1 /*
2  * Copyright (c) 2017 Intel Corporation
3  *
4  * SPDX-License-Identifier: Apache-2.0
5  */
6 
7 #include <zephyr/kernel.h>
8 #include <zephyr/internal/syscall_handler.h>
9 #include <zephyr/ztest.h>
10 #include <kernel_internal.h>
11 
12 #define SEM_ARRAY_SIZE	16
13 
14 /* Show that extern declarations don't interfere with detecting kernel
15  * objects, this was at one point a problem.
16  */
17 extern struct k_sem sem1;
18 
19 static struct k_sem semarray[SEM_ARRAY_SIZE];
20 static struct k_sem *dyn_sem[SEM_ARRAY_SIZE];
21 
22 static struct k_mutex *test_dyn_mutex;
23 
24 K_SEM_DEFINE(sem1, 0, 1);
25 static struct k_sem sem2;
26 static char bad_sem[sizeof(struct k_sem)];
27 static struct k_sem sem3;
28 
test_object(struct k_sem * sem,int retval)29 static int test_object(struct k_sem *sem, int retval)
30 {
31 	int ret;
32 
33 	if (retval) {
34 		/* Expected to fail; bypass k_object_validation_check() so we don't
35 		 * fill the logs with spam
36 		 */
37 		ret = k_object_validate(k_object_find(sem), K_OBJ_SEM, 0);
38 	} else {
39 		ret = k_object_validation_check(k_object_find(sem), sem,
40 					    K_OBJ_SEM, 0);
41 	}
42 
43 	if (ret != retval) {
44 		TC_PRINT("FAIL check of %p is not %d, got %d instead\n", sem,
45 			 retval, ret);
46 		return 1;
47 	}
48 	return 0;
49 }
50 
object_permission_checks(struct k_sem * sem,bool skip_init)51 void object_permission_checks(struct k_sem *sem, bool skip_init)
52 {
53 	/* Should fail because we don't have perms on this object */
54 	zassert_false(test_object(sem, -EPERM),
55 		      "object should not have had permission granted");
56 
57 	k_object_access_grant(sem, k_current_get());
58 
59 	if (!skip_init) {
60 		/* Should fail, not initialized and we have no permissions */
61 		zassert_false(test_object(sem, -EINVAL),
62 			      "object should not have been initialized");
63 		k_sem_init(sem, 0, 1);
64 	}
65 
66 	/* This should succeed now */
67 	zassert_false(test_object(sem, 0),
68 		      "object should have had sufficient permissions");
69 }
70 
71 /**
72  * @brief Test to verify object permission
73  *
74  * @details
75  * - The kernel must be able to associate kernel object memory addresses
76  *   with whether the calling thread has access to that object, the object is
77  *   of the expected type, and the object is of the expected init state.
78  * - Test support freeing kernel objects allocated at runtime manually.
79  *
80  * @ingroup kernel_memprotect_tests
81  *
82  * @see k_object_alloc(), k_object_access_grant()
83  */
ZTEST(object_validation,test_generic_object)84 ZTEST(object_validation, test_generic_object)
85 {
86 	struct k_sem stack_sem;
87 
88 	/* None of these should be even in the table */
89 	zassert_false(test_object(&stack_sem, -EBADF));
90 	zassert_false(test_object((struct k_sem *)&bad_sem, -EBADF));
91 	zassert_false(test_object((struct k_sem *)0xFFFFFFFF, -EBADF));
92 	object_permission_checks(&sem3, false);
93 	object_permission_checks(&sem1, true);
94 	object_permission_checks(&sem2, false);
95 
96 	for (int i = 0; i < SEM_ARRAY_SIZE; i++) {
97 		object_permission_checks(&semarray[i], false);
98 		dyn_sem[i] = k_object_alloc(K_OBJ_SEM);
99 		zassert_not_null(dyn_sem[i], "couldn't allocate semaphore");
100 		/* Give an extra reference to another thread so the object
101 		 * doesn't disappear if we revoke our own
102 		 */
103 		k_object_access_grant(dyn_sem[i], &z_main_thread);
104 	}
105 
106 	/* dynamic object table well-populated with semaphores at this point */
107 	for (int i = 0; i < SEM_ARRAY_SIZE; i++) {
108 		/* Should have permission granted but be uninitialized */
109 		zassert_false(test_object(dyn_sem[i], -EINVAL));
110 		k_object_access_revoke(dyn_sem[i], k_current_get());
111 		object_permission_checks(dyn_sem[i], false);
112 		k_object_free(dyn_sem[i]);
113 		zassert_false(test_object(dyn_sem[i], -EBADF));
114 	}
115 }
116 
117 /**
118  * @brief Test requestor thread will implicitly be assigned permission on the
119  * dynamically allocated object
120  *
121  * @details
122  * - Create kernel object semaphore, dynamically allocate it from the calling
123  *   thread's resource pool.
124  * - Check that object's address is in bounds of that memory pool.
125  * - Then check the requestor thread will implicitly be assigned permission on
126  *   the allocated object by using semaphore API k_sem_init()
127  *
128  * @ingroup kernel_memprotect_tests
129  *
130  * @see k_object_alloc()
131  */
ZTEST(object_validation,test_kobj_assign_perms_on_alloc_obj)132 ZTEST(object_validation, test_kobj_assign_perms_on_alloc_obj)
133 {
134 	static struct k_sem *test_dyn_sem;
135 	struct k_thread *thread = arch_current_thread();
136 
137 	uintptr_t start_addr, end_addr;
138 	size_t size_heap = K_HEAP_MEM_POOL_SIZE;
139 
140 	/* dynamically allocate kernel object semaphore */
141 	test_dyn_sem = k_object_alloc(K_OBJ_SEM);
142 	zassert_not_null(test_dyn_sem, "Cannot allocate sem k_object");
143 
144 	start_addr = *((uintptr_t *)(void *)thread->resource_pool);
145 	end_addr = start_addr + size_heap;
146 
147 	/* check semaphore initialized within thread's mem pool address space */
148 	zassert_true(((uintptr_t)test_dyn_sem > start_addr) &&
149 				 ((uintptr_t)test_dyn_sem < end_addr),
150 				 "semaphore object not in bound of thread's memory pool");
151 
152 	/* try to init that object, thread should have permissions implicitly */
153 	k_sem_init(test_dyn_sem, 1, 1);
154 }
155 
156 /**
157  * @brief Test dynamically allocated kernel object release memory
158  *
159  * @details Dynamically allocated kernel objects whose access is controlled by
160  * the permission system will use object permission as a reference count.
161  * If no threads have access to an object, the object's memory released.
162  *
163  * @ingroup kernel_memprotect_tests
164  *
165  * @see k_object_alloc()
166  */
ZTEST(object_validation,test_no_ref_dyn_kobj_release_mem)167 ZTEST(object_validation, test_no_ref_dyn_kobj_release_mem)
168 {
169 	int ret;
170 
171 	/* dynamically allocate kernel object mutex */
172 	test_dyn_mutex = k_object_alloc(K_OBJ_MUTEX);
173 	zassert_not_null(test_dyn_mutex,
174 					 "Can not allocate dynamic kernel object");
175 
176 	struct k_thread *thread = arch_current_thread();
177 
178 	/* revoke access from the current thread */
179 	k_object_access_revoke(test_dyn_mutex, thread);
180 
181 	/* check object was released, when no threads have access to it */
182 	ret = k_object_validate(k_object_find(test_dyn_mutex), K_OBJ_MUTEX, 0);
183 	zassert_true(ret == -EBADF, "Dynamic kernel object not released");
184 }
185 
object_validation_setup(void)186 void *object_validation_setup(void)
187 {
188 	k_thread_system_pool_assign(k_current_get());
189 
190 	return NULL;
191 }
192 
193 ZTEST_SUITE(object_validation, NULL, object_validation_setup, NULL, NULL, NULL);
194