  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * This is for all the tests related to validating kernel memory
  4. * permissions: non-executable regions, non-writable regions, and
  5. * even non-readable regions.
  6. */
  7. #include "lkdtm.h"
  8. #include <linux/slab.h>
  9. #include <linux/vmalloc.h>
  10. #include <linux/mman.h>
  11. #include <linux/uaccess.h>
  12. #include <linux/objtool.h>
  13. #include <asm/cacheflush.h>
  14. #include <asm/sections.h>
  /*
   * Values for the "write" argument of execute_location(): CODE_WRITE fills
   * the target memory area with do_nothing() first, CODE_AS_IS executes the
   * target exactly as it is.
   */
  #define CODE_WRITE true
  #define CODE_AS_IS false

  /* Bytes to copy so that enough of do_nothing() is certain to be copied. */
  #define EXEC_SIZE 64

  /* Non-const, so this ends up in the .data section. */
  static u8 data_area[EXEC_SIZE];

  /* Const, so this ends up in the .rodata section. */
  static const unsigned long rodata = 0xAA55AA55;

  /* Marked __ro_after_init, so this should ultimately be .rodata. */
  static unsigned long ro_after_init __ro_after_init = 0x55AA5500;

  /*
   * Address of do_nothing(), assigned at runtime rather than at build time.
   * A build-time initializer leads to objtool IBT validation warnings because
   * of the inlined, unrolled memcpy() in execute_location().
   */
  static void __ro_after_init *do_nothing_ptr;
  /*
   * Returns to the caller and does nothing else. Its code is what the tests
   * copy into memory regions that are meant to be non-executable.
   * do_overwritten() must stay directly after this function.
   */
  static noinline void do_nothing(void)
  {
      /* Intentionally empty: control falls straight through to the return. */
  }
  /*
   * Must immediately follow do_nothing() for the size calculation in
   * lkdtm_WRITE_KERN() to work out: that size is the distance between the
   * two functions.
   */
  static noinline void do_overwritten(void)
  {
      /* Seeing this message means the body still holds its original code. */
      pr_info("do_overwritten wasn't overwritten!\n");
  }
  /*
   * Source of the function descriptor that lkdtm_WRITE_OPD() tries to copy
   * over do_nothing's descriptor. If this message is logged after a call
   * through do_nothing, the descriptor was redirected.
   */
  static noinline void do_almost_nothing(void)
  {
      pr_info("do_nothing was hijacked!\n");
      return;
  }
  /*
   * Produce something callable for the address dst.
   * @fdesc: caller-provided storage for a function descriptor
   * @dst:   address the call should land on
   *
   * On platforms with function descriptors, *fdesc becomes a copy of
   * do_nothing's descriptor with its addr field pointing at dst, and fdesc is
   * returned. On all other platforms dst is returned unchanged and *fdesc is
   * not touched.
   */
  static void *setup_function_descriptor(func_desc_t *fdesc, void *dst)
  {
      if (have_function_descriptors()) {
          memcpy(fdesc, do_nothing, sizeof(*fdesc));
          fdesc->addr = (unsigned long)dst;
          /*
           * NOTE(review): presumably keeps the compiler from moving or
           * dropping the descriptor stores before the caller's indirect
           * call - confirm.
           */
          barrier();
          return fdesc;
      }

      return dst;
  }
  /*
   * Try to execute code located at dst, where execution is expected to be
   * refused.
   * @dst:   address to call
   * @write: CODE_WRITE to copy EXEC_SIZE bytes of do_nothing() to dst first,
   *         CODE_AS_IS to call whatever is already at dst
   *
   * A call that returns means nothing stopped the execution, and that is
   * logged as a failure.
   */
  static noinline __nocfi void execute_location(void *dst, bool write)
  {
      func_desc_t fdesc;
      void (*target)(void);

      /* %px logs the raw, unhashed address so the report names the real target. */
      pr_info("attempting ok execution at %px\n", do_nothing_ptr);
      do_nothing();

      if (write == CODE_WRITE) {
          unsigned long start = (unsigned long)dst;

          memcpy(dst, do_nothing_ptr, EXEC_SIZE);
          /* Flush so that instruction fetch sees the bytes just written. */
          flush_icache_range(start, start + EXEC_SIZE);
      }

      pr_info("attempting bad execution at %px\n", dst);
      target = setup_function_descriptor(&fdesc, dst);
      target();
      pr_err("FAIL: func returned\n");
  }

  /*
   * execute_location() explicitly does the wrong thing for testing.
   */
  ANNOTATE_NOCFI_SYM(execute_location);
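  /*
   * Copy do_nothing() to the user-space address dst, then try to call it from
   * kernel context.
   * @dst: user-space address to write EXEC_SIZE bytes to and then call
   *
   * A call that returns means the kernel executed user memory, which is
   * logged as a failure. If the copy comes up short the test is skipped,
   * and the skip is logged.
   */
  static void execute_user_location(void *dst)
  {
      int copied;

      /* Intentionally crossing kernel/user memory boundary. */
      void (*func)(void);
      func_desc_t fdesc;
      void *do_nothing_text = dereference_function_descriptor(do_nothing);

      /* %px logs the raw, unhashed address. */
      pr_info("attempting ok execution at %px\n", do_nothing_text);
      do_nothing();

      copied = access_process_vm(current, (unsigned long)dst, do_nothing_text,
                                 EXEC_SIZE, FOLL_WRITE);
      if (copied < EXEC_SIZE) {
          /*
           * Log the skip: a silent return leaves neither a fault nor a
           * FAIL line, so the log would not show that the execution
           * attempt never happened.
           */
          pr_warn("Failed to copy do_nothing() to user memory\n");
          return;
      }

      pr_info("attempting bad execution at %px\n", dst);
      func = setup_function_descriptor(&fdesc, dst);
      func();
      pr_err("FAIL: func returned\n");
  }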
  /*
   * WRITE_RO: try to modify a const object that lives in .rodata.
   * The write is expected to fault; reaching the final message means the
   * read-only data was writable.
   */
  static void lkdtm_WRITE_RO(void)
  {
      /*
       * The cast drops "const" on purpose, and volatile keeps the compiler
       * from dropping the access.
       */
      volatile unsigned long *target = (unsigned long *)&rodata;

      pr_info("attempting bad rodata write at %px\n", target);
      *target ^= 0xabcd1234;
      pr_err("FAIL: survived bad write\n");
  }
  /*
   * WRITE_RO_AFTER_INIT: try to modify a __ro_after_init variable once init
   * is over. The write is expected to fault; reaching the final message
   * means the variable was still writable.
   */
  static void lkdtm_WRITE_RO_AFTER_INIT(void)
  {
      volatile unsigned long *target = &ro_after_init;

      /*
       * lkdtm_perms_init() ORs 0xAA into the variable during init. Check
       * that this happened. Because an Oops counts as "success" for this
       * test, the failure mode here is to skip the real test rather than
       * to crash.
       */
      if ((*target & 0xAA) != 0xAA) {
          pr_info("%p was NOT written during init!?\n", target);
          return;
      }

      pr_info("attempting bad ro_after_init write at %px\n", target);
      *target ^= 0xabcd1234;
      pr_err("FAIL: survived bad write\n");
  }
  /*
   * WRITE_KERN: try to overwrite kernel text, using do_overwritten() as the
   * victim. The write is expected to fault; reaching the final message means
   * kernel text was writable.
   */
  static void lkdtm_WRITE_KERN(void)
  {
      volatile unsigned char *ptr = dereference_function_descriptor(do_overwritten);
      /* do_overwritten() directly follows do_nothing(), so this is the distance between them. */
      size_t size = (unsigned long)ptr -
                    (unsigned long)dereference_function_descriptor(do_nothing);

      pr_info("attempting bad %zu byte write at %px\n", size, ptr);
      /*
       * NOTE(review): the copy source is do_nothing itself, not its
       * dereferenced text address; on function-descriptor platforms that
       * presumably names the descriptor - confirm this is intended.
       */
      memcpy((void *)ptr, (unsigned char *)do_nothing, size);
      flush_icache_range((unsigned long)ptr, (unsigned long)(ptr + size));
      pr_err("FAIL: survived bad write\n");

      /* If the overwrite had no effect, the original body logs a message here. */
      do_overwritten();
  }
  /*
   * WRITE_OPD: try to overwrite do_nothing's function descriptor with the one
   * of do_almost_nothing(). Only meaningful on platforms that use function
   * descriptors; elsewhere it logs XFAIL and returns.
   */
  static void lkdtm_WRITE_OPD(void)
  {
      void (*func)(void) = do_nothing;
      size_t desc_size = sizeof(func_desc_t);

      if (!have_function_descriptors()) {
          pr_info("XFAIL: Platform doesn't use function descriptors.\n");
          return;
      }

      pr_info("attempting bad %zu bytes write at %px\n", desc_size, do_nothing);
      memcpy(do_nothing, do_almost_nothing, desc_size);
      pr_err("FAIL: survived bad write\n");

      /*
       * Empty asm with func as a memory output: the compiler has to treat
       * func as modified, so it cannot turn the call below into a direct
       * call to do_nothing().
       */
      asm("" : "=m"(func));
      func();
  }
  /*
   * EXEC_DATA: copy do_nothing() into data_area, which is in .data, and try
   * to execute it there.
   */
  static void lkdtm_EXEC_DATA(void)
  {
      void *target = data_area;

      execute_location(target, CODE_WRITE);
  }
  /*
   * EXEC_STACK: copy do_nothing() into a buffer on the kernel stack and try
   * to execute it there.
   */
  static void lkdtm_EXEC_STACK(void)
  {
      /* Sized to hold exactly the EXEC_SIZE bytes that execute_location() copies. */
      u8 on_stack[EXEC_SIZE];

      execute_location(on_stack, CODE_WRITE);
  }
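  /*
   * EXEC_KMALLOC: copy do_nothing() into a kmalloc() buffer and try to
   * execute it there. The buffer is only freed if the call returns, which
   * is itself the failure case.
   */
  static void lkdtm_EXEC_KMALLOC(void)
  {
      u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);

      /*
       * A failed allocation would make execute_location() memcpy() to NULL.
       * The fault from that write could be mistaken for the expected
       * execute fault, so skip the test instead.
       */
      if (!kmalloc_area) {
          pr_warn("Failed to allocate kmalloc memory\n");
          return;
      }

      execute_location(kmalloc_area, CODE_WRITE);
      kfree(kmalloc_area);
  }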
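  /*
   * EXEC_VMALLOC: copy do_nothing() into a vmalloc() buffer and try to
   * execute it there. The buffer is only freed if the call returns, which
   * is itself the failure case.
   */
  static void lkdtm_EXEC_VMALLOC(void)
  {
      u32 *vmalloc_area = vmalloc(EXEC_SIZE);

      /*
       * A failed allocation would make execute_location() memcpy() to NULL.
       * The fault from that write could be mistaken for the expected
       * execute fault, so skip the test instead.
       */
      if (!vmalloc_area) {
          pr_warn("Failed to allocate vmalloc memory\n");
          return;
      }

      execute_location(vmalloc_area, CODE_WRITE);
      vfree(vmalloc_area);
  }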
  /*
   * EXEC_RODATA: try to execute lkdtm_rodata_do_nothing() in place. Nothing
   * is copied (CODE_AS_IS); the function's own text is the target.
   */
  static void lkdtm_EXEC_RODATA(void)
  {
      void *target = dereference_function_descriptor(lkdtm_rodata_do_nothing);

      execute_location(target, CODE_AS_IS);
  }
  /*
   * EXEC_USERSPACE: map an anonymous read/write/execute page in the current
   * process and try to execute it from kernel context. The mapping is only
   * removed if the attempt returns.
   */
  static void lkdtm_EXEC_USERSPACE(void)
  {
      unsigned long user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
                                        PROT_READ | PROT_WRITE | PROT_EXEC,
                                        MAP_ANONYMOUS | MAP_PRIVATE, 0);

      /* A result at or above TASK_SIZE is not a user address: treat it as failure. */
      if (user_addr >= TASK_SIZE) {
          pr_warn("Failed to allocate user memory\n");
          return;
      }

      execute_user_location((void *)user_addr);
      vm_munmap(user_addr, PAGE_SIZE);
  }
  /*
   * EXEC_NULL: try to call address NULL. Nothing is copied there first
   * (CODE_AS_IS).
   */
  static void lkdtm_EXEC_NULL(void)
  {
      void *null_target = NULL;

      execute_location(null_target, CODE_AS_IS);
  }
  /*
   * ACCESS_USERSPACE: map a user page, initialise it through copy_to_user(),
   * then read and write it through a plain kernel pointer. Both direct
   * accesses are expected to fault; each "survived" message marks an access
   * that went through.
   */
  static void lkdtm_ACCESS_USERSPACE(void)
  {
      unsigned long *ptr;
      unsigned long tmp = 0;
      unsigned long user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
                                        PROT_READ | PROT_WRITE | PROT_EXEC,
                                        MAP_ANONYMOUS | MAP_PRIVATE, 0);

      /* A result at or above TASK_SIZE is not a user address: treat it as failure. */
      if (user_addr >= TASK_SIZE) {
          pr_warn("Failed to allocate user memory\n");
          return;
      }

      /* Write to the page through the user-access helper first. */
      if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) {
          pr_warn("copy_to_user failed\n");
          goto unmap;
      }

      ptr = (unsigned long *)user_addr;

      pr_info("attempting bad read at %px\n", ptr);
      tmp = *ptr;
      /* NOTE(review): presumably uses the loaded value so the read is not optimised away - confirm. */
      tmp += 0xc0dec0de;
      pr_err("FAIL: survived bad read\n");

      pr_info("attempting bad write at %px\n", ptr);
      *ptr = tmp;
      pr_err("FAIL: survived bad write\n");

  unmap:
      vm_munmap(user_addr, PAGE_SIZE);
  }
  /*
   * ACCESS_NULL: read from and then write to address NULL. Both accesses are
   * expected to fault; each "survived" message marks an access that went
   * through.
   */
  static void lkdtm_ACCESS_NULL(void)
  {
      /* volatile keeps the compiler from dropping the NULL accesses. */
      volatile unsigned long *null_ptr = (unsigned long *)NULL;
      unsigned long value;

      pr_info("attempting bad read at %px\n", null_ptr);
      value = *null_ptr;
      value += 0xc0dec0de;
      pr_err("FAIL: survived bad read\n");

      pr_info("attempting bad write at %px\n", null_ptr);
      *null_ptr = value;
      pr_err("FAIL: survived bad write\n");
  }
  /*
   * Init-time setup for the permission tests: records the text address of
   * do_nothing() and writes to ro_after_init while it may still be written.
   */
  void __init lkdtm_perms_init(void)
  {
      do_nothing_ptr = dereference_function_descriptor(do_nothing);

      /*
       * Make sure __ro_after_init values are writable during __init.
       * lkdtm_WRITE_RO_AFTER_INIT() later checks for these 0xAA bits.
       */
      ro_after_init = ro_after_init | 0xAA;
  }
  /* Every permission test in this file; each entry names one lkdtm_<NAME>() handler. */
  static struct crashtype crashtypes[] = {
      /* Writes to memory that should be read-only. */
      CRASHTYPE(WRITE_RO),
      CRASHTYPE(WRITE_RO_AFTER_INIT),
      CRASHTYPE(WRITE_KERN),
      CRASHTYPE(WRITE_OPD),
      /* Execution from memory that should not be executable. */
      CRASHTYPE(EXEC_DATA),
      CRASHTYPE(EXEC_STACK),
      CRASHTYPE(EXEC_KMALLOC),
      CRASHTYPE(EXEC_VMALLOC),
      CRASHTYPE(EXEC_RODATA),
      CRASHTYPE(EXEC_USERSPACE),
      CRASHTYPE(EXEC_NULL),
      /* Direct data accesses to user space and to NULL. */
      CRASHTYPE(ACCESS_USERSPACE),
      CRASHTYPE(ACCESS_NULL),
  };

  /* The table above together with its length, exported as one category. */
  struct crashtype_category perms_crashtypes = {
      .crashtypes = crashtypes,
      .len = ARRAY_SIZE(crashtypes),
  };