1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2024 Red Hat, Inc.
4 */
5
6 /*\
7 * [Description]
8 *
9 * Utilize kernel's symbol table for unauthorized address access.
10 *
11 * Access the system symbols with root permission to test whether it's
12 * possible to read and write the memory addresses of kernel-space
13 * from user-space. This helps in identifying potential vulnerabilities
14 * where user-space processes can inappropriately access kernel memory.
15 *
16 * Steps:
17 *
18 * 1. Start a process that reads all symbols and their addresses from
19 * /proc/kallsyms and stores them in a linked list.
20 *
21 * 2. Attempt to write to each kernel address found in the linked list.
22 * The expectation is that each attempt will fail with a SIGSEGV
23 * (segmentation fault), indicating that the user-space process
24 * cannot write to kernel memory.
25 *
26 * 3. Handle each SIGSEGV using a signal handler that sets a flag and
27 * long jumps out of the faulting context.
28 *
29 * 4. If any write operation does not result in a SIGSEGV, log this as
30 * a potential security vulnerability.
31 *
32 * 5. Observe and log the behavior and any system responses to these
33 * unauthorized access attempts.
34 */
35
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <assert.h>
39 #include <unistd.h>
40 #include <string.h>
41 #include <setjmp.h>
42 #include <signal.h>
43
44 #include "tst_test.h"
45 #include "tst_safe_stdio.h"
46
47 struct kallsym {
48 unsigned long addr;
49 char type;
50 char name[128];
51 };
52
53 struct range_struct {
54 unsigned long start, end;
55
56 };
57
58 static struct kallsym *sym_table;
59 static unsigned int nr_symbols;
60 static sigjmp_buf jmpbuf;
61 volatile sig_atomic_t segv_caught;
62 static struct range_struct *ranges;
63 static int ranges_size, ranges_len;
64
segv_handler(int sig)65 static void segv_handler(int sig)
66 {
67 if (sig == SIGSEGV)
68 segv_caught++;
69 else
70 tst_res(TFAIL, "Unexpected signal %s", strsignal(sig));
71
72 siglongjmp(jmpbuf, 1);
73 }
74
read_kallsyms(struct kallsym * table,unsigned int table_size)75 static unsigned int read_kallsyms(struct kallsym *table, unsigned int table_size)
76 {
77 char *line = NULL;
78 size_t len = 0;
79 unsigned int nr_syms = 0;
80 FILE *stream = SAFE_FOPEN("/proc/kallsyms", "r");
81
82 while (getline(&line, &len, stream) != -1) {
83
84 if (table && nr_syms < table_size) {
85 sscanf(line, "%lx %c %s",
86 &table[nr_syms].addr,
87 &table[nr_syms].type,
88 table[nr_syms].name);
89 }
90
91 nr_syms++;
92 }
93
94 SAFE_FCLOSE(stream);
95
96 return nr_syms;
97 }
98
read_proc_self_maps(void)99 static void read_proc_self_maps(void)
100 {
101 FILE *fp;
102
103 ranges_len = 0;
104 fp = fopen("/proc/self/maps", "r");
105 if (fp == NULL)
106 tst_brk(TBROK | TERRNO, "Failed to open /proc/self/maps.");
107
108 while (!feof(fp)) {
109 unsigned long start, end;
110 int ret;
111
112 ret = fscanf(fp, "%lx-%lx %*[^\n]\n", &start, &end);
113 if (ret != 2) {
114 fclose(fp);
115 tst_brk(TBROK | TERRNO, "Couldn't parse /proc/self/maps line.");
116 }
117
118 if (ranges_size < ranges_len + 1) {
119 ranges_size += 128;
120 ranges = SAFE_REALLOC(ranges,
121 ranges_size*sizeof(struct range_struct));
122 }
123 ranges[ranges_len].start = start;
124 ranges[ranges_len].end = end;
125 ranges_len++;
126 }
127
128 fclose(fp);
129 }
130
is_address_mapped(unsigned long addr)131 static int is_address_mapped(unsigned long addr)
132 {
133 int i;
134
135 for (i = 0; i < ranges_len; i++) {
136 if (ranges[i].start <= addr && addr < ranges[i].end)
137 return 1;
138 }
139 return 0;
140 }
141
setup(void)142 static void setup(void)
143 {
144 struct sigaction sa;
145 memset(&sa, 0, sizeof(sa));
146 sa.sa_handler = segv_handler;
147 sigaction(SIGSEGV, &sa, NULL);
148
149 nr_symbols = read_kallsyms(NULL, 0);
150 sym_table = SAFE_CALLOC(nr_symbols, sizeof(*sym_table));
151 unsigned int read_symbols = read_kallsyms(sym_table, nr_symbols);
152
153 if (nr_symbols != read_symbols)
154 tst_res(TWARN, "/proc/kallsyms changed size!?");
155 }
156
access_ksymbols_address(struct kallsym * table)157 static void access_ksymbols_address(struct kallsym *table)
158 {
159 tst_res(TDEBUG, "Access kernel addr: 0x%lx (%c) (%s)",
160 table->addr, table->type, table->name);
161
162 if (sigsetjmp(jmpbuf, 1) == 0) {
163 *(volatile unsigned long *)table->addr = 0;
164
165 tst_res(TFAIL, "Successfully accessed kernel addr 0x%lx (%c) (%s)",
166 table->addr, table->type, table->name);
167 }
168 }
169
170
test_access_kernel_address(void)171 static void test_access_kernel_address(void)
172 {
173 int skipped = 0;
174
175 segv_caught = 0;
176 read_proc_self_maps();
177
178 for (unsigned int i = 0; i < nr_symbols; i++) {
179 if (is_address_mapped(sym_table[i].addr)) {
180 tst_res(TDEBUG, "Skipping userspace mapped address 0x%lx",
181 sym_table[i].addr);
182 skipped++;
183 continue;
184 }
185 access_ksymbols_address(&sym_table[i]);
186 }
187
188 if (segv_caught == (sig_atomic_t)nr_symbols - skipped)
189 tst_res(TPASS, "Caught %d SIGSEGV in access ksymbols addr, skipped %d",
190 segv_caught, skipped);
191 else
192 tst_res(TFAIL, "Caught %d SIGSEGV but expected %d, skipped %d",
193 segv_caught, nr_symbols-skipped, skipped);
194 }
195
cleanup(void)196 static void cleanup(void)
197 {
198 if (sym_table)
199 free(sym_table);
200 }
201
202 static struct tst_test test = {
203 .needs_root = 1,
204 .setup = setup,
205 .cleanup = cleanup,
206 .timeout = 60,
207 .needs_kconfigs = (const char *const[]){
208 "CONFIG_KALLSYMS=y",
209 NULL
210 },
211 .test_all = test_access_kernel_address,
212 };
213