From: Kees Cook
Date: Mon, 12 Feb 2018 15:43:56 -0800
Subject: Re: [PATCH 5/6] Pmalloc: self-test
To: Igor Stoppa
Cc: Matthew Wilcox, Randy Dunlap, Jonathan Corbet, Michal Hocko, Laura Abbott, Jerome Glisse, Christoph Hellwig, Christoph Lameter, linux-security-module, Linux-MM, LKML, Kernel Hardening
In-Reply-To: <20180212165301.17933-6-igor.stoppa@huawei.com>
References: <20180212165301.17933-1-igor.stoppa@huawei.com> <20180212165301.17933-6-igor.stoppa@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Feb 12, 2018 at 8:53 AM, Igor Stoppa wrote:
> Add basic self-test functionality for pmalloc.
> > Signed-off-by: Igor Stoppa > --- > mm/Kconfig | 9 ++++++++ > mm/Makefile | 1 + > mm/pmalloc-selftest.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++ > mm/pmalloc-selftest.h | 24 +++++++++++++++++++ > mm/pmalloc.c | 2 ++ > 5 files changed, 100 insertions(+) > create mode 100644 mm/pmalloc-selftest.c > create mode 100644 mm/pmalloc-selftest.h > > diff --git a/mm/Kconfig b/mm/Kconfig > index be578fbdce6d..098aefef78b1 100644 > --- a/mm/Kconfig > +++ b/mm/Kconfig > @@ -766,3 +766,12 @@ config PROTECTABLE_MEMORY > depends on ARCH_HAS_SET_MEMORY > select GENERIC_ALLOCATOR > default y > + > +config PROTECTABLE_MEMORY_SELFTEST > + bool "Run self test for pmalloc memory allocator" > + depends on ARCH_HAS_SET_MEMORY > + select PROTECTABLE_MEMORY > + default n > + help > + Tries to verify that pmalloc works correctly and that the memory > + is effectively protected. > diff --git a/mm/Makefile b/mm/Makefile > index 959fdbdac118..f7bbbfde6967 100644 > --- a/mm/Makefile > +++ b/mm/Makefile > @@ -66,6 +66,7 @@ obj-$(CONFIG_SPARSEMEM_VMEMMAP) += sparse-vmemmap.o > obj-$(CONFIG_SLOB) += slob.o > obj-$(CONFIG_MMU_NOTIFIER) += mmu_notifier.o > obj-$(CONFIG_PROTECTABLE_MEMORY) += pmalloc.o > +obj-$(CONFIG_PROTECTABLE_MEMORY_SELFTEST) += pmalloc-selftest.o Nit: self-test modules are traditionally named "test_$thing.o" (outside of the tools/ directory). > obj-$(CONFIG_KSM) += ksm.o > obj-$(CONFIG_PAGE_POISONING) += page_poison.o > obj-$(CONFIG_SLAB) += slab.o > diff --git a/mm/pmalloc-selftest.c b/mm/pmalloc-selftest.c > new file mode 100644 > index 000000000000..97ba52d17f69 > --- /dev/null > +++ b/mm/pmalloc-selftest.c 
> @@ -0,0 +1,64 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * pmalloc-selftest.c > + * > + * (C) Copyright 2018 Huawei Technologies Co. Ltd. > + * Author: Igor Stoppa > + */ > + > +#include > +#include > + > +#include "pmalloc-selftest.h" > + > +#define SIZE_1 (PAGE_SIZE * 3) > +#define SIZE_2 1000 > + > +#define validate_alloc(expected, variable, size) \ > + pr_notice("must be " expected ": %s", \ > + is_pmalloc_object(variable, size) > 0 ? "ok" : "no") > + > +#define is_alloc_ok(variable, size) \ > + validate_alloc("ok", variable, size) > + > +#define is_alloc_no(variable, size) \ > + validate_alloc("no", variable, size) > + > +void pmalloc_selftest(void) > +{ > + struct gen_pool *pool_unprot; > + struct gen_pool *pool_prot; > + void *var_prot, *var_unprot, *var_vmall; > + > + pr_notice("pmalloc self-test"); > + pool_unprot = pmalloc_create_pool("unprotected", 0); > + pool_prot = pmalloc_create_pool("protected", 0); > + BUG_ON(!(pool_unprot && pool_prot)); > + > + var_unprot = pmalloc(pool_unprot, SIZE_1 - 1, GFP_KERNEL); > + var_prot = pmalloc(pool_prot, SIZE_1, GFP_KERNEL); > + *(int *)var_prot = 0; > + var_vmall = vmalloc(SIZE_2); > + is_alloc_ok(var_unprot, 10); > + is_alloc_ok(var_unprot, SIZE_1); > + is_alloc_ok(var_unprot, PAGE_SIZE); > + is_alloc_no(var_unprot, SIZE_1 + 1); > + is_alloc_no(var_vmall, 10); > + > + > + pfree(pool_unprot, var_unprot); > + vfree(var_vmall); > + > + pmalloc_protect_pool(pool_prot); > + > + /* > + * This will intentionally trigger a WARN because the pool being > + * destroyed is not protected, which is unusual and should happen > + * on error paths only, where probably other warnings are already > + * displayed. > + */ > + pmalloc_destroy_pool(pool_unprot); > + > + /* This must not cause WARNings */ > + pmalloc_destroy_pool(pool_prot); > +} I wonder if lkdtm should grow a test too, to validate the RO-ness of the allocations at the right time in API usage? Otherwise, yay! Selftests! -Kees 
> diff --git a/mm/pmalloc-selftest.h b/mm/pmalloc-selftest.h > new file mode 100644 > index 000000000000..58a5a0cbec14 > --- /dev/null > +++ b/mm/pmalloc-selftest.h > @@ -0,0 +1,24 @@ > +/* SPDX-License-Identifier: GPL-2.0 */ > +/* > + * pmalloc-selftest.h > + * > + * (C) Copyright 2018 Huawei Technologies Co. Ltd. > + * Author: Igor Stoppa > + */ > + > + > +#ifndef __MM_PMALLOC_SELFTEST_H > +#define __MM_PMALLOC_SELFTEST_H > + > + > +#ifdef CONFIG_PROTECTABLE_MEMORY_SELFTEST > + > +void pmalloc_selftest(void); > + > +#else > + > +static inline void pmalloc_selftest(void){}; > + > +#endif > + > +#endif > diff --git a/mm/pmalloc.c b/mm/pmalloc.c > index abddba90a9f6..eb445c574b19 100644 > --- a/mm/pmalloc.c > +++ b/mm/pmalloc.c > @@ -22,6 +22,7 @@ > #include > > #include > +#include "pmalloc-selftest.h" > /* > * pmalloc_data contains the data specific to a pmalloc pool, > * in a format compatible with the design of gen_alloc. > @@ -494,6 +495,7 @@ static int __init pmalloc_late_init(void) > } > } > mutex_unlock(&pmalloc_mutex); > + pmalloc_selftest(); > return 0; > } > late_initcall(pmalloc_late_init); > -- > 2.14.1 > -- Kees Cook Pixel Security
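
Review bot: In the mm/Kconfig hunk, PROTECTABLE_MEMORY_SELFTEST repeats "depends on ARCH_HAS_SET_MEMORY" and then uses "select PROTECTABLE_MEMORY"; a plain "depends on PROTECTABLE_MEMORY" would avoid duplicating the dependency and avoid force-enabling the allocator from a test option. "default n" is the implicit default and can be dropped. The help text should also state that the test runs at every boot from pmalloc_late_init() and deliberately triggers a WARN, which matters to anyone booting with panic_on_warn set.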
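
Review bot: In mm/pmalloc-selftest.c, validate_alloc() prints the expected string next to the actual result but never compares the two, so is_alloc_ok() and is_alloc_no() cannot fail and a regression is visible only to someone reading the log. Have the macro compare the is_pmalloc_object() result with the expected outcome and WARN or return an error on mismatch. In pmalloc_selftest(), the return values of pmalloc() and vmalloc() are used unchecked ("*(int *)var_prot = 0;" can dereference NULL), and BUG_ON() on pool creation failure is heavy for an optional boot-time test; check and bail out instead. var_unprot is allocated with SIZE_1 - 1 bytes, yet "is_alloc_ok(var_unprot, SIZE_1)" expects success, so a comment on the granularity that is_pmalloc_object() checks is needed. Nothing after pmalloc_protect_pool(pool_prot) verifies that the pool has become read-only, and the pr_notice() format strings lack a trailing newline.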
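
Review bot: In mm/pmalloc-selftest.h, the stub "static inline void pmalloc_selftest(void){};" ends with a stray semicolon after the function body, which is an empty declaration at file scope; write it as "static inline void pmalloc_selftest(void) { }". The doubled blank lines before "#ifndef __MM_PMALLOC_SELFTEST_H" and after the "#define" can be reduced to one, and the two closing "#endif" lines would read better with a comment naming the condition each one closes.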
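
Review bot: In the pmalloc_late_init() hunk of mm/pmalloc.c, pmalloc_selftest() returns void and its outcome is discarded, so the initcall returns 0 whatever the test found. Consider having the self-test return an int and at least logging a clear pass or fail line at the call site. In the first hunk of the same file, the new "#include "pmalloc-selftest.h"" sits directly against the following block comment; a blank line between them would match the rest of the file.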