Bug 208461

Summary: FAULT_INJECTION: fail copy_to/from_user
Product: Memory Management    Reporter: Dmitry Vyukov (dvyukov)
Component: Sanitizers    Assignee: MM/Sanitizers virtual assignee (mm_sanitizers)
Status: RESOLVED CODE_FIX
Severity: normal    CC: kasan-dev
Priority: P1
Hardware: All
OS: Linux
Kernel Version: ALL    Subsystem:
Regression: No    Bisected commit-id:

Description Dmitry Vyukov 2020-07-06 07:52:36 UTC
See https://lkml.org/lkml/2020/4/13/870 for motivation.
copy_to/from_user is another very common set of infrastructure functions that can fail. It would be useful to support them in the fault injection facility for testing purposes. As opposed to most other failure sites, these are easily triggerable by the user, so any bugs uncovered are higher-severity.

copy_to/from_user return not just an error, but also the number of bytes that were not copied. While returning a different number of values may result in new code paths/bugs, this does not seem to be widely used. I found one case where the returned number is really used -- kfifo_copy_from_user. But generally all callers just check for success/failure. So I don't think it's worth supporting in systematic mode. These subtler cases should be tested with unit-tests.

Need to be careful to handle all variations of copy_to/from_user: put/get, with underscores, etc.
Comment 1 Dmitry Vyukov 2020-07-06 07:53:49 UTC
Adding this capability to FAULT_INJECTION will make syzkaller auto-magically systematically test all failure sites.
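A constructed user-space model of what the Description and Comment 1 describe, added here as an illustration (not kernel code, not the reporter's or the eventual patch's code): a copy_from_user() stand-in guarded by a fail-nth style counter, failing all-or-nothing as proposed for systematic mode, and a sweep that arms the counter for n = 1, 2, ... so every usercopy failure site in a two-site handler is hit exactly once, the way a systematic fault-injection run covers failure sites. The names fail_nth, copy_from_user_model(), handle_request() and count_failure_sites() are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Per-task fail-nth knob model: 0 disables injection; N fails the Nth usercopy
 * call once, then disarms. Hypothetical user-space model, not kernel code. */
static unsigned int fail_nth;
static bool should_fail_usercopy(void) { return fail_nth != 0 && --fail_nth == 0; }

/* copy_from_user() stand-in: returns bytes NOT copied, 0 on success. An
 * injected failure copies nothing (all-or-nothing, no partial counts). */
static size_t copy_from_user_model(void *to, const void *from, size_t n)
{
    if (should_fail_usercopy())
        return n;
    memcpy(to, from, n);
    return 0;
}

/* Hypothetical handler with two usercopy failure sites; like most callers it
 * only tests for nonzero. Returns the payload length or -errno. */
static int handle_request(const unsigned int *ulen, const char *upayload, char *out)
{
    unsigned int len;
    if (copy_from_user_model(&len, ulen, sizeof(len)))
        return -EFAULT;                                 /* failure site 1 */
    if (len > 16)
        return -EINVAL;                                 /* out[] holds 16 bytes */
    if (copy_from_user_model(out, upayload, len))
        return -EFAULT;                                 /* failure site 2 */
    return (int)len;
}

/* Systematic sweep: arm fail-nth for n = 1, 2, ... until a run ends with the
 * counter still armed (fewer than n copies); each site fails exactly once. */
static int count_failure_sites(void)
{
    unsigned int ulen = 5;                 /* constructed "user" input */
    char out[16];
    int sites = 0;
    for (unsigned int n = 1; ; n++) {
        fail_nth = n;
        if (handle_request(&ulen, "hello", out) == -EFAULT)
            sites++;                       /* this run hit an injected failure */
        if (fail_nth != 0)
            break;                         /* no nth copy existed: sweep complete */
    }
    fail_nth = 0;
    return sites;                          /* number of failure sites exercised */
}
```

With two copy sites the sweep takes three runs: the first two each fail one site, the third completes with the counter still armed and ends the sweep.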
Comment 2 Dmitry Vyukov 2020-07-19 11:01:50 UTC
Also see related:
FAULT_INJECTION: fail LSM hooks
https://bugzilla.kernel.org/show_bug.cgi?id=208607
Comment 3 Dmitry Vyukov 2020-12-01 08:04:28 UTC
This is implemented by Albert van der Linde:
2c739ced5886 lib, include/linux: add usercopy failure capability