Merge tag 'usercopy-v4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull usercopy test updates from Kees Cook: "This improves the usercopy tests: - check zeroing on failed copy_from_user()/get_user() (caught bug on ARM) - adjust tests for SMAP/PAN (can't zero userspace memory on failure)" * tag 'usercopy-v4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: usercopy: Add tests for all get_user() sizes usercopy: Adjust tests to deal with SMAP/PAN usercopy: add testcases to check zeroing on failure
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-02-21 20:53:23 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-02-21 20:53:23 -0500
commit: 4a0853bf88c8f56e1c01eda02e6625aed09d55d9 (patch)
tree: 767b2d9cd3da81e2c21adcc63ce9fadec7008bf3
parent: 6d1dd93ea0d0f0fb61b5450a2668896028ce3f75 (diff)
parent: 4c5d7bc63775b40631b75f6c59a3a3005455262d (diff)
1 files changed, 103 insertions, 14 deletions
diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c
index 0ecef3e4690e..6f335a3d4ae2 100644
--- a/lib/test_user_copy.c
+++ b/lib/test_user_copy.c
@@ -25,6 +25,23 @@
 #include <linux/uaccess.h>
 #include <linux/vmalloc.h>
+/*
+ * Several 32-bit architectures support 64-bit {get,put}_user() calls.
+ * As there doesn't appear to be anything that can safely determine
+ * their capability at compile-time, we just have to opt-out certain archs.
+ */
+#if BITS_PER_LONG == 64 || (!defined(CONFIG_AVR32)  &&          \
+                            !defined(CONFIG_BLACKFIN) &&        \
+                            !defined(CONFIG_M32R) &&            \
+                            !defined(CONFIG_M68K) &&            \
+                            !defined(CONFIG_MICROBLAZE) &&      \
+                            !defined(CONFIG_MN10300) &&         \
+                            !defined(CONFIG_NIOS2) &&           \
+                            !defined(CONFIG_PPC32) &&           \
+                            !defined(CONFIG_SUPERH))
+# define TEST_U64
+#endif
 #define test(condition, msg)            \
 ({                                      \
        int cond = (condition);         \
@@ -40,7 +57,12 @@ static int __init test_user_copy_init(void)
        char __user *usermem;
        char *bad_usermem;
        unsigned long user_addr;
-        unsigned long value = 0x5A;
+        u8 val_u8;
+        u16 val_u16;
+        u32 val_u32;
+#ifdef TEST_U64
+        u64 val_u64;
+#endif
        kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
        if (!kmem)
@@ -58,33 +80,100 @@ static int __init test_user_copy_init(void)
        usermem = (char __user *)user_addr;
        bad_usermem = (char *)user_addr;
-        /* Legitimate usage: none of these should fail. */
+        /*
-        ret |= test(copy_from_user(kmem, usermem, PAGE_SIZE),
+         * Legitimate usage: none of these copies should fail.
-                    "legitimate copy_from_user failed");
+         */
+        memset(kmem, 0x3a, PAGE_SIZE * 2);
        ret |= test(copy_to_user(usermem, kmem, PAGE_SIZE),
                    "legitimate copy_to_user failed");
-        ret |= test(get_user(value, (unsigned long __user *)usermem),
+        memset(kmem, 0x0, PAGE_SIZE);
-                    "legitimate get_user failed");
+        ret |= test(copy_from_user(kmem, usermem, PAGE_SIZE),
-        ret |= test(put_user(value, (unsigned long __user *)usermem),
+                    "legitimate copy_from_user failed");
-                    "legitimate put_user failed");
+        ret |= test(memcmp(kmem, kmem + PAGE_SIZE, PAGE_SIZE),
+                    "legitimate usercopy failed to copy data");
-        /* Invalid usage: none of these should succeed. */
+#define test_legit(size, check)                                           \
+        do {                                                              \
+                val_##size = check;                                       \
+                ret |= test(put_user(val_##size, (size __user *)usermem), \
+                    "legitimate put_user (" #size ") failed");            \
+                val_##size = 0;                                           \
+                ret |= test(get_user(val_##size, (size __user *)usermem), \
+                    "legitimate get_user (" #size ") failed");            \
+                ret |= test(val_##size != check,                          \
+                    "legitimate get_user (" #size ") failed to do copy"); \
+                if (val_##size != check) {                                \
+                        pr_info("0x%llx != 0x%llx\n",                     \
+                                (unsigned long long)val_##size,           \
+                                (unsigned long long)check);               \
+                }                                                         \
+        } while (0)
+        test_legit(u8,  0x5a);
+        test_legit(u16, 0x5a5b);
+        test_legit(u32, 0x5a5b5c5d);
+#ifdef TEST_U64
+        test_legit(u64, 0x5a5b5c5d6a6b6c6d);
+#endif
+#undef test_legit
+        /*
+         * Invalid usage: none of these copies should succeed.
+         */
+        /* Prepare kernel memory with check values. */
+        memset(kmem, 0x5a, PAGE_SIZE);
+        memset(kmem + PAGE_SIZE, 0, PAGE_SIZE);
+        /* Reject kernel-to-kernel copies through copy_from_user(). */
        ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
                                    PAGE_SIZE),
                    "illegal all-kernel copy_from_user passed");
+        /* Destination half of buffer should have been zeroed. */
+        ret |= test(memcmp(kmem + PAGE_SIZE, kmem, PAGE_SIZE),
+                    "zeroing failure for illegal all-kernel copy_from_user");
+#if 0
+        /*
+         * When running with SMAP/PAN/etc, this will Oops the kernel
+         * due to the zeroing of userspace memory on failure. This needs
+         * to be tested in LKDTM instead, since this test module does not
+         * expect to explode.
+         */
        ret |= test(!copy_from_user(bad_usermem, (char __user *)kmem,
                                    PAGE_SIZE),
                    "illegal reversed copy_from_user passed");
+#endif
        ret |= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,
                                  PAGE_SIZE),
                    "illegal all-kernel copy_to_user passed");
        ret |= test(!copy_to_user((char __user *)kmem, bad_usermem,
                                  PAGE_SIZE),
                    "illegal reversed copy_to_user passed");
-        ret |= test(!get_user(value, (unsigned long __user *)kmem),
-                    "illegal get_user passed");
+#define test_illegal(size, check)                                           \
-        ret |= test(!put_user(value, (unsigned long __user *)kmem),
+        do {                                                                \
-                    "illegal put_user passed");
+                val_##size = (check);                                       \
+                ret |= test(!get_user(val_##size, (size __user *)kmem),     \
+                    "illegal get_user (" #size ") passed");                 \
+                ret |= test(val_##size != (size)0,                          \
+                    "zeroing failure for illegal get_user (" #size ")");    \
+                if (val_##size != (size)0) {                                \
+                        pr_info("0x%llx != 0\n",                            \
+                                (unsigned long long)val_##size);            \
+                }                                                           \
+                ret |= test(!put_user(val_##size, (size __user *)kmem),     \
+                    "illegal put_user (" #size ") passed");                 \
+        } while (0)
+        test_illegal(u8,  0x5a);
+        test_illegal(u16, 0x5a5b);
+        test_illegal(u32, 0x5a5b5c5d);
+#ifdef TEST_U64
+        test_illegal(u64, 0x5a5b5c5d6a6b6c6d);
+#endif
+#undef test_illegal
        vm_munmap(user_addr, PAGE_SIZE * 2);
        kfree(kmem);
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-02-21 20:53:23 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-02-21 20:53:23 -0500
commit	4a0853bf88c8f56e1c01eda02e6625aed09d55d9 (patch)
tree	767b2d9cd3da81e2c21adcc63ce9fadec7008bf3
parent	6d1dd93ea0d0f0fb61b5450a2668896028ce3f75 (diff)
parent	4c5d7bc63775b40631b75f6c59a3a3005455262d (diff)

diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c index 0ecef3e4690e..6f335a3d4ae2 100644 --- a/lib/test_user_copy.c +++ b/lib/test_user_copy.c
@@ -25,6 +25,23 @@
25	#include <linux/uaccess.h>	25	#include <linux/uaccess.h>
26	#include <linux/vmalloc.h>	26	#include <linux/vmalloc.h>
27		27
		28	/*
		29	* Several 32-bit architectures support 64-bit {get,put}_user() calls.
		30	* As there doesn't appear to be anything that can safely determine
		31	* their capability at compile-time, we just have to opt-out certain archs.
		32	*/
		33	#if BITS_PER_LONG == 64 \|\| (!defined(CONFIG_AVR32) && \
		34	!defined(CONFIG_BLACKFIN) && \
		35	!defined(CONFIG_M32R) && \
		36	!defined(CONFIG_M68K) && \
		37	!defined(CONFIG_MICROBLAZE) && \
		38	!defined(CONFIG_MN10300) && \
		39	!defined(CONFIG_NIOS2) && \
		40	!defined(CONFIG_PPC32) && \
		41	!defined(CONFIG_SUPERH))
		42	# define TEST_U64
		43	#endif
		44
28	#define test(condition, msg) \	45	#define test(condition, msg) \
29	({ \	46	({ \
30	int cond = (condition); \	47	int cond = (condition); \
@@ -40,7 +57,12 @@ static int __init test_user_copy_init(void)
40	char __user *usermem;	57	char __user *usermem;
41	char *bad_usermem;	58	char *bad_usermem;
42	unsigned long user_addr;	59	unsigned long user_addr;
43	unsigned long value = 0x5A;	60	u8 val_u8;
		61	u16 val_u16;
		62	u32 val_u32;
		63	#ifdef TEST_U64
		64	u64 val_u64;
		65	#endif
44		66
45	kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);	67	kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
46	if (!kmem)	68	if (!kmem)
@@ -58,33 +80,100 @@ static int __init test_user_copy_init(void)
58	usermem = (char __user *)user_addr;	80	usermem = (char __user *)user_addr;
59	bad_usermem = (char *)user_addr;	81	bad_usermem = (char *)user_addr;
60		82
61	/* Legitimate usage: none of these should fail. */	83	/*
62	ret \|= test(copy_from_user(kmem, usermem, PAGE_SIZE),	84	* Legitimate usage: none of these copies should fail.
63	"legitimate copy_from_user failed");	85	*/
		86	memset(kmem, 0x3a, PAGE_SIZE * 2);
64	ret \|= test(copy_to_user(usermem, kmem, PAGE_SIZE),	87	ret \|= test(copy_to_user(usermem, kmem, PAGE_SIZE),
65	"legitimate copy_to_user failed");	88	"legitimate copy_to_user failed");
66	ret \|= test(get_user(value, (unsigned long __user *)usermem),	89	memset(kmem, 0x0, PAGE_SIZE);
67	"legitimate get_user failed");	90	ret \|= test(copy_from_user(kmem, usermem, PAGE_SIZE),
68	ret \|= test(put_user(value, (unsigned long __user *)usermem),	91	"legitimate copy_from_user failed");
69	"legitimate put_user failed");	92	ret \|= test(memcmp(kmem, kmem + PAGE_SIZE, PAGE_SIZE),
70		93	"legitimate usercopy failed to copy data");
71	/* Invalid usage: none of these should succeed. */	94
		95	#define test_legit(size, check) \
		96	do { \
		97	val_##size = check; \
		98	ret \|= test(put_user(val_##size, (size __user *)usermem), \
		99	"legitimate put_user (" #size ") failed"); \
		100	val_##size = 0; \
		101	ret \|= test(get_user(val_##size, (size __user *)usermem), \
		102	"legitimate get_user (" #size ") failed"); \
		103	ret \|= test(val_##size != check, \
		104	"legitimate get_user (" #size ") failed to do copy"); \
		105	if (val_##size != check) { \
		106	pr_info("0x%llx != 0x%llx\n", \
		107	(unsigned long long)val_##size, \
		108	(unsigned long long)check); \
		109	} \
		110	} while (0)
		111
		112	test_legit(u8, 0x5a);
		113	test_legit(u16, 0x5a5b);
		114	test_legit(u32, 0x5a5b5c5d);
		115	#ifdef TEST_U64
		116	test_legit(u64, 0x5a5b5c5d6a6b6c6d);
		117	#endif
		118	#undef test_legit
		119
		120	/*
		121	* Invalid usage: none of these copies should succeed.
		122	*/
		123
		124	/* Prepare kernel memory with check values. */
		125	memset(kmem, 0x5a, PAGE_SIZE);
		126	memset(kmem + PAGE_SIZE, 0, PAGE_SIZE);
		127
		128	/* Reject kernel-to-kernel copies through copy_from_user(). */
72	ret \|= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),	129	ret \|= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
73	PAGE_SIZE),	130	PAGE_SIZE),
74	"illegal all-kernel copy_from_user passed");	131	"illegal all-kernel copy_from_user passed");
		132
		133	/* Destination half of buffer should have been zeroed. */
		134	ret \|= test(memcmp(kmem + PAGE_SIZE, kmem, PAGE_SIZE),
		135	"zeroing failure for illegal all-kernel copy_from_user");
		136
		137	#if 0
		138	/*
		139	* When running with SMAP/PAN/etc, this will Oops the kernel
		140	* due to the zeroing of userspace memory on failure. This needs
		141	* to be tested in LKDTM instead, since this test module does not
		142	* expect to explode.
		143	*/
75	ret \|= test(!copy_from_user(bad_usermem, (char __user *)kmem,	144	ret \|= test(!copy_from_user(bad_usermem, (char __user *)kmem,
76	PAGE_SIZE),	145	PAGE_SIZE),
77	"illegal reversed copy_from_user passed");	146	"illegal reversed copy_from_user passed");
		147	#endif
78	ret \|= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,	148	ret \|= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,
79	PAGE_SIZE),	149	PAGE_SIZE),
80	"illegal all-kernel copy_to_user passed");	150	"illegal all-kernel copy_to_user passed");
81	ret \|= test(!copy_to_user((char __user *)kmem, bad_usermem,	151	ret \|= test(!copy_to_user((char __user *)kmem, bad_usermem,
82	PAGE_SIZE),	152	PAGE_SIZE),
83	"illegal reversed copy_to_user passed");	153	"illegal reversed copy_to_user passed");
84	ret \|= test(!get_user(value, (unsigned long __user *)kmem),	154
85	"illegal get_user passed");	155	#define test_illegal(size, check) \
86	ret \|= test(!put_user(value, (unsigned long __user *)kmem),	156	do { \
87	"illegal put_user passed");	157	val_##size = (check); \
		158	ret \|= test(!get_user(val_##size, (size __user *)kmem), \
		159	"illegal get_user (" #size ") passed"); \
		160	ret \|= test(val_##size != (size)0, \
		161	"zeroing failure for illegal get_user (" #size ")"); \
		162	if (val_##size != (size)0) { \
		163	pr_info("0x%llx != 0\n", \
		164	(unsigned long long)val_##size); \
		165	} \
		166	ret \|= test(!put_user(val_##size, (size __user *)kmem), \
		167	"illegal put_user (" #size ") passed"); \
		168	} while (0)
		169
		170	test_illegal(u8, 0x5a);
		171	test_illegal(u16, 0x5a5b);
		172	test_illegal(u32, 0x5a5b5c5d);
		173	#ifdef TEST_U64
		174	test_illegal(u64, 0x5a5b5c5d6a6b6c6d);
		175	#endif
		176	#undef test_illegal
88		177
89	vm_munmap(user_addr, PAGE_SIZE * 2);	178	vm_munmap(user_addr, PAGE_SIZE * 2);
90	kfree(kmem);	179	kfree(kmem);