From: James Hogan <james.hogan@imgtec.com>
To: <linux-kernel@vger.kernel.org>
Cc: <linux-arch@vger.kernel.org>,
James Hogan <james.hogan@imgtec.com>,
"Andrew Morton" <akpm@linux-foundation.org>
Subject: [PATCH v2 05/11] test_user_copy: Check legit kernel accesses
Date: Fri, 7 Aug 2015 16:21:58 +0100 [thread overview]
Message-ID: <1438960924-23628-6-git-send-email-james.hogan@imgtec.com> (raw)
In-Reply-To: <1438960924-23628-1-git-send-email-james.hogan@imgtec.com>
Check that the use of the user accessors for accessing kernel memory
succeed as expected after set_fs(get_ds()) is used to increases the
address limit, as used by the kernel to directly invoke system call code
with kernel pointers.
The tests are basically the same as the tests normally expected to be
treated as invalid, but without any user addresses (no reversed copies),
and with the result inverted such that they should succeed instead.
New tests:
- legitimate all-kernel copy_from_user
- legitimate all-kernel copy_to_user
- legitimate kernel get_user
- legitimate kernel put_user
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
---
lib/test_user_copy.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c
index 0ecef3e4690e..445ca92b0b80 100644
--- a/lib/test_user_copy.c
+++ b/lib/test_user_copy.c
@@ -41,6 +41,7 @@ static int __init test_user_copy_init(void)
char *bad_usermem;
unsigned long user_addr;
unsigned long value = 0x5A;
+ mm_segment_t fs = get_fs();
kmem = kmalloc(PAGE_SIZE * 2, GFP_KERNEL);
if (!kmem)
@@ -86,6 +87,28 @@ static int __init test_user_copy_init(void)
ret |= test(!put_user(value, (unsigned long __user *)kmem),
"illegal put_user passed");
+ /*
+ * Test access to kernel memory by adjusting address limit.
+ * This is used by the kernel to invoke system calls with kernel
+ * pointers.
+ */
+ set_fs(get_ds());
+
+ /* Legitimate usage: none of these should fail. */
+ ret |= test(copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE),
+ PAGE_SIZE),
+ "legitimate all-kernel copy_from_user failed");
+ ret |= test(copy_to_user((char __user *)kmem, kmem + PAGE_SIZE,
+ PAGE_SIZE),
+ "legitimate all-kernel copy_to_user failed");
+ ret |= test(get_user(value, (unsigned long __user *)kmem),
+ "legitimate kernel get_user failed");
+ ret |= test(put_user(value, (unsigned long __user *)kmem),
+ "legitimate kernel put_user failed");
+
+ /* Restore previous address limit. */
+ set_fs(fs);
+
vm_munmap(user_addr, PAGE_SIZE * 2);
kfree(kmem);
--
2.3.6
next prev parent reply other threads:[~2015-08-07 15:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-07 15:21 [PATCH v2 00/11] test_user_copy improvements James Hogan
2015-08-07 15:21 ` [PATCH v2 01/11] microblaze: Export __strnlen_user to modules James Hogan
2015-08-07 15:21 ` [PATCH v2 02/11] nios2: Export strncpy_from_user / strnlen_user " James Hogan
2015-08-10 8:10 ` Ley Foon Tan
2015-08-07 15:21 ` [PATCH v2 03/11] openrisc: Export __clear_user " James Hogan
2015-08-07 15:21 ` [PATCH v2 04/11] xtensa: Export __strnlen_user " James Hogan
2015-08-07 15:21 ` James Hogan [this message]
2015-08-07 15:21 ` [PATCH v2 06/11] test_user_copy: Check unchecked accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 07/11] test_user_copy: Check __copy_{to,from}_user_inatomic() James Hogan
2015-08-07 15:22 ` [PATCH v2 08/11] test_user_copy: Check __clear_user()/clear_user() James Hogan
2015-08-07 15:22 ` [PATCH v2 09/11] test_user_copy: Check user string accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 10/11] test_user_copy: Check user compatibility accessors James Hogan
2015-08-07 15:22 ` [PATCH v2 11/11] test_user_copy: Check user checksum functions James Hogan
2015-08-07 23:51 ` [PATCH v2 00/11] test_user_copy improvements Kees Cook
2015-08-10 22:29 ` David Miller
2015-08-11 4:08 ` David Miller
2015-08-11 11:20 ` Geert Uytterhoeven
2015-08-12 21:34 ` David Miller
2015-08-11 11:07 ` James Hogan
2015-08-11 17:32 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1438960924-23628-6-git-send-email-james.hogan@imgtec.com \
--to=james.hogan@imgtec.com \
--cc=akpm@linux-foundation.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).