summaryrefslogtreecommitdiff
path: root/kernel/panic.c
diff options
context:
space:
mode:
authorArjan van de Ven <arjan@linux.intel.com>2008-02-15 15:33:12 -0800
committerThomas Gleixner <tglx@linutronix.de>2008-05-26 16:15:32 +0200
commit54371a43a66f4477889769b4fa00df936855dc8f (patch)
tree71ac55110032a742f3a166bb11957936339ca3e7 /kernel/panic.c
parent113c5413cf9051cc50b88befdc42e3402bb92115 (diff)
downloadlwn-54371a43a66f4477889769b4fa00df936855dc8f.tar.gz
lwn-54371a43a66f4477889769b4fa00df936855dc8f.zip
x86: add CONFIG_CC_STACKPROTECTOR self-test
This patch adds a simple self-test capability to the stackprotector feature. The test deliberately overflows a stack buffer and then checks if the canary trap function gets called. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'kernel/panic.c')
-rw-r--r--kernel/panic.c68
1 files changed, 68 insertions, 0 deletions
diff --git a/kernel/panic.c b/kernel/panic.c
index 17aad578a2f2..50cf9257b234 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -324,14 +324,82 @@ EXPORT_SYMBOL(warn_on_slowpath);
#endif
#ifdef CONFIG_CC_STACKPROTECTOR
+
+static unsigned long __stack_check_testing;
+/*
+ * Self test function for the stack-protector feature.
+ * This test requires that the local variable absolutely has
+ * a stack slot, hence the barrier()s.
+ */
+static noinline void __stack_chk_test_func(void)
+{
+ unsigned long foo;
+ barrier();
+ /*
+ * we need to make sure we're not about to clobber the return address,
+ * while real exploits do this, it's unhealthy on a running system.
+ * Besides, if we would, the test is already failed anyway so
+ * time to pull the emergency brake on it.
+ */
+ if ((unsigned long)__builtin_return_address(0) ==
+ *(((unsigned long *)&foo)+1)) {
+ printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+ return;
+ }
+#ifdef CONFIG_FRAME_POINTER
+ /* We also don't want to clobber the frame pointer */
+ if ((unsigned long)__builtin_return_address(0) ==
+ *(((unsigned long *)&foo)+2)) {
+ printk(KERN_ERR "No -fstack-protector-stack-frame!\n");
+ return;
+ }
+#endif
+ barrier();
+ if (current->stack_canary == *(((unsigned long *)&foo)+1))
+ *(((unsigned long *)&foo)+1) = 0;
+ else
+ printk(KERN_ERR "No -fstack-protector canary found\n");
+ barrier();
+}
+
+static int __stack_chk_test(void)
+{
+ printk(KERN_INFO "Testing -fstack-protector-all feature\n");
+ __stack_check_testing = (unsigned long)&__stack_chk_test_func;
+ __stack_chk_test_func();
+ if (__stack_check_testing) {
+ printk(KERN_ERR "-fstack-protector-all test failed\n");
+ WARN_ON(1);
+ }
+ return 0;
+}
/*
* Called when gcc's -fstack-protector feature is used, and
* gcc detects corruption of the on-stack canary value
*/
void __stack_chk_fail(void)
{
+ if (__stack_check_testing == (unsigned long)&__stack_chk_test_func) {
+ long delta;
+
+ delta = (unsigned long)__builtin_return_address(0) -
+ __stack_check_testing;
+ /*
+ * The test needs to happen inside the test function, so
+ * check if the return address is close to that function.
+ * The function is only 2 dozen bytes long, but keep a wide
+ * safety margin to avoid panic()s for normal users regardless
+ * of the quality of the compiler.
+ */
+ if (delta >= 0 && delta <= 400) {
+ __stack_check_testing = 0;
+ return;
+ }
+ }
panic("stack-protector: Kernel stack is corrupted in: %p\n",
__builtin_return_address(0));
}
EXPORT_SYMBOL(__stack_chk_fail);
+
+late_initcall(__stack_chk_test);
#endif