[mirror_ubuntu-bionic-kernel.git] / drivers / misc / lkdtm_usercopy.c

// SPDX-License-Identifier: GPL-2.0
/*
 * This is for all the tests related to copy_to_user() and copy_from_user()
 * hardening.
 */
#include "lkdtm.h"
#include <linux/slab.h>
#include <linux/vmalloc.h>
#include <linux/sched/task_stack.h>
#include <linux/mman.h>
#include <linux/uaccess.h>
#include <asm/cacheflush.h>

/*
 * Many of the tests here end up using const sizes, but those would
 * normally be ignored by hardened usercopy, so force the compiler
 * into choosing the non-const path to make sure we trigger the
 * hardened usercopy checks by added "unconst" to all the const copies,
 * and making sure "cache_size" isn't optimized into a const.
 */
static volatile size_t unconst = 0;
static volatile size_t cache_size = 1024;
static struct kmem_cache *bad_cache;

static const unsigned char test_text[] = "This is a test.\n";

/*
 * Instead of adding -Wno-return-local-addr, just pass the stack address
 * through a function to obfuscate it from the compiler.
 */
static noinline unsigned char *trick_compiler(unsigned char *stack)
{
	return stack + 0;
}

static noinline unsigned char *do_usercopy_stack_callee(int value)
{
	unsigned char buf[32];
	int i;

	/* Exercise stack to avoid everything living in registers. */
	for (i = 0; i < sizeof(buf); i++) {
		buf[i] = value & 0xff;
	}

	return trick_compiler(buf);
}

static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
{
	unsigned long user_addr;
	unsigned char good_stack[32];
	unsigned char *bad_stack;
	int i;

	/* Exercise stack to avoid everything living in registers. */
	for (i = 0; i < sizeof(good_stack); i++)
		good_stack[i] = test_text[i % sizeof(test_text)];

	/* This is a pointer to outside our current stack frame. */
	if (bad_frame) {
		bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
	} else {
		/* Put start address just inside stack. */
		bad_stack = task_stack_page(current) + THREAD_SIZE;
		bad_stack -= sizeof(unsigned long);
	}

	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
			    PROT_READ | PROT_WRITE | PROT_EXEC,
			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		return;
	}

	if (to_user) {
		pr_info("attempting good copy_to_user of local stack\n");
		if (copy_to_user((void __user *)user_addr, good_stack,
				 unconst + sizeof(good_stack))) {
			pr_warn("copy_to_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_to_user of distant stack\n");
		if (copy_to_user((void __user *)user_addr, bad_stack,
				 unconst + sizeof(good_stack))) {
			pr_warn("copy_to_user failed, but lacked Oops\n");
			goto free_user;
		}
	} else {
		/*
		 * There isn't a safe way to not be protected by usercopy
		 * if we're going to write to another thread's stack.
		 */
		if (!bad_frame)
			goto free_user;

		pr_info("attempting good copy_from_user of local stack\n");
		if (copy_from_user(good_stack, (void __user *)user_addr,
				   unconst + sizeof(good_stack))) {
			pr_warn("copy_from_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_from_user of distant stack\n");
		if (copy_from_user(bad_stack, (void __user *)user_addr,
				   unconst + sizeof(good_stack))) {
			pr_warn("copy_from_user failed, but lacked Oops\n");
			goto free_user;
		}
	}

free_user:
	vm_munmap(user_addr, PAGE_SIZE);
}

static void do_usercopy_heap_size(bool to_user)
{
	unsigned long user_addr;
	unsigned char *one, *two;
	size_t size = unconst + 1024;

	one = kmalloc(size, GFP_KERNEL);
	two = kmalloc(size, GFP_KERNEL);
	if (!one || !two) {
		pr_warn("Failed to allocate kernel memory\n");
		goto free_kernel;
	}

	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
			    PROT_READ | PROT_WRITE | PROT_EXEC,
			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		goto free_kernel;
	}

	memset(one, 'A', size);
	memset(two, 'B', size);

	if (to_user) {
		pr_info("attempting good copy_to_user of correct size\n");
		if (copy_to_user((void __user *)user_addr, one, size)) {
			pr_warn("copy_to_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_to_user of too large size\n");
		if (copy_to_user((void __user *)user_addr, one, 2 * size)) {
			pr_warn("copy_to_user failed, but lacked Oops\n");
			goto free_user;
		}
	} else {
		pr_info("attempting good copy_from_user of correct size\n");
		if (copy_from_user(one, (void __user *)user_addr, size)) {
			pr_warn("copy_from_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_from_user of too large size\n");
		if (copy_from_user(one, (void __user *)user_addr, 2 * size)) {
			pr_warn("copy_from_user failed, but lacked Oops\n");
			goto free_user;
		}
	}

free_user:
	vm_munmap(user_addr, PAGE_SIZE);
free_kernel:
	kfree(one);
	kfree(two);
}

static void do_usercopy_heap_flag(bool to_user)
{
	unsigned long user_addr;
	unsigned char *good_buf = NULL;
	unsigned char *bad_buf = NULL;

	/* Make sure cache was prepared. */
	if (!bad_cache) {
		pr_warn("Failed to allocate kernel cache\n");
		return;
	}

	/*
	 * Allocate one buffer from each cache (kmalloc will have the
	 * SLAB_USERCOPY flag already, but "bad_cache" won't).
	 */
	good_buf = kmalloc(cache_size, GFP_KERNEL);
	bad_buf = kmem_cache_alloc(bad_cache, GFP_KERNEL);
	if (!good_buf || !bad_buf) {
		pr_warn("Failed to allocate buffers from caches\n");
		goto free_alloc;
	}

	/* Allocate user memory we'll poke at. */
	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
			    PROT_READ | PROT_WRITE | PROT_EXEC,
			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		goto free_alloc;
	}

	memset(good_buf, 'A', cache_size);
	memset(bad_buf, 'B', cache_size);

	if (to_user) {
		pr_info("attempting good copy_to_user with SLAB_USERCOPY\n");
		if (copy_to_user((void __user *)user_addr, good_buf,
				 cache_size)) {
			pr_warn("copy_to_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_to_user w/o SLAB_USERCOPY\n");
		if (copy_to_user((void __user *)user_addr, bad_buf,
				 cache_size)) {
			pr_warn("copy_to_user failed, but lacked Oops\n");
			goto free_user;
		}
	} else {
		pr_info("attempting good copy_from_user with SLAB_USERCOPY\n");
		if (copy_from_user(good_buf, (void __user *)user_addr,
				   cache_size)) {
			pr_warn("copy_from_user failed unexpectedly?!\n");
			goto free_user;
		}

		pr_info("attempting bad copy_from_user w/o SLAB_USERCOPY\n");
		if (copy_from_user(bad_buf, (void __user *)user_addr,
				   cache_size)) {
			pr_warn("copy_from_user failed, but lacked Oops\n");
			goto free_user;
		}
	}

free_user:
	vm_munmap(user_addr, PAGE_SIZE);
free_alloc:
	if (bad_buf)
		kmem_cache_free(bad_cache, bad_buf);
	kfree(good_buf);
}

/* Callable tests. */
void lkdtm_USERCOPY_HEAP_SIZE_TO(void)
{
	do_usercopy_heap_size(true);
}

void lkdtm_USERCOPY_HEAP_SIZE_FROM(void)
{
	do_usercopy_heap_size(false);
}

void lkdtm_USERCOPY_HEAP_FLAG_TO(void)
{
	do_usercopy_heap_flag(true);
}

void lkdtm_USERCOPY_HEAP_FLAG_FROM(void)
{
	do_usercopy_heap_flag(false);
}

void lkdtm_USERCOPY_STACK_FRAME_TO(void)
{
	do_usercopy_stack(true, true);
}

void lkdtm_USERCOPY_STACK_FRAME_FROM(void)
{
	do_usercopy_stack(false, true);
}

void lkdtm_USERCOPY_STACK_BEYOND(void)
{
	do_usercopy_stack(true, false);
}

void lkdtm_USERCOPY_KERNEL(void)
{
	unsigned long user_addr;

	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
			    PROT_READ | PROT_WRITE | PROT_EXEC,
			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		return;
	}

	pr_info("attempting good copy_to_user from kernel rodata\n");
	if (copy_to_user((void __user *)user_addr, test_text,
			 unconst + sizeof(test_text))) {
		pr_warn("copy_to_user failed unexpectedly?!\n");
		goto free_user;
	}

	pr_info("attempting bad copy_to_user from kernel text\n");
	if (copy_to_user((void __user *)user_addr, vm_mmap,
			 unconst + PAGE_SIZE)) {
		pr_warn("copy_to_user failed, but lacked Oops\n");
		goto free_user;
	}

free_user:
	vm_munmap(user_addr, PAGE_SIZE);
}

void __init lkdtm_usercopy_init(void)
{
	/* Prepare cache that lacks SLAB_USERCOPY flag. */
	bad_cache = kmem_cache_create("lkdtm-no-usercopy", cache_size, 0,
				      0, NULL);
}

void __exit lkdtm_usercopy_exit(void)
{
	kmem_cache_destroy(bad_cache);
}
Commit	Line	Data
b2441318	1	// SPDX-License-Identifier: GPL-2.0
a3dff71c KC	2	/*
	3	* This is for all the tests related to copy_to_user() and copy_from_user()
	4	* hardening.
	5	*/
6d2e91a6	6	#include "lkdtm.h"
a3dff71c KC	7	#include <linux/slab.h>
a3dff71c KC	8	#include <linux/vmalloc.h>
68db0cf1	9	#include <linux/sched/task_stack.h>
a3dff71c KC	10	#include <linux/mman.h>
	11	#include <linux/uaccess.h>
	12	#include <asm/cacheflush.h>
	13
3c17648c KC	14	/*
	15	* Many of the tests here end up using const sizes, but those would
	16	* normally be ignored by hardened usercopy, so force the compiler
	17	* into choosing the non-const path to make sure we trigger the
	18	* hardened usercopy checks by added "unconst" to all the const copies,
	19	* and making sure "cache_size" isn't optimized into a const.
	20	*/
	21	static volatile size_t unconst = 0;
	22	static volatile size_t cache_size = 1024;
a3dff71c KC	23	static struct kmem_cache *bad_cache;
	24
	25	static const unsigned char test_text[] = "This is a test.\n";
	26
	27	/*
	28	* Instead of adding -Wno-return-local-addr, just pass the stack address
	29	* through a function to obfuscate it from the compiler.
	30	*/
	31	static noinline unsigned char trick_compiler(unsigned char stack)
	32	{
	33	return stack + 0;
	34	}
	35
	36	static noinline unsigned char *do_usercopy_stack_callee(int value)
	37	{
	38	unsigned char buf[32];
	39	int i;
	40
	41	/* Exercise stack to avoid everything living in registers. */
	42	for (i = 0; i < sizeof(buf); i++) {
	43	buf[i] = value & 0xff;
	44	}
	45
	46	return trick_compiler(buf);
	47	}
	48
	49	static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
	50	{
	51	unsigned long user_addr;
	52	unsigned char good_stack[32];
	53	unsigned char *bad_stack;
	54	int i;
	55
	56	/* Exercise stack to avoid everything living in registers. */
	57	for (i = 0; i < sizeof(good_stack); i++)
	58	good_stack[i] = test_text[i % sizeof(test_text)];
	59
	60	/* This is a pointer to outside our current stack frame. */
	61	if (bad_frame) {
30010874	62	bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
a3dff71c KC	63	} else {
	64	/* Put start address just inside stack. */
	65	bad_stack = task_stack_page(current) + THREAD_SIZE;
	66	bad_stack -= sizeof(unsigned long);
	67	}
	68
	69	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
	70	PROT_READ \| PROT_WRITE \| PROT_EXEC,
	71	MAP_ANONYMOUS \| MAP_PRIVATE, 0);
	72	if (user_addr >= TASK_SIZE) {
	73	pr_warn("Failed to allocate user memory\n");
	74	return;
	75	}
	76
	77	if (to_user) {
	78	pr_info("attempting good copy_to_user of local stack\n");
	79	if (copy_to_user((void __user *)user_addr, good_stack,
3c17648c	80	unconst + sizeof(good_stack))) {
a3dff71c KC	81	pr_warn("copy_to_user failed unexpectedly?!\n");
	82	goto free_user;
	83	}
	84
	85	pr_info("attempting bad copy_to_user of distant stack\n");
	86	if (copy_to_user((void __user *)user_addr, bad_stack,
3c17648c	87	unconst + sizeof(good_stack))) {
a3dff71c KC	88	pr_warn("copy_to_user failed, but lacked Oops\n");
	89	goto free_user;
	90	}
	91	} else {
	92	/*
	93	* There isn't a safe way to not be protected by usercopy
	94	* if we're going to write to another thread's stack.
	95	*/
	96	if (!bad_frame)
	97	goto free_user;
	98
	99	pr_info("attempting good copy_from_user of local stack\n");
	100	if (copy_from_user(good_stack, (void __user *)user_addr,
3c17648c	101	unconst + sizeof(good_stack))) {
a3dff71c KC	102	pr_warn("copy_from_user failed unexpectedly?!\n");
	103	goto free_user;
	104	}
	105
	106	pr_info("attempting bad copy_from_user of distant stack\n");
	107	if (copy_from_user(bad_stack, (void __user *)user_addr,
3c17648c	108	unconst + sizeof(good_stack))) {
a3dff71c KC	109	pr_warn("copy_from_user failed, but lacked Oops\n");
	110	goto free_user;
	111	}
	112	}
	113
	114	free_user:
	115	vm_munmap(user_addr, PAGE_SIZE);
	116	}
	117
	118	static void do_usercopy_heap_size(bool to_user)
	119	{
	120	unsigned long user_addr;
	121	unsigned char one, two;
3c17648c	122	size_t size = unconst + 1024;
a3dff71c KC	123
	124	one = kmalloc(size, GFP_KERNEL);
	125	two = kmalloc(size, GFP_KERNEL);
	126	if (!one \|\| !two) {
	127	pr_warn("Failed to allocate kernel memory\n");
	128	goto free_kernel;
	129	}
	130
	131	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
	132	PROT_READ \| PROT_WRITE \| PROT_EXEC,
	133	MAP_ANONYMOUS \| MAP_PRIVATE, 0);
	134	if (user_addr >= TASK_SIZE) {
	135	pr_warn("Failed to allocate user memory\n");
	136	goto free_kernel;
	137	}
	138
	139	memset(one, 'A', size);
	140	memset(two, 'B', size);
	141
	142	if (to_user) {
	143	pr_info("attempting good copy_to_user of correct size\n");
	144	if (copy_to_user((void __user *)user_addr, one, size)) {
	145	pr_warn("copy_to_user failed unexpectedly?!\n");
	146	goto free_user;
	147	}
	148
	149	pr_info("attempting bad copy_to_user of too large size\n");
	150	if (copy_to_user((void __user )user_addr, one, 2 size)) {
	151	pr_warn("copy_to_user failed, but lacked Oops\n");
	152	goto free_user;
	153	}
	154	} else {
	155	pr_info("attempting good copy_from_user of correct size\n");
	156	if (copy_from_user(one, (void __user *)user_addr, size)) {
	157	pr_warn("copy_from_user failed unexpectedly?!\n");
	158	goto free_user;
	159	}
	160
	161	pr_info("attempting bad copy_from_user of too large size\n");
	162	if (copy_from_user(one, (void __user )user_addr, 2 size)) {
	163	pr_warn("copy_from_user failed, but lacked Oops\n");
	164	goto free_user;
	165	}
	166	}
	167
	168	free_user:
	169	vm_munmap(user_addr, PAGE_SIZE);
	170	free_kernel:
	171	kfree(one);
	172	kfree(two);
	173	}
	174
	175	static void do_usercopy_heap_flag(bool to_user)
	176	{
	177	unsigned long user_addr;
	178	unsigned char *good_buf = NULL;
	179	unsigned char *bad_buf = NULL;
	180
	181	/* Make sure cache was prepared. */
	182	if (!bad_cache) {
	183	pr_warn("Failed to allocate kernel cache\n");
	184	return;
	185	}
	186
187	/*
188	* Allocate one buffer from each cache (kmalloc will have the
189	* SLAB_USERCOPY flag already, but "bad_cache" won't).
190	*/
191	good_buf = kmalloc(cache_size, GFP_KERNEL);
192	bad_buf = kmem_cache_alloc(bad_cache, GFP_KERNEL);
193	if (!good_buf \|\| !bad_buf) {
194	pr_warn("Failed to allocate buffers from caches\n");
195	goto free_alloc;
196	}
197
198	/* Allocate user memory we'll poke at. */
199	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
200	PROT_READ \| PROT_WRITE \| PROT_EXEC,
201	MAP_ANONYMOUS \| MAP_PRIVATE, 0);
202	if (user_addr >= TASK_SIZE) {
203	pr_warn("Failed to allocate user memory\n");
204	goto free_alloc;
205	}
206
207	memset(good_buf, 'A', cache_size);
208	memset(bad_buf, 'B', cache_size);
209
210	if (to_user) {
211	pr_info("attempting good copy_to_user with SLAB_USERCOPY\n");
212	if (copy_to_user((void __user *)user_addr, good_buf,
213	cache_size)) {
214	pr_warn("copy_to_user failed unexpectedly?!\n");
215	goto free_user;
216	}
217
218	pr_info("attempting bad copy_to_user w/o SLAB_USERCOPY\n");
219	if (copy_to_user((void __user *)user_addr, bad_buf,
220	cache_size)) {
221	pr_warn("copy_to_user failed, but lacked Oops\n");
222	goto free_user;
223	}
224	} else {
225	pr_info("attempting good copy_from_user with SLAB_USERCOPY\n");
226	if (copy_from_user(good_buf, (void __user *)user_addr,
227	cache_size)) {
228	pr_warn("copy_from_user failed unexpectedly?!\n");
229	goto free_user;
230	}
231
232	pr_info("attempting bad copy_from_user w/o SLAB_USERCOPY\n");
233	if (copy_from_user(bad_buf, (void __user *)user_addr,
234	cache_size)) {
235	pr_warn("copy_from_user failed, but lacked Oops\n");
236	goto free_user;
237	}
238	}
239
240	free_user:
241	vm_munmap(user_addr, PAGE_SIZE);
242	free_alloc:
243	if (bad_buf)
244	kmem_cache_free(bad_cache, bad_buf);
245	kfree(good_buf);
246	}
247
248	/* Callable tests. */
249	void lkdtm_USERCOPY_HEAP_SIZE_TO(void)
250	{
251	do_usercopy_heap_size(true);
252	}
253
254	void lkdtm_USERCOPY_HEAP_SIZE_FROM(void)
255	{
256	do_usercopy_heap_size(false);
257	}
258
259	void lkdtm_USERCOPY_HEAP_FLAG_TO(void)
260	{
261	do_usercopy_heap_flag(true);
262	}
263
264	void lkdtm_USERCOPY_HEAP_FLAG_FROM(void)
265	{
266	do_usercopy_heap_flag(false);
267	}
268
269	void lkdtm_USERCOPY_STACK_FRAME_TO(void)
270	{
271	do_usercopy_stack(true, true);
272	}
273
274	void lkdtm_USERCOPY_STACK_FRAME_FROM(void)
275	{
276	do_usercopy_stack(false, true);
277	}
278
279	void lkdtm_USERCOPY_STACK_BEYOND(void)
280	{
281	do_usercopy_stack(true, false);
282	}
283
284	void lkdtm_USERCOPY_KERNEL(void)
285	{
286	unsigned long user_addr;
287
288	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
289	PROT_READ \| PROT_WRITE \| PROT_EXEC,
290	MAP_ANONYMOUS \| MAP_PRIVATE, 0);
291	if (user_addr >= TASK_SIZE) {
292	pr_warn("Failed to allocate user memory\n");
293	return;
294	}
295
296	pr_info("attempting good copy_to_user from kernel rodata\n");
297	if (copy_to_user((void __user *)user_addr, test_text,
3c17648c	298	unconst + sizeof(test_text))) {
a3dff71c KC	299	pr_warn("copy_to_user failed unexpectedly?!\n");
	300	goto free_user;
	301	}
	302
	303	pr_info("attempting bad copy_to_user from kernel text\n");
3c17648c KC	304	if (copy_to_user((void __user *)user_addr, vm_mmap,
3c17648c KC	305	unconst + PAGE_SIZE)) {
a3dff71c KC	306	pr_warn("copy_to_user failed, but lacked Oops\n");
	307	goto free_user;
	308	}
	309
	310	free_user:
	311	vm_munmap(user_addr, PAGE_SIZE);
	312	}
	313
	314	void __init lkdtm_usercopy_init(void)
	315	{
	316	/* Prepare cache that lacks SLAB_USERCOPY flag. */
	317	bad_cache = kmem_cache_create("lkdtm-no-usercopy", cache_size, 0,
	318	0, NULL);
	319	}
	320
	321	void __exit lkdtm_usercopy_exit(void)
	322	{
	323	kmem_cache_destroy(bad_cache);
	324	}