lkdtm: Add -fstack-protector-strong test

There wasn't an LKDTM test to distinguish between -fstack-protector and -fstack-protector-strong in use. This adds CORRUPT_STACK_STRONG to see the difference. Also adjusts the stack-clobber value to 0xff so execution won't potentially jump into userspace when the stack protector is missing. Signed-off-by: Kees Cook <keescook@chromium.org>
2017-08-04 14:34:40 -07:00
parent 7b25a85c9d
commit 93e78c6b14
3 changed files with 20 additions and 3 deletions
--- a/drivers/misc/lkdtm_bugs.c
+++ b/drivers/misc/lkdtm_bugs.c
@@ -85,16 +85,31 @@ void lkdtm_OVERFLOW(void)

 static noinline void __lkdtm_CORRUPT_STACK(void *stack)
 {
-	memset(stack, 'a', 64);
+	memset(stack, '\xff', 64);
 }

+/* This should trip the stack canary, not corrupt the return address. */
 noinline void lkdtm_CORRUPT_STACK(void)
 {
 	/* Use default char array length that triggers stack protection. */
-	char data[8];
+	char data[8] __aligned(sizeof(void *));
+
 	__lkdtm_CORRUPT_STACK(&data);

-	pr_info("Corrupted stack with '%16s'...\n", data);
+	pr_info("Corrupted stack containing char array ...\n");
+}
+
+/* Same as above but will only get a canary with -fstack-protector-strong */
+noinline void lkdtm_CORRUPT_STACK_STRONG(void)
+{
+	union {
+		unsigned short shorts[4];
+		unsigned long *ptr;
+	} data __aligned(sizeof(void *));
+
+	__lkdtm_CORRUPT_STACK(&data);
+
+	pr_info("Corrupted stack containing union ...\n");
 }

 void lkdtm_UNALIGNED_LOAD_STORE_WRITE(void)