xref: /openbmc/linux/drivers/misc/lkdtm/usercopy.c (revision 4eb5928d)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * This is for all the tests related to copy_to_user() and copy_from_user()
4  * hardening.
5  */
6 #include "lkdtm.h"
7 #include <linux/slab.h>
8 #include <linux/vmalloc.h>
9 #include <linux/sched/task_stack.h>
10 #include <linux/mman.h>
11 #include <linux/uaccess.h>
12 #include <asm/cacheflush.h>
13 
14 /*
15  * Many of the tests here end up using const sizes, but those would
16  * normally be ignored by hardened usercopy, so force the compiler
17  * into choosing the non-const path to make sure we trigger the
18  * hardened usercopy checks by added "unconst" to all the const copies,
19  * and making sure "cache_size" isn't optimized into a const.
20  */
21 static volatile size_t unconst;
22 static volatile size_t cache_size = 1024;
23 static struct kmem_cache *whitelist_cache;
24 
25 static const unsigned char test_text[] = "This is a test.\n";
26 
27 /*
28  * Instead of adding -Wno-return-local-addr, just pass the stack address
29  * through a function to obfuscate it from the compiler.
30  */
31 static noinline unsigned char *trick_compiler(unsigned char *stack)
32 {
33 	return stack + 0;
34 }
35 
36 static noinline unsigned char *do_usercopy_stack_callee(int value)
37 {
38 	unsigned char buf[32];
39 	int i;
40 
41 	/* Exercise stack to avoid everything living in registers. */
42 	for (i = 0; i < sizeof(buf); i++) {
43 		buf[i] = value & 0xff;
44 	}
45 
46 	return trick_compiler(buf);
47 }
48 
49 static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
50 {
51 	unsigned long user_addr;
52 	unsigned char good_stack[32];
53 	unsigned char *bad_stack;
54 	int i;
55 
56 	/* Exercise stack to avoid everything living in registers. */
57 	for (i = 0; i < sizeof(good_stack); i++)
58 		good_stack[i] = test_text[i % sizeof(test_text)];
59 
60 	/* This is a pointer to outside our current stack frame. */
61 	if (bad_frame) {
62 		bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
63 	} else {
64 		/* Put start address just inside stack. */
65 		bad_stack = task_stack_page(current) + THREAD_SIZE;
66 		bad_stack -= sizeof(unsigned long);
67 	}
68 
69 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
70 			    PROT_READ | PROT_WRITE | PROT_EXEC,
71 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
72 	if (user_addr >= TASK_SIZE) {
73 		pr_warn("Failed to allocate user memory\n");
74 		return;
75 	}
76 
77 	if (to_user) {
78 		pr_info("attempting good copy_to_user of local stack\n");
79 		if (copy_to_user((void __user *)user_addr, good_stack,
80 				 unconst + sizeof(good_stack))) {
81 			pr_warn("copy_to_user failed unexpectedly?!\n");
82 			goto free_user;
83 		}
84 
85 		pr_info("attempting bad copy_to_user of distant stack\n");
86 		if (copy_to_user((void __user *)user_addr, bad_stack,
87 				 unconst + sizeof(good_stack))) {
88 			pr_warn("copy_to_user failed, but lacked Oops\n");
89 			goto free_user;
90 		}
91 	} else {
92 		/*
93 		 * There isn't a safe way to not be protected by usercopy
94 		 * if we're going to write to another thread's stack.
95 		 */
96 		if (!bad_frame)
97 			goto free_user;
98 
99 		pr_info("attempting good copy_from_user of local stack\n");
100 		if (copy_from_user(good_stack, (void __user *)user_addr,
101 				   unconst + sizeof(good_stack))) {
102 			pr_warn("copy_from_user failed unexpectedly?!\n");
103 			goto free_user;
104 		}
105 
106 		pr_info("attempting bad copy_from_user of distant stack\n");
107 		if (copy_from_user(bad_stack, (void __user *)user_addr,
108 				   unconst + sizeof(good_stack))) {
109 			pr_warn("copy_from_user failed, but lacked Oops\n");
110 			goto free_user;
111 		}
112 	}
113 
114 free_user:
115 	vm_munmap(user_addr, PAGE_SIZE);
116 }
117 
118 /*
119  * This checks for whole-object size validation with hardened usercopy,
120  * with or without usercopy whitelisting.
121  */
122 static void do_usercopy_heap_size(bool to_user)
123 {
124 	unsigned long user_addr;
125 	unsigned char *one, *two;
126 	void __user *test_user_addr;
127 	void *test_kern_addr;
128 	size_t size = unconst + 1024;
129 
130 	one = kmalloc(size, GFP_KERNEL);
131 	two = kmalloc(size, GFP_KERNEL);
132 	if (!one || !two) {
133 		pr_warn("Failed to allocate kernel memory\n");
134 		goto free_kernel;
135 	}
136 
137 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
138 			    PROT_READ | PROT_WRITE | PROT_EXEC,
139 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
140 	if (user_addr >= TASK_SIZE) {
141 		pr_warn("Failed to allocate user memory\n");
142 		goto free_kernel;
143 	}
144 
145 	memset(one, 'A', size);
146 	memset(two, 'B', size);
147 
148 	test_user_addr = (void __user *)(user_addr + 16);
149 	test_kern_addr = one + 16;
150 
151 	if (to_user) {
152 		pr_info("attempting good copy_to_user of correct size\n");
153 		if (copy_to_user(test_user_addr, test_kern_addr, size / 2)) {
154 			pr_warn("copy_to_user failed unexpectedly?!\n");
155 			goto free_user;
156 		}
157 
158 		pr_info("attempting bad copy_to_user of too large size\n");
159 		if (copy_to_user(test_user_addr, test_kern_addr, size)) {
160 			pr_warn("copy_to_user failed, but lacked Oops\n");
161 			goto free_user;
162 		}
163 	} else {
164 		pr_info("attempting good copy_from_user of correct size\n");
165 		if (copy_from_user(test_kern_addr, test_user_addr, size / 2)) {
166 			pr_warn("copy_from_user failed unexpectedly?!\n");
167 			goto free_user;
168 		}
169 
170 		pr_info("attempting bad copy_from_user of too large size\n");
171 		if (copy_from_user(test_kern_addr, test_user_addr, size)) {
172 			pr_warn("copy_from_user failed, but lacked Oops\n");
173 			goto free_user;
174 		}
175 	}
176 
177 free_user:
178 	vm_munmap(user_addr, PAGE_SIZE);
179 free_kernel:
180 	kfree(one);
181 	kfree(two);
182 }
183 
184 /*
185  * This checks for the specific whitelist window within an object. If this
186  * test passes, then do_usercopy_heap_size() tests will pass too.
187  */
188 static void do_usercopy_heap_whitelist(bool to_user)
189 {
190 	unsigned long user_alloc;
191 	unsigned char *buf = NULL;
192 	unsigned char __user *user_addr;
193 	size_t offset, size;
194 
195 	/* Make sure cache was prepared. */
196 	if (!whitelist_cache) {
197 		pr_warn("Failed to allocate kernel cache\n");
198 		return;
199 	}
200 
201 	/*
202 	 * Allocate a buffer with a whitelisted window in the buffer.
203 	 */
204 	buf = kmem_cache_alloc(whitelist_cache, GFP_KERNEL);
205 	if (!buf) {
206 		pr_warn("Failed to allocate buffer from whitelist cache\n");
207 		goto free_alloc;
208 	}
209 
210 	/* Allocate user memory we'll poke at. */
211 	user_alloc = vm_mmap(NULL, 0, PAGE_SIZE,
212 			    PROT_READ | PROT_WRITE | PROT_EXEC,
213 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
214 	if (user_alloc >= TASK_SIZE) {
215 		pr_warn("Failed to allocate user memory\n");
216 		goto free_alloc;
217 	}
218 	user_addr = (void __user *)user_alloc;
219 
220 	memset(buf, 'B', cache_size);
221 
222 	/* Whitelisted window in buffer, from kmem_cache_create_usercopy. */
223 	offset = (cache_size / 4) + unconst;
224 	size = (cache_size / 16) + unconst;
225 
226 	if (to_user) {
227 		pr_info("attempting good copy_to_user inside whitelist\n");
228 		if (copy_to_user(user_addr, buf + offset, size)) {
229 			pr_warn("copy_to_user failed unexpectedly?!\n");
230 			goto free_user;
231 		}
232 
233 		pr_info("attempting bad copy_to_user outside whitelist\n");
234 		if (copy_to_user(user_addr, buf + offset - 1, size)) {
235 			pr_warn("copy_to_user failed, but lacked Oops\n");
236 			goto free_user;
237 		}
238 	} else {
239 		pr_info("attempting good copy_from_user inside whitelist\n");
240 		if (copy_from_user(buf + offset, user_addr, size)) {
241 			pr_warn("copy_from_user failed unexpectedly?!\n");
242 			goto free_user;
243 		}
244 
245 		pr_info("attempting bad copy_from_user outside whitelist\n");
246 		if (copy_from_user(buf + offset - 1, user_addr, size)) {
247 			pr_warn("copy_from_user failed, but lacked Oops\n");
248 			goto free_user;
249 		}
250 	}
251 
252 free_user:
253 	vm_munmap(user_alloc, PAGE_SIZE);
254 free_alloc:
255 	if (buf)
256 		kmem_cache_free(whitelist_cache, buf);
257 }
258 
259 /* Callable tests. */
260 void lkdtm_USERCOPY_HEAP_SIZE_TO(void)
261 {
262 	do_usercopy_heap_size(true);
263 }
264 
265 void lkdtm_USERCOPY_HEAP_SIZE_FROM(void)
266 {
267 	do_usercopy_heap_size(false);
268 }
269 
270 void lkdtm_USERCOPY_HEAP_WHITELIST_TO(void)
271 {
272 	do_usercopy_heap_whitelist(true);
273 }
274 
275 void lkdtm_USERCOPY_HEAP_WHITELIST_FROM(void)
276 {
277 	do_usercopy_heap_whitelist(false);
278 }
279 
280 void lkdtm_USERCOPY_STACK_FRAME_TO(void)
281 {
282 	do_usercopy_stack(true, true);
283 }
284 
285 void lkdtm_USERCOPY_STACK_FRAME_FROM(void)
286 {
287 	do_usercopy_stack(false, true);
288 }
289 
290 void lkdtm_USERCOPY_STACK_BEYOND(void)
291 {
292 	do_usercopy_stack(true, false);
293 }
294 
295 void lkdtm_USERCOPY_KERNEL(void)
296 {
297 	unsigned long user_addr;
298 
299 	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
300 			    PROT_READ | PROT_WRITE | PROT_EXEC,
301 			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
302 	if (user_addr >= TASK_SIZE) {
303 		pr_warn("Failed to allocate user memory\n");
304 		return;
305 	}
306 
307 	pr_info("attempting good copy_to_user from kernel rodata: %px\n",
308 		test_text);
309 	if (copy_to_user((void __user *)user_addr, test_text,
310 			 unconst + sizeof(test_text))) {
311 		pr_warn("copy_to_user failed unexpectedly?!\n");
312 		goto free_user;
313 	}
314 
315 	pr_info("attempting bad copy_to_user from kernel text: %px\n",
316 		vm_mmap);
317 	if (copy_to_user((void __user *)user_addr, vm_mmap,
318 			 unconst + PAGE_SIZE)) {
319 		pr_warn("copy_to_user failed, but lacked Oops\n");
320 		goto free_user;
321 	}
322 	pr_err("FAIL: survived bad copy_to_user()\n");
323 
324 free_user:
325 	vm_munmap(user_addr, PAGE_SIZE);
326 }
327 
328 void lkdtm_USERCOPY_KERNEL_DS(void)
329 {
330 	char __user *user_ptr =
331 		(char __user *)(0xFUL << (sizeof(unsigned long) * 8 - 4));
332 	mm_segment_t old_fs = get_fs();
333 	char buf[10] = {0};
334 
335 	pr_info("attempting copy_to_user() to noncanonical address: %px\n",
336 		user_ptr);
337 	set_fs(KERNEL_DS);
338 	if (copy_to_user(user_ptr, buf, sizeof(buf)) == 0)
339 		pr_err("copy_to_user() to noncanonical address succeeded!?\n");
340 	set_fs(old_fs);
341 }
342 
343 void __init lkdtm_usercopy_init(void)
344 {
345 	/* Prepare cache that lacks SLAB_USERCOPY flag. */
346 	whitelist_cache =
347 		kmem_cache_create_usercopy("lkdtm-usercopy", cache_size,
348 					   0, 0,
349 					   cache_size / 4,
350 					   cache_size / 16,
351 					   NULL);
352 }
353 
354 void __exit lkdtm_usercopy_exit(void)
355 {
356 	kmem_cache_destroy(whitelist_cache);
357 }
358