x86: add CONFIG_CC_STACKPROTECTOR self-test
Arjan van de Ven [Fri, 15 Feb 2008 23:33:12 +0000 (15:33 -0800)]
This patch adds a simple self-test capability to the stackprotector
feature. The test deliberately overflows a stack buffer and then
checks if the canary trap function gets called.

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

kernel/panic.c

index 17aad57..50cf925 100644 (file)
@@ -324,14 +324,82 @@ EXPORT_SYMBOL(warn_on_slowpath);
 #endif
 
 #ifdef CONFIG_CC_STACKPROTECTOR
+
+static unsigned long __stack_check_testing;
+/*
+ * Self test function for the stack-protector feature.
+ * This test requires that the local variable absolutely has
+ * a stack slot, hence the barrier()s.
+ */
+static noinline void __stack_chk_test_func(void)
+{
+       unsigned long foo;
+       barrier();
+       /*
+        * we need to make sure we're not about to clobber the return address,
+        * while real exploits do this, it's unhealthy on a running system.
+        * Besides, if we would, the test is already failed anyway so
+        * time to pull the emergency brake on it.
+        */
+       if ((unsigned long)__builtin_return_address(0) == 
+                                       *(((unsigned long *)&foo)+1)) {
+               printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+               return;
+       }
+#ifdef CONFIG_FRAME_POINTER
+       /* We also don't want to clobber the frame pointer */
+       if ((unsigned long)__builtin_return_address(0) == 
+                                       *(((unsigned long *)&foo)+2)) {
+               printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+               return;
+       }
+#endif
+       barrier();
+       if (current->stack_canary == *(((unsigned long *)&foo)+1))
+               *(((unsigned long *)&foo)+1) = 0;
+       else
+               printk(KERN_ERR "No -fstack-protector canary found\n");
+       barrier();
+}
+
+static int __stack_chk_test(void)
+{
+       printk(KERN_INFO "Testing -fstack-protector-all feature\n");
+       __stack_check_testing = (unsigned long)&__stack_chk_test_func;
+       __stack_chk_test_func();
+       if (__stack_check_testing) {
+               printk(KERN_ERR "-fstack-protector-all test failed\n");
+               WARN_ON(1);
+       }
+       return 0;
+}
 /*
  * Called when gcc's -fstack-protector feature is used, and
  * gcc detects corruption of the on-stack canary value
  */
 void __stack_chk_fail(void)
 {
+       if (__stack_check_testing == (unsigned long)&__stack_chk_test_func) {
+               long delta;
+
+               delta = (unsigned long)__builtin_return_address(0) -
+                               __stack_check_testing;
+               /*
+                * The test needs to happen inside the test function, so
+                * check if the return address is close to that function.
+                * The function is only 2 dozen bytes long, but keep a wide
+                * safety margin to avoid panic()s for normal users regardless
+                * of the quality of the compiler.
+                */
+               if (delta >= 0 && delta <= 400) {
+                       __stack_check_testing = 0;
+                       return;
+               }
+       }
        panic("stack-protector: Kernel stack is corrupted in: %p\n",
                __builtin_return_address(0));
 }
 EXPORT_SYMBOL(__stack_chk_fail);
+
+late_initcall(__stack_chk_test);
 #endif