usercopy_kunit.c 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Kernel module for testing copy_to/from_user infrastructure.
  4. *
  5. * Copyright 2013 Google Inc. All Rights Reserved
  6. *
  7. * Authors:
  8. * Kees Cook <keescook@chromium.org>
  9. */
  10. #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  11. #include <linux/mman.h>
  12. #include <linux/module.h>
  13. #include <linux/sched.h>
  14. #include <linux/slab.h>
  15. #include <linux/uaccess.h>
  16. #include <kunit/test.h>
  17. /*
  18. * Several 32-bit architectures support 64-bit {get,put}_user() calls.
  19. * As there doesn't appear to be anything that can safely determine
  20. * their capability at compile-time, we just have to opt-out certain archs.
  21. */
  22. #if BITS_PER_LONG == 64 || (!(defined(CONFIG_ARM) && !defined(MMU)) && \
  23. !defined(CONFIG_M68K) && \
  24. !defined(CONFIG_MICROBLAZE) && \
  25. !defined(CONFIG_NIOS2) && \
  26. !defined(CONFIG_PPC32) && \
  27. !defined(CONFIG_SPARC32) && \
  28. !defined(CONFIG_SUPERH))
  29. # define TEST_U64
  30. #endif
  31. struct usercopy_test_priv {
  32. char *kmem;
  33. char __user *umem;
  34. size_t size;
  35. };
  36. static bool is_zeroed(void *from, size_t size)
  37. {
  38. return memchr_inv(from, 0x0, size) == NULL;
  39. }
  40. /* Test usage of check_nonzero_user(). */
  41. static void usercopy_test_check_nonzero_user(struct kunit *test)
  42. {
  43. size_t start, end, i, zero_start, zero_end;
  44. struct usercopy_test_priv *priv = test->priv;
  45. char __user *umem = priv->umem;
  46. char *kmem = priv->kmem;
  47. size_t size = priv->size;
  48. KUNIT_ASSERT_GE_MSG(test, size, 2 * PAGE_SIZE, "buffer too small");
  49. /*
  50. * We want to cross a page boundary to exercise the code more
  51. * effectively. We also don't want to make the size we scan too large,
  52. * otherwise the test can take a long time and cause soft lockups. So
  53. * scan a 1024 byte region across the page boundary.
  54. */
  55. size = 1024;
  56. start = PAGE_SIZE - (size / 2);
  57. kmem += start;
  58. umem += start;
  59. zero_start = size / 4;
  60. zero_end = size - zero_start;
  61. /*
  62. * We conduct a series of check_nonzero_user() tests on a block of
  63. * memory with the following byte-pattern (trying every possible
  64. * [start,end] pair):
  65. *
  66. * [ 00 ff 00 ff ... 00 00 00 00 ... ff 00 ff 00 ]
  67. *
  68. * And we verify that check_nonzero_user() acts identically to
  69. * memchr_inv().
  70. */
  71. memset(kmem, 0x0, size);
  72. for (i = 1; i < zero_start; i += 2)
  73. kmem[i] = 0xff;
  74. for (i = zero_end; i < size; i += 2)
  75. kmem[i] = 0xff;
  76. KUNIT_EXPECT_EQ_MSG(test, copy_to_user(umem, kmem, size), 0,
  77. "legitimate copy_to_user failed");
  78. for (start = 0; start <= size; start++) {
  79. for (end = start; end <= size; end++) {
  80. size_t len = end - start;
  81. int retval = check_zeroed_user(umem + start, len);
  82. int expected = is_zeroed(kmem + start, len);
  83. KUNIT_ASSERT_EQ_MSG(test, retval, expected,
  84. "check_nonzero_user(=%d) != memchr_inv(=%d) mismatch (start=%zu, end=%zu)",
  85. retval, expected, start, end);
  86. }
  87. }
  88. }
  89. /* Test usage of copy_struct_from_user(). */
  90. static void usercopy_test_copy_struct_from_user(struct kunit *test)
  91. {
  92. char *umem_src = NULL, *expected = NULL;
  93. struct usercopy_test_priv *priv = test->priv;
  94. char __user *umem = priv->umem;
  95. char *kmem = priv->kmem;
  96. size_t size = priv->size;
  97. size_t ksize, usize;
  98. umem_src = kunit_kmalloc(test, size, GFP_KERNEL);
  99. KUNIT_ASSERT_NOT_ERR_OR_NULL(test, umem_src);
  100. expected = kunit_kmalloc(test, size, GFP_KERNEL);
  101. KUNIT_ASSERT_NOT_ERR_OR_NULL(test, expected);
  102. /* Fill umem with a fixed byte pattern. */
  103. memset(umem_src, 0x3e, size);
  104. KUNIT_ASSERT_EQ_MSG(test, copy_to_user(umem, umem_src, size), 0,
  105. "legitimate copy_to_user failed");
  106. /* Check basic case -- (usize == ksize). */
  107. ksize = size;
  108. usize = size;
  109. memcpy(expected, umem_src, ksize);
  110. memset(kmem, 0x0, size);
  111. KUNIT_EXPECT_EQ_MSG(test, copy_struct_from_user(kmem, ksize, umem, usize), 0,
  112. "copy_struct_from_user(usize == ksize) failed");
  113. KUNIT_EXPECT_MEMEQ_MSG(test, kmem, expected, ksize,
  114. "copy_struct_from_user(usize == ksize) gives unexpected copy");
  115. /* Old userspace case -- (usize < ksize). */
  116. ksize = size;
  117. usize = size / 2;
  118. memcpy(expected, umem_src, usize);
  119. memset(expected + usize, 0x0, ksize - usize);
  120. memset(kmem, 0x0, size);
  121. KUNIT_EXPECT_EQ_MSG(test, copy_struct_from_user(kmem, ksize, umem, usize), 0,
  122. "copy_struct_from_user(usize < ksize) failed");
  123. KUNIT_EXPECT_MEMEQ_MSG(test, kmem, expected, ksize,
  124. "copy_struct_from_user(usize < ksize) gives unexpected copy");
  125. /* New userspace (-E2BIG) case -- (usize > ksize). */
  126. ksize = size / 2;
  127. usize = size;
  128. memset(kmem, 0x0, size);
  129. KUNIT_EXPECT_EQ_MSG(test, copy_struct_from_user(kmem, ksize, umem, usize), -E2BIG,
  130. "copy_struct_from_user(usize > ksize) didn't give E2BIG");
  131. /* New userspace (success) case -- (usize > ksize). */
  132. ksize = size / 2;
  133. usize = size;
  134. memcpy(expected, umem_src, ksize);
  135. KUNIT_EXPECT_EQ_MSG(test, clear_user(umem + ksize, usize - ksize), 0,
  136. "legitimate clear_user failed");
  137. memset(kmem, 0x0, size);
  138. KUNIT_EXPECT_EQ_MSG(test, copy_struct_from_user(kmem, ksize, umem, usize), 0,
  139. "copy_struct_from_user(usize > ksize) failed");
  140. KUNIT_EXPECT_MEMEQ_MSG(test, kmem, expected, ksize,
  141. "copy_struct_from_user(usize > ksize) gives unexpected copy");
  142. }
  143. /*
  144. * Legitimate usage: none of these copies should fail.
  145. */
  146. static void usercopy_test_valid(struct kunit *test)
  147. {
  148. struct usercopy_test_priv *priv = test->priv;
  149. char __user *usermem = priv->umem;
  150. char *kmem = priv->kmem;
  151. memset(kmem, 0x3a, PAGE_SIZE * 2);
  152. KUNIT_EXPECT_EQ_MSG(test, 0, copy_to_user(usermem, kmem, PAGE_SIZE),
  153. "legitimate copy_to_user failed");
  154. memset(kmem, 0x0, PAGE_SIZE);
  155. KUNIT_EXPECT_EQ_MSG(test, 0, copy_from_user(kmem, usermem, PAGE_SIZE),
  156. "legitimate copy_from_user failed");
  157. KUNIT_EXPECT_MEMEQ_MSG(test, kmem, kmem + PAGE_SIZE, PAGE_SIZE,
  158. "legitimate usercopy failed to copy data");
  159. #define test_legit(size, check) \
  160. do { \
  161. size val_##size = (check); \
  162. KUNIT_EXPECT_EQ_MSG(test, 0, \
  163. put_user(val_##size, (size __user *)usermem), \
  164. "legitimate put_user (" #size ") failed"); \
  165. val_##size = 0; \
  166. KUNIT_EXPECT_EQ_MSG(test, 0, \
  167. get_user(val_##size, (size __user *)usermem), \
  168. "legitimate get_user (" #size ") failed"); \
  169. KUNIT_EXPECT_EQ_MSG(test, val_##size, check, \
  170. "legitimate get_user (" #size ") failed to do copy"); \
  171. } while (0)
  172. test_legit(u8, 0x5a);
  173. test_legit(u16, 0x5a5b);
  174. test_legit(u32, 0x5a5b5c5d);
  175. #ifdef TEST_U64
  176. test_legit(u64, 0x5a5b5c5d6a6b6c6d);
  177. #endif
  178. #undef test_legit
  179. }
  180. /*
  181. * Invalid usage: none of these copies should succeed.
  182. */
  183. static void usercopy_test_invalid(struct kunit *test)
  184. {
  185. struct usercopy_test_priv *priv = test->priv;
  186. char __user *usermem = priv->umem;
  187. char *bad_usermem = (char *)usermem;
  188. char *kmem = priv->kmem;
  189. u64 *kmem_u64 = (u64 *)kmem;
  190. if (IS_ENABLED(CONFIG_ALTERNATE_USER_ADDRESS_SPACE) ||
  191. !IS_ENABLED(CONFIG_MMU)) {
  192. kunit_skip(test, "Testing for kernel/userspace address confusion is only sensible on architectures with a shared address space");
  193. return;
  194. }
  195. /* Prepare kernel memory with check values. */
  196. memset(kmem, 0x5a, PAGE_SIZE);
  197. memset(kmem + PAGE_SIZE, 0, PAGE_SIZE);
  198. /* Reject kernel-to-kernel copies through copy_from_user(). */
  199. KUNIT_EXPECT_NE_MSG(test, copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
  200. PAGE_SIZE), 0,
  201. "illegal all-kernel copy_from_user passed");
  202. /* Destination half of buffer should have been zeroed. */
  203. KUNIT_EXPECT_MEMEQ_MSG(test, kmem + PAGE_SIZE, kmem, PAGE_SIZE,
  204. "zeroing failure for illegal all-kernel copy_from_user");
  205. #if 0
  206. /*
  207. * When running with SMAP/PAN/etc, this will Oops the kernel
  208. * due to the zeroing of userspace memory on failure. This needs
  209. * to be tested in LKDTM instead, since this test module does not
  210. * expect to explode.
  211. */
  212. KUNIT_EXPECT_NE_MSG(test, copy_from_user(bad_usermem, (char __user *)kmem,
  213. PAGE_SIZE), 0,
  214. "illegal reversed copy_from_user passed");
  215. #endif
  216. KUNIT_EXPECT_NE_MSG(test, copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,
  217. PAGE_SIZE), 0,
  218. "illegal all-kernel copy_to_user passed");
  219. KUNIT_EXPECT_NE_MSG(test, copy_to_user((char __user *)kmem, bad_usermem,
  220. PAGE_SIZE), 0,
  221. "illegal reversed copy_to_user passed");
  222. #define test_illegal(size, check) \
  223. do { \
  224. size val_##size = (check); \
  225. /* get_user() */ \
  226. KUNIT_EXPECT_NE_MSG(test, get_user(val_##size, (size __user *)kmem), 0, \
  227. "illegal get_user (" #size ") passed"); \
  228. KUNIT_EXPECT_EQ_MSG(test, val_##size, 0, \
  229. "zeroing failure for illegal get_user (" #size ")"); \
  230. /* put_user() */ \
  231. *kmem_u64 = 0xF09FA4AFF09FA4AF; \
  232. KUNIT_EXPECT_NE_MSG(test, put_user(val_##size, (size __user *)kmem), 0, \
  233. "illegal put_user (" #size ") passed"); \
  234. KUNIT_EXPECT_EQ_MSG(test, *kmem_u64, 0xF09FA4AFF09FA4AF, \
  235. "illegal put_user (" #size ") wrote to kernel memory!"); \
  236. } while (0)
  237. test_illegal(u8, 0x5a);
  238. test_illegal(u16, 0x5a5b);
  239. test_illegal(u32, 0x5a5b5c5d);
  240. #ifdef TEST_U64
  241. test_illegal(u64, 0x5a5b5c5d6a6b6c6d);
  242. #endif
  243. #undef test_illegal
  244. }
  245. static int usercopy_test_init(struct kunit *test)
  246. {
  247. struct usercopy_test_priv *priv;
  248. unsigned long user_addr;
  249. if (!IS_ENABLED(CONFIG_MMU)) {
  250. kunit_skip(test, "Userspace allocation testing not available on non-MMU systems");
  251. return 0;
  252. }
  253. priv = kunit_kzalloc(test, sizeof(*priv), GFP_KERNEL);
  254. KUNIT_ASSERT_NOT_ERR_OR_NULL(test, priv);
  255. test->priv = priv;
  256. priv->size = PAGE_SIZE * 2;
  257. priv->kmem = kunit_kmalloc(test, priv->size, GFP_KERNEL);
  258. KUNIT_ASSERT_NOT_ERR_OR_NULL(test, priv->kmem);
  259. user_addr = kunit_vm_mmap(test, NULL, 0, priv->size,
  260. PROT_READ | PROT_WRITE | PROT_EXEC,
  261. MAP_ANONYMOUS | MAP_PRIVATE, 0);
  262. KUNIT_ASSERT_NE_MSG(test, user_addr, 0,
  263. "Could not create userspace mm");
  264. KUNIT_ASSERT_LT_MSG(test, user_addr, (unsigned long)TASK_SIZE,
  265. "Failed to allocate user memory");
  266. priv->umem = (char __user *)user_addr;
  267. return 0;
  268. }
  269. static struct kunit_case usercopy_test_cases[] = {
  270. KUNIT_CASE(usercopy_test_valid),
  271. KUNIT_CASE(usercopy_test_invalid),
  272. KUNIT_CASE(usercopy_test_check_nonzero_user),
  273. KUNIT_CASE(usercopy_test_copy_struct_from_user),
  274. {}
  275. };
  276. static struct kunit_suite usercopy_test_suite = {
  277. .name = "usercopy",
  278. .init = usercopy_test_init,
  279. .test_cases = usercopy_test_cases,
  280. };
  281. kunit_test_suites(&usercopy_test_suite);
  282. MODULE_AUTHOR("Kees Cook <kees@kernel.org>");
  283. MODULE_DESCRIPTION("Kernel module for testing copy_to/from_user infrastructure");
  284. MODULE_LICENSE("GPL");