| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250828073311.1116593-15-wangjinchao600@gmail.com>
Date: Thu, 28 Aug 2025 15:32:47 +0800
From: Jinchao Wang <wangjinchao600@...il.com>
To: Andrew Morton <akpm@...ux-foundation.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
"Naveen N . Rao" <naveen@...nel.org>,
linux-mm@...ck.org,
linux-trace-kernel@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
Jinchao Wang <wangjinchao600@...il.com>
Subject: [PATCH 14/17] mm/ksw: add simplified silent corruption test
Introduce a lightweight test case simulating “silent” stack corruption
where hapless() is unaware its local variable may have been modified.
This test is much simpler than real production scenarios but demonstrates
the core logic.
Test logic:
- buggy(): exposes a local variable via a global pointer without resetting
it, creating a dangling reference.
- unwitting(): a background kernel thread accesses the global pointer and
modifies the pointed memory.
- hapless(): operates on its local variable, unaware it may be modified.
This controlled, minimal scenario provides a simple way to validate
KStackWatch’s detection of unintended stack modifications or silient
corruption.
Signed-off-by: Jinchao Wang <wangjinchao600@...il.com>
---
mm/kstackwatch/kstackwatch_test.c | 90 ++++++++++++++++++++++++++++++-
1 file changed, 89 insertions(+), 1 deletion(-)
diff --git a/mm/kstackwatch/kstackwatch_test.c b/mm/kstackwatch/kstackwatch_test.c
index 138163472b03..1f0d616db7c5 100644
--- a/mm/kstackwatch/kstackwatch_test.c
+++ b/mm/kstackwatch/kstackwatch_test.c
@@ -22,6 +22,9 @@ static struct proc_dir_entry *test_proc;
#define BUFFER_SIZE 4
#define MAX_DEPTH 4
+/* global variables for silient corruption test */
+static u64 *g_corrupt_ptr;
+
/*
* Test Case 0: Write to the canary position directly (Canary Test)
* use a u64 buffer array to ensure the canary will be placed
@@ -63,6 +66,86 @@ static void canary_test_overflow(void)
pr_info("KSW: test: canary overflow test completed\n");
}
+static void do_something(int min_ms, int max_ms)
+{
+ u32 rand;
+
+ get_random_bytes(&rand, sizeof(rand));
+ rand = min_ms + rand % (max_ms - min_ms + 1);
+ msleep(rand);
+}
+
+static void silent_corruption_buggy(int i)
+{
+ u64 local_var;
+
+ pr_info("KSW: test: starting %s\n", __func__);
+
+ pr_info("KSW: test: %s %d local_var addr: 0x%px\n", __func__, i,
+ &local_var);
+ WRITE_ONCE(g_corrupt_ptr, &local_var);
+
+ //buggy: return without reset g_corrupt_ptr
+}
+
+static int silent_corruption_unwitting(void *data)
+{
+ pr_debug("KSW: test: starting %s\n", __func__);
+ u64 *local_ptr;
+
+ do {
+ local_ptr = READ_ONCE(g_corrupt_ptr);
+ do_something(0, 300);
+ } while (!local_ptr);
+
+ local_ptr[0] = 0;
+
+ return 0;
+}
+
+static void silent_corruption_hapless(int i)
+{
+ u64 local_var;
+
+ pr_debug("KSW: test: starting %s %d\n", __func__, i);
+ get_random_bytes(&local_var, sizeof(local_var));
+ local_var = 0xff0000 + local_var % 0xffff;
+ pr_debug("KSW: test: %s local_var addr: 0x%px\n", __func__, &local_var);
+
+ do_something(50, 150);
+ if (local_var >= 0xff0000)
+ pr_info("KSW: test: %s %d happy with 0x%llx", __func__, i,
+ local_var);
+ else
+ pr_info("KSW: test: %s %d unhappy with 0x%llx", __func__, i,
+ local_var);
+}
+
+/*
+ * Test Case 2: Silient Corruption
+ * buggy() does not protect its local var correctly
+ * unwitting() simply does its intended work
+ * hapless() is unaware know what happened
+ */
+static void silent_corruption_test(void)
+{
+ struct task_struct *unwitting;
+
+ pr_info("KSW: test: starting %s\n", __func__);
+ WRITE_ONCE(g_corrupt_ptr, NULL);
+
+ unwitting = kthread_run(silent_corruption_unwitting, NULL,
+ "unwitting");
+ if (IS_ERR(unwitting)) {
+ pr_err("KSW: test: failed to create thread2\n");
+ return;
+ }
+
+ silent_corruption_buggy(0);
+ for (int i = 0; i < 10; i++)
+ silent_corruption_hapless(i);
+}
+
static ssize_t test_proc_write(struct file *file, const char __user *buffer,
size_t count, loff_t *pos)
{
@@ -90,6 +173,10 @@ static ssize_t test_proc_write(struct file *file, const char __user *buffer,
pr_info("KSW: test: triggering canary overflow test\n");
canary_test_overflow();
break;
+ case 2:
+ pr_info("KSW: test: triggering silent corruption test\n");
+ silent_corruption_test();
+ break;
default:
pr_err("KSW: test: Unknown test number %d\n", test_num);
return -EINVAL;
@@ -110,7 +197,8 @@ static ssize_t test_proc_read(struct file *file, char __user *buffer,
"==================================\n"
"Usage:\n"
" echo 'test0' > /proc/kstackwatch_test - Canary write test\n"
- " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n";
+ " echo 'test1' > /proc/kstackwatch_test - Canary overflow test\n"
+ " echo 'test2' > /proc/kstackwatch_test - Silent corruption test\n";
return simple_read_from_buffer(buffer, count, pos, usage,
strlen(usage));
--
2.43.0
Powered by blists - more mailing lists