BACKPORT: lkdtm: add bad USER_DS test

(cherry-picked from e22aa9d781)

This adds CORRUPT_USER_DS to check that the get_fs() test on syscall
return (via __VERIFY_PRE_USERMODE_STATE) still sees USER_DS. Since
trying to deal with values other than USER_DS and KERNEL_DS across all
architectures in a safe way is not sensible, this sets KERNEL_DS, but
since that could be extremely dangerous if the protection is not present,
it also raises SIGKILL for current, so that no matter what, the process
will die. A successful test will be visible with a BUG(), like all the
other LKDTM tests.

Change-Id: I1d2585de65032f0f6b9baea2a71f92bfc296c94b
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Satya Tangirala <satyat@google.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>

drivers/misc/lkdtm.c

@@ -48,6 +48,8 @@
 #include <linux/mman.h>
 #include <asm/cacheflush.h>
 #include <linux/list.h>
+#include <linux/sched.h>
+#include <linux/uaccess.h>
 
 #ifdef CONFIG_IDE
 #include <linux/ide.h>
@@ -95,6 +97,7 @@ enum ctype {
 	CT_OVERFLOW,
 	CT_CORRUPT_LIST_ADD,
 	CT_CORRUPT_LIST_DEL,
+	CT_CORRUPT_USER_DS,
 	CT_CORRUPT_STACK,
 	CT_UNALIGNED_LOAD_STORE_WRITE,
 	CT_OVERWRITE_ALLOCATION,
@@ -135,6 +138,7 @@ static char* cp_type[] = {
 	"OVERFLOW",
 	"CORRUPT_LIST_ADD",
 	"CORRUPT_LIST_DEL",
+	"CORRUPT_USER_DS",
 	"CORRUPT_STACK",
 	"UNALIGNED_LOAD_STORE_WRITE",
 	"OVERWRITE_ALLOCATION",
@@ -618,6 +622,14 @@ static void lkdtm_do_action(enum ctype which)
 			pr_err("list_del() corruption not detected!\n");
 		break;
 	}
+	case CT_CORRUPT_USER_DS: {
+		pr_info("setting bad task size limit\n");
+		set_fs(KERNEL_DS);
+
+		/* Make sure we do not keep running with a KERNEL_DS! */
+		force_sig(SIGKILL, current);
+		break;
+	}
 	case CT_NONE:
 	default:
 		break;