From patchwork Fri May 26 20:40:33 2017
X-Patchwork-Submitter: Arnd Bergmann
X-Patchwork-Id: 100582
From: Arnd Bergmann
To: stable@vger.kernel.org, Kees Cook, Arnd Bergmann
Cc: linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: [stable backport PATCH] usercopy: Adjust tests to deal with SMAP/PAN
Date: Fri, 26 May 2017 22:40:33 +0200
Message-Id: <20170526204040.1953914-1-arnd@arndb.de>

From: Kees Cook

Commit f5f893c57e37ca730808cb2eee3820abd05e7507 upstream.

Under SMAP/PAN/etc, we cannot write directly to userspace memory, so this rearranges the test bytes to get written through copy_to_user(). Additionally drops the bad copy_from_user() test that would trigger a memcpy() against userspace on failure.

[arnd: the test module was added in 3.14, and this backported patch should apply cleanly on all versions from 3.14 to 4.10. The original patch was in 4.11 on top of a context change. I saw the bug triggered with kselftest on a 4.4.y stable kernel]

Signed-off-by: Kees Cook
Signed-off-by: Arnd Bergmann
--- lib/test_user_copy.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) -- 2.9.0 diff --git a/lib/test_user_copy.c b/lib/test_user_copy.c index 0ecef3e4690e..b16891d01112 100644 --- a/lib/test_user_copy.c +++ b/lib/test_user_copy.c @@ -58,7 +58,9 @@ static int __init test_user_copy_init(void) usermem = (char __user *)user_addr; bad_usermem = (char *)user_addr; - /* Legitimate usage: none of these should fail. */ + /* + * Legitimate usage: none of these copies should fail. + */ ret |= test(copy_from_user(kmem, usermem, PAGE_SIZE), "legitimate copy_from_user failed"); ret |= test(copy_to_user(usermem, kmem, PAGE_SIZE), 
@@ -68,19 +70,34 @@ static int __init test_user_copy_init(void) ret |= test(put_user(value, (unsigned long __user *)usermem), "legitimate put_user failed"); - /* Invalid usage: none of these should succeed. */ + /* + * Invalid usage: none of these copies should succeed. + */ + + /* Reject kernel-to-kernel copies through copy_from_user(). */ ret |= test(!copy_from_user(kmem, (char __user *)(kmem + PAGE_SIZE), PAGE_SIZE), "illegal all-kernel copy_from_user passed"); + +#if 0 + /* + * When running with SMAP/PAN/etc, this will Oops the kernel + * due to the zeroing of userspace memory on failure. This needs + * to be tested in LKDTM instead, since this test module does not + * expect to explode. + */ ret |= test(!copy_from_user(bad_usermem, (char __user *)kmem, PAGE_SIZE), "illegal reversed copy_from_user passed"); +#endif ret |= test(!copy_to_user((char __user *)kmem, kmem + PAGE_SIZE, PAGE_SIZE), "illegal all-kernel copy_to_user passed"); ret |= test(!copy_to_user((char __user *)kmem, bad_usermem, PAGE_SIZE), "illegal reversed copy_to_user passed"); + + value = 0x5a; ret |= test(!get_user(value, (unsigned long __user *)kmem), "illegal get_user passed"); ret |= test(!put_user(value, (unsigned long __user *)kmem),
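Review bot: in the second hunk (@@ -68,19 +70,34 @@) the reversed copy_from_user() test is wrapped in #if 0 rather than deleted, while the commit message says the test is dropped. Code left under #if 0 is never compiled and tends to rot; either remove the two test lines and keep only the comment explaining that the case belongs in LKDTM, or keep the block and name in the comment the LKDTM test that covers it, since nothing in this patch adds that coverage and the reversed copy_from_user() case is untested after this change. Separately, the added `value = 0x5a;` before the illegal get_user() check has no comment; a one-line note on why value is reset at this point would make the intent clear to the next reader.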