Git Browser for ODROID
Code Review Sign In
git.odroid.com / linux / c90012ac85c24547e5c3468ef00aabf44aa7332d / . / lib / test_user_copy.c
blob: ad2372727b1bacecb2699faaaff1b087d2d3b8b6 [file] [log] [blame]
Thomas Gleixner9c92ab62019-05-29 07:17:56 -0700[diff] [blame]1// SPDX-License-Identifier: GPL-2.0-only
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]2/*
3 * Kernel module for testing copy_to/from_user infrastructure.
4 *
5 * Copyright 2013 Google Inc. All Rights Reserved
6 *
7 * Authors:
8 * Kees Cook <keescook@chromium.org>
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]9 */
10
11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
13#include <linux/mman.h>
14#include <linux/module.h>
15#include <linux/sched.h>
16#include <linux/slab.h>
17#include <linux/uaccess.h>
18#include <linux/vmalloc.h>
19
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]20/*
21 * Several 32-bit architectures support 64-bit {get,put}_user() calls.
22 * As there doesn't appear to be anything that can safely determine
23 * their capability at compile-time, we just have to opt-out certain archs.
24 */
Arnd Bergmann4deaa6f2017-02-22 11:21:22 -0800[diff] [blame]25#if BITS_PER_LONG == 64 || (!(defined(CONFIG_ARM) && !defined(MMU)) && \
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]26 !defined(CONFIG_M68K) && \
27 !defined(CONFIG_MICROBLAZE) && \
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]28 !defined(CONFIG_NIOS2) && \
29 !defined(CONFIG_PPC32) && \
30 !defined(CONFIG_SUPERH))
31# define TEST_U64
32#endif
33
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]34#define test(condition, msg, ...) \
35({ \
36 int cond = (condition); \
37 if (cond) \
38 pr_warn("[%d] " msg "\n", __LINE__, ##__VA_ARGS__); \
39 cond; \
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]40})
41
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]42static bool is_zeroed(void *from, size_t size)
43{
44 return memchr_inv(from, 0x0, size) == NULL;
45}
46
47static int test_check_nonzero_user(char *kmem, char __user *umem, size_t size)
48{
49 int ret = 0;
50 size_t start, end, i;
51 size_t zero_start = size / 4;
52 size_t zero_end = size - zero_start;
53
54 /*
Aleksa Saraic90012a2019-10-06 10:30:28 +1100[diff] [blame^]55 * We conduct a series of check_nonzero_user() tests on a block of
56 * memory with the following byte-pattern (trying every possible
57 * [start,end] pair):
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]58 *
59 * [ 00 ff 00 ff ... 00 00 00 00 ... ff 00 ff 00 ]
60 *
Aleksa Saraic90012a2019-10-06 10:30:28 +1100[diff] [blame^]61 * And we verify that check_nonzero_user() acts identically to
62 * memchr_inv().
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]63 */
64
65 memset(kmem, 0x0, size);
66 for (i = 1; i < zero_start; i += 2)
67 kmem[i] = 0xff;
68 for (i = zero_end; i < size; i += 2)
69 kmem[i] = 0xff;
70
71 ret |= test(copy_to_user(umem, kmem, size),
72 "legitimate copy_to_user failed");
73
74 for (start = 0; start <= size; start++) {
75 for (end = start; end <= size; end++) {
76 size_t len = end - start;
77 int retval = check_zeroed_user(umem + start, len);
78 int expected = is_zeroed(kmem + start, len);
79
80 ret |= test(retval != expected,
81 "check_nonzero_user(=%d) != memchr_inv(=%d) mismatch (start=%zu, end=%zu)",
82 retval, expected, start, end);
83 }
84 }
85
86 return ret;
87}
88
89static int test_copy_struct_from_user(char *kmem, char __user *umem,
90 size_t size)
91{
92 int ret = 0;
93 char *umem_src = NULL, *expected = NULL;
94 size_t ksize, usize;
95
96 umem_src = kmalloc(size, GFP_KERNEL);
Aleksa Saraic90012a2019-10-06 10:30:28 +1100[diff] [blame^]97 ret = test(umem_src == NULL, "kmalloc failed");
98 if (ret)
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]99 goto out_free;
100
101 expected = kmalloc(size, GFP_KERNEL);
Aleksa Saraic90012a2019-10-06 10:30:28 +1100[diff] [blame^]102 ret = test(expected == NULL, "kmalloc failed");
103 if (ret)
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]104 goto out_free;
105
106 /* Fill umem with a fixed byte pattern. */
107 memset(umem_src, 0x3e, size);
108 ret |= test(copy_to_user(umem, umem_src, size),
109 "legitimate copy_to_user failed");
110
111 /* Check basic case -- (usize == ksize). */
112 ksize = size;
113 usize = size;
114
115 memcpy(expected, umem_src, ksize);
116
117 memset(kmem, 0x0, size);
118 ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
119 "copy_struct_from_user(usize == ksize) failed");
120 ret |= test(memcmp(kmem, expected, ksize),
121 "copy_struct_from_user(usize == ksize) gives unexpected copy");
122
123 /* Old userspace case -- (usize < ksize). */
124 ksize = size;
125 usize = size / 2;
126
127 memcpy(expected, umem_src, usize);
128 memset(expected + usize, 0x0, ksize - usize);
129
130 memset(kmem, 0x0, size);
131 ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
132 "copy_struct_from_user(usize < ksize) failed");
133 ret |= test(memcmp(kmem, expected, ksize),
134 "copy_struct_from_user(usize < ksize) gives unexpected copy");
135
136 /* New userspace (-E2BIG) case -- (usize > ksize). */
137 ksize = size / 2;
138 usize = size;
139
140 memset(kmem, 0x0, size);
141 ret |= test(copy_struct_from_user(kmem, ksize, umem, usize) != -E2BIG,
142 "copy_struct_from_user(usize > ksize) didn't give E2BIG");
143
144 /* New userspace (success) case -- (usize > ksize). */
145 ksize = size / 2;
146 usize = size;
147
148 memcpy(expected, umem_src, ksize);
149 ret |= test(clear_user(umem + ksize, usize - ksize),
150 "legitimate clear_user failed");
151
152 memset(kmem, 0x0, size);
153 ret |= test(copy_struct_from_user(kmem, ksize, umem, usize),
154 "copy_struct_from_user(usize > ksize) failed");
155 ret |= test(memcmp(kmem, expected, ksize),
156 "copy_struct_from_user(usize > ksize) gives unexpected copy");
157
158out_free:
159 kfree(expected);
160 kfree(umem_src);
161 return ret;
162}
163
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]164static int __init test_user_copy_init(void)
165{
166 int ret = 0;
167 char *kmem;
168 char __user *usermem;
169 char *bad_usermem;
170 unsigned long user_addr;
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]171 u8 val_u8;
172 u16 val_u16;
173 u32 val_u32;
174#ifdef TEST_U64
175 u64 val_u64;
176#endif
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]177
178 kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
179 if (!kmem)
180 return -ENOMEM;
181
182 user_addr = vm_mmap(NULL, 0, PAGE_SIZE * 2,
183 PROT_READ | PROT_WRITE | PROT_EXEC,
184 MAP_ANONYMOUS | MAP_PRIVATE, 0);
185 if (user_addr >= (unsigned long)(TASK_SIZE)) {
186 pr_warn("Failed to allocate user memory\n");
187 kfree(kmem);
188 return -ENOMEM;
189 }
190
191 usermem = (char __user *)user_addr;
192 bad_usermem = (char *)user_addr;
193
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]194 /*
195 * Legitimate usage: none of these copies should fail.
196 */
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]197 memset(kmem, 0x3a, PAGE_SIZE * 2);
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]198 ret |= test(copy_to_user(usermem, kmem, PAGE_SIZE),
199 "legitimate copy_to_user failed");
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]200 memset(kmem, 0x0, PAGE_SIZE);
201 ret |= test(copy_from_user(kmem, usermem, PAGE_SIZE),
202 "legitimate copy_from_user failed");
203 ret |= test(memcmp(kmem, kmem + PAGE_SIZE, PAGE_SIZE),
204 "legitimate usercopy failed to copy data");
205
206#define test_legit(size, check) \
207 do { \
208 val_##size = check; \
209 ret |= test(put_user(val_##size, (size __user *)usermem), \
210 "legitimate put_user (" #size ") failed"); \
211 val_##size = 0; \
212 ret |= test(get_user(val_##size, (size __user *)usermem), \
213 "legitimate get_user (" #size ") failed"); \
214 ret |= test(val_##size != check, \
215 "legitimate get_user (" #size ") failed to do copy"); \
216 if (val_##size != check) { \
217 pr_info("0x%llx != 0x%llx\n", \
218 (unsigned long long)val_##size, \
219 (unsigned long long)check); \
220 } \
221 } while (0)
222
223 test_legit(u8, 0x5a);
224 test_legit(u16, 0x5a5b);
225 test_legit(u32, 0x5a5b5c5d);
226#ifdef TEST_U64
227 test_legit(u64, 0x5a5b5c5d6a6b6c6d);
228#endif
229#undef test_legit
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]230
Aleksa Saraif5a1a532019-10-01 11:10:52 +1000[diff] [blame]231 /* Test usage of check_nonzero_user(). */
232 ret |= test_check_nonzero_user(kmem, usermem, 2 * PAGE_SIZE);
233 /* Test usage of copy_struct_from_user(). */
234 ret |= test_copy_struct_from_user(kmem, usermem, 2 * PAGE_SIZE);
235
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]236 /*
237 * Invalid usage: none of these copies should succeed.
238 */
239
240 /* Prepare kernel memory with check values. */
Hoeun Ryu4fbfeb82017-02-12 15:13:33 +0900[diff] [blame]241 memset(kmem, 0x5a, PAGE_SIZE);
242 memset(kmem + PAGE_SIZE, 0, PAGE_SIZE);
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]243
244 /* Reject kernel-to-kernel copies through copy_from_user(). */
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]245 ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
246 PAGE_SIZE),
247 "illegal all-kernel copy_from_user passed");
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]248
249 /* Destination half of buffer should have been zeroed. */
Hoeun Ryu4fbfeb82017-02-12 15:13:33 +0900[diff] [blame]250 ret |= test(memcmp(kmem + PAGE_SIZE, kmem, PAGE_SIZE),
251 "zeroing failure for illegal all-kernel copy_from_user");
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]252
253#if 0
254 /*
255 * When running with SMAP/PAN/etc, this will Oops the kernel
256 * due to the zeroing of userspace memory on failure. This needs
257 * to be tested in LKDTM instead, since this test module does not
258 * expect to explode.
259 */
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]260 ret |= test(!copy_from_user(bad_usermem, (char __user *)kmem,
261 PAGE_SIZE),
262 "illegal reversed copy_from_user passed");
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]263#endif
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]264 ret |= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,
265 PAGE_SIZE),
266 "illegal all-kernel copy_to_user passed");
267 ret |= test(!copy_to_user((char __user *)kmem, bad_usermem,
268 PAGE_SIZE),
269 "illegal reversed copy_to_user passed");
Kees Cookf5f893c2017-02-13 11:25:26 -0800[diff] [blame]270
Kees Cook4c5d7bc2017-02-14 12:38:07 -0800[diff] [blame]271#define test_illegal(size, check) \
272 do { \
273 val_##size = (check); \
274 ret |= test(!get_user(val_##size, (size __user *)kmem), \
275 "illegal get_user (" #size ") passed"); \
276 ret |= test(val_##size != (size)0, \
277 "zeroing failure for illegal get_user (" #size ")"); \
278 if (val_##size != (size)0) { \
279 pr_info("0x%llx != 0\n", \
280 (unsigned long long)val_##size); \
281 } \
282 ret |= test(!put_user(val_##size, (size __user *)kmem), \
283 "illegal put_user (" #size ") passed"); \
284 } while (0)
285
286 test_illegal(u8, 0x5a);
287 test_illegal(u16, 0x5a5b);
288 test_illegal(u32, 0x5a5b5c5d);
289#ifdef TEST_U64
290 test_illegal(u64, 0x5a5b5c5d6a6b6c6d);
291#endif
292#undef test_illegal
Kees Cook3e2a4c12014-01-23 15:54:38 -0800[diff] [blame]293
294 vm_munmap(user_addr, PAGE_SIZE * 2);
295 kfree(kmem);
296
297 if (ret == 0) {
298 pr_info("tests passed.\n");
299 return 0;
300 }
301
302 return -EINVAL;
303}
304
305module_init(test_user_copy_init);
306
307static void __exit test_user_copy_exit(void)
308{
309 pr_info("unloaded.\n");
310}
311
312module_exit(test_user_copy_exit);
313
314MODULE_AUTHOR("Kees Cook <keescook@chromium.org>");
315MODULE_LICENSE("GPL");