligned(4))) = {1, 2,
3, 4, 5};
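Review bot: In the `CT_CORRUPT_STACK` case the `(void *)data` cast drops the `volatile` qualifier, so the 64-byte `memset` is an ordinary store to an array that is never read and may be elided; the comment's claim that the compiler "creates and uses" the array is not guaranteed. The array also now lives in `lkdtm_do_action()`'s own frame, so what the 56 extra bytes overwrite depends on that function's other locals, and a stack-protector check would presumably fire only when the whole switch function returns. Keeping the overrun in a small `noinline` helper makes the outcome predictable; if it stays inline, the comment should say so, e.g. `/* overrun lands in lkdtm_do_action()'s frame; checked only on its return */`. `lkdtm_do_action()` begins before this hunk and continues after it.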
@@ -433,49 +401,6 @@ static void lkdtm_do_action(enum ctype which)
vfree(vmalloc_area);
break;
}
- case CT_EXEC_USERSPACE: {
- unsigned long user_addr;
-
- user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
- PROT_READ | PROT_WRITE | PROT_EXEC,
- MAP_ANONYMOUS | MAP_PRIVATE, 0);
- if (user_addr >= TASK_SIZE) {
- pr_warn("Failed to allocate user memory\n");
- return;
- }
- execute_user_location((void *)user_addr);
- vm_munmap(user_addr, PAGE_SIZE);
- break;
- }
- case CT_ACCESS_USERSPACE: {
- unsigned long user_addr, tmp;
- unsigned long *ptr;
-
- user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
- PROT_READ | PROT_WRITE | PROT_EXEC,
- MAP_ANONYMOUS | MAP_PRIVATE, 0);
- if (user_addr >= TASK_SIZE) {
- pr_warn("Failed to allocate user memory\n");
- return;
- }
-
- ptr = (unsigned long *)user_addr;
- tmp = *ptr;
- tmp += 0xc0dec0de;
- *ptr = tmp;
-
- vm_munmap(user_addr, PAGE_SIZE);
-
- break;
- }
- case CT_WRITE_RO: {
- unsigned long *ptr;
-
- ptr = (unsigned long *)&rodata;
- *ptr ^= 0xabcd1234;
-
- break;
- }
case CT_NONE:
default:
break;