mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2024-12-27 19:35:15 +07:00
18d0eae30e
Here is the big set of char/misc patches for 4.20-rc1. Loads of things here, we have new code in all of these driver subsystems: fpga stm extcon nvmem eeprom hyper-v gsmi coresight thunderbolt vmw_balloon goldfish soundwire along with lots of fixes and minor changes to other small drivers. All of these have been in linux-next for a while with no reported issues. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> -----BEGIN PGP SIGNATURE----- iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCW9Le5A8cZ3JlZ0Brcm9h aC5jb20ACgkQMUfUDdst+yn+BQCfZ6DtCIgqo0UW3dLV8Fd0wya9kw0AoNglzJJ6 YRZiaSdRiggARpNdh3ME =97BX -----END PGP SIGNATURE----- Merge tag 'char-misc-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver updates from Greg KH: "Here is the big set of char/misc patches for 4.20-rc1. Loads of things here, we have new code in all of these driver subsystems: - fpga - stm - extcon - nvmem - eeprom - hyper-v - gsmi - coresight - thunderbolt - vmw_balloon - goldfish - soundwire along with lots of fixes and minor changes to other small drivers. All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-4.20-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (245 commits) Documentation/security-bugs: Clarify treatment of embargoed information lib: Fix ia64 bootloader linkage MAINTAINERS: Clarify UIO vs UIOVEC maintainer docs/uio: fix a grammar nitpick docs: fpga: document programming fpgas using regions fpga: add devm_fpga_region_create fpga: bridge: add devm_fpga_bridge_create fpga: mgr: add devm_fpga_mgr_create hv_balloon: Replace spin_is_locked() with lockdep sgi-xp: Replace spin_is_locked() with lockdep eeprom: New ee1004 driver for DDR4 memory eeprom: at25: remove unneeded 'at25_remove' w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size). misc: mic: scif: remove set but not used variables 'src_dma_addr, dst_dma_addr' misc: mic: fix a DMA pool free failure platform: goldfish: pipe: Add a blank line to separate varibles and code platform: goldfish: pipe: Remove redundant casting platform: goldfish: pipe: Call misc_deregister if init fails platform: goldfish: pipe: Move the file-scope goldfish_pipe_dev variable into the driver state platform: goldfish: pipe: Move the file-scope goldfish_pipe_miscdev variable into the driver state ...
353 lines
9.0 KiB
C
353 lines
9.0 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* This is for all the tests related to copy_to_user() and copy_from_user()
|
|
* hardening.
|
|
*/
|
|
#include "lkdtm.h"
|
|
#include <linux/slab.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/sched/task_stack.h>
|
|
#include <linux/mman.h>
|
|
#include <linux/uaccess.h>
|
|
#include <asm/cacheflush.h>
|
|
|
|
/*
|
|
* Many of the tests here end up using const sizes, but those would
|
|
* normally be ignored by hardened usercopy, so force the compiler
|
|
* into choosing the non-const path to make sure we trigger the
|
|
* hardened usercopy checks by added "unconst" to all the const copies,
|
|
* and making sure "cache_size" isn't optimized into a const.
|
|
*/
|
|
static volatile size_t unconst;
|
|
static volatile size_t cache_size = 1024;
|
|
static struct kmem_cache *whitelist_cache;
|
|
|
|
static const unsigned char test_text[] = "This is a test.\n";
|
|
|
|
/*
|
|
* Instead of adding -Wno-return-local-addr, just pass the stack address
|
|
* through a function to obfuscate it from the compiler.
|
|
*/
|
|
static noinline unsigned char *trick_compiler(unsigned char *stack)
|
|
{
|
|
return stack + 0;
|
|
}
|
|
|
|
static noinline unsigned char *do_usercopy_stack_callee(int value)
|
|
{
|
|
unsigned char buf[32];
|
|
int i;
|
|
|
|
/* Exercise stack to avoid everything living in registers. */
|
|
for (i = 0; i < sizeof(buf); i++) {
|
|
buf[i] = value & 0xff;
|
|
}
|
|
|
|
return trick_compiler(buf);
|
|
}
|
|
|
|
static noinline void do_usercopy_stack(bool to_user, bool bad_frame)
|
|
{
|
|
unsigned long user_addr;
|
|
unsigned char good_stack[32];
|
|
unsigned char *bad_stack;
|
|
int i;
|
|
|
|
/* Exercise stack to avoid everything living in registers. */
|
|
for (i = 0; i < sizeof(good_stack); i++)
|
|
good_stack[i] = test_text[i % sizeof(test_text)];
|
|
|
|
/* This is a pointer to outside our current stack frame. */
|
|
if (bad_frame) {
|
|
bad_stack = do_usercopy_stack_callee((uintptr_t)&bad_stack);
|
|
} else {
|
|
/* Put start address just inside stack. */
|
|
bad_stack = task_stack_page(current) + THREAD_SIZE;
|
|
bad_stack -= sizeof(unsigned long);
|
|
}
|
|
|
|
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
|
|
PROT_READ | PROT_WRITE | PROT_EXEC,
|
|
MAP_ANONYMOUS | MAP_PRIVATE, 0);
|
|
if (user_addr >= TASK_SIZE) {
|
|
pr_warn("Failed to allocate user memory\n");
|
|
return;
|
|
}
|
|
|
|
if (to_user) {
|
|
pr_info("attempting good copy_to_user of local stack\n");
|
|
if (copy_to_user((void __user *)user_addr, good_stack,
|
|
unconst + sizeof(good_stack))) {
|
|
pr_warn("copy_to_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_to_user of distant stack\n");
|
|
if (copy_to_user((void __user *)user_addr, bad_stack,
|
|
unconst + sizeof(good_stack))) {
|
|
pr_warn("copy_to_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
} else {
|
|
/*
|
|
* There isn't a safe way to not be protected by usercopy
|
|
* if we're going to write to another thread's stack.
|
|
*/
|
|
if (!bad_frame)
|
|
goto free_user;
|
|
|
|
pr_info("attempting good copy_from_user of local stack\n");
|
|
if (copy_from_user(good_stack, (void __user *)user_addr,
|
|
unconst + sizeof(good_stack))) {
|
|
pr_warn("copy_from_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_from_user of distant stack\n");
|
|
if (copy_from_user(bad_stack, (void __user *)user_addr,
|
|
unconst + sizeof(good_stack))) {
|
|
pr_warn("copy_from_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
}
|
|
|
|
free_user:
|
|
vm_munmap(user_addr, PAGE_SIZE);
|
|
}
|
|
|
|
/*
|
|
* This checks for whole-object size validation with hardened usercopy,
|
|
* with or without usercopy whitelisting.
|
|
*/
|
|
static void do_usercopy_heap_size(bool to_user)
|
|
{
|
|
unsigned long user_addr;
|
|
unsigned char *one, *two;
|
|
void __user *test_user_addr;
|
|
void *test_kern_addr;
|
|
size_t size = unconst + 1024;
|
|
|
|
one = kmalloc(size, GFP_KERNEL);
|
|
two = kmalloc(size, GFP_KERNEL);
|
|
if (!one || !two) {
|
|
pr_warn("Failed to allocate kernel memory\n");
|
|
goto free_kernel;
|
|
}
|
|
|
|
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
|
|
PROT_READ | PROT_WRITE | PROT_EXEC,
|
|
MAP_ANONYMOUS | MAP_PRIVATE, 0);
|
|
if (user_addr >= TASK_SIZE) {
|
|
pr_warn("Failed to allocate user memory\n");
|
|
goto free_kernel;
|
|
}
|
|
|
|
memset(one, 'A', size);
|
|
memset(two, 'B', size);
|
|
|
|
test_user_addr = (void __user *)(user_addr + 16);
|
|
test_kern_addr = one + 16;
|
|
|
|
if (to_user) {
|
|
pr_info("attempting good copy_to_user of correct size\n");
|
|
if (copy_to_user(test_user_addr, test_kern_addr, size / 2)) {
|
|
pr_warn("copy_to_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_to_user of too large size\n");
|
|
if (copy_to_user(test_user_addr, test_kern_addr, size)) {
|
|
pr_warn("copy_to_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
} else {
|
|
pr_info("attempting good copy_from_user of correct size\n");
|
|
if (copy_from_user(test_kern_addr, test_user_addr, size / 2)) {
|
|
pr_warn("copy_from_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_from_user of too large size\n");
|
|
if (copy_from_user(test_kern_addr, test_user_addr, size)) {
|
|
pr_warn("copy_from_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
}
|
|
|
|
free_user:
|
|
vm_munmap(user_addr, PAGE_SIZE);
|
|
free_kernel:
|
|
kfree(one);
|
|
kfree(two);
|
|
}
|
|
|
|
/*
|
|
* This checks for the specific whitelist window within an object. If this
|
|
* test passes, then do_usercopy_heap_size() tests will pass too.
|
|
*/
|
|
static void do_usercopy_heap_whitelist(bool to_user)
|
|
{
|
|
unsigned long user_alloc;
|
|
unsigned char *buf = NULL;
|
|
unsigned char __user *user_addr;
|
|
size_t offset, size;
|
|
|
|
/* Make sure cache was prepared. */
|
|
if (!whitelist_cache) {
|
|
pr_warn("Failed to allocate kernel cache\n");
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Allocate a buffer with a whitelisted window in the buffer.
|
|
*/
|
|
buf = kmem_cache_alloc(whitelist_cache, GFP_KERNEL);
|
|
if (!buf) {
|
|
pr_warn("Failed to allocate buffer from whitelist cache\n");
|
|
goto free_alloc;
|
|
}
|
|
|
|
/* Allocate user memory we'll poke at. */
|
|
user_alloc = vm_mmap(NULL, 0, PAGE_SIZE,
|
|
PROT_READ | PROT_WRITE | PROT_EXEC,
|
|
MAP_ANONYMOUS | MAP_PRIVATE, 0);
|
|
if (user_alloc >= TASK_SIZE) {
|
|
pr_warn("Failed to allocate user memory\n");
|
|
goto free_alloc;
|
|
}
|
|
user_addr = (void __user *)user_alloc;
|
|
|
|
memset(buf, 'B', cache_size);
|
|
|
|
/* Whitelisted window in buffer, from kmem_cache_create_usercopy. */
|
|
offset = (cache_size / 4) + unconst;
|
|
size = (cache_size / 16) + unconst;
|
|
|
|
if (to_user) {
|
|
pr_info("attempting good copy_to_user inside whitelist\n");
|
|
if (copy_to_user(user_addr, buf + offset, size)) {
|
|
pr_warn("copy_to_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_to_user outside whitelist\n");
|
|
if (copy_to_user(user_addr, buf + offset - 1, size)) {
|
|
pr_warn("copy_to_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
} else {
|
|
pr_info("attempting good copy_from_user inside whitelist\n");
|
|
if (copy_from_user(buf + offset, user_addr, size)) {
|
|
pr_warn("copy_from_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_from_user outside whitelist\n");
|
|
if (copy_from_user(buf + offset - 1, user_addr, size)) {
|
|
pr_warn("copy_from_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
}
|
|
|
|
free_user:
|
|
vm_munmap(user_alloc, PAGE_SIZE);
|
|
free_alloc:
|
|
if (buf)
|
|
kmem_cache_free(whitelist_cache, buf);
|
|
}
|
|
|
|
/* Callable tests. */
|
|
void lkdtm_USERCOPY_HEAP_SIZE_TO(void)
|
|
{
|
|
do_usercopy_heap_size(true);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_HEAP_SIZE_FROM(void)
|
|
{
|
|
do_usercopy_heap_size(false);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_HEAP_WHITELIST_TO(void)
|
|
{
|
|
do_usercopy_heap_whitelist(true);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_HEAP_WHITELIST_FROM(void)
|
|
{
|
|
do_usercopy_heap_whitelist(false);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_STACK_FRAME_TO(void)
|
|
{
|
|
do_usercopy_stack(true, true);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_STACK_FRAME_FROM(void)
|
|
{
|
|
do_usercopy_stack(false, true);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_STACK_BEYOND(void)
|
|
{
|
|
do_usercopy_stack(true, false);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_KERNEL(void)
|
|
{
|
|
unsigned long user_addr;
|
|
|
|
user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
|
|
PROT_READ | PROT_WRITE | PROT_EXEC,
|
|
MAP_ANONYMOUS | MAP_PRIVATE, 0);
|
|
if (user_addr >= TASK_SIZE) {
|
|
pr_warn("Failed to allocate user memory\n");
|
|
return;
|
|
}
|
|
|
|
pr_info("attempting good copy_to_user from kernel rodata\n");
|
|
if (copy_to_user((void __user *)user_addr, test_text,
|
|
unconst + sizeof(test_text))) {
|
|
pr_warn("copy_to_user failed unexpectedly?!\n");
|
|
goto free_user;
|
|
}
|
|
|
|
pr_info("attempting bad copy_to_user from kernel text\n");
|
|
if (copy_to_user((void __user *)user_addr, vm_mmap,
|
|
unconst + PAGE_SIZE)) {
|
|
pr_warn("copy_to_user failed, but lacked Oops\n");
|
|
goto free_user;
|
|
}
|
|
|
|
free_user:
|
|
vm_munmap(user_addr, PAGE_SIZE);
|
|
}
|
|
|
|
void lkdtm_USERCOPY_KERNEL_DS(void)
|
|
{
|
|
char __user *user_ptr = (char __user *)ERR_PTR(-EINVAL);
|
|
mm_segment_t old_fs = get_fs();
|
|
char buf[10] = {0};
|
|
|
|
pr_info("attempting copy_to_user on unmapped kernel address\n");
|
|
set_fs(KERNEL_DS);
|
|
if (copy_to_user(user_ptr, buf, sizeof(buf)))
|
|
pr_info("copy_to_user un unmapped kernel address failed\n");
|
|
set_fs(old_fs);
|
|
}
|
|
|
|
void __init lkdtm_usercopy_init(void)
|
|
{
|
|
/* Prepare cache that lacks SLAB_USERCOPY flag. */
|
|
whitelist_cache =
|
|
kmem_cache_create_usercopy("lkdtm-usercopy", cache_size,
|
|
0, 0,
|
|
cache_size / 4,
|
|
cache_size / 16,
|
|
NULL);
|
|
}
|
|
|
|
void __exit lkdtm_usercopy_exit(void)
|
|
{
|
|
kmem_cache_destroy(whitelist_cache);
|
|
}
|