Skip to content
Navigation Menu
Toggle navigation
Sign in
In this repository
All GitHub Enterprise
↵
Jump to
↵
No suggested jump to results
In this repository
All GitHub Enterprise
↵
Jump to
↵
In this organization
All GitHub Enterprise
↵
Jump to
↵
In this repository
All GitHub Enterprise
↵
Jump to
↵
Sign in
Reseting focus
You signed in with another tab or window.
Reload
to refresh your session.
You signed out in another tab or window.
Reload
to refresh your session.
You switched accounts on another tab or window.
Reload
to refresh your session.
Dismiss alert
{{ message }}
mariux64
/
linux
Public
Notifications
You must be signed in to change notification settings
Fork
0
Star
0
Code
Issues
2
Pull requests
0
Actions
Projects
0
Wiki
Security
Insights
Additional navigation options
Code
Issues
Pull requests
Actions
Projects
Wiki
Security
Insights
Files
3411158
Documentation
LICENSES
arch
block
certs
crypto
drivers
fs
include
init
ipc
kernel
lib
842
crypto
dim
fonts
livepatch
lz4
lzo
math
mpi
raid6
reed_solomon
vdso
xz
zlib_deflate
zlib_inflate
zstd
.gitignore
Kconfig
Kconfig.debug
Kconfig.kasan
Kconfig.kgdb
Kconfig.ubsan
Makefile
argv_split.c
ashldi3.c
ashrdi3.c
asn1_decoder.c
assoc_array.c
atomic64.c
atomic64_test.c
audit.c
bcd.c
bch.c
bitmap.c
bitrev.c
bsearch.c
btree.c
bucket_locks.c
bug.c
build_OID_registry
bust_spinlocks.c
chacha.c
check_signature.c
checksum.c
clz_ctz.c
clz_tab.c
cmdline.c
cmpdi2.c
compat_audit.c
cpu_rmap.c
cpumask.c
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
crc16.c
crc32.c
crc32defs.h
crc32test.c
crc4.c
crc64.c
crc7.c
crc8.c
ctype.c
debug_info.c
debug_locks.c
debugobjects.c
dec_and_lock.c
decompress.c
decompress_bunzip2.c
decompress_inflate.c
decompress_unlz4.c
decompress_unlzma.c
decompress_unlzo.c
decompress_unxz.c
devres.c
digsig.c
dump_stack.c
dynamic_debug.c
dynamic_queue_limits.c
earlycpio.c
error-inject.c
errseq.c
extable.c
fault-inject.c
fdt.c
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
find_bit.c
find_bit_benchmark.c
flex_proportions.c
gen_crc32table.c
gen_crc64table.c
genalloc.c
generic-radix-tree.c
glob.c
globtest.c
hexdump.c
hweight.c
idr.c
inflate.c
interval_tree.c
interval_tree_test.c
iomap.c
iomap_copy.c
iommu-helper.c
ioremap.c
iov_iter.c
irq_poll.c
irq_regs.c
is_single_threaded.c
kasprintf.c
kfifo.c
klist.c
kobject.c
kobject_uevent.c
kstrtox.c
kstrtox.h
libcrc32c.c
list_debug.c
list_sort.c
llist.c
locking-selftest-hardirq.h
locking-selftest-mutex.h
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h
locking-selftest-rsem.h
locking-selftest-rtmutex.h
locking-selftest-softirq.h
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h
locking-selftest-wsem.h
locking-selftest.c
lockref.c
logic_pio.c
lru_cache.c
lshrdi3.c
memcat_p.c
memory-notifier-error-inject.c
memweight.c
muldi3.c
net_utils.c
netdev-notifier-error-inject.c
nlattr.c
nmi_backtrace.c
nodemask.c
notifier-error-inject.c
notifier-error-inject.h
objagg.c
of-reconfig-notifier-error-inject.c
oid_registry.c
once.c
packing.c
parman.c
parser.c
pci_iomap.c
percpu-refcount.c
percpu_counter.c
percpu_test.c
plist.c
pm-notifier-error-inject.c
radix-tree.c
random32.c
ratelimit.c
rbtree.c
rbtree_test.c
refcount.c
rhashtable.c
sbitmap.c
scatterlist.c
seq_buf.c
sg_pool.c
sg_split.c
sha1.c
show_mem.c
siphash.c
smp_processor_id.c
sort.c
stackdepot.c
stmp_device.c
string.c
string_helpers.c
strncpy_from_user.c
strnlen_user.c
syscall.c
test-kstrtox.c
test-string_helpers.c
test_bitfield.c
test_bitmap.c
test_blackhole_dev.c
test_bpf.c
test_debug_virtual.c
test_firmware.c
test_hash.c
test_hexdump.c
test_ida.c
test_kasan.c
test_kmod.c
test_list_sort.c
test_memcat_p.c
test_meminit.c
test_module.c
test_objagg.c
test_overflow.c
test_parman.c
test_printf.c
test_rhashtable.c
test_siphash.c
test_sort.c
test_stackinit.c
test_static_key_base.c
test_static_keys.c
test_string.c
test_strscpy.c
test_sysctl.c
test_ubsan.c
test_user_copy.c
test_uuid.c
test_vmalloc.c
test_xarray.c
textsearch.c
timerqueue.c
ts_bm.c
ts_fsm.c
ts_kmp.c
ubsan.c
ubsan.h
ucmpdi2.c
ucs2_string.c
usercopy.c
uuid.c
vsprintf.c
win_minmax.c
xarray.c
xxhash.c
mm
net
samples
scripts
security
sound
tools
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Breadcrumbs
linux
/
lib
/
test_user_copy.c
Blame
Blame
Latest commit
History
History
312 lines (262 loc) · 8.65 KB
Breadcrumbs
linux
/
lib
/
test_user_copy.c
Top
File metadata and controls
Code
Blame
312 lines (262 loc) · 8.65 KB
Raw
// SPDX-License-Identifier: GPL-2.0-only /* * Kernel module for testing copy_to/from_user infrastructure. * * Copyright 2013 Google Inc. All Rights Reserved * * Authors: * Kees Cook <keescook@chromium.org> */ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include <linux/mman.h> #include <linux/module.h> #include <linux/sched.h> #include <linux/slab.h> #include <linux/uaccess.h> #include <linux/vmalloc.h> /* * Several 32-bit architectures support 64-bit {get,put}_user() calls. * As there doesn't appear to be anything that can safely determine * their capability at compile-time, we just have to opt-out certain archs. */ #if BITS_PER_LONG == 64 || (!(defined(CONFIG_ARM) && !defined(MMU)) && \ !defined(CONFIG_M68K) && \ !defined(CONFIG_MICROBLAZE) && \ !defined(CONFIG_NIOS2) && \ !defined(CONFIG_PPC32) && \ !defined(CONFIG_SUPERH)) # define TEST_U64 #endif #define test(condition, msg, ...) \ ({ \ int cond = (condition); \ if (cond) \ pr_warn("[%d] " msg "\n", __LINE__, ##__VA_ARGS__); \ cond; \ }) static bool is_zeroed(void *from, size_t size) { return memchr_inv(from, 0x0, size) == NULL; } static int test_check_nonzero_user(char *kmem, char __user *umem, size_t size) { int ret = 0; size_t start, end, i; size_t zero_start = size / 4; size_t zero_end = size - zero_start; /* * We conduct a series of check_nonzero_user() tests on a block of memory * with the following byte-pattern (trying every possible [start,end] * pair): * * [ 00 ff 00 ff ... 00 00 00 00 ... ff 00 ff 00 ] * * And we verify that check_nonzero_user() acts identically to memchr_inv(). */ memset(kmem, 0x0, size); for (i = 1; i < zero_start; i += 2) kmem[i] = 0xff; for (i = zero_end; i < size; i += 2) kmem[i] = 0xff; ret |= test(copy_to_user(umem, kmem, size), "legitimate copy_to_user failed"); for (start = 0; start <= size; start++) { for (end = start; end <= size; end++) { size_t len = end - start; int retval = check_zeroed_user(umem + start, len); int expected = is_zeroed(kmem + start, len); ret |= test(retval != expected, "check_nonzero_user(=%d) != memchr_inv(=%d) mismatch (start=%zu, end=%zu)", retval, expected, start, end); } } return ret; } static int test_copy_struct_from_user(char *kmem, char __user *umem, size_t size) { int ret = 0; char *umem_src = NULL, *expected = NULL; size_t ksize, usize; umem_src = kmalloc(size, GFP_KERNEL); if ((ret |= test(umem_src == NULL, "kmalloc failed"))) goto out_free; expected = kmalloc(size, GFP_KERNEL); if ((ret |= test(expected == NULL, "kmalloc failed"))) goto out_free; /* Fill umem with a fixed byte pattern. */ memset(umem_src, 0x3e, size); ret |= test(copy_to_user(umem, umem_src, size), "legitimate copy_to_user failed"); /* Check basic case -- (usize == ksize). */ ksize = size; usize = size; memcpy(expected, umem_src, ksize); memset(kmem, 0x0, size); ret |= test(copy_struct_from_user(kmem, ksize, umem, usize), "copy_struct_from_user(usize == ksize) failed"); ret |= test(memcmp(kmem, expected, ksize), "copy_struct_from_user(usize == ksize) gives unexpected copy"); /* Old userspace case -- (usize < ksize). */ ksize = size; usize = size / 2; memcpy(expected, umem_src, usize); memset(expected + usize, 0x0, ksize - usize); memset(kmem, 0x0, size); ret |= test(copy_struct_from_user(kmem, ksize, umem, usize), "copy_struct_from_user(usize < ksize) failed"); ret |= test(memcmp(kmem, expected, ksize), "copy_struct_from_user(usize < ksize) gives unexpected copy"); /* New userspace (-E2BIG) case -- (usize > ksize). */ ksize = size / 2; usize = size; memset(kmem, 0x0, size); ret |= test(copy_struct_from_user(kmem, ksize, umem, usize) != -E2BIG, "copy_struct_from_user(usize > ksize) didn't give E2BIG"); /* New userspace (success) case -- (usize > ksize). */ ksize = size / 2; usize = size; memcpy(expected, umem_src, ksize); ret |= test(clear_user(umem + ksize, usize - ksize), "legitimate clear_user failed"); memset(kmem, 0x0, size); ret |= test(copy_struct_from_user(kmem, ksize, umem, usize), "copy_struct_from_user(usize > ksize) failed"); ret |= test(memcmp(kmem, expected, ksize), "copy_struct_from_user(usize > ksize) gives unexpected copy"); out_free: kfree(expected); kfree(umem_src); return ret; } static int __init test_user_copy_init(void) { int ret = 0; char *kmem; char __user *usermem; char *bad_usermem; unsigned long user_addr; u8 val_u8; u16 val_u16; u32 val_u32; #ifdef TEST_U64 u64 val_u64; #endif kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL); if (!kmem) return -ENOMEM; user_addr = vm_mmap(NULL, 0, PAGE_SIZE * 2, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0); if (user_addr >= (unsigned long)(TASK_SIZE)) { pr_warn("Failed to allocate user memory\n"); kfree(kmem); return -ENOMEM; } usermem = (char __user *)user_addr; bad_usermem = (char *)user_addr; /* * Legitimate usage: none of these copies should fail. */ memset(kmem, 0x3a, PAGE_SIZE * 2); ret |= test(copy_to_user(usermem, kmem, PAGE_SIZE), "legitimate copy_to_user failed"); memset(kmem, 0x0, PAGE_SIZE); ret |= test(copy_from_user(kmem, usermem, PAGE_SIZE), "legitimate copy_from_user failed"); ret |= test(memcmp(kmem, kmem + PAGE_SIZE, PAGE_SIZE), "legitimate usercopy failed to copy data"); #define test_legit(size, check) \ do { \ val_##size = check; \ ret |= test(put_user(val_##size, (size __user *)usermem), \ "legitimate put_user (" #size ") failed"); \ val_##size = 0; \ ret |= test(get_user(val_##size, (size __user *)usermem), \ "legitimate get_user (" #size ") failed"); \ ret |= test(val_##size != check, \ "legitimate get_user (" #size ") failed to do copy"); \ if (val_##size != check) { \ pr_info("0x%llx != 0x%llx\n", \ (unsigned long long)val_##size, \ (unsigned long long)check); \ } \ } while (0) test_legit(u8, 0x5a); test_legit(u16, 0x5a5b); test_legit(u32, 0x5a5b5c5d); #ifdef TEST_U64 test_legit(u64, 0x5a5b5c5d6a6b6c6d); #endif #undef test_legit /* Test usage of check_nonzero_user(). */ ret |= test_check_nonzero_user(kmem, usermem, 2 * PAGE_SIZE); /* Test usage of copy_struct_from_user(). */ ret |= test_copy_struct_from_user(kmem, usermem, 2 * PAGE_SIZE); /* * Invalid usage: none of these copies should succeed. */ /* Prepare kernel memory with check values. */ memset(kmem, 0x5a, PAGE_SIZE); memset(kmem + PAGE_SIZE, 0, PAGE_SIZE); /* Reject kernel-to-kernel copies through copy_from_user(). */ ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE), PAGE_SIZE), "illegal all-kernel copy_from_user passed"); /* Destination half of buffer should have been zeroed. */ ret |= test(memcmp(kmem + PAGE_SIZE, kmem, PAGE_SIZE), "zeroing failure for illegal all-kernel copy_from_user"); #if 0 /* * When running with SMAP/PAN/etc, this will Oops the kernel * due to the zeroing of userspace memory on failure. This needs * to be tested in LKDTM instead, since this test module does not * expect to explode. */ ret |= test(!copy_from_user(bad_usermem, (char __user *)kmem, PAGE_SIZE), "illegal reversed copy_from_user passed"); #endif ret |= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE, PAGE_SIZE), "illegal all-kernel copy_to_user passed"); ret |= test(!copy_to_user((char __user *)kmem, bad_usermem, PAGE_SIZE), "illegal reversed copy_to_user passed"); #define test_illegal(size, check) \ do { \ val_##size = (check); \ ret |= test(!get_user(val_##size, (size __user *)kmem), \ "illegal get_user (" #size ") passed"); \ ret |= test(val_##size != (size)0, \ "zeroing failure for illegal get_user (" #size ")"); \ if (val_##size != (size)0) { \ pr_info("0x%llx != 0\n", \ (unsigned long long)val_##size); \ } \ ret |= test(!put_user(val_##size, (size __user *)kmem), \ "illegal put_user (" #size ") passed"); \ } while (0) test_illegal(u8, 0x5a); test_illegal(u16, 0x5a5b); test_illegal(u32, 0x5a5b5c5d); #ifdef TEST_U64 test_illegal(u64, 0x5a5b5c5d6a6b6c6d); #endif #undef test_illegal vm_munmap(user_addr, PAGE_SIZE * 2); kfree(kmem); if (ret == 0) { pr_info("tests passed.\n"); return 0; } return -EINVAL; } module_init(test_user_copy_init); static void __exit test_user_copy_exit(void) { pr_info("unloaded.\n"); } module_exit(test_user_copy_exit); MODULE_AUTHOR("Kees Cook <keescook@chromium.org>"); MODULE_LICENSE("GPL");
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
You can’t perform that action at this time.