The existing test was only exercising native unsigned long size
get_user(). For completeness, we should check all sizes. But we
must skip some 32-bit architectures that don't implement a 64-bit
get_user().
These new tests actually uncovered a bug in ARM's 64-bit get_user()
zeroing.
Signed-off-by: Kees Cook <keescook@chromium.org>
Under SMAP/PAN/etc, we cannot write directly to userspace memory, so
this rearranges the test bytes to get written through copy_to_user().
Additionally drops the bad copy_from_user() test that would trigger a
memcpy() against userspace on failure.
Signed-off-by: Kees Cook <keescook@chromium.org>
During usercopy the destination buffer will be zeroed if copy_from_user()
or get_user() fails. This patch adds testcases for it. The destination
buffer is set with non-zero value before illegal copy_from_user() or
get_user() is executed and the buffer is compared to zero after usercopy
is done.
Signed-off-by: Hoeun Ryu <hoeun.ryu@gmail.com>
[kees: clarified commit log, dropped second kmalloc]
Signed-off-by: Kees Cook <keescook@chromium.org>
To help avoid an architecture failing to correctly check kernel/user
boundaries when handling copy_to_user, copy_from_user, put_user, or
get_user, perform some simple tests and fail to load if any of them
behave unexpectedly.
Specifically, this is to make sure there is a way to notice if things
like what was fixed in commit 8404663f81 ("ARM: 7527/1: uaccess:
explicitly check __user pointer when !CPU_USE_DOMAINS") ever regresses
again, for any architecture.
Additionally, adds new "user" selftest target, which loads this module.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kees Cook