From patchwork Tue Feb 14 20:40:39 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 9572855 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 62193601E7 for ; Tue, 14 Feb 2017 20:40:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 532E327DCD for ; Tue, 14 Feb 2017 20:40:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 479592840B; Tue, 14 Feb 2017 20:40:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id 7C63A27DCD for ; Tue, 14 Feb 2017 20:40:57 +0000 (UTC) Received: (qmail 16262 invoked by uid 550); 14 Feb 2017 20:40:55 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 16230 invoked from network); 14 Feb 2017 20:40:53 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:mime-version:content-disposition; bh=XFmllq5nAU3YuqyiGowCGcJHBNCdE9w6+TPjXrdO7z8=; b=URVP99XbLE1DxNzUSs9CvWy8FqhUKneAWTibcjzk+GNB7eFT+6KI+RDY6NuJkKN85h vr2O2u0qX6iCuMIyAyFN3f1TfIGqQ9n6kbro0hXcD5aEQ01XQQB6ujaHrQKUB2TlcHur ruGK75I3GSq1H/QJlj6hPw0XlaFKXnV8hWKK0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition; bh=XFmllq5nAU3YuqyiGowCGcJHBNCdE9w6+TPjXrdO7z8=; b=FTXMggvkq0Z7hu7tKotoFvuKKir1So4liM4cPwNpJMBmEJwF67YYIQACDa1slf6pJF YLVfLXt+ib/BT/4Ek0T1sOKaVGH1RkaK25SyEzBEV7yCdRLqMw+9Truvhxhq1pvHbA4X l022R7VqJQcWkHLZHZyuNPADRfW62j1qdxt0Fj0/9bDRviBKWpyZ0WNKRry5iU/mKR2r UA0lV7EwUm9y5EUPMJ4zDsc6h64jIB5hiF7ipq+h5/vzPjQlJiC0oElQ97AxgUIFVif8 PNkOLeqB2k+amLyoM86nNVA29hK9RvHyvQ8KfJTLQzILaLH4350GmnHSQ87acRLd6rRV KD7g== X-Gm-Message-State: AMke39mQRiKOWZRj2M9Yqp0xT7qpKCF51EJM+CFMQKmarL08hhpuOyimdhXJLCORMVr+R8qp X-Received: by 10.84.138.165 with SMTP id 34mr38808029plp.37.1487104841710; Tue, 14 Feb 2017 12:40:41 -0800 (PST) Date: Tue, 14 Feb 2017 12:40:39 -0800 From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Hoeun Ryu , kernel-hardening@lists.openwall.com Message-ID: <20170214204039.GA125586@beast> MIME-Version: 1.0 Content-Disposition: inline Subject: [kernel-hardening] [PATCH] usercopy: Add tests for all get_user() sizes X-Virus-Scanned: ClamAV using ClamSMTP The existing test was only exercising native unsigned long size get_user(). For completeness, we should check all sizes. Signed-off-by: Kees Cook --- lib/test_user_copy.c | 45 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c index ac3a60ba9331..49569125b7c5 100644 --- a/lib/test_user_copy.c +++ b/lib/test_user_copy.c @@ -40,8 +40,11 @@ static int __init test_user_copy_init(void) char __user *usermem; char *bad_usermem; unsigned long user_addr; - unsigned long value = 0x5A; char *zerokmem; + u8 val_u8; + u16 val_u16; + u32 val_u32; + u64 val_u64; kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL); if (!kmem) @@ -72,10 +75,20 @@ static int __init test_user_copy_init(void) "legitimate copy_from_user failed"); ret |= test(copy_to_user(usermem, kmem, PAGE_SIZE), "legitimate copy_to_user failed"); - ret |= test(get_user(value, (unsigned long __user *)usermem), - "legitimate get_user failed"); - ret |= test(put_user(value, (unsigned long __user *)usermem), - "legitimate put_user failed"); + +#define test_legit(size) \ + do { \ + ret |= test(get_user(val_##size, (size __user *)usermem), \ + "legitimate get_user (" #size ") failed"); \ + ret |= test(put_user(val_##size, (size __user *)usermem), \ + "legitimate put_user (" #size ") failed"); \ + } while (0) + + test_legit(u8); + test_legit(u16); + test_legit(u32); + test_legit(u64); +#undef test_legit /* * Invalid usage: none of these copies should succeed. @@ -112,12 +125,22 @@ static int __init test_user_copy_init(void) PAGE_SIZE), "illegal reversed copy_to_user passed"); - value = 0x5A; - ret |= test(!get_user(value, (unsigned long __user *)kmem), - "illegal get_user passed"); - ret |= test(value != 0, "zeroing failure for illegal get_user"); - ret |= test(!put_user(value, (unsigned long __user *)kmem), - "illegal put_user passed"); +#define test_illegal(size, check) \ + do { \ + val_##size = (check); \ + ret |= test(!get_user(val_##size, (size __user *)kmem), \ + "illegal get_user (" #size ") passed"); \ + ret |= test(val_##size != (size)0, \ + "zeroing failure for illegal get_user (" #size ")"); \ + ret |= test(!put_user(val_##size, (size __user *)kmem), \ + "illegal put_user (" #size ") passed"); \ + } while (0) + + test_illegal(u8, 0x5a); + test_illegal(u16, 0x5a5b); + test_illegal(u32, 0x5a5b5c5d); + test_illegal(u64, 0x5a5b5c5d6a6b6c6d); +#undef test_illegal vm_munmap(user_addr, PAGE_SIZE * 2); out_zerokmem: