From patchwork Wed Jan 23 11:03:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 10777051 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 302DE91E for ; Wed, 23 Jan 2019 11:04:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1E10B2BD2E for ; Wed, 23 Jan 2019 11:04:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 11C282BD39; Wed, 23 Jan 2019 11:04:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CE9C82BD49 for ; Wed, 23 Jan 2019 11:04:22 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 704B88E0001; Wed, 23 Jan 2019 06:04:17 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 6893E8E001A; Wed, 23 Jan 2019 06:04:17 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 50D718E0001; Wed, 23 Jan 2019 06:04:17 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf1-f199.google.com (mail-pf1-f199.google.com [209.85.210.199]) by kanga.kvack.org (Postfix) with ESMTP id DB6908E001A for ; Wed, 23 Jan 2019 06:04:16 -0500 (EST) Received: by mail-pf1-f199.google.com with SMTP id f69so1483892pff.5 for ; Wed, 23 Jan 2019 03:04:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:from:to:cc:subject:date :message-id:in-reply-to:references; bh=WWbvkyDFrEwD8Gl8RHFeeU54ZHjYlP1PsRcb35sltHw=; b=aiLpW7ljQ2WjQbqdgoEJZOPcpsLaVOBwU/Zg/5lKi3cv5awwgOEdXoPgvyO8JG1Mpj CaIDFidWjdl7k2PMSN0WDerX/FurtV//mzGHZkYL5Agw54ABhXOs8Jq9NkVu0fYp4Bmw quhMmPgpe3Tb5SrKUsJrzEflLRe3HgheN4YUrYQOuhJf9nVWXuUIxc78nVZ08n1G3QHU ztAiNAY9wiAeiyuN4GzmX/pfY3CA3IEH96K/Yzf5gLAlJyWG884o/gbiLXSJ3K4oHeKS li7SnETVMXYDTf5Jem7B11YyP46TSbq2g+qzFHaUIiu+eYmYkTdqXsnKiLtUoPIgj3Yn Qd+Q== X-Gm-Message-State: AJcUukdWSWgEi9yOR35LSyDQT2rDXE+i2KOFtA/XAxef5Zjw3b9ZO3ev dSUAlNF8WT3JM93Sjrx6k65O2JrrRVcN5BX71YLcx4wORhhbpNc159a2tWBrloy715g+THtec+I 1Ny9zMC7kLBpRLycwz0H2zsf6Qy4AhrgtB3vevjxyYnYI9JPx7uk/fvt9nTL239knHXVVEVx4lX VGoZl9fPXJ8fddjsHqrrU0zDpOFuXigN+RKJ/91U6wmDvOZQGwcGPKrYcQmvC0r7x9w6OxZgTAv tjh7T44fekh+9ijdOkN44uq+mfD4PxH7GNhoQjQbyWHrqzHhLis21XxTmhkLkv8UfFrLNKlxDhT LgNmBSIc8D4Ivxkj7aWnZmv95NVTJny2o1z4lzG6ibsUa7L4q7o70H8braR1E7Eaui/wKsj+Qi0 7 X-Received: by 2002:a63:1c09:: with SMTP id c9mr1556460pgc.200.1548241456439; Wed, 23 Jan 2019 03:04:16 -0800 (PST) X-Received: by 2002:a63:1c09:: with SMTP id c9mr1556380pgc.200.1548241455048; Wed, 23 Jan 2019 03:04:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548241455; cv=none; d=google.com; s=arc-20160816; b=QrjxoEjs+xwAF5L70/mjNgZ7BisGfKO02pgmxLoHrxR01SdhPT/2qg/IQKQ7PYV7mP 8215nD7kE3jx+e45G+5lxNUbQMaWo52lvpCkcTcdHiRsXE9GYWSqE04QeQjnQyAn6RTI TfIhsm42cu5MPYny01xPzhfPq/7UL+YWtZ2w2O/QHlFCJ8NIU43i2a+wqD4rpcz1tWOq 9oFlnfkLuRfbiol2cv7/jmoBystgwFFnSp9EUNywdJshHbBsIxj4pNbGNhnhvQV95Eyi jP8hblXEpB0xg84pd/VaOZfBGlVsO41e+M9hD29Lz/rVBDBiVRuBtHj5VXdUXboMT2kX gq9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=WWbvkyDFrEwD8Gl8RHFeeU54ZHjYlP1PsRcb35sltHw=; b=x/2ubv5RRJ3j3lPQYPMg2o2wNjyc9aG7dIXqxMeDM9HFS0822UJmSXoeO2eSQ4Xax5 EZP15o0BrpLXi7nwNVrZRsSOeMUXlJ1wyIq/7/LhUUgMPmwhmWJ6Pavr5yXzhMlyhBTW IZHkgKZk5w24/g10NIMQRJIG/+JOy6+sW7o86VWfLlqb0XLX1RNgVLy+TFi9ee8kK4GA 6qex9CcxdE9fMnzf7jjRHrO9dqPa59gA6Uzxz4CEr3OqLbgty+kOUcjh7olCUOyVK8OL 2r4awCG2VrxLj3gpNN5RIT4NybcIfiyiPdFm0kU8t3bii0OfJzUcIhf+ZrAzHtUKT/dr iL+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=DkyomhsD; spf=pass (google.com: domain of keescook@chromium.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id j6sor27582318pgq.46.2019.01.23.03.04.14 for (Google Transport Security); Wed, 23 Jan 2019 03:04:15 -0800 (PST) Received-SPF: pass (google.com: domain of keescook@chromium.org designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=DkyomhsD; spf=pass (google.com: domain of keescook@chromium.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=WWbvkyDFrEwD8Gl8RHFeeU54ZHjYlP1PsRcb35sltHw=; b=DkyomhsDwUdIfnaDB/NeiZUczL0kVk8bi1CWvJwOo+O8Y3gwR8sdwlvtjgUZMWvt7A Q4e8Rnt7B3G04qrG0W5Z37/0zhU/H5BC3W/9B9kMPvBf0G47QvaIoCZgUn3sUBs6FFYX lBdX04C6nh3Qfmf12yYQiGNupJGr/usqexPmw= X-Google-Smtp-Source: ALg8bN6pJQ3eCmEXxAgRqj/tyajOwVnmQ4WNYNAOVXjqhOShRLFHBh9ESM5QcYvZHttlSHXjQfRQag== X-Received: by 2002:a65:50c1:: with SMTP id s1mr1531952pgp.350.1548241454431; Wed, 23 Jan 2019 03:04:14 -0800 (PST) Received: from www.outflux.net (173-164-112-133-Oregon.hfc.comcastbusiness.net. [173.164.112.133]) by smtp.gmail.com with ESMTPSA id a4sm20257473pgv.70.2019.01.23.03.04.12 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 23 Jan 2019 03:04:12 -0800 (PST) From: Kees Cook To: linux-kernel@vger.kernel.org Cc: Kees Cook , Ard Biesheuvel , Laura Abbott , Alexander Popov , xen-devel@lists.xenproject.org, dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org, linux-usb@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, dev@openvswitch.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org, kernel-hardening@lists.openwall.com Subject: [PATCH 3/3] lib: Introduce test_stackinit module Date: Wed, 23 Jan 2019 03:03:49 -0800 Message-Id: <20190123110349.35882-4-keescook@chromium.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190123110349.35882-1-keescook@chromium.org> References: <20190123110349.35882-1-keescook@chromium.org> X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Adds test for stack initialization coverage. We have several build options that control the level of stack variable initialization. This test lets us visualize which options cover which cases, and provide tests for options that are currently not available (padding initialization). All options pass the explicit initialization cases and the partial initializers (even with padding): test_stackinit: u8_zero ok test_stackinit: u16_zero ok test_stackinit: u32_zero ok test_stackinit: u64_zero ok test_stackinit: char_array_zero ok test_stackinit: small_hole_zero ok test_stackinit: big_hole_zero ok test_stackinit: packed_zero ok test_stackinit: small_hole_dynamic_partial ok test_stackinit: big_hole_dynamic_partial ok test_stackinit: packed_static_partial ok test_stackinit: small_hole_static_partial ok test_stackinit: big_hole_static_partial ok The results of the other tests (which contain no explicit initialization), change based on the build's configured compiler instrumentation. No options: test_stackinit: small_hole_static_all FAIL (uninit bytes: 3) test_stackinit: big_hole_static_all FAIL (uninit bytes: 61) test_stackinit: small_hole_dynamic_all FAIL (uninit bytes: 3) test_stackinit: big_hole_dynamic_all FAIL (uninit bytes: 61) test_stackinit: small_hole_runtime_partial FAIL (uninit bytes: 23) test_stackinit: big_hole_runtime_partial FAIL (uninit bytes: 127) test_stackinit: small_hole_runtime_all FAIL (uninit bytes: 3) test_stackinit: big_hole_runtime_all FAIL (uninit bytes: 61) test_stackinit: u8 FAIL (uninit bytes: 1) test_stackinit: u16 FAIL (uninit bytes: 2) test_stackinit: u32 FAIL (uninit bytes: 4) test_stackinit: u64 FAIL (uninit bytes: 8) test_stackinit: char_array FAIL (uninit bytes: 16) test_stackinit: small_hole FAIL (uninit bytes: 24) test_stackinit: big_hole FAIL (uninit bytes: 128) test_stackinit: user FAIL (uninit bytes: 32) test_stackinit: failures: 16 CONFIG_GCC_PLUGIN_STRUCTLEAK=y This only tries to initialize structs with __user markings: test_stackinit: small_hole_static_all FAIL (uninit bytes: 3) test_stackinit: big_hole_static_all FAIL (uninit bytes: 61) test_stackinit: small_hole_dynamic_all FAIL (uninit bytes: 3) test_stackinit: big_hole_dynamic_all FAIL (uninit bytes: 61) test_stackinit: small_hole_runtime_partial FAIL (uninit bytes: 23) test_stackinit: big_hole_runtime_partial FAIL (uninit bytes: 127) test_stackinit: small_hole_runtime_all FAIL (uninit bytes: 3) test_stackinit: big_hole_runtime_all FAIL (uninit bytes: 61) test_stackinit: u8 FAIL (uninit bytes: 1) test_stackinit: u16 FAIL (uninit bytes: 2) test_stackinit: u32 FAIL (uninit bytes: 4) test_stackinit: u64 FAIL (uninit bytes: 8) test_stackinit: char_array FAIL (uninit bytes: 16) test_stackinit: small_hole FAIL (uninit bytes: 24) test_stackinit: big_hole FAIL (uninit bytes: 128) test_stackinit: user ok test_stackinit: failures: 15 CONFIG_GCC_PLUGIN_STRUCTLEAK=y CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y This initializes all structures passed by reference (scalars and strings remain uninitialized, but padding is wiped): test_stackinit: small_hole_static_all ok test_stackinit: big_hole_static_all ok test_stackinit: small_hole_dynamic_all ok test_stackinit: big_hole_dynamic_all ok test_stackinit: small_hole_runtime_partial ok test_stackinit: big_hole_runtime_partial ok test_stackinit: small_hole_runtime_all ok test_stackinit: big_hole_runtime_all ok test_stackinit: u8 FAIL (uninit bytes: 1) test_stackinit: u16 FAIL (uninit bytes: 2) test_stackinit: u32 FAIL (uninit bytes: 4) test_stackinit: u64 FAIL (uninit bytes: 8) test_stackinit: char_array FAIL (uninit bytes: 16) test_stackinit: small_hole ok test_stackinit: big_hole ok test_stackinit: user ok test_stackinit: failures: 5 CONFIG_GCC_PLUGIN_STACKINIT=y This initializes all variables, but has no special padding handling: test_stackinit: small_hole_static_all FAIL (uninit bytes: 3) test_stackinit: big_hole_static_all FAIL (uninit bytes: 61) test_stackinit: small_hole_dynamic_all FAIL (uninit bytes: 3) test_stackinit: big_hole_dynamic_all FAIL (uninit bytes: 61) test_stackinit: small_hole_runtime_partial ok test_stackinit: big_hole_runtime_partial ok test_stackinit: small_hole_runtime_all ok test_stackinit: big_hole_runtime_all ok test_stackinit: u8 ok test_stackinit: u16 ok test_stackinit: u32 ok test_stackinit: u64 ok test_stackinit: char_array ok test_stackinit: small_hole ok test_stackinit: big_hole ok test_stackinit: user ok test_stackinit: failures: 4 Signed-off-by: Kees Cook --- lib/Kconfig.debug | 9 ++ lib/Makefile | 1 + lib/test_stackinit.c | 327 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 337 insertions(+) create mode 100644 lib/test_stackinit.c diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index d4df5b24d75e..09788afcccc9 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -2001,6 +2001,15 @@ config TEST_OBJAGG If unsure, say N. +config TEST_STACKINIT + tristate "Test level of stack variable initialization" + help + Test if the kernel is zero-initializing stack variables + from CONFIG_GCC_PLUGIN_STACKINIT, CONFIG_GCC_PLUGIN_STRUCTLEAK, + and/or GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. + + If unsure, say N. + endif # RUNTIME_TESTING_MENU config MEMTEST diff --git a/lib/Makefile b/lib/Makefile index e1b59da71418..c81a66d4d00d 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -76,6 +76,7 @@ obj-$(CONFIG_TEST_KMOD) += test_kmod.o obj-$(CONFIG_TEST_DEBUG_VIRTUAL) += test_debug_virtual.o obj-$(CONFIG_TEST_MEMCAT_P) += test_memcat_p.o obj-$(CONFIG_TEST_OBJAGG) += test_objagg.o +obj-$(CONFIG_TEST_STACKINIT) += test_stackinit.o ifeq ($(CONFIG_DEBUG_KOBJECT),y) CFLAGS_kobject.o += -DDEBUG diff --git a/lib/test_stackinit.c b/lib/test_stackinit.c new file mode 100644 index 000000000000..e2ff56a1002a --- /dev/null +++ b/lib/test_stackinit.c @@ -0,0 +1,327 @@ +// SPDX-Licenses: GPLv2 +/* + * Test cases for -finit-local-vars and CONFIG_GCC_PLUGIN_STACKINIT. + */ +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + +#include +#include +#include +#include + +/* Exfiltration buffer. */ +#define MAX_VAR_SIZE 128 +static char check_buf[MAX_VAR_SIZE]; + +/* Character array to trigger stack protector in all functions. */ +#define VAR_BUFFER 32 + +/* Volatile mask to convince compiler to copy memory with 0xff. */ +static volatile u8 forced_mask = 0xff; + +/* Location and size tracking to validate fill and test are colocated. */ +static void *fill_start, *target_start; +static size_t fill_size, target_size; + +static bool range_contains(char *haystack_start, size_t haystack_size, + char *needle_start, size_t needle_size) +{ + if (needle_start >= haystack_start && + needle_start + needle_size <= haystack_start + haystack_size) + return true; + return false; +} + +#define DO_NOTHING_TYPE_SCALAR(var_type) var_type +#define DO_NOTHING_TYPE_STRING(var_type) void +#define DO_NOTHING_TYPE_STRUCT(var_type) void + +#define DO_NOTHING_RETURN_SCALAR(ptr) *(ptr) +#define DO_NOTHING_RETURN_STRING(ptr) /**/ +#define DO_NOTHING_RETURN_STRUCT(ptr) /**/ + +#define DO_NOTHING_CALL_SCALAR(var, name) \ + (var) = do_nothing_ ## name(&(var)) +#define DO_NOTHING_CALL_STRING(var, name) \ + do_nothing_ ## name(var) +#define DO_NOTHING_CALL_STRUCT(var, name) \ + do_nothing_ ## name(&(var)) + +#define FETCH_ARG_SCALAR(var) &var +#define FETCH_ARG_STRING(var) var +#define FETCH_ARG_STRUCT(var) &var + +#define FILL_SIZE_SCALAR 1 +#define FILL_SIZE_STRING 16 +#define FILL_SIZE_STRUCT 1 + +#define INIT_CLONE_SCALAR /**/ +#define INIT_CLONE_STRING [FILL_SIZE_STRING] +#define INIT_CLONE_STRUCT /**/ + +#define INIT_SCALAR_NONE /**/ +#define INIT_SCALAR_ZERO = 0 + +#define INIT_STRING_NONE [FILL_SIZE_STRING] /**/ +#define INIT_STRING_ZERO [FILL_SIZE_STRING] = { } + +#define INIT_STRUCT_NONE /**/ +#define INIT_STRUCT_ZERO = { } +#define INIT_STRUCT_STATIC_PARTIAL = { .two = 0, } +#define INIT_STRUCT_STATIC_ALL = { .one = arg->one, \ + .two = arg->two, \ + .three = arg->three, \ + .four = arg->four, \ + } +#define INIT_STRUCT_DYNAMIC_PARTIAL = { .two = arg->two, } +#define INIT_STRUCT_DYNAMIC_ALL = { .one = arg->one, \ + .two = arg->two, \ + .three = arg->three, \ + .four = arg->four, \ + } +#define INIT_STRUCT_RUNTIME_PARTIAL ; \ + var.two = 0 +#define INIT_STRUCT_RUNTIME_ALL ; \ + var.one = 0; \ + var.two = 0; \ + var.three = 0; \ + memset(&var.four, 0, \ + sizeof(var.four)) + +/* + * @name: unique string name for the test + * @var_type: type to be tested for zeroing initialization + * @which: is this a SCALAR or a STRUCT type? + * @init_level: what kind of initialization is performed + */ +#define DEFINE_TEST(name, var_type, which, init_level) \ +static noinline int fill_ ## name(unsigned long sp) \ +{ \ + char buf[VAR_BUFFER + \ + sizeof(var_type) * FILL_SIZE_ ## which * 4]; \ + \ + fill_start = buf; \ + fill_size = sizeof(buf); \ + /* Fill variable with 0xFF. */ \ + memset(fill_start, (char)((sp && 0xff) | forced_mask), \ + fill_size); \ + \ + return (int)buf[0] | (int)buf[sizeof(buf)-1]; \ +} \ +/* no-op to force compiler into ignoring "uninitialized" vars */\ +static noinline DO_NOTHING_TYPE_ ## which(var_type) \ +do_nothing_ ## name(var_type *ptr) \ +{ \ + /* Will always be true, but compiler doesn't know. */ \ + if ((unsigned long)ptr > 0x2) \ + return DO_NOTHING_RETURN_ ## which(ptr); \ + else \ + return DO_NOTHING_RETURN_ ## which(ptr + 1); \ +} \ +static noinline int fetch_ ## name(unsigned long sp, \ + var_type *arg) \ +{ \ + char buf[VAR_BUFFER]; \ + var_type var INIT_ ## which ## _ ## init_level; \ + \ + target_start = &var; \ + target_size = sizeof(var); \ + /* \ + * Keep this buffer around to make sure we've got a \ + * stack frame of SOME kind... \ + */ \ + memset(buf, (char)(sp && 0xff), sizeof(buf)); \ + \ + /* Silence "never initialized" warnings. */ \ + DO_NOTHING_CALL_ ## which(var, name); \ + \ + /* Exfiltrate "var" or field of "var". */ \ + memcpy(check_buf, target_start, target_size); \ + \ + return (int)buf[0] | (int)buf[sizeof(buf) - 1]; \ +} \ +/* Returns 0 on success, 1 on failure. */ \ +static noinline int test_ ## name (void) \ +{ \ + var_type zero INIT_CLONE_ ## which; \ + int ignored; \ + u8 sum = 0, i; \ + \ + /* Notice when a new test is larger than expected. */ \ + BUILD_BUG_ON(sizeof(zero) > MAX_VAR_SIZE); \ + /* Clear entire check buffer for later bit tests. */ \ + memset(check_buf, 0x00, sizeof(check_buf)); \ + \ + /* Fill clone type with zero for per-field init. */ \ + memset(&zero, 0x00, sizeof(zero)); \ + /* Fill stack with 0xFF. */ \ + ignored = fill_ ##name((unsigned long)&ignored); \ + /* Extract stack-defined variable contents. */ \ + ignored = fetch_ ##name((unsigned long)&ignored, \ + FETCH_ARG_ ## which(zero)); \ + \ + /* Validate that compiler lined up fill and target. */ \ + if (!range_contains(fill_start, fill_size, \ + target_start, target_size)) { \ + pr_err(#name ": stack fill missed target!?\n"); \ + pr_err(#name ": fill %zu wide\n", fill_size); \ + pr_err(#name ": target offset by %ld\n", \ + (ssize_t)(uintptr_t)fill_start - \ + (ssize_t)(uintptr_t)target_start); \ + return 1; \ + } \ + \ + /* Look for any set bits in the check region. */ \ + for (i = 0; i < sizeof(check_buf); i++) \ + sum += (check_buf[i] != 0); \ + \ + if (sum == 0) \ + pr_info(#name " ok\n"); \ + else \ + pr_warn(#name " FAIL (uninit bytes: %d)\n", \ + sum); \ + \ + return (sum != 0); \ +} + +/* Structure with no padding. */ +struct test_packed { + unsigned long one; + unsigned long two; + unsigned long three; + unsigned long four; +}; + +/* Simple structure with padding likely to be covered by compiler. */ +struct test_small_hole { + size_t one; + char two; + /* 3 byte padding hole here. */ + int three; + unsigned long four; +}; + +/* Try to trigger unhandled padding in a structure. */ +struct test_aligned { + u32 internal1; + u64 internal2; +} __aligned(64); + +struct test_big_hole { + u8 one; + u8 two; + u8 three; + /* 61 byte padding hole here. */ + struct test_aligned four; +} __aligned(64); + +/* Test if STRUCTLEAK is clearing structs with __user fields. */ +struct test_user { + u8 one; + char __user *two; + unsigned long three; + unsigned long four; +}; + +/* These should be fully initialized all the time! */ +DEFINE_TEST(u8_zero, u8, SCALAR, ZERO); +DEFINE_TEST(u16_zero, u16, SCALAR, ZERO); +DEFINE_TEST(u32_zero, u32, SCALAR, ZERO); +DEFINE_TEST(u64_zero, u64, SCALAR, ZERO); +DEFINE_TEST(char_array_zero, unsigned char, STRING, ZERO); + +DEFINE_TEST(packed_zero, struct test_packed, STRUCT, ZERO); +DEFINE_TEST(small_hole_zero, struct test_small_hole, STRUCT, ZERO); +DEFINE_TEST(big_hole_zero, struct test_big_hole, STRUCT, ZERO); + +/* Static initialization: padding may be left uninitialized. */ +DEFINE_TEST(packed_static_partial, struct test_packed, STRUCT, STATIC_PARTIAL); +DEFINE_TEST(small_hole_static_partial, struct test_small_hole, STRUCT, STATIC_PARTIAL); +DEFINE_TEST(big_hole_static_partial, struct test_big_hole, STRUCT, STATIC_PARTIAL); + +DEFINE_TEST(small_hole_static_all, struct test_small_hole, STRUCT, STATIC_ALL); +DEFINE_TEST(big_hole_static_all, struct test_big_hole, STRUCT, STATIC_ALL); + +/* Dynamic initialization: padding may be left uninitialized. */ +DEFINE_TEST(small_hole_dynamic_partial, struct test_small_hole, STRUCT, DYNAMIC_PARTIAL); +DEFINE_TEST(big_hole_dynamic_partial, struct test_big_hole, STRUCT, DYNAMIC_PARTIAL); + +DEFINE_TEST(small_hole_dynamic_all, struct test_small_hole, STRUCT, DYNAMIC_ALL); +DEFINE_TEST(big_hole_dynamic_all, struct test_big_hole, STRUCT, DYNAMIC_ALL); + +/* Runtime initialization: padding may be left uninitialized. */ +DEFINE_TEST(small_hole_runtime_partial, struct test_small_hole, STRUCT, RUNTIME_PARTIAL); +DEFINE_TEST(big_hole_runtime_partial, struct test_big_hole, STRUCT, RUNTIME_PARTIAL); + +DEFINE_TEST(small_hole_runtime_all, struct test_small_hole, STRUCT, RUNTIME_ALL); +DEFINE_TEST(big_hole_runtime_all, struct test_big_hole, STRUCT, RUNTIME_ALL); + +/* No initialization without compiler instrumentation. */ +DEFINE_TEST(u8, u8, SCALAR, NONE); +DEFINE_TEST(u16, u16, SCALAR, NONE); +DEFINE_TEST(u32, u32, SCALAR, NONE); +DEFINE_TEST(u64, u64, SCALAR, NONE); +DEFINE_TEST(char_array, unsigned char, STRING, NONE); +DEFINE_TEST(small_hole, struct test_small_hole, STRUCT, NONE); +DEFINE_TEST(big_hole, struct test_big_hole, STRUCT, NONE); +DEFINE_TEST(user, struct test_user, STRUCT, NONE); + +static int __init test_stackinit_init(void) +{ + unsigned int failures = 0; + + /* These are explicitly initialized and should always pass. */ + failures += test_u8_zero(); + failures += test_u16_zero(); + failures += test_u32_zero(); + failures += test_u64_zero(); + failures += test_char_array_zero(); + failures += test_small_hole_zero(); + failures += test_big_hole_zero(); + failures += test_packed_zero(); + + /* Padding here appears to be accidentally always initialized. */ + failures += test_small_hole_dynamic_partial(); + failures += test_big_hole_dynamic_partial(); + failures += test_packed_static_partial(); + + /* Padding initialization depends on compiler behaviors. */ + failures += test_small_hole_static_partial(); + failures += test_big_hole_static_partial(); + failures += test_small_hole_static_all(); + failures += test_big_hole_static_all(); + failures += test_small_hole_dynamic_all(); + failures += test_big_hole_dynamic_all(); + failures += test_small_hole_runtime_partial(); + failures += test_big_hole_runtime_partial(); + failures += test_small_hole_runtime_all(); + failures += test_big_hole_runtime_all(); + + /* STACKINIT should cover everything from here down. */ + failures += test_u8(); + failures += test_u16(); + failures += test_u32(); + failures += test_u64(); + failures += test_char_array(); + + /* STRUCTLEAK_BYREF_ALL should cover from here down. */ + failures += test_small_hole(); + failures += test_big_hole(); + + /* STRUCTLEAK should cover this. */ + failures += test_user(); + + if (failures == 0) + pr_info("all tests passed!\n"); + else + pr_err("failures: %u\n", failures); + + return failures ? -EINVAL : 0; +} +module_init(test_stackinit_init); + +static void __exit test_stackinit_exit(void) +{ } +module_exit(test_stackinit_exit); + +MODULE_LICENSE("GPL");