From: albert.linde@gmail.com
To: akpm@linux-foundation.org, bp@alien8.de, mingo@redhat.com,
corbet@lwn.net, tglx@linutronix.de, arnd@arndb.de
Cc: akinobu.mita@gmail.com, hpa@zytor.com, viro@zeniv.linux.org.uk,
glider@google.com, andreyknvl@google.com, dvyukov@google.com,
elver@google.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
x86@kernel.org, Albert van der Linde <alinde@google.com>
Subject: [PATCH 3/3] x86: add failure injection to get/put/clear_user
Date: Fri, 21 Aug 2020 10:49:25 +0000 [thread overview]
Message-ID: <20200821104926.828511-4-alinde@google.com> (raw)
In-Reply-To: <20200821104926.828511-1-alinde@google.com>
From: Albert van der Linde <alinde@google.com>
To test fault-tolerance of usercopy accesses in x86, add support for
fault injection.
Make both put_user() and get_user() fail with -EFAULT, and clear_user()
fail by partially clearing fewer bytes.
Signed-off-by: Albert van der Linde <alinde@google.com>
---
arch/x86/include/asm/uaccess.h | 70 +++++++++++++++++++---------------
arch/x86/lib/usercopy_64.c | 9 ++++-
2 files changed, 48 insertions(+), 31 deletions(-)
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index ecefaffd15d4..dacb6105831e 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -5,6 +5,7 @@
* User space memory access functions
*/
#include <linux/compiler.h>
+#include <linux/fault-inject-usercopy.h>
#include <linux/kasan-checks.h>
#include <linux/string.h>
#include <asm/asm.h>
@@ -174,12 +175,17 @@ extern int __get_user_bad(void);
int __ret_gu; \
register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
__chk_user_ptr(ptr); \
- might_fault(); \
- asm volatile("call __get_user_%P4" \
- : "=a" (__ret_gu), "=r" (__val_gu), \
+ if (should_fail_usercopy(sizeof(*(ptr)))) { \
+ (x) = 0; \
+ __ret_gu = -EFAULT; \
+ } else { \
+ might_fault(); \
+ asm volatile("call __get_user_%P4" \
+ : "=a" (__ret_gu), "=r" (__val_gu), \
ASM_CALL_CONSTRAINT \
- : "0" (ptr), "i" (sizeof(*(ptr)))); \
- (x) = (__force __typeof__(*(ptr))) __val_gu; \
+ : "0" (ptr), "i" (sizeof(*(ptr)))); \
+ (x) = (__force __typeof__(*(ptr))) __val_gu; \
+ } \
__builtin_expect(__ret_gu, 0); \
})
@@ -236,31 +242,35 @@ extern void __put_user_8(void);
*
* Return: zero on success, or -EFAULT on error.
*/
-#define put_user(x, ptr) \
-({ \
- int __ret_pu; \
- __typeof__(*(ptr)) __pu_val; \
- __chk_user_ptr(ptr); \
- might_fault(); \
- __pu_val = x; \
- switch (sizeof(*(ptr))) { \
- case 1: \
- __put_user_x(1, __pu_val, ptr, __ret_pu); \
- break; \
- case 2: \
- __put_user_x(2, __pu_val, ptr, __ret_pu); \
- break; \
- case 4: \
- __put_user_x(4, __pu_val, ptr, __ret_pu); \
- break; \
- case 8: \
- __put_user_x8(__pu_val, ptr, __ret_pu); \
- break; \
- default: \
- __put_user_x(X, __pu_val, ptr, __ret_pu); \
- break; \
- } \
- __builtin_expect(__ret_pu, 0); \
+#define put_user(x, ptr) \
+({ \
+ int __ret_pu; \
+ __typeof__(*(ptr)) __pu_val; \
+ __chk_user_ptr(ptr); \
+ might_fault(); \
+ __pu_val = x; \
+ if (should_fail_usercopy(sizeof(*(ptr)))) { \
+ __ret_pu = -EFAULT; \
+ } else { \
+ switch (sizeof(*(ptr))) { \
+ case 1: \
+ __put_user_x(1, __pu_val, ptr, __ret_pu); \
+ break; \
+ case 2: \
+ __put_user_x(2, __pu_val, ptr, __ret_pu); \
+ break; \
+ case 4: \
+ __put_user_x(4, __pu_val, ptr, __ret_pu); \
+ break; \
+ case 8: \
+ __put_user_x8(__pu_val, ptr, __ret_pu); \
+ break; \
+ default: \
+ __put_user_x(X, __pu_val, ptr, __ret_pu); \
+ break; \
+ } \
+ } \
+ __builtin_expect(__ret_pu, 0); \
})
#define __put_user_size(x, ptr, size, label) \
diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
index b0dfac3d3df7..b749590d753e 100644
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -7,6 +7,7 @@
* Copyright 2002 Andi Kleen <ak@suse.de>
*/
#include <linux/export.h>
+#include <linux/fault-inject-usercopy.h>
#include <linux/uaccess.h>
#include <linux/highmem.h>
@@ -50,8 +51,14 @@ EXPORT_SYMBOL(__clear_user);
unsigned long clear_user(void __user *to, unsigned long n)
{
+ long not_copied = should_fail_usercopy(n);
+
+ if (not_copied < 0)
+ not_copied = n;
+
if (access_ok(to, n))
- return __clear_user(to, n);
+ return not_copied + __clear_user(to, n - not_copied);
+
return n;
}
EXPORT_SYMBOL(clear_user);
--
2.28.0.297.g1956fa8f8d-goog
prev parent reply other threads:[~2020-08-21 10:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-21 10:49 [PATCH 0/3] add fault injection to user memory access functions albert.linde
2020-08-21 10:49 ` [PATCH 1/3] lib, include/linux: add usercopy failure capability albert.linde
2020-08-21 11:51 ` Dmitry Vyukov
2020-08-21 13:31 ` Marco Elver
2020-08-21 10:49 ` [PATCH 2/3] lib, uaccess: add failure injection to usercopy functions albert.linde
2020-08-21 11:46 ` Dmitry Vyukov
2020-08-21 10:49 ` albert.linde [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200821104926.828511-4-alinde@google.com \
--to=albert.linde@gmail.com \
--cc=akinobu.mita@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alinde@google.com \
--cc=andreyknvl@google.com \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.