Message ID | 20180212165301.17933-6-igor.stoppa@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Mon, Feb 12, 2018 at 8:53 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote: > Add basic self-test functionality for pmalloc. > > Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com> > --- > mm/Kconfig | 9 ++++++++ > mm/Makefile | 1 + > mm/pmalloc-selftest.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++ > mm/pmalloc-selftest.h | 24 +++++++++++++++++++ > mm/pmalloc.c | 2 ++ > 5 files changed, 100 insertions(+) > create mode 100644 mm/pmalloc-selftest.c > create mode 100644 mm/pmalloc-selftest.h > > diff --git a/mm/Kconfig b/mm/Kconfig > index be578fbdce6d..098aefef78b1 100644 > --- a/mm/Kconfig > +++ b/mm/Kconfig > @@ -766,3 +766,12 @@ config PROTECTABLE_MEMORY > depends on ARCH_HAS_SET_MEMORY > select GENERIC_ALLOCATOR > default y > + > +config PROTECTABLE_MEMORY_SELFTEST > + bool "Run self test for pmalloc memory allocator" > + depends on ARCH_HAS_SET_MEMORY > + select PROTECTABLE_MEMORY > + default n > + help > + Tries to verify that pmalloc works correctly and that the memory > + is effectively protected. > diff --git a/mm/Makefile b/mm/Makefile > index 959fdbdac118..f7bbbfde6967 100644 > --- a/mm/Makefile > +++ b/mm/Makefile > @@ -66,6 +66,7 @@ obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o > obj-$(CONFIG_SLOB) += slob.o > obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o > obj-$(CONFIG_PROTECTABLE_MEMORY) += pmalloc.o > +obj-$(CONFIG_PROTECTABLE_MEMORY_SELFTEST) += pmalloc-selftest.o Nit: self-test modules are traditionally named "test_$thing.o" (outside of the tools/ directory). > obj-$(CONFIG_KSM) += ksm.o > obj-$(CONFIG_PAGE_POISONING) += page_poison.o > obj-$(CONFIG_SLAB) += slab.o > diff --git a/mm/pmalloc-selftest.c b/mm/pmalloc-selftest.c > new file mode 100644 > index 000000000000..97ba52d17f69 > --- /dev/null > +++ b/mm/pmalloc-selftest.c > @@ -0,0 +1,64 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * pmalloc-selftest.c > + * > + * (C) Copyright 2018 Huawei Technologies Co. Ltd. > + * Author: Igor Stoppa <igor.stoppa@huawei.com> > + */ > + > +#include <linux/pmalloc.h> > +#include <linux/mm.h> > + > +#include "pmalloc-selftest.h" > + > +#define SIZE_1 (PAGE_SIZE * 3) > +#define SIZE_2 1000 > + > +#define validate_alloc(expected, variable, size) \ > + pr_notice("must be " expected ": %s", \ > + is_pmalloc_object(variable, size) > 0 ? "ok" : "no") > + > +#define is_alloc_ok(variable, size) \ > + validate_alloc("ok", variable, size) > + > +#define is_alloc_no(variable, size) \ > + validate_alloc("no", variable, size) > + > +void pmalloc_selftest(void) > +{ > + struct gen_pool *pool_unprot; > + struct gen_pool *pool_prot; > + void *var_prot, *var_unprot, *var_vmall; > + > + pr_notice("pmalloc self-test"); > + pool_unprot = pmalloc_create_pool("unprotected", 0); > + pool_prot = pmalloc_create_pool("protected", 0); > + BUG_ON(!(pool_unprot && pool_prot)); > + > + var_unprot = pmalloc(pool_unprot, SIZE_1 - 1, GFP_KERNEL); > + var_prot = pmalloc(pool_prot, SIZE_1, GFP_KERNEL); > + *(int *)var_prot = 0; > + var_vmall = vmalloc(SIZE_2); > + is_alloc_ok(var_unprot, 10); > + is_alloc_ok(var_unprot, SIZE_1); > + is_alloc_ok(var_unprot, PAGE_SIZE); > + is_alloc_no(var_unprot, SIZE_1 + 1); > + is_alloc_no(var_vmall, 10); > + > + > + pfree(pool_unprot, var_unprot); > + vfree(var_vmall); > + > + pmalloc_protect_pool(pool_prot); > + > + /* > + * This will intentionally trigger a WARN because the pool being > + * destroyed is not protected, which is unusual and should happen > + * on error paths only, where probably other warnings are already > + * displayed. > + */ > + pmalloc_destroy_pool(pool_unprot); > + > + /* This must not cause WARNings */ > + pmalloc_destroy_pool(pool_prot); > +} I wonder if lkdtm should grow a test too, to validate the RO-ness of the allocations at the right time in API usage? Otherwise, yay! Selftests! -Kees > diff --git a/mm/pmalloc-selftest.h b/mm/pmalloc-selftest.h > new file mode 100644 > index 000000000000..58a5a0cbec14 > --- /dev/null > +++ b/mm/pmalloc-selftest.h > @@ -0,0 +1,24 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * pmalloc-selftest.h > + * > + * (C) Copyright 2018 Huawei Technologies Co. Ltd. > + * Author: Igor Stoppa <igor.stoppa@huawei.com> > + */ > + > + > +#ifndef __MM_PMALLOC_SELFTEST_H > +#define __MM_PMALLOC_SELFTEST_H > + > + > +#ifdef CONFIG_PROTECTABLE_MEMORY_SELFTEST > + > +void pmalloc_selftest(void); > + > +#else > + > +static inline void pmalloc_selftest(void){}; > + > +#endif > + > +#endif > diff --git a/mm/pmalloc.c b/mm/pmalloc.c > index abddba90a9f6..eb445c574b19 100644 > --- a/mm/pmalloc.c > +++ b/mm/pmalloc.c > @@ -22,6 +22,7 @@ > #include <asm/page.h> > > #include <linux/pmalloc.h> > +#include "pmalloc-selftest.h" > /* > * pmalloc_data contains the data specific to a pmalloc pool, > * in a format compatible with the design of gen_alloc. > @@ -494,6 +495,7 @@ static int __init pmalloc_late_init(void) > } > } > mutex_unlock(&pmalloc_mutex); > + pmalloc_selftest(); > return 0; > } > late_initcall(pmalloc_late_init); > -- > 2.14.1 >
On 13/02/18 01:43, Kees Cook wrote: > On Mon, Feb 12, 2018 at 8:53 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote: [...] >> +obj-$(CONFIG_PROTECTABLE_MEMORY_SELFTEST) += pmalloc-selftest.o > > Nit: self-test modules are traditionally named "test_$thing.o" > (outside of the tools/ directory). ok [...] > I wonder if lkdtm should grow a test too, to validate the RO-ness of > the allocations at the right time in API usage? sorry for being dense ... are you proposing that I do something to lkdtm_rodata.c ? An example would probably help me understand. -- igor -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Feb 20, 2018 at 8:40 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote: > > On 13/02/18 01:43, Kees Cook wrote: >> On Mon, Feb 12, 2018 at 8:53 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote: > > [...] > >>> +obj-$(CONFIG_PROTECTABLE_MEMORY_SELFTEST) += pmalloc-selftest.o >> >> Nit: self-test modules are traditionally named "test_$thing.o" >> (outside of the tools/ directory). > > ok > > [...] > >> I wonder if lkdtm should grow a test too, to validate the RO-ness of >> the allocations at the right time in API usage? > > sorry for being dense ... are you proposing that I do something to > lkdtm_rodata.c ? An example would probably help me understand. It would likely live in lkdtm_perms.c (or maybe lkdtm_heap.c). Namely, use the pmalloc API and then attempt to write to a read-only variable in the pmalloc region (to prove that the permission adjustment actually happened). Likely a good example is lkdtm_WRITE_RO_AFTER_INIT(). -Kees
On 22/02/18 00:24, Kees Cook wrote: > On Tue, Feb 20, 2018 at 8:40 AM, Igor Stoppa <igor.stoppa@huawei.com> wrote: [...] >> sorry for being dense ... are you proposing that I do something to >> lkdtm_rodata.c ? An example would probably help me understand. > > It would likely live in lkdtm_perms.c (or maybe lkdtm_heap.c). Namely, > use the pmalloc API and then attempt to write to a read-only variable > in the pmalloc region (to prove that the permission adjustment > actually happened). Likely a good example is > lkdtm_WRITE_RO_AFTER_INIT(). ok, thanks for the explanation, I will do it -- igor -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/mm/Kconfig b/mm/Kconfig index be578fbdce6d..098aefef78b1 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -766,3 +766,12 @@ config PROTECTABLE_MEMORY depends on ARCH_HAS_SET_MEMORY select GENERIC_ALLOCATOR default y + +config PROTECTABLE_MEMORY_SELFTEST + bool "Run self test for pmalloc memory allocator" + depends on ARCH_HAS_SET_MEMORY + select PROTECTABLE_MEMORY + default n + help + Tries to verify that pmalloc works correctly and that the memory + is effectively protected. diff --git a/mm/Makefile b/mm/Makefile index 959fdbdac118..f7bbbfde6967 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -66,6 +66,7 @@ obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o obj-$(CONFIG_SLOB) += slob.o obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o obj-$(CONFIG_PROTECTABLE_MEMORY) += pmalloc.o +obj-$(CONFIG_PROTECTABLE_MEMORY_SELFTEST) += pmalloc-selftest.o obj-$(CONFIG_KSM) += ksm.o obj-$(CONFIG_PAGE_POISONING) += page_poison.o obj-$(CONFIG_SLAB) += slab.o diff --git a/mm/pmalloc-selftest.c b/mm/pmalloc-selftest.c new file mode 100644 index 000000000000..97ba52d17f69 --- /dev/null +++ b/mm/pmalloc-selftest.c @@ -0,0 +1,64 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * pmalloc-selftest.c + * + * (C) Copyright 2018 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa <igor.stoppa@huawei.com> + */ + +#include <linux/pmalloc.h> +#include <linux/mm.h> + +#include "pmalloc-selftest.h" + +#define SIZE_1 (PAGE_SIZE * 3) +#define SIZE_2 1000 + +#define validate_alloc(expected, variable, size) \ + pr_notice("must be " expected ": %s", \ + is_pmalloc_object(variable, size) > 0 ? "ok" : "no") + +#define is_alloc_ok(variable, size) \ + validate_alloc("ok", variable, size) + +#define is_alloc_no(variable, size) \ + validate_alloc("no", variable, size) + +void pmalloc_selftest(void) +{ + struct gen_pool *pool_unprot; + struct gen_pool *pool_prot; + void *var_prot, *var_unprot, *var_vmall; + + pr_notice("pmalloc self-test"); + pool_unprot = pmalloc_create_pool("unprotected", 0); + pool_prot = pmalloc_create_pool("protected", 0); + BUG_ON(!(pool_unprot && pool_prot)); + + var_unprot = pmalloc(pool_unprot, SIZE_1 - 1, GFP_KERNEL); + var_prot = pmalloc(pool_prot, SIZE_1, GFP_KERNEL); + *(int *)var_prot = 0; + var_vmall = vmalloc(SIZE_2); + is_alloc_ok(var_unprot, 10); + is_alloc_ok(var_unprot, SIZE_1); + is_alloc_ok(var_unprot, PAGE_SIZE); + is_alloc_no(var_unprot, SIZE_1 + 1); + is_alloc_no(var_vmall, 10); + + + pfree(pool_unprot, var_unprot); + vfree(var_vmall); + + pmalloc_protect_pool(pool_prot); + + /* + * This will intentionally trigger a WARN because the pool being + * destroyed is not protected, which is unusual and should happen + * on error paths only, where probably other warnings are already + * displayed. + */ + pmalloc_destroy_pool(pool_unprot); + + /* This must not cause WARNings */ + pmalloc_destroy_pool(pool_prot); +} diff --git a/mm/pmalloc-selftest.h b/mm/pmalloc-selftest.h new file mode 100644 index 000000000000..58a5a0cbec14 --- /dev/null +++ b/mm/pmalloc-selftest.h @@ -0,0 +1,24 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * pmalloc-selftest.h + * + * (C) Copyright 2018 Huawei Technologies Co. Ltd. + * Author: Igor Stoppa <igor.stoppa@huawei.com> + */ + + +#ifndef __MM_PMALLOC_SELFTEST_H +#define __MM_PMALLOC_SELFTEST_H + + +#ifdef CONFIG_PROTECTABLE_MEMORY_SELFTEST + +void pmalloc_selftest(void); + +#else + +static inline void pmalloc_selftest(void){}; + +#endif + +#endif diff --git a/mm/pmalloc.c b/mm/pmalloc.c index abddba90a9f6..eb445c574b19 100644 --- a/mm/pmalloc.c +++ b/mm/pmalloc.c @@ -22,6 +22,7 @@ #include <asm/page.h> #include <linux/pmalloc.h> +#include "pmalloc-selftest.h" /* * pmalloc_data contains the data specific to a pmalloc pool, * in a format compatible with the design of gen_alloc. @@ -494,6 +495,7 @@ static int __init pmalloc_late_init(void) } } mutex_unlock(&pmalloc_mutex); + pmalloc_selftest(); return 0; } late_initcall(pmalloc_late_init);
Add basic self-test functionality for pmalloc. Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com> --- mm/Kconfig | 9 ++++++++ mm/Makefile | 1 + mm/pmalloc-selftest.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++ mm/pmalloc-selftest.h | 24 +++++++++++++++++++ mm/pmalloc.c | 2 ++ 5 files changed, 100 insertions(+) create mode 100644 mm/pmalloc-selftest.c create mode 100644 mm/pmalloc-selftest.h