2 * This is for all the tests related to copy_to_user() and copy_from_user()
6 #include <linux/slab.h>
7 #include <linux/vmalloc.h>
8 #include <linux/mman.h>
9 #include <linux/uaccess.h>
10 #include <asm/cacheflush.h>
13 * Many of the tests here end up using const sizes, but those would
14 * normally be ignored by hardened usercopy, so force the compiler
15 * into choosing the non-const path to make sure we trigger the
16 * hardened usercopy checks by added "unconst" to all the const copies,
17 * and making sure "cache_size" isn't optimized into a const.
19 static volatile size_t unconst = 0;
20 static volatile size_t cache_size = 1024;
21 static struct kmem_cache *bad_cache;
23 static const unsigned char test_text[] = "This is a test.\n";
26 * Instead of adding -Wno-return-local-addr, just pass the stack address
27 * through a function to obfuscate it from the compiler.
29 static noinline unsigned char *trick_compiler(unsigned char *stack)
31 return stack + unconst;
34 static noinline unsigned char *do_usercopy_stack_callee(int value)
36 unsigned char buf[128];
39 /* Exercise stack to avoid everything living in registers. */
40 for (i = 0; i < sizeof(buf); i++) {
41 buf[i] = value & 0xff;
45 * Put the target buffer in the middle of stack allocation
46 * so that we don't step on future stack users regardless
47 * of stack growth direction.
49 return trick_compiler(&buf[(128/2)-32]);
52 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
54 unsigned long user_addr;
55 unsigned char good_stack[32];
56 unsigned char *bad_stack;
59 /* Exercise stack to avoid everything living in registers. */
60 for (i = 0; i < sizeof(good_stack); i++)
61 good_stack[i] = test_text[i % sizeof(test_text)];
63 /* This is a pointer to outside our current stack frame. */
65 bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
67 /* Put start address just inside stack. */
68 bad_stack = task_stack_page(current) + THREAD_SIZE;
69 bad_stack -= sizeof(unsigned long);
72 #ifdef ARCH_HAS_CURRENT_STACK_POINTER
73 pr_info("stack : %px\n", (void *)current_stack_pointer);
75 pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack));
76 pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack));
78 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
79 PROT_READ | PROT_WRITE | PROT_EXEC,
80 MAP_ANONYMOUS | MAP_PRIVATE, 0);
81 if (user_addr >= TASK_SIZE) {
82 pr_warn("Failed to allocate user memory\n");
87 pr_info("attempting good copy_to_user of local stack\n");
88 if (copy_to_user((void __user *)user_addr, good_stack,
89 unconst + sizeof(good_stack))) {
90 pr_warn("copy_to_user failed unexpectedly?!\n");
94 pr_info("attempting bad copy_to_user of distant stack\n");
95 if (copy_to_user((void __user *)user_addr, bad_stack,
96 unconst + sizeof(good_stack))) {
97 pr_warn("copy_to_user failed, but lacked Oops\n");
102 * There isn't a safe way to not be protected by usercopy
103 * if we're going to write to another thread's stack.
108 pr_info("attempting good copy_from_user of local stack\n");
109 if (copy_from_user(good_stack, (void __user *)user_addr,
110 unconst + sizeof(good_stack))) {
111 pr_warn("copy_from_user failed unexpectedly?!\n");
115 pr_info("attempting bad copy_from_user of distant stack\n");
116 if (copy_from_user(bad_stack, (void __user *)user_addr,
117 unconst + sizeof(good_stack))) {
118 pr_warn("copy_from_user failed, but lacked Oops\n");
124 vm_munmap(user_addr, PAGE_SIZE);
127 static void do_usercopy_heap_size(bool to_user)
129 unsigned long user_addr;
130 unsigned char *one, *two;
131 size_t size = unconst + 1024;
133 one = kmalloc(size, GFP_KERNEL);
134 two = kmalloc(size, GFP_KERNEL);
136 pr_warn("Failed to allocate kernel memory\n");
140 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
141 PROT_READ | PROT_WRITE | PROT_EXEC,
142 MAP_ANONYMOUS | MAP_PRIVATE, 0);
143 if (user_addr >= TASK_SIZE) {
144 pr_warn("Failed to allocate user memory\n");
148 memset(one, 'A', size);
149 memset(two, 'B', size);
152 pr_info("attempting good copy_to_user of correct size\n");
153 if (copy_to_user((void __user *)user_addr, one, size)) {
154 pr_warn("copy_to_user failed unexpectedly?!\n");
158 pr_info("attempting bad copy_to_user of too large size\n");
159 if (copy_to_user((void __user *)user_addr, one, 2 * size)) {
160 pr_warn("copy_to_user failed, but lacked Oops\n");
164 pr_info("attempting good copy_from_user of correct size\n");
165 if (copy_from_user(one, (void __user *)user_addr, size)) {
166 pr_warn("copy_from_user failed unexpectedly?!\n");
170 pr_info("attempting bad copy_from_user of too large size\n");
171 if (copy_from_user(one, (void __user *)user_addr, 2 * size)) {
172 pr_warn("copy_from_user failed, but lacked Oops\n");
178 vm_munmap(user_addr, PAGE_SIZE);
184 static void do_usercopy_heap_flag(bool to_user)
186 unsigned long user_addr;
187 unsigned char *good_buf = NULL;
188 unsigned char *bad_buf = NULL;
190 /* Make sure cache was prepared. */
192 pr_warn("Failed to allocate kernel cache\n");
197 * Allocate one buffer from each cache (kmalloc will have the
198 * SLAB_USERCOPY flag already, but "bad_cache" won't).
200 good_buf = kmalloc(cache_size, GFP_KERNEL);
201 bad_buf = kmem_cache_alloc(bad_cache, GFP_KERNEL);
202 if (!good_buf || !bad_buf) {
203 pr_warn("Failed to allocate buffers from caches\n");
207 /* Allocate user memory we'll poke at. */
208 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
209 PROT_READ | PROT_WRITE | PROT_EXEC,
210 MAP_ANONYMOUS | MAP_PRIVATE, 0);
211 if (user_addr >= TASK_SIZE) {
212 pr_warn("Failed to allocate user memory\n");
216 memset(good_buf, 'A', cache_size);
217 memset(bad_buf, 'B', cache_size);
220 pr_info("attempting good copy_to_user with SLAB_USERCOPY\n");
221 if (copy_to_user((void __user *)user_addr, good_buf,
223 pr_warn("copy_to_user failed unexpectedly?!\n");
227 pr_info("attempting bad copy_to_user w/o SLAB_USERCOPY\n");
228 if (copy_to_user((void __user *)user_addr, bad_buf,
230 pr_warn("copy_to_user failed, but lacked Oops\n");
234 pr_info("attempting good copy_from_user with SLAB_USERCOPY\n");
235 if (copy_from_user(good_buf, (void __user *)user_addr,
237 pr_warn("copy_from_user failed unexpectedly?!\n");
241 pr_info("attempting bad copy_from_user w/o SLAB_USERCOPY\n");
242 if (copy_from_user(bad_buf, (void __user *)user_addr,
244 pr_warn("copy_from_user failed, but lacked Oops\n");
250 vm_munmap(user_addr, PAGE_SIZE);
253 kmem_cache_free(bad_cache, bad_buf);
257 /* Callable tests. */
258 void lkdtm_USERCOPY_HEAP_SIZE_TO(void)
260 do_usercopy_heap_size(true);
263 void lkdtm_USERCOPY_HEAP_SIZE_FROM(void)
265 do_usercopy_heap_size(false);
268 void lkdtm_USERCOPY_HEAP_FLAG_TO(void)
270 do_usercopy_heap_flag(true);
273 void lkdtm_USERCOPY_HEAP_FLAG_FROM(void)
275 do_usercopy_heap_flag(false);
278 void lkdtm_USERCOPY_STACK_FRAME_TO(void)
280 do_usercopy_stack(true, true);
283 void lkdtm_USERCOPY_STACK_FRAME_FROM(void)
285 do_usercopy_stack(false, true);
288 void lkdtm_USERCOPY_STACK_BEYOND(void)
290 do_usercopy_stack(true, false);
293 void lkdtm_USERCOPY_KERNEL(void)
295 unsigned long user_addr;
297 user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
298 PROT_READ | PROT_WRITE | PROT_EXEC,
299 MAP_ANONYMOUS | MAP_PRIVATE, 0);
300 if (user_addr >= TASK_SIZE) {
301 pr_warn("Failed to allocate user memory\n");
305 pr_info("attempting good copy_to_user from kernel rodata\n");
306 if (copy_to_user((void __user *)user_addr, test_text,
307 unconst + sizeof(test_text))) {
308 pr_warn("copy_to_user failed unexpectedly?!\n");
312 pr_info("attempting bad copy_to_user from kernel text\n");
313 if (copy_to_user((void __user *)user_addr, vm_mmap,
314 unconst + PAGE_SIZE)) {
315 pr_warn("copy_to_user failed, but lacked Oops\n");
320 vm_munmap(user_addr, PAGE_SIZE);
323 void __init lkdtm_usercopy_init(void)
325 /* Prepare cache that lacks SLAB_USERCOPY flag. */
326 bad_cache = kmem_cache_create("lkdtm-no-usercopy", cache_size, 0,
330 void __exit lkdtm_usercopy_exit(void)
332 kmem_cache_destroy(bad_cache);
projects / releases.git / blob