From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=FDpK=EY=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_ADSP_ALL,
	DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,
	USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 34214C63798
	for <linux-mm@archiver.kernel.org>; Wed, 18 Nov 2020 11:07:59 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 89D33238E6
	for <linux-mm@archiver.kernel.org>; Wed, 18 Nov 2020 11:07:58 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=fail reason="signature verification failed" (1024-bit key) header.d=privacyrequired.com header.i=@privacyrequired.com header.b="pJ+fCi0/"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 89D33238E6
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=privacyrequired.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 0F1356B0072; Wed, 18 Nov 2020 06:07:58 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id F23C16B0074; Wed, 18 Nov 2020 06:07:57 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id DBBE56B0075; Wed, 18 Nov 2020 06:07:57 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0136.hostedemail.com [216.40.44.136])
	by kanga.kvack.org (Postfix) with ESMTP id AE2296B0072
	for <linux-mm@kvack.org>; Wed, 18 Nov 2020 06:07:57 -0500 (EST)
Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 6910C8249980
	for <linux-mm@kvack.org>; Wed, 18 Nov 2020 11:07:57 +0000 (UTC)
X-FDA: 77497264194.28.uncle52_160d3fb27339
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin28.hostedemail.com (Postfix) with ESMTP id 4A7E26C05
	for <linux-mm@kvack.org>; Wed, 18 Nov 2020 11:07:57 +0000 (UTC)
X-HE-Tag: uncle52_160d3fb27339
X-Filterd-Recvd-Size: 6757
Received: from latitanza.investici.org (latitanza.investici.org [82.94.249.234])
	by imf40.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Wed, 18 Nov 2020 11:07:56 +0000 (UTC)
Received: from mx3.investici.org (unknown [127.0.0.1])
	by latitanza.investici.org (Postfix) with ESMTP id 4Cbg5R2kbLz8shF;
	Wed, 18 Nov 2020 11:07:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=privacyrequired.com;
	s=stigmate; t=1605697675;
	bh=+C0i2GkkWKQEX9khs8ZKUF2KVS5DhQb5yHyYo5u1mKs=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=pJ+fCi0/B1Q7s1EqMEMHyuC5pLghwJn6x9h+wVFMkLkkkqJBubVQlbA6XDgAma4LB
	 C0xeqTxFCROrZMX5uftPlHDws0BSZRS58sTAlvxwQ16es7OzGzhmJf2st+WJSXWH5S
	 227/eyXZa4r4/M9cx6B4qh088mOiDj5wOmgCAZQA=
Received: from [82.94.249.234] (mx3.investici.org [82.94.249.234]) (Authenticated sender: laniel_francis@privacyrequired.com) by localhost (Postfix) with ESMTPSA id 4Cbg5Q4Tntz8sgF;
	Wed, 18 Nov 2020 11:07:54 +0000 (UTC)
From: laniel_francis@privacyrequired.com
To: akpm@linux-foundation.org
Cc: linux-hardening@vger.kernel.org,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	dja@axtens.net,
	keescook@chromium.org,
	Francis Laniel <laniel_francis@privacyrequired.com>
Subject: [PATCH v5 4/5] Add new file in LKDTM to test fortified strscpy.
Date: Wed, 18 Nov 2020 12:07:30 +0100
Message-Id: <20201118110731.15833-5-laniel_francis@privacyrequired.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20201118110731.15833-1-laniel_francis@privacyrequired.com>
References: <20201118110731.15833-1-laniel_francis@privacyrequired.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Francis Laniel <laniel_francis@privacyrequired.com>

This new test ensures that fortified strscpy has the same behavior than v=
anilla
strscpy (e.g. returning -E2BIG when src content is truncated).
Finally, it generates a crash at runtime because there is a write overflo=
w in
destination string.

Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
 drivers/misc/lkdtm/Makefile             |  1 +
 drivers/misc/lkdtm/core.c               |  1 +
 drivers/misc/lkdtm/fortify.c            | 82 +++++++++++++++++++++++++
 drivers/misc/lkdtm/lkdtm.h              |  3 +
 tools/testing/selftests/lkdtm/tests.txt |  1 +
 5 files changed, 88 insertions(+)
 create mode 100644 drivers/misc/lkdtm/fortify.c

diff --git a/drivers/misc/lkdtm/Makefile b/drivers/misc/lkdtm/Makefile
index c70b3822013f..d898f7b22045 100644
--- a/drivers/misc/lkdtm/Makefile
+++ b/drivers/misc/lkdtm/Makefile
@@ -10,6 +10,7 @@ lkdtm-$(CONFIG_LKDTM)		+=3D rodata_objcopy.o
 lkdtm-$(CONFIG_LKDTM)		+=3D usercopy.o
 lkdtm-$(CONFIG_LKDTM)		+=3D stackleak.o
 lkdtm-$(CONFIG_LKDTM)		+=3D cfi.o
+lkdtm-$(CONFIG_LKDTM)		+=3D fortify.o
=20
 KASAN_SANITIZE_stackleak.o	:=3D n
 KCOV_INSTRUMENT_rodata.o	:=3D n
diff --git a/drivers/misc/lkdtm/core.c b/drivers/misc/lkdtm/core.c
index b8c51a633fcc..3c0a67f072c0 100644
--- a/drivers/misc/lkdtm/core.c
+++ b/drivers/misc/lkdtm/core.c
@@ -175,6 +175,7 @@ static const struct crashtype crashtypes[] =3D {
 	CRASHTYPE(USERCOPY_KERNEL),
 	CRASHTYPE(STACKLEAK_ERASING),
 	CRASHTYPE(CFI_FORWARD_PROTO),
+	CRASHTYPE(FORTIFIED_STRSCPY),
 #ifdef CONFIG_X86_32
 	CRASHTYPE(DOUBLE_FAULT),
 #endif
diff --git a/drivers/misc/lkdtm/fortify.c b/drivers/misc/lkdtm/fortify.c
new file mode 100644
index 000000000000..790d46591bf5
--- /dev/null
+++ b/drivers/misc/lkdtm/fortify.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (c) 2020 Francis Laniel <laniel_francis@privacyrequired.com=
>
+ *
+ * Add tests related to fortified functions in this file.
+ */
+#include <linux/string.h>
+#include <linux/slab.h>
+#include "lkdtm.h"
+
+
+/*
+ * Calls fortified strscpy to test that it returns the same result as va=
nilla
+ * strscpy and generate a panic because there is a write overflow (i.e. =
src
+ * length is greater than dst length).
+ */
+void lkdtm_FORTIFIED_STRSCPY(void)
+{
+	char *src;
+	char dst[5];
+
+	struct {
+		union {
+			char big[10];
+			char src[5];
+		};
+	} weird =3D { .big =3D "hello!" };
+	char weird_dst[sizeof(weird.src) + 1];
+
+	src =3D kstrdup("foobar", GFP_KERNEL);
+
+	if (src =3D=3D NULL)
+		return;
+
+	/* Vanilla strscpy returns -E2BIG if size is 0. */
+	if (strscpy(dst, src, 0) !=3D -E2BIG)
+		pr_warn("FAIL: strscpy() of 0 length did not return -E2BIG\n");
+
+	/* Vanilla strscpy returns -E2BIG if src is truncated. */
+	if (strscpy(dst, src, sizeof(dst)) !=3D -E2BIG)
+		pr_warn("FAIL: strscpy() did not return -E2BIG while src is truncated\=
n");
+
+	/* After above call, dst must contain "foob" because src was truncated.=
 */
+	if (strncmp(dst, "foob", sizeof(dst)) !=3D 0)
+		pr_warn("FAIL: after strscpy() dst does not contain \"foob\" but \"%s\=
"\n",
+			dst);
+
+	/* Shrink src so the strscpy() below succeeds. */
+	src[3] =3D '\0';
+
+	/*
+	 * Vanilla strscpy returns number of character copied if everything goe=
s
+	 * well.
+	 */
+	if (strscpy(dst, src, sizeof(dst)) !=3D 3)
+		pr_warn("FAIL: strscpy() did not return 3 while src was copied entirel=
y truncated\n");
+
+	/* After above call, dst must contain "foo" because src was copied. */
+	if (strncmp(dst, "foo", sizeof(dst)) !=3D 0)
+		pr_warn("FAIL: after strscpy() dst does not contain \"foo\" but \"%s\"=
\n",
+			dst);
+
+	/* Test when src is embedded inside a union. */
+	strscpy(weird_dst, weird.src, sizeof(weird_dst));
+
+	if (strcmp(weird_dst, "hello") !=3D 0)
+		pr_warn("FAIL: after strscpy() weird_dst does not contain \"hello\" bu=
t \"%s\"\n",
+			weird_dst);
+
+	/* Restore src to its initial value. */
+	src[3] =3D 'b';
+
+	/*
+	 * Use strlen here so size cannot be known at compile time and there is
+	 * a runtime write overflow.
+	 */
+	strscpy(dst, src, strlen(src));
+
+	pr_warn("FAIL: No overflow in above strscpy()\n");
+
+	kfree(src);
+}
diff --git a/drivers/misc/lkdtm/lkdtm.h b/drivers/misc/lkdtm/lkdtm.h
index 49e6b945feb7..138f06254b61 100644
--- a/drivers/misc/lkdtm/lkdtm.h
+++ b/drivers/misc/lkdtm/lkdtm.h
@@ -104,4 +104,7 @@ void lkdtm_STACKLEAK_ERASING(void);
 /* cfi.c */
 void lkdtm_CFI_FORWARD_PROTO(void);
=20
+/* fortify.c */
+void lkdtm_FORTIFIED_STRSCPY(void);
+
 #endif
diff --git a/tools/testing/selftests/lkdtm/tests.txt b/tools/testing/self=
tests/lkdtm/tests.txt
index 74a8d329a72c..92ba4cc41314 100644
--- a/tools/testing/selftests/lkdtm/tests.txt
+++ b/tools/testing/selftests/lkdtm/tests.txt
@@ -68,3 +68,4 @@ USERCOPY_STACK_BEYOND
 USERCOPY_KERNEL
 STACKLEAK_ERASING OK: the rest of the thread stack is properly erased
 CFI_FORWARD_PROTO
+FORTIFIED_STRSCPY
--=20
2.20.1