2019-06-04 10:11:33 +02:00
// SPDX-License-Identifier: GPL-2.0-only
2015-02-13 14:39:53 -08:00
/*
*
* Copyright ( c ) 2014 Samsung Electronics Co . , Ltd .
* Author : Andrey Ryabinin < a . ryabinin @ samsung . com >
*/
2023-10-06 17:18:43 +02:00
# define pr_fmt(fmt) "kasan: test: " fmt
2022-09-27 19:09:09 +02:00
# include <kunit/test.h>
2019-07-11 20:53:52 -07:00
# include <linux/bitops.h>
2017-02-24 15:00:08 -08:00
# include <linux/delay.h>
2022-09-27 19:09:09 +02:00
# include <linux/io.h>
2019-07-11 20:53:52 -07:00
# include <linux/kasan.h>
2015-02-13 14:39:53 -08:00
# include <linux/kernel.h>
2023-12-19 23:29:00 +01:00
# include <linux/mempool.h>
2016-05-20 16:59:34 -07:00
# include <linux/mm.h>
2019-07-11 20:53:52 -07:00
# include <linux/mman.h>
# include <linux/module.h>
2015-02-13 14:39:53 -08:00
# include <linux/printk.h>
2021-02-24 12:05:21 -08:00
# include <linux/random.h>
2022-09-27 19:09:09 +02:00
# include <linux/set_memory.h>
2015-02-13 14:39:53 -08:00
# include <linux/slab.h>
# include <linux/string.h>
2022-09-27 19:09:09 +02:00
# include <linux/tracepoint.h>
2016-05-20 16:59:34 -07:00
# include <linux/uaccess.h>
2019-11-30 17:54:53 -08:00
# include <linux/vmalloc.h>
2022-09-27 19:09:09 +02:00
# include <trace/events/printk.h>
2019-09-23 15:34:16 -07:00
# include <asm/page.h>
2015-02-13 14:39:53 -08:00
2022-09-06 00:18:36 +02:00
# include "kasan.h"
2020-08-06 23:24:54 -07:00
2020-12-22 12:00:24 -08:00
# define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
2020-08-06 23:24:54 -07:00
2022-09-27 19:09:09 +02:00
static bool multishot ;
/* Fields set based on lines observed in the console. */
static struct {
bool report_found ;
bool async_fault ;
} test_status ;
kasan: stop tests being eliminated as dead code with FORTIFY_SOURCE
Patch series "Fix some incompatibilites between KASAN and FORTIFY_SOURCE", v4.
3 KASAN self-tests fail on a kernel with both KASAN and FORTIFY_SOURCE:
memchr, memcmp and strlen.
When FORTIFY_SOURCE is on, a number of functions are replaced with
fortified versions, which attempt to check the sizes of the operands.
However, these functions often directly invoke __builtin_foo() once they
have performed the fortify check. The compiler can detect that the
results of these functions are not used, and knows that they have no other
side effects, and so can eliminate them as dead code.
Why are only memchr, memcmp and strlen affected?
================================================
Of string and string-like functions, kasan_test tests:
* strchr -> not affected, no fortified version
* strrchr -> likewise
* strcmp -> likewise
* strncmp -> likewise
* strnlen -> not affected, the fortify source implementation calls the
underlying strnlen implementation which is instrumented, not
a builtin
* strlen -> affected, the fortify souce implementation calls a __builtin
version which the compiler can determine is dead.
* memchr -> likewise
* memcmp -> likewise
* memset -> not affected, the compiler knows that memset writes to its
first argument and therefore is not dead.
Why does this not affect the functions normally?
================================================
In string.h, these functions are not marked as __pure, so the compiler
cannot know that they do not have side effects. If relevant functions are
marked as __pure in string.h, we see the following warnings and the
functions are elided:
lib/test_kasan.c: In function `kasan_memchr':
lib/test_kasan.c:606:2: warning: statement with no effect [-Wunused-value]
memchr(ptr, '1', size + 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~
lib/test_kasan.c: In function `kasan_memcmp':
lib/test_kasan.c:622:2: warning: statement with no effect [-Wunused-value]
memcmp(ptr, arr, size+1);
^~~~~~~~~~~~~~~~~~~~~~~~
lib/test_kasan.c: In function `kasan_strings':
lib/test_kasan.c:645:2: warning: statement with no effect [-Wunused-value]
strchr(ptr, '1');
^~~~~~~~~~~~~~~~
...
This annotation would make sense to add and could be added at any point,
so the behaviour of test_kasan.c should change.
The fix
=======
Make all the functions that are pure write their results to a global,
which makes them live. The strlen and memchr tests now pass.
The memcmp test still fails to trigger, which is addressed in the next
patch.
[dja@axtens.net: drop patch 3]
Link: http://lkml.kernel.org/r/20200424145521.8203-2-dja@axtens.net
Fixes: 0c96350a2d2f ("lib/test_kasan.c: add tests for several string/memory API functions")
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: David Gow <davidgow@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Link: http://lkml.kernel.org/r/20200423154503.5103-1-dja@axtens.net
Link: http://lkml.kernel.org/r/20200423154503.5103-2-dja@axtens.net
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-06-03 15:56:43 -07:00
/*
2021-02-24 12:05:13 -08:00
* Some tests use these global variables to store return values from function
* calls that could otherwise be eliminated by the compiler as dead code .
kasan: stop tests being eliminated as dead code with FORTIFY_SOURCE
Patch series "Fix some incompatibilites between KASAN and FORTIFY_SOURCE", v4.
3 KASAN self-tests fail on a kernel with both KASAN and FORTIFY_SOURCE:
memchr, memcmp and strlen.
When FORTIFY_SOURCE is on, a number of functions are replaced with
fortified versions, which attempt to check the sizes of the operands.
However, these functions often directly invoke __builtin_foo() once they
have performed the fortify check. The compiler can detect that the
results of these functions are not used, and knows that they have no other
side effects, and so can eliminate them as dead code.
Why are only memchr, memcmp and strlen affected?
================================================
Of string and string-like functions, kasan_test tests:
* strchr -> not affected, no fortified version
* strrchr -> likewise
* strcmp -> likewise
* strncmp -> likewise
* strnlen -> not affected, the fortify source implementation calls the
underlying strnlen implementation which is instrumented, not
a builtin
* strlen -> affected, the fortify souce implementation calls a __builtin
version which the compiler can determine is dead.
* memchr -> likewise
* memcmp -> likewise
* memset -> not affected, the compiler knows that memset writes to its
first argument and therefore is not dead.
Why does this not affect the functions normally?
================================================
In string.h, these functions are not marked as __pure, so the compiler
cannot know that they do not have side effects. If relevant functions are
marked as __pure in string.h, we see the following warnings and the
functions are elided:
lib/test_kasan.c: In function `kasan_memchr':
lib/test_kasan.c:606:2: warning: statement with no effect [-Wunused-value]
memchr(ptr, '1', size + 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~
lib/test_kasan.c: In function `kasan_memcmp':
lib/test_kasan.c:622:2: warning: statement with no effect [-Wunused-value]
memcmp(ptr, arr, size+1);
^~~~~~~~~~~~~~~~~~~~~~~~
lib/test_kasan.c: In function `kasan_strings':
lib/test_kasan.c:645:2: warning: statement with no effect [-Wunused-value]
strchr(ptr, '1');
^~~~~~~~~~~~~~~~
...
This annotation would make sense to add and could be added at any point,
so the behaviour of test_kasan.c should change.
The fix
=======
Make all the functions that are pure write their results to a global,
which makes them live. The strlen and memchr tests now pass.
The memcmp test still fails to trigger, which is addressed in the next
patch.
[dja@axtens.net: drop patch 3]
Link: http://lkml.kernel.org/r/20200424145521.8203-2-dja@axtens.net
Fixes: 0c96350a2d2f ("lib/test_kasan.c: add tests for several string/memory API functions")
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: David Gow <davidgow@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Daniel Micay <danielmicay@gmail.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Link: http://lkml.kernel.org/r/20200423154503.5103-1-dja@axtens.net
Link: http://lkml.kernel.org/r/20200423154503.5103-2-dja@axtens.net
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2020-06-03 15:56:43 -07:00
*/
void * kasan_ptr_result ;
2020-10-13 16:55:02 -07:00
int kasan_int_result ;
2022-09-27 19:09:09 +02:00
/* Probe for console output: obtains test_status lines of interest. */
static void probe_console ( void * ignore , const char * buf , size_t len )
{
if ( strnstr ( buf , " BUG: KASAN: " , len ) )
WRITE_ONCE ( test_status . report_found , true ) ;
else if ( strnstr ( buf , " Asynchronous fault: " , len ) )
WRITE_ONCE ( test_status . async_fault , true ) ;
}
2020-10-13 16:55:02 -07:00
2022-09-27 19:09:09 +02:00
static int kasan_suite_init ( struct kunit_suite * suite )
2020-10-13 16:55:02 -07:00
{
2021-02-24 12:06:02 -08:00
if ( ! kasan_enabled ( ) ) {
2022-09-27 19:09:09 +02:00
pr_err ( " Can't run KASAN tests with KASAN disabled " ) ;
2021-02-24 12:06:02 -08:00
return - 1 ;
}
2022-11-30 16:02:03 +01:00
/* Stop failing KUnit tests on KASAN reports. */
kasan_kunit_test_suite_start ( ) ;
2022-09-27 19:09:09 +02:00
/*
* Temporarily enable multi - shot mode . Otherwise , KASAN would only
* report the first detected bug and panic the kernel if panic_on_warn
* is enabled .
*/
2020-10-13 16:55:02 -07:00
multishot = kasan_save_enable_multi_shot ( ) ;
2022-09-27 19:09:09 +02:00
2023-04-13 15:38:59 +05:30
register_trace_console ( probe_console , NULL ) ;
2020-10-13 16:55:02 -07:00
return 0 ;
}
2022-09-27 19:09:09 +02:00
static void kasan_suite_exit ( struct kunit_suite * suite )
2020-10-13 16:55:02 -07:00
{
2022-11-30 16:02:03 +01:00
kasan_kunit_test_suite_end ( ) ;
2020-10-13 16:55:02 -07:00
kasan_restore_multi_shot ( multishot ) ;
2023-04-13 15:38:59 +05:30
unregister_trace_console ( probe_console , NULL ) ;
2022-09-27 19:09:09 +02:00
tracepoint_synchronize_unregister ( ) ;
}
static void kasan_test_exit ( struct kunit * test )
{
KUNIT_EXPECT_FALSE ( test , READ_ONCE ( test_status . report_found ) ) ;
2020-10-13 16:55:02 -07:00
}
/**
2023-10-06 17:18:45 +02:00
* KUNIT_EXPECT_KASAN_FAIL - check that the executed expression produces a
* KASAN report ; causes a KUnit test failure otherwise .
*
* @ test : Currently executing KUnit test .
* @ expression : Expression that must produce a KASAN report .
2021-02-24 12:05:26 -08:00
*
2022-03-24 18:12:02 -07:00
* For hardware tag - based KASAN , when a synchronous tag fault happens , tag
2021-03-15 13:20:19 +00:00
* checking is auto - disabled . When this happens , this test handler reenables
* tag checking . As tag checking can be only disabled or enabled per CPU ,
* this handler disables migration ( preemption ) .
2021-02-24 12:05:34 -08:00
*
2022-03-24 18:12:02 -07:00
* Since the compiler doesn ' t see that the expression can change the test_status
2021-02-24 12:05:34 -08:00
* fields , it can reorder or optimize away the accesses to those fields .
* Use READ / WRITE_ONCE ( ) for the accesses and compiler barriers around the
* expression to prevent that .
2021-04-29 23:00:49 -07:00
*
2022-03-24 18:12:02 -07:00
* In between KUNIT_EXPECT_KASAN_FAIL checks , test_status . report_found is kept
* as false . This allows detecting KASAN reports that happen outside of the
* checks by asserting ! test_status . report_found at the start of
* KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit .
2020-10-13 16:55:02 -07:00
*/
2021-04-29 23:00:49 -07:00
# define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
if ( IS_ENABLED ( CONFIG_KASAN_HW_TAGS ) & & \
2021-10-06 16:47:51 +01:00
kasan_sync_fault_possible ( ) ) \
2021-04-29 23:00:49 -07:00
migrate_disable ( ) ; \
2022-03-24 18:12:02 -07:00
KUNIT_EXPECT_FALSE ( test , READ_ONCE ( test_status . report_found ) ) ; \
2021-04-29 23:00:49 -07:00
barrier ( ) ; \
expression ; \
barrier ( ) ; \
2022-03-24 18:12:02 -07:00
if ( kasan_async_fault_possible ( ) ) \
kasan_force_async_fault ( ) ; \
if ( ! READ_ONCE ( test_status . report_found ) ) { \
kasan: test: improve failure message in KUNIT_EXPECT_KASAN_FAIL()
The KUNIT_EXPECT_KASAN_FAIL() macro currently uses KUNIT_EXPECT_EQ() to
compare fail_data.report_expected and fail_data.report_found. This always
gave a somewhat useless error message on failure, but the addition of
extra compile-time checking with READ_ONCE() has caused it to get much
longer, and be truncated before anything useful is displayed.
Instead, just check fail_data.report_found by hand (we've just set
report_expected to 'true'), and print a better failure message with
KUNIT_FAIL(). Because of this, report_expected is no longer used
anywhere, and can be removed.
Beforehand, a failure in:
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
would have looked like:
[22:00:34] [FAILED] vmalloc_oob
[22:00:34] # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:991
[22:00:34] Expected ({ do { extern void __compiletime_assert_705(void) __attribute__((__error__("Unsupported access size for {READ,WRITE}_ONCE()."))); if (!((sizeof(fail_data.report_expected) == sizeof(char) || sizeof(fail_data.repp
[22:00:34] not ok 45 - vmalloc_oob
With this change, it instead looks like:
[22:04:04] [FAILED] vmalloc_oob
[22:04:04] # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:993
[22:04:04] KASAN failure expected in "((volatile char *)area)[3100]", but none occurred
[22:04:04] not ok 45 - vmalloc_oob
Also update the example failure in the documentation to reflect this.
Link: https://lkml.kernel.org/r/20210606005531.165954-1-davidgow@google.com
Signed-off-by: David Gow <davidgow@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Reviewed-by: Marco Elver <elver@google.com>
Acked-by: Brendan Higgins <brendanhiggins@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Daniel Axtens <dja@axtens.net>
Cc: David Gow <davidgow@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-06-28 19:40:36 -07:00
KUNIT_FAIL ( test , KUNIT_SUBTEST_INDENT " KASAN failure " \
" expected in \" " # expression \
" \" , but none occurred " ) ; \
} \
2022-03-24 18:12:02 -07:00
if ( IS_ENABLED ( CONFIG_KASAN_HW_TAGS ) & & \
kasan_sync_fault_possible ( ) ) { \
if ( READ_ONCE ( test_status . report_found ) & & \
2022-09-27 19:09:09 +02:00
! READ_ONCE ( test_status . async_fault ) ) \
2023-03-11 00:43:30 +01:00
kasan_enable_hw_tags ( ) ; \
2021-04-29 23:00:49 -07:00
migrate_enable ( ) ; \
} \
2022-03-24 18:12:02 -07:00
WRITE_ONCE ( test_status . report_found , false ) ; \
2022-09-27 19:09:09 +02:00
WRITE_ONCE ( test_status . async_fault , false ) ; \
2020-10-13 16:55:02 -07:00
} while ( 0 )
2021-02-24 12:05:17 -08:00
# define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
2021-06-24 23:58:15 -07:00
if ( ! IS_ENABLED ( config ) ) \
kunit_skip ( ( test ) , " Test requires " # config " =y " ) ; \
2021-02-24 12:05:17 -08:00
} while ( 0 )
# define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
2021-06-24 23:58:15 -07:00
if ( IS_ENABLED ( config ) ) \
kunit_skip ( ( test ) , " Test requires " # config " =n " ) ; \
2021-02-24 12:05:17 -08:00
} while ( 0 )
2023-02-24 09:59:41 +01:00
# define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do { \
if ( IS_ENABLED ( CONFIG_KASAN_HW_TAGS ) ) \
break ; /* No compiler instrumentation. */ \
if ( IS_ENABLED ( CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX ) ) \
break ; /* Should always be instrumented! */ \
if ( IS_ENABLED ( CONFIG_GENERIC_ENTRY ) ) \
kunit_skip ( ( test ) , " Test requires checked mem*() " ) ; \
} while ( 0 )
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_right ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
2021-09-02 14:57:32 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE - 5 ;
2015-02-13 14:39:53 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2022-06-08 14:40:24 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-09-02 14:57:32 -07:00
/*
* An unaligned access past the requested kmalloc size .
* Only generic KASAN can precisely detect these .
*/
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ size ] = ' x ' ) ;
/*
* An aligned access into the first out - of - bounds granule that falls
* within the aligned kmalloc object .
*/
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ size + 5 ] = ' y ' ) ;
/* Out-of-bounds access past the aligned kmalloc object. */
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ 0 ] =
ptr [ size + KASAN_GRANULE_SIZE + 5 ] ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_left ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
size_t size = 15 ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2015-02-13 14:39:53 -08:00
2022-06-08 14:40:24 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ptr = * ( ptr - 1 ) ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_node_oob_right ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
size_t size = 4096 ;
ptr = kmalloc_node ( size , GFP_KERNEL , 0 ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2015-02-13 14:39:53 -08:00
2022-06-08 14:40:24 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ 0 ] = ptr [ size ] ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
}
2023-12-19 23:29:02 +01:00
/*
* Check that KASAN detects an out - of - bounds access for a big object allocated
2023-12-21 21:04:52 +01:00
* via kmalloc ( ) . But not as big as to trigger the page_alloc fallback .
2023-12-19 23:29:02 +01:00
*/
static void kmalloc_big_oob_right ( struct kunit * test )
{
char * ptr ;
size_t size = KMALLOC_MAX_CACHE_SIZE - 256 ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
OPTIMIZER_HIDE_VAR ( ptr ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ size ] = 0 ) ;
kfree ( ptr ) ;
}
2021-02-24 12:05:55 -08:00
/*
2023-12-19 23:29:01 +01:00
* The kmalloc_large_ * tests below use kmalloc ( ) to allocate a memory chunk
* that does not fit into the largest slab cache and therefore is allocated via
2023-12-21 21:04:52 +01:00
* the page_alloc fallback .
2021-02-24 12:05:55 -08:00
*/
2023-12-19 23:29:01 +01:00
static void kmalloc_large_oob_right ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 10 ;
2016-03-25 14:21:56 -07:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2022-06-08 14:40:24 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ size + OOB_TAG_OFF ] = 0 ) ;
2021-02-24 12:05:55 -08:00
2016-03-25 14:21:56 -07:00
kfree ( ptr ) ;
}
2018-02-06 15:36:23 -08:00
2023-12-19 23:29:01 +01:00
static void kmalloc_large_uaf ( struct kunit * test )
2018-02-06 15:36:23 -08:00
{
char * ptr ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 10 ;
2020-10-13 16:55:06 -07:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2018-02-06 15:36:23 -08:00
kfree ( ptr ) ;
2021-02-24 12:05:55 -08:00
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ 0 ] ) ;
2018-02-06 15:36:23 -08:00
}
2023-12-19 23:29:01 +01:00
static void kmalloc_large_invalid_free ( struct kunit * test )
2018-02-06 15:36:23 -08:00
{
char * ptr ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 10 ;
2020-10-13 16:55:06 -07:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , kfree ( ptr + 1 ) ) ;
2018-02-06 15:36:23 -08:00
}
2016-03-25 14:21:56 -07:00
2023-12-19 23:29:01 +01:00
static void page_alloc_oob_right ( struct kunit * test )
2021-02-24 12:05:55 -08:00
{
char * ptr ;
struct page * pages ;
size_t order = 4 ;
size_t size = ( 1UL < < ( PAGE_SHIFT + order ) ) ;
/*
* With generic KASAN page allocations have no redzones , thus
* out - of - bounds detection is not guaranteed .
* See https : //bugzilla.kernel.org/show_bug.cgi?id=210503.
*/
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
pages = alloc_pages ( GFP_KERNEL , order ) ;
ptr = page_address ( pages ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ptr [ 0 ] = ptr [ size ] ) ;
2021-02-24 12:05:55 -08:00
free_pages ( ( unsigned long ) ptr , order ) ;
}
2023-12-19 23:29:01 +01:00
static void page_alloc_uaf ( struct kunit * test )
2021-02-24 12:05:55 -08:00
{
char * ptr ;
struct page * pages ;
size_t order = 4 ;
pages = alloc_pages ( GFP_KERNEL , order ) ;
ptr = page_address ( pages ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
free_pages ( ( unsigned long ) ptr , order ) ;
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ 0 ] ) ;
2021-02-24 12:05:55 -08:00
}
2021-02-25 17:20:15 -08:00
static void krealloc_more_oob_helper ( struct kunit * test ,
size_t size1 , size_t size2 )
2015-02-13 14:39:53 -08:00
{
char * ptr1 , * ptr2 ;
2021-02-25 17:20:15 -08:00
size_t middle ;
KUNIT_ASSERT_LT ( test , size1 , size2 ) ;
middle = size1 + ( size2 - size1 ) / 2 ;
2015-02-13 14:39:53 -08:00
ptr1 = kmalloc ( size1 , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
2015-02-13 14:39:53 -08:00
2020-10-13 16:55:06 -07:00
ptr2 = krealloc ( ptr1 , size2 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
2020-08-06 23:24:54 -07:00
2022-09-26 20:08:47 +02:00
/* Suppress -Warray-bounds warnings. */
OPTIMIZER_HIDE_VAR ( ptr2 ) ;
2021-02-25 17:20:15 -08:00
/* All offsets up to size2 must be accessible. */
ptr2 [ size1 - 1 ] = ' x ' ;
ptr2 [ size1 ] = ' x ' ;
ptr2 [ middle ] = ' x ' ;
ptr2 [ size2 - 1 ] = ' x ' ;
/* Generic mode is precise, so unaligned size2 must be inaccessible. */
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 [ size2 ] = ' x ' ) ;
/* For all modes first aligned offset after size2 must be inaccessible. */
KUNIT_EXPECT_KASAN_FAIL ( test ,
ptr2 [ round_up ( size2 , KASAN_GRANULE_SIZE ) ] = ' x ' ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr2 ) ;
}
2021-02-25 17:20:15 -08:00
static void krealloc_less_oob_helper ( struct kunit * test ,
size_t size1 , size_t size2 )
2015-02-13 14:39:53 -08:00
{
char * ptr1 , * ptr2 ;
2021-02-25 17:20:15 -08:00
size_t middle ;
KUNIT_ASSERT_LT ( test , size2 , size1 ) ;
middle = size2 + ( size1 - size2 ) / 2 ;
2015-02-13 14:39:53 -08:00
ptr1 = kmalloc ( size1 , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
2020-08-06 23:24:54 -07:00
2020-10-13 16:55:06 -07:00
ptr2 = krealloc ( ptr1 , size2 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
2020-08-06 23:24:54 -07:00
2022-09-26 20:08:47 +02:00
/* Suppress -Warray-bounds warnings. */
OPTIMIZER_HIDE_VAR ( ptr2 ) ;
2021-02-25 17:20:15 -08:00
/* Must be accessible for all modes. */
ptr2 [ size2 - 1 ] = ' x ' ;
/* Generic mode is precise, so unaligned size2 must be inaccessible. */
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 [ size2 ] = ' x ' ) ;
/* For all modes first aligned offset after size2 must be inaccessible. */
KUNIT_EXPECT_KASAN_FAIL ( test ,
ptr2 [ round_up ( size2 , KASAN_GRANULE_SIZE ) ] = ' x ' ) ;
/*
* For all modes all size2 , middle , and size1 should land in separate
* granules and thus the latter two offsets should be inaccessible .
*/
KUNIT_EXPECT_LE ( test , round_up ( size2 , KASAN_GRANULE_SIZE ) ,
round_down ( middle , KASAN_GRANULE_SIZE ) ) ;
KUNIT_EXPECT_LE ( test , round_up ( middle , KASAN_GRANULE_SIZE ) ,
round_down ( size1 , KASAN_GRANULE_SIZE ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 [ middle ] = ' x ' ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 [ size1 - 1 ] = ' x ' ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 [ size1 ] = ' x ' ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr2 ) ;
}
2021-02-25 17:20:15 -08:00
static void krealloc_more_oob ( struct kunit * test )
{
krealloc_more_oob_helper ( test , 201 , 235 ) ;
}
static void krealloc_less_oob ( struct kunit * test )
{
krealloc_less_oob_helper ( test , 235 , 201 ) ;
}
2023-12-19 23:29:01 +01:00
static void krealloc_large_more_oob ( struct kunit * test )
2021-02-25 17:20:15 -08:00
{
krealloc_more_oob_helper ( test , KMALLOC_MAX_CACHE_SIZE + 201 ,
KMALLOC_MAX_CACHE_SIZE + 235 ) ;
}
2023-12-19 23:29:01 +01:00
static void krealloc_large_less_oob ( struct kunit * test )
2021-02-25 17:20:15 -08:00
{
krealloc_less_oob_helper ( test , KMALLOC_MAX_CACHE_SIZE + 235 ,
KMALLOC_MAX_CACHE_SIZE + 201 ) ;
}
2021-02-25 17:20:19 -08:00
/*
* Check that krealloc ( ) detects a use - after - free , returns NULL ,
* and doesn ' t unpoison the freed object .
*/
static void krealloc_uaf ( struct kunit * test )
{
char * ptr1 , * ptr2 ;
int size1 = 201 ;
int size2 = 235 ;
ptr1 = kmalloc ( size1 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
kfree ( ptr1 ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ptr2 = krealloc ( ptr1 , size2 , GFP_KERNEL ) ) ;
2022-02-11 17:42:44 +01:00
KUNIT_ASSERT_NULL ( test , ptr2 ) ;
2021-02-25 17:20:19 -08:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) ptr1 ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_16 ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
struct {
u64 words [ 2 ] ;
} * ptr1 , * ptr2 ;
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2020-11-01 17:07:37 -08:00
/* This test is specifically crafted for the generic mode. */
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
2020-11-01 17:07:37 -08:00
2024-02-12 12:15:52 +01:00
/* RELOC_HIDE to prevent gcc from warning about short alloc */
ptr1 = RELOC_HIDE ( kmalloc ( sizeof ( * ptr1 ) - 3 , GFP_KERNEL ) , 0 ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
2015-02-13 14:39:53 -08:00
ptr2 = kmalloc ( sizeof ( * ptr2 ) , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
2022-06-08 14:40:24 -07:00
OPTIMIZER_HIDE_VAR ( ptr1 ) ;
OPTIMIZER_HIDE_VAR ( ptr2 ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ptr1 = * ptr2 ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr1 ) ;
kfree ( ptr2 ) ;
}
2020-11-01 17:07:37 -08:00
static void kmalloc_uaf_16 ( struct kunit * test )
{
struct {
u64 words [ 2 ] ;
} * ptr1 , * ptr2 ;
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2020-11-01 17:07:37 -08:00
ptr1 = kmalloc ( sizeof ( * ptr1 ) , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
ptr2 = kmalloc ( sizeof ( * ptr2 ) , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
kfree ( ptr2 ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , * ptr1 = * ptr2 ) ;
kfree ( ptr1 ) ;
}
2021-09-02 14:57:38 -07:00
/*
* Note : in the memset tests below , the written range touches both valid and
* invalid memory . This makes sure that the instrumentation does not only check
* the starting address but the whole range .
*/
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_memset_2 ( struct kunit * test )
2015-11-05 18:51:15 -08:00
{
char * ptr ;
2021-09-02 14:57:38 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE ;
2023-12-12 16:26:59 -07:00
size_t memset_size = 2 ;
2015-11-05 18:51:15 -08:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2015-11-05 18:51:15 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( size ) ;
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( memset_size ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , memset ( ptr + size - 1 , 0 , memset_size ) ) ;
2015-11-05 18:51:15 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_memset_4 ( struct kunit * test )
2015-11-05 18:51:15 -08:00
{
char * ptr ;
2021-09-02 14:57:38 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE ;
2023-12-12 16:26:59 -07:00
size_t memset_size = 4 ;
2015-11-05 18:51:15 -08:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2015-11-05 18:51:15 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( size ) ;
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( memset_size ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , memset ( ptr + size - 3 , 0 , memset_size ) ) ;
2015-11-05 18:51:15 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_memset_8 ( struct kunit * test )
2015-11-05 18:51:15 -08:00
{
char * ptr ;
2021-09-02 14:57:38 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE ;
2023-12-12 16:26:59 -07:00
size_t memset_size = 8 ;
2015-11-05 18:51:15 -08:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2015-11-05 18:51:15 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( size ) ;
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( memset_size ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , memset ( ptr + size - 7 , 0 , memset_size ) ) ;
2015-11-05 18:51:15 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_memset_16 ( struct kunit * test )
2015-11-05 18:51:15 -08:00
{
char * ptr ;
2021-09-02 14:57:38 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE ;
2023-12-12 16:26:59 -07:00
size_t memset_size = 16 ;
2015-11-05 18:51:15 -08:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2015-11-05 18:51:15 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( size ) ;
2023-12-12 16:26:59 -07:00
OPTIMIZER_HIDE_VAR ( memset_size ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , memset ( ptr + size - 15 , 0 , memset_size ) ) ;
2015-11-05 18:51:15 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_oob_in_memset ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
2021-09-02 14:57:38 -07:00
size_t size = 128 - KASAN_GRANULE_SIZE ;
2015-02-13 14:39:53 -08:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2015-02-13 14:39:53 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-08-06 23:24:54 -07:00
2022-01-29 13:41:11 -08:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( size ) ;
2021-09-02 14:57:38 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test ,
memset ( ptr , 0 , size + KASAN_GRANULE_SIZE ) ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
}
2021-11-05 13:35:56 -07:00
static void kmalloc_memmove_negative_size ( struct kunit * test )
2020-04-01 21:09:40 -07:00
{
char * ptr ;
size_t size = 64 ;
2021-11-05 13:36:12 -07:00
size_t invalid_size = - 2 ;
2020-04-01 21:09:40 -07:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2021-09-02 14:57:41 -07:00
/*
* Hardware tag - based mode doesn ' t check memmove for negative size .
* As a result , this test introduces a side - effect memory corruption ,
* which can result in a crash .
*/
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_HW_TAGS ) ;
2020-04-01 21:09:40 -07:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-04-01 21:09:40 -07:00
memset ( ( char * ) ptr , 0 , 64 ) ;
2022-01-29 13:41:11 -08:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2021-11-05 13:36:12 -07:00
OPTIMIZER_HIDE_VAR ( invalid_size ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test ,
memmove ( ( char * ) ptr , ( char * ) ptr + 4 , invalid_size ) ) ;
2020-04-01 21:09:40 -07:00
kfree ( ptr ) ;
}
2021-11-05 13:35:56 -07:00
static void kmalloc_memmove_invalid_size ( struct kunit * test )
{
char * ptr ;
size_t size = 64 ;
2022-09-26 20:08:47 +02:00
size_t invalid_size = size ;
2021-11-05 13:35:56 -07:00
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2021-11-05 13:35:56 -07:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2020-04-01 21:09:40 -07:00
memset ( ( char * ) ptr , 0 , 64 ) ;
2022-01-29 13:41:11 -08:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
2022-09-26 20:08:47 +02:00
OPTIMIZER_HIDE_VAR ( invalid_size ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test ,
memmove ( ( char * ) ptr , ( char * ) ptr + 4 , invalid_size ) ) ;
2020-04-01 21:09:40 -07:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kmalloc_uaf ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
size_t size = 10 ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ 8 ] ) ;
2015-02-13 14:39:53 -08:00
}
2020-10-13 16:55:06 -07:00
static void kmalloc_uaf_memset ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr ;
size_t size = 33 ;
2023-02-24 09:59:41 +01:00
KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS ( test ) ;
2021-09-02 14:57:44 -07:00
/*
* Only generic KASAN uses quarantine , which is required to avoid a
* kernel memory corruption this test causes .
*/
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
2015-02-13 14:39:53 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , memset ( ptr , 0 , size ) ) ;
2015-02-13 14:39:53 -08:00
}
2020-10-13 16:55:06 -07:00
static void kmalloc_uaf2 ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * ptr1 , * ptr2 ;
size_t size = 43 ;
2021-02-24 12:05:38 -08:00
int counter = 0 ;
2015-02-13 14:39:53 -08:00
2021-02-24 12:05:38 -08:00
again :
2015-02-13 14:39:53 -08:00
ptr1 = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr1 ) ;
2020-10-13 16:55:06 -07:00
2015-02-13 14:39:53 -08:00
ptr2 = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
2021-02-24 12:05:38 -08:00
/*
* For tag - based KASAN ptr1 and ptr2 tags might happen to be the same .
* Allow up to 16 attempts at generating different tags .
*/
if ( ! IS_ENABLED ( CONFIG_KASAN_GENERIC ) & & ptr1 = = ptr2 & & counter + + < 16 ) {
kfree ( ptr2 ) ;
goto again ;
}
2021-09-02 14:57:35 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr1 ) [ 40 ] ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_PTR_NE ( test , ptr1 , ptr2 ) ;
2015-02-13 14:39:53 -08:00
kfree ( ptr2 ) ;
}
2022-09-05 23:05:49 +02:00
/*
* Check that KASAN detects use - after - free when another object was allocated in
* the same slot . Relevant for the tag - based modes , which do not use quarantine .
*/
static void kmalloc_uaf3 ( struct kunit * test )
{
char * ptr1 , * ptr2 ;
size_t size = 100 ;
/* This test is specifically crafted for tag-based modes. */
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
ptr1 = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr1 ) ;
kfree ( ptr1 ) ;
ptr2 = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr2 ) ;
kfree ( ptr2 ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr1 ) [ 8 ] ) ;
}
2024-02-02 11:32:59 +00:00
static void kasan_atomics_helper ( struct kunit * test , void * unsafe , void * safe )
{
2024-02-24 10:54:14 +00:00
int * i_unsafe = unsafe ;
2024-02-02 11:32:59 +00:00
KUNIT_EXPECT_KASAN_FAIL ( test , READ_ONCE ( * i_unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , WRITE_ONCE ( * i_unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , smp_load_acquire ( i_unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , smp_store_release ( i_unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_read ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_set ( unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_add ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_sub ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_inc ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_dec ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_and ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_andnot ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_or ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_xor ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_xchg ( unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_cmpxchg ( unsafe , 21 , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_try_cmpxchg ( unsafe , safe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_try_cmpxchg ( safe , unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_sub_and_test ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_dec_and_test ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_inc_and_test ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_add_negative ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_add_unless ( unsafe , 21 , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_inc_not_zero ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_inc_unless_negative ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_dec_unless_positive ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_dec_if_positive ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_read ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_set ( unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_add ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_sub ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_inc ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_dec ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_and ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_andnot ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_or ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_xor ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_xchg ( unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_cmpxchg ( unsafe , 21 , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_try_cmpxchg ( unsafe , safe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_try_cmpxchg ( safe , unsafe , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_sub_and_test ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_dec_and_test ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_inc_and_test ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_add_negative ( 42 , unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_add_unless ( unsafe , 21 , 42 ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_inc_not_zero ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_inc_unless_negative ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_dec_unless_positive ( unsafe ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , atomic_long_dec_if_positive ( unsafe ) ) ;
}
static void kasan_atomics ( struct kunit * test )
{
void * a1 , * a2 ;
/*
* Just as with kasan_bitops_tags ( ) , we allocate 48 bytes of memory such
* that the following 16 bytes will make up the redzone .
*/
a1 = kzalloc ( 48 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , a1 ) ;
2024-02-24 10:54:14 +00:00
a2 = kzalloc ( sizeof ( atomic_long_t ) , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , a2 ) ;
2024-02-02 11:32:59 +00:00
/* Use atomics to access the redzone. */
kasan_atomics_helper ( test , a1 + 48 , a2 ) ;
kfree ( a1 ) ;
kfree ( a2 ) ;
}
2023-12-19 23:29:02 +01:00
static void kmalloc_double_kzfree ( struct kunit * test )
{
char * ptr ;
size_t size = 16 ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
kfree_sensitive ( ptr ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , kfree_sensitive ( ptr ) ) ;
}
/* Check that ksize() does NOT unpoison whole object. */
static void ksize_unpoisons_memory ( struct kunit * test )
{
char * ptr ;
size_t size = 128 - KASAN_GRANULE_SIZE - 5 ;
size_t real_size ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
real_size = ksize ( ptr ) ;
KUNIT_EXPECT_GT ( test , real_size , size ) ;
OPTIMIZER_HIDE_VAR ( ptr ) ;
/* These accesses shouldn't trigger a KASAN report. */
ptr [ 0 ] = ' x ' ;
ptr [ size - 1 ] = ' x ' ;
/* These must trigger a KASAN report. */
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ size ] ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ size + 5 ] ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ real_size - 1 ] ) ;
kfree ( ptr ) ;
}
/*
* Check that a use - after - free is detected by ksize ( ) and via normal accesses
* after it .
*/
static void ksize_uaf ( struct kunit * test )
{
char * ptr ;
int size = 128 - KASAN_GRANULE_SIZE ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
kfree ( ptr ) ;
OPTIMIZER_HIDE_VAR ( ptr ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ksize ( ptr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ 0 ] ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ size ] ) ;
}
/*
* The two tests below check that Generic KASAN prints auxiliary stack traces
* for RCU callbacks and workqueues . The reports need to be inspected manually .
*
* These tests are still enabled for other KASAN modes to make sure that all
* modes report bad accesses in tested scenarios .
*/
static struct kasan_rcu_info {
int i ;
struct rcu_head rcu ;
} * global_rcu_ptr ;
static void rcu_uaf_reclaim ( struct rcu_head * rp )
{
struct kasan_rcu_info * fp =
container_of ( rp , struct kasan_rcu_info , rcu ) ;
kfree ( fp ) ;
( ( volatile struct kasan_rcu_info * ) fp ) - > i ;
}
static void rcu_uaf ( struct kunit * test )
{
struct kasan_rcu_info * ptr ;
ptr = kmalloc ( sizeof ( struct kasan_rcu_info ) , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
global_rcu_ptr = rcu_dereference_protected (
( struct kasan_rcu_info __rcu * ) ptr , NULL ) ;
KUNIT_EXPECT_KASAN_FAIL ( test ,
call_rcu ( & global_rcu_ptr - > rcu , rcu_uaf_reclaim ) ;
rcu_barrier ( ) ) ;
}
static void workqueue_uaf_work ( struct work_struct * work )
{
kfree ( work ) ;
}
static void workqueue_uaf ( struct kunit * test )
{
struct workqueue_struct * workqueue ;
struct work_struct * work ;
workqueue = create_workqueue ( " kasan_workqueue_test " ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , workqueue ) ;
work = kmalloc ( sizeof ( struct work_struct ) , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , work ) ;
INIT_WORK ( work , workqueue_uaf_work ) ;
queue_work ( workqueue , work ) ;
destroy_workqueue ( workqueue ) ;
KUNIT_EXPECT_KASAN_FAIL ( test ,
( ( volatile struct work_struct * ) work ) - > data ) ;
}
2020-10-13 16:55:06 -07:00
static void kfree_via_page ( struct kunit * test )
2019-09-23 15:34:16 -07:00
{
char * ptr ;
size_t size = 8 ;
struct page * page ;
unsigned long offset ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2019-09-23 15:34:16 -07:00
page = virt_to_page ( ptr ) ;
offset = offset_in_page ( ptr ) ;
kfree ( page_address ( page ) + offset ) ;
}
2020-10-13 16:55:06 -07:00
static void kfree_via_phys ( struct kunit * test )
2019-09-23 15:34:16 -07:00
{
char * ptr ;
size_t size = 8 ;
phys_addr_t phys ;
ptr = kmalloc ( size , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2019-09-23 15:34:16 -07:00
phys = virt_to_phys ( ptr ) ;
kfree ( phys_to_virt ( phys ) ) ;
}
2020-10-13 16:55:06 -07:00
static void kmem_cache_oob ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
char * p ;
size_t size = 200 ;
2021-02-24 12:05:59 -08:00
struct kmem_cache * cache ;
cache = kmem_cache_create ( " test_cache " , size , 0 , 0 , NULL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
2021-02-24 12:05:59 -08:00
2015-02-13 14:39:53 -08:00
p = kmem_cache_alloc ( cache , GFP_KERNEL ) ;
if ( ! p ) {
2020-10-13 16:55:06 -07:00
kunit_err ( test , " Allocation failed: %s \n " , __func__ ) ;
2015-02-13 14:39:53 -08:00
kmem_cache_destroy ( cache ) ;
return ;
}
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * p = p [ size + OOB_TAG_OFF ] ) ;
2021-02-24 12:05:59 -08:00
2015-02-13 14:39:53 -08:00
kmem_cache_free ( cache , p ) ;
kmem_cache_destroy ( cache ) ;
}
2023-12-19 23:29:02 +01:00
static void kmem_cache_double_free ( struct kunit * test )
{
char * p ;
size_t size = 200 ;
struct kmem_cache * cache ;
cache = kmem_cache_create ( " test_cache " , size , 0 , 0 , NULL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
p = kmem_cache_alloc ( cache , GFP_KERNEL ) ;
if ( ! p ) {
kunit_err ( test , " Allocation failed: %s \n " , __func__ ) ;
kmem_cache_destroy ( cache ) ;
return ;
}
kmem_cache_free ( cache , p ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , kmem_cache_free ( cache , p ) ) ;
kmem_cache_destroy ( cache ) ;
}
static void kmem_cache_invalid_free ( struct kunit * test )
{
char * p ;
size_t size = 200 ;
struct kmem_cache * cache ;
cache = kmem_cache_create ( " test_cache " , size , 0 , SLAB_TYPESAFE_BY_RCU ,
NULL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
p = kmem_cache_alloc ( cache , GFP_KERNEL ) ;
if ( ! p ) {
kunit_err ( test , " Allocation failed: %s \n " , __func__ ) ;
kmem_cache_destroy ( cache ) ;
return ;
}
/* Trigger invalid free, the object doesn't get freed. */
KUNIT_EXPECT_KASAN_FAIL ( test , kmem_cache_free ( cache , p + 1 ) ) ;
/*
* Properly free the object to prevent the " Objects remaining in
* test_cache on __kmem_cache_shutdown " BUG failure.
*/
kmem_cache_free ( cache , p ) ;
kmem_cache_destroy ( cache ) ;
}
static void empty_cache_ctor ( void * object ) { }
static void kmem_cache_double_destroy ( struct kunit * test )
{
struct kmem_cache * cache ;
/* Provide a constructor to prevent cache merging. */
cache = kmem_cache_create ( " test_cache " , 200 , 0 , 0 , empty_cache_ctor ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
kmem_cache_destroy ( cache ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , kmem_cache_destroy ( cache ) ) ;
}
2021-02-24 12:05:59 -08:00
static void kmem_cache_accounted ( struct kunit * test )
2017-02-24 15:00:08 -08:00
{
int i ;
char * p ;
size_t size = 200 ;
struct kmem_cache * cache ;
cache = kmem_cache_create ( " test_cache " , size , 0 , SLAB_ACCOUNT , NULL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
2017-02-24 15:00:08 -08:00
/*
* Several allocations with a delay to allow for lazy per memcg kmem
* cache creation .
*/
for ( i = 0 ; i < 5 ; i + + ) {
p = kmem_cache_alloc ( cache , GFP_KERNEL ) ;
2017-11-17 15:28:00 -08:00
if ( ! p )
2017-02-24 15:00:08 -08:00
goto free_cache ;
2017-11-17 15:28:00 -08:00
2017-02-24 15:00:08 -08:00
kmem_cache_free ( cache , p ) ;
msleep ( 100 ) ;
}
free_cache :
kmem_cache_destroy ( cache ) ;
}
2021-02-24 12:05:59 -08:00
static void kmem_cache_bulk ( struct kunit * test )
{
struct kmem_cache * cache ;
size_t size = 200 ;
char * p [ 10 ] ;
bool ret ;
int i ;
cache = kmem_cache_create ( " test_cache " , size , 0 , 0 , NULL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
ret = kmem_cache_alloc_bulk ( cache , GFP_KERNEL , ARRAY_SIZE ( p ) , ( void * * ) & p ) ;
if ( ! ret ) {
kunit_err ( test , " Allocation failed: %s \n " , __func__ ) ;
kmem_cache_destroy ( cache ) ;
return ;
}
for ( i = 0 ; i < ARRAY_SIZE ( p ) ; i + + )
p [ i ] [ 0 ] = p [ i ] [ size - 1 ] = 42 ;
kmem_cache_free_bulk ( cache , ARRAY_SIZE ( p ) , ( void * * ) & p ) ;
kmem_cache_destroy ( cache ) ;
}
2023-12-19 23:29:00 +01:00
static void * mempool_prepare_kmalloc ( struct kunit * test , mempool_t * pool , size_t size )
{
int pool_size = 4 ;
int ret ;
void * elem ;
memset ( pool , 0 , sizeof ( * pool ) ) ;
ret = mempool_init_kmalloc_pool ( pool , pool_size , size ) ;
KUNIT_ASSERT_EQ ( test , ret , 0 ) ;
/*
* Allocate one element to prevent mempool from freeing elements to the
* underlying allocator and instead make it add them to the element
* list when the tests trigger double - free and invalid - free bugs .
* This allows testing KASAN annotations in add_element ( ) .
*/
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
return elem ;
}
static struct kmem_cache * mempool_prepare_slab ( struct kunit * test , mempool_t * pool , size_t size )
{
struct kmem_cache * cache ;
int pool_size = 4 ;
int ret ;
cache = kmem_cache_create ( " test_cache " , size , 0 , 0 , NULL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , cache ) ;
memset ( pool , 0 , sizeof ( * pool ) ) ;
ret = mempool_init_slab_pool ( pool , pool_size , cache ) ;
KUNIT_ASSERT_EQ ( test , ret , 0 ) ;
/*
* Do not allocate one preallocated element , as we skip the double - free
* and invalid - free tests for slab mempool for simplicity .
*/
return cache ;
}
static void * mempool_prepare_page ( struct kunit * test , mempool_t * pool , int order )
{
int pool_size = 4 ;
int ret ;
void * elem ;
memset ( pool , 0 , sizeof ( * pool ) ) ;
ret = mempool_init_page_pool ( pool , pool_size , order ) ;
KUNIT_ASSERT_EQ ( test , ret , 0 ) ;
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
return elem ;
}
static void mempool_oob_right_helper ( struct kunit * test , mempool_t * pool , size_t size )
{
char * elem ;
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
OPTIMIZER_HIDE_VAR ( elem ) ;
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test ,
( ( volatile char * ) & elem [ size ] ) [ 0 ] ) ;
else
KUNIT_EXPECT_KASAN_FAIL ( test ,
( ( volatile char * ) & elem [ round_up ( size , KASAN_GRANULE_SIZE ) ] ) [ 0 ] ) ;
mempool_free ( elem , pool ) ;
}
static void mempool_kmalloc_oob_right ( struct kunit * test )
{
mempool_t pool ;
size_t size = 128 - KASAN_GRANULE_SIZE - 5 ;
void * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_oob_right_helper ( test , & pool , size ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_kmalloc_large_oob_right ( struct kunit * test )
{
mempool_t pool ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 1 ;
void * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_oob_right_helper ( test , & pool , size ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_slab_oob_right ( struct kunit * test )
{
mempool_t pool ;
size_t size = 123 ;
struct kmem_cache * cache ;
cache = mempool_prepare_slab ( test , & pool , size ) ;
mempool_oob_right_helper ( test , & pool , size ) ;
mempool_exit ( & pool ) ;
kmem_cache_destroy ( cache ) ;
}
/*
* Skip the out - of - bounds test for page mempool . With Generic KASAN , page
* allocations have no redzones , and thus the out - of - bounds detection is not
* guaranteed ; see https : //bugzilla.kernel.org/show_bug.cgi?id=210503. With
* the tag - based KASAN modes , the neighboring allocation might have the same
* tag ; see https : //bugzilla.kernel.org/show_bug.cgi?id=203505.
*/
static void mempool_uaf_helper ( struct kunit * test , mempool_t * pool , bool page )
{
char * elem , * ptr ;
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
mempool_free ( elem , pool ) ;
ptr = page ? page_address ( ( struct page * ) elem ) : elem ;
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) ptr ) [ 0 ] ) ;
}
static void mempool_kmalloc_uaf ( struct kunit * test )
{
mempool_t pool ;
size_t size = 128 ;
void * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_uaf_helper ( test , & pool , false ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_kmalloc_large_uaf ( struct kunit * test )
{
mempool_t pool ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 1 ;
void * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_uaf_helper ( test , & pool , false ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_slab_uaf ( struct kunit * test )
{
mempool_t pool ;
size_t size = 123 ;
struct kmem_cache * cache ;
cache = mempool_prepare_slab ( test , & pool , size ) ;
mempool_uaf_helper ( test , & pool , false ) ;
mempool_exit ( & pool ) ;
kmem_cache_destroy ( cache ) ;
}
static void mempool_page_alloc_uaf ( struct kunit * test )
{
mempool_t pool ;
int order = 2 ;
void * extra_elem ;
extra_elem = mempool_prepare_page ( test , & pool , order ) ;
mempool_uaf_helper ( test , & pool , true ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_double_free_helper ( struct kunit * test , mempool_t * pool )
{
char * elem ;
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
mempool_free ( elem , pool ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , mempool_free ( elem , pool ) ) ;
}
static void mempool_kmalloc_double_free ( struct kunit * test )
{
mempool_t pool ;
size_t size = 128 ;
char * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_double_free_helper ( test , & pool ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_kmalloc_large_double_free ( struct kunit * test )
{
mempool_t pool ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 1 ;
char * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_double_free_helper ( test , & pool ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_page_alloc_double_free ( struct kunit * test )
{
mempool_t pool ;
int order = 2 ;
char * extra_elem ;
extra_elem = mempool_prepare_page ( test , & pool , order ) ;
mempool_double_free_helper ( test , & pool ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_kmalloc_invalid_free_helper ( struct kunit * test , mempool_t * pool )
{
char * elem ;
elem = mempool_alloc_preallocated ( pool ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , elem ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , mempool_free ( elem + 1 , pool ) ) ;
mempool_free ( elem , pool ) ;
}
static void mempool_kmalloc_invalid_free ( struct kunit * test )
{
mempool_t pool ;
size_t size = 128 ;
char * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_kmalloc_invalid_free_helper ( test , & pool ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
static void mempool_kmalloc_large_invalid_free ( struct kunit * test )
{
mempool_t pool ;
size_t size = KMALLOC_MAX_CACHE_SIZE + 1 ;
char * extra_elem ;
extra_elem = mempool_prepare_kmalloc ( test , & pool , size ) ;
mempool_kmalloc_invalid_free_helper ( test , & pool ) ;
mempool_free ( extra_elem , & pool ) ;
mempool_exit ( & pool ) ;
}
/*
* Skip the invalid - free test for page mempool . The invalid - free detection only
* works for compound pages and mempool preallocates all page elements without
* the __GFP_COMP flag .
*/
2015-02-13 14:39:53 -08:00
static char global_array [ 10 ] ;
2022-01-14 14:04:51 -08:00
static void kasan_global_oob_right ( struct kunit * test )
2015-02-13 14:39:53 -08:00
{
2021-05-14 17:27:27 -07:00
/*
* Deliberate out - of - bounds access . To prevent CONFIG_UBSAN_LOCAL_BOUNDS
2021-07-07 18:07:28 -07:00
* from failing here and panicking the kernel , access the array via a
2021-05-14 17:27:27 -07:00
* volatile pointer , which will prevent the compiler from being able to
* determine the array bounds .
*
* This access uses a volatile pointer to char ( char * volatile ) rather
* than the more conventional pointer to volatile char ( volatile char * )
* because we want to prevent the compiler from making inferences about
* the pointer itself ( i . e . its array bounds ) , not the data that it
* refers to .
*/
char * volatile array = global_array ;
char * p = & array [ ARRAY_SIZE ( global_array ) + 3 ] ;
2015-02-13 14:39:53 -08:00
2020-11-01 17:07:37 -08:00
/* Only generic mode instruments globals. */
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
2020-11-01 17:07:37 -08:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) p ) ;
2015-02-13 14:39:53 -08:00
}
2022-01-14 14:04:51 -08:00
static void kasan_global_oob_left ( struct kunit * test )
{
char * volatile array = global_array ;
char * p = array - 3 ;
/*
* GCC is known to fail this test , skip it .
* See https : //bugzilla.kernel.org/show_bug.cgi?id=215051.
*/
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_CC_IS_CLANG ) ;
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) p ) ;
}
2020-10-13 16:55:06 -07:00
static void kasan_stack_oob ( struct kunit * test )
2016-05-20 16:59:34 -07:00
{
2020-10-13 16:55:06 -07:00
char stack_array [ 10 ] ;
2022-03-24 18:12:08 -07:00
/* See comment in kasan_global_oob_right. */
2021-05-14 17:27:27 -07:00
char * volatile array = stack_array ;
char * p = & array [ ARRAY_SIZE ( stack_array ) + OOB_TAG_OFF ] ;
2016-05-20 16:59:34 -07:00
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_STACK ) ;
2016-05-20 16:59:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) p ) ;
2016-05-20 16:59:34 -07:00
}
2020-10-13 16:55:06 -07:00
static void kasan_alloca_oob_left ( struct kunit * test )
2018-02-06 15:36:16 -08:00
{
volatile int i = 10 ;
char alloca_array [ i ] ;
2022-03-24 18:12:08 -07:00
/* See comment in kasan_global_oob_right. */
2021-05-14 17:27:27 -07:00
char * volatile array = alloca_array ;
char * p = array - 1 ;
2018-02-06 15:36:16 -08:00
2020-11-01 17:07:37 -08:00
/* Only generic mode instruments dynamic allocas. */
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_STACK ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) p ) ;
2018-02-06 15:36:16 -08:00
}
2020-10-13 16:55:06 -07:00
static void kasan_alloca_oob_right ( struct kunit * test )
2018-02-06 15:36:16 -08:00
{
volatile int i = 10 ;
char alloca_array [ i ] ;
2022-03-24 18:12:08 -07:00
/* See comment in kasan_global_oob_right. */
2021-05-14 17:27:27 -07:00
char * volatile array = alloca_array ;
char * p = array + i ;
2018-02-06 15:36:16 -08:00
2020-11-01 17:07:37 -08:00
/* Only generic mode instruments dynamic allocas. */
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_STACK ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , * ( volatile char * ) p ) ;
2018-02-06 15:36:16 -08:00
}
2020-10-13 16:55:06 -07:00
static void kasan_memchr ( struct kunit * test )
2018-10-26 15:02:34 -07:00
{
char * ptr ;
size_t size = 24 ;
2021-02-24 12:05:13 -08:00
/*
* str * functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT .
* See https : //bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
*/
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_AMD_MEM_ENCRYPT ) ;
2020-10-13 16:55:06 -07:00
2020-11-01 17:07:37 -08:00
if ( OOB_TAG_OFF )
size = round_up ( size , OOB_TAG_OFF ) ;
2020-10-13 16:55:06 -07:00
ptr = kmalloc ( size , GFP_KERNEL | __GFP_ZERO ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2022-01-29 13:41:11 -08:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
kasan: test: silence intentional read overflow warnings
As done in commit d73dad4eb5ad ("kasan: test: bypass __alloc_size
checks") for __write_overflow warnings, also silence some more cases
that trip the __read_overflow warnings seen in 5.16-rc1[1]:
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:10,
from include/linux/cpumask.h:12,
from include/linux/mm_types_task.h:14,
from include/linux/mm_types.h:5,
from include/linux/page-flags.h:13,
from arch/arm64/include/asm/mte.h:14,
from arch/arm64/include/asm/pgtable.h:12,
from include/linux/pgtable.h:6,
from include/linux/kasan.h:29,
from lib/test_kasan.c:10:
In function 'memcmp',
inlined from 'kasan_memcmp' at lib/test_kasan.c:897:2:
include/linux/fortify-string.h:263:25: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
263 | __read_overflow();
| ^~~~~~~~~~~~~~~~~
In function 'memchr',
inlined from 'kasan_memchr' at lib/test_kasan.c:872:2:
include/linux/fortify-string.h:277:17: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
277 | __read_overflow();
| ^~~~~~~~~~~~~~~~~
[1] http://kisskb.ellerman.id.au/kisskb/buildresult/14660585/log/
Link: https://lkml.kernel.org/r/20211116004111.3171781-1-keescook@chromium.org
Fixes: d73dad4eb5ad ("kasan: test: bypass __alloc_size checks")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Marco Elver <elver@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-11-19 16:43:46 -08:00
OPTIMIZER_HIDE_VAR ( size ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test ,
kasan_ptr_result = memchr ( ptr , ' 1 ' , size + 1 ) ) ;
2018-10-26 15:02:34 -07:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kasan_memcmp ( struct kunit * test )
2018-10-26 15:02:34 -07:00
{
char * ptr ;
size_t size = 24 ;
int arr [ 9 ] ;
2021-02-24 12:05:13 -08:00
/*
* str * functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT .
* See https : //bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
*/
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_AMD_MEM_ENCRYPT ) ;
2018-10-26 15:02:34 -07:00
2020-11-01 17:07:37 -08:00
if ( OOB_TAG_OFF )
size = round_up ( size , OOB_TAG_OFF ) ;
2020-10-13 16:55:06 -07:00
ptr = kmalloc ( size , GFP_KERNEL | __GFP_ZERO ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2018-10-26 15:02:34 -07:00
memset ( arr , 0 , sizeof ( arr ) ) ;
2020-10-13 16:55:06 -07:00
2022-01-29 13:41:11 -08:00
OPTIMIZER_HIDE_VAR ( ptr ) ;
kasan: test: silence intentional read overflow warnings
As done in commit d73dad4eb5ad ("kasan: test: bypass __alloc_size
checks") for __write_overflow warnings, also silence some more cases
that trip the __read_overflow warnings seen in 5.16-rc1[1]:
In file included from include/linux/string.h:253,
from include/linux/bitmap.h:10,
from include/linux/cpumask.h:12,
from include/linux/mm_types_task.h:14,
from include/linux/mm_types.h:5,
from include/linux/page-flags.h:13,
from arch/arm64/include/asm/mte.h:14,
from arch/arm64/include/asm/pgtable.h:12,
from include/linux/pgtable.h:6,
from include/linux/kasan.h:29,
from lib/test_kasan.c:10:
In function 'memcmp',
inlined from 'kasan_memcmp' at lib/test_kasan.c:897:2:
include/linux/fortify-string.h:263:25: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
263 | __read_overflow();
| ^~~~~~~~~~~~~~~~~
In function 'memchr',
inlined from 'kasan_memchr' at lib/test_kasan.c:872:2:
include/linux/fortify-string.h:277:17: error: call to '__read_overflow' declared with attribute error: detected read beyond size of object (1st parameter)
277 | __read_overflow();
| ^~~~~~~~~~~~~~~~~
[1] http://kisskb.ellerman.id.au/kisskb/buildresult/14660585/log/
Link: https://lkml.kernel.org/r/20211116004111.3171781-1-keescook@chromium.org
Fixes: d73dad4eb5ad ("kasan: test: bypass __alloc_size checks")
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Marco Elver <elver@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2021-11-19 16:43:46 -08:00
OPTIMIZER_HIDE_VAR ( size ) ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test ,
kasan_int_result = memcmp ( ptr , arr , size + 1 ) ) ;
2018-10-26 15:02:34 -07:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void kasan_strings ( struct kunit * test )
2018-10-26 15:02:34 -07:00
{
char * ptr ;
size_t size = 24 ;
2021-02-24 12:05:13 -08:00
/*
* str * functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT .
* See https : //bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
*/
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_AMD_MEM_ENCRYPT ) ;
2020-10-13 16:55:06 -07:00
ptr = kmalloc ( size , GFP_KERNEL | __GFP_ZERO ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
2018-10-26 15:02:34 -07:00
kfree ( ptr ) ;
/*
* Try to cause only 1 invalid access ( less spam in dmesg ) .
* For that we need ptr to point to zeroed byte .
* Skip metadata that could be stored in freed object so ptr
* will likely point to zeroed byte .
*/
ptr + = 16 ;
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_ptr_result = strchr ( ptr , ' 1 ' ) ) ;
2018-10-26 15:02:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_ptr_result = strrchr ( ptr , ' 1 ' ) ) ;
2018-10-26 15:02:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result = strcmp ( ptr , " 2 " ) ) ;
2018-10-26 15:02:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result = strncmp ( ptr , " 2 " , 1 ) ) ;
2018-10-26 15:02:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result = strlen ( ptr ) ) ;
2018-10-26 15:02:34 -07:00
2020-10-13 16:55:06 -07:00
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result = strnlen ( ptr , 1 ) ) ;
2018-10-26 15:02:34 -07:00
}
2020-11-01 17:07:37 -08:00
static void kasan_bitops_modify ( struct kunit * test , int nr , void * addr )
{
KUNIT_EXPECT_KASAN_FAIL ( test , set_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __set_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , clear_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __clear_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , clear_bit_unlock ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __clear_bit_unlock ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , change_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __change_bit ( nr , addr ) ) ;
}
static void kasan_bitops_test_and_modify ( struct kunit * test , int nr , void * addr )
{
KUNIT_EXPECT_KASAN_FAIL ( test , test_and_set_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __test_and_set_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , test_and_set_bit_lock ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , test_and_clear_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __test_and_clear_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , test_and_change_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , __test_and_change_bit ( nr , addr ) ) ;
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result = test_bit ( nr , addr ) ) ;
2023-10-04 17:53:07 +01:00
if ( nr < 7 )
KUNIT_EXPECT_KASAN_FAIL ( test , kasan_int_result =
xor_unlock_is_negative_byte ( 1 < < nr , addr ) ) ;
2020-11-01 17:07:37 -08:00
}
static void kasan_bitops_generic ( struct kunit * test )
2019-07-11 20:53:52 -07:00
{
2020-11-01 17:07:37 -08:00
long * bits ;
/* This test is specifically crafted for the generic mode. */
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_GENERIC ) ;
2020-11-01 17:07:37 -08:00
2019-07-11 20:53:52 -07:00
/*
2021-02-24 12:05:13 -08:00
* Allocate 1 more byte , which causes kzalloc to round up to 16 bytes ;
2019-07-11 20:53:52 -07:00
* this way we do not actually corrupt other memory .
*/
2020-11-01 17:07:37 -08:00
bits = kzalloc ( sizeof ( * bits ) + 1 , GFP_KERNEL ) ;
2020-10-13 16:55:06 -07:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , bits ) ;
2019-07-11 20:53:52 -07:00
/*
* Below calls try to access bit within allocated memory ; however , the
* below accesses are still out - of - bounds , since bitops are defined to
* operate on the whole long the bit is in .
*/
2020-11-01 17:07:37 -08:00
kasan_bitops_modify ( test , BITS_PER_LONG , bits ) ;
2019-07-11 20:53:52 -07:00
/*
* Below calls try to access bit beyond allocated memory .
*/
2020-11-01 17:07:37 -08:00
kasan_bitops_test_and_modify ( test , BITS_PER_LONG + BITS_PER_BYTE , bits ) ;
2019-07-11 20:53:52 -07:00
2020-11-01 17:07:37 -08:00
kfree ( bits ) ;
}
2019-07-11 20:53:52 -07:00
2020-11-01 17:07:37 -08:00
static void kasan_bitops_tags ( struct kunit * test )
{
long * bits ;
2019-07-11 20:53:52 -07:00
2021-02-24 12:05:17 -08:00
/* This test is specifically crafted for tag-based modes. */
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
2019-07-11 20:53:52 -07:00
2021-02-24 12:05:42 -08:00
/* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
bits = kzalloc ( 48 , GFP_KERNEL ) ;
2020-11-01 17:07:37 -08:00
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , bits ) ;
2019-07-11 20:53:52 -07:00
2021-02-24 12:05:42 -08:00
/* Do the accesses past the 48 allocated bytes, but within the redone. */
kasan_bitops_modify ( test , BITS_PER_LONG , ( void * ) bits + 48 ) ;
kasan_bitops_test_and_modify ( test , BITS_PER_LONG + BITS_PER_BYTE , ( void * ) bits + 48 ) ;
2019-07-11 20:53:52 -07:00
kfree ( bits ) ;
}
2022-03-24 18:11:59 -07:00
static void vmalloc_helpers_tags ( struct kunit * test )
{
void * ptr ;
/* This test is intended for tag-based modes. */
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_VMALLOC ) ;
2023-12-21 21:04:50 +01:00
if ( ! kasan_vmalloc_enabled ( ) )
kunit_skip ( test , " Test requires kasan.vmalloc=on " ) ;
2022-03-24 18:11:59 -07:00
ptr = vmalloc ( PAGE_SIZE ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
/* Check that the returned pointer is tagged. */
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
/* Make sure exported vmalloc helpers handle tagged pointers. */
KUNIT_ASSERT_TRUE ( test , is_vmalloc_addr ( ptr ) ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , vmalloc_to_page ( ptr ) ) ;
# if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
{
int rv ;
/* Make sure vmalloc'ed memory permissions can be changed. */
rv = set_memory_ro ( ( unsigned long ) ptr , 1 ) ;
KUNIT_ASSERT_GE ( test , rv , 0 ) ;
rv = set_memory_rw ( ( unsigned long ) ptr , 1 ) ;
KUNIT_ASSERT_GE ( test , rv , 0 ) ;
}
# endif
vfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static void vmalloc_oob ( struct kunit * test )
2019-11-30 17:54:53 -08:00
{
2022-03-24 18:11:59 -07:00
char * v_ptr , * p_ptr ;
struct page * page ;
size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5 ;
2019-11-30 17:54:53 -08:00
2021-02-24 12:05:17 -08:00
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_VMALLOC ) ;
2019-11-30 17:54:53 -08:00
2023-12-21 21:04:50 +01:00
if ( ! kasan_vmalloc_enabled ( ) )
kunit_skip ( test , " Test requires kasan.vmalloc=on " ) ;
2022-03-24 18:11:59 -07:00
v_ptr = vmalloc ( size ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , v_ptr ) ;
OPTIMIZER_HIDE_VAR ( v_ptr ) ;
2019-11-30 17:54:53 -08:00
/*
2022-03-24 18:11:59 -07:00
* We have to be careful not to hit the guard page in vmalloc tests .
2019-11-30 17:54:53 -08:00
* The MMU will catch that and crash us .
*/
2022-03-24 18:11:59 -07:00
/* Make sure in-bounds accesses are valid. */
v_ptr [ 0 ] = 0 ;
v_ptr [ size - 1 ] = 0 ;
/*
* An unaligned access past the requested vmalloc size .
* Only generic KASAN can precisely detect these .
*/
if ( IS_ENABLED ( CONFIG_KASAN_GENERIC ) )
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) v_ptr ) [ size ] ) ;
/* An aligned access into the first out-of-bounds granule. */
KUNIT_EXPECT_KASAN_FAIL ( test , ( ( volatile char * ) v_ptr ) [ size + 5 ] ) ;
/* Check that in-bounds accesses to the physical page are valid. */
page = vmalloc_to_page ( v_ptr ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , page ) ;
p_ptr = page_address ( page ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , p_ptr ) ;
p_ptr [ 0 ] = 0 ;
vfree ( v_ptr ) ;
/*
* We can ' t check for use - after - unmap bugs in this nor in the following
* vmalloc tests , as the page might be fully unmapped and accessing it
* will crash the kernel .
*/
}
static void vmap_tags ( struct kunit * test )
{
char * p_ptr , * v_ptr ;
struct page * p_page , * v_page ;
/*
* This test is specifically crafted for the software tag - based mode ,
* the only tag - based mode that poisons vmap mappings .
*/
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_SW_TAGS ) ;
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_VMALLOC ) ;
2023-12-21 21:04:50 +01:00
if ( ! kasan_vmalloc_enabled ( ) )
kunit_skip ( test , " Test requires kasan.vmalloc=on " ) ;
2022-03-24 18:11:59 -07:00
p_page = alloc_pages ( GFP_KERNEL , 1 ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , p_page ) ;
p_ptr = page_address ( p_page ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , p_ptr ) ;
v_ptr = vmap ( & p_page , 1 , VM_MAP , PAGE_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , v_ptr ) ;
/*
* We can ' t check for out - of - bounds bugs in this nor in the following
* vmalloc tests , as allocations have page granularity and accessing
* the guard page will crash the kernel .
*/
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( v_ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( v_ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
/* Make sure that in-bounds accesses through both pointers work. */
* p_ptr = 0 ;
* v_ptr = 0 ;
/* Make sure vmalloc_to_page() correctly recovers the page pointer. */
v_page = vmalloc_to_page ( v_ptr ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , v_page ) ;
KUNIT_EXPECT_PTR_EQ ( test , p_page , v_page ) ;
vunmap ( v_ptr ) ;
free_pages ( ( unsigned long ) p_ptr , 1 ) ;
}
static void vm_map_ram_tags ( struct kunit * test )
{
char * p_ptr , * v_ptr ;
struct page * page ;
/*
* This test is specifically crafted for the software tag - based mode ,
* the only tag - based mode that poisons vm_map_ram mappings .
*/
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_SW_TAGS ) ;
page = alloc_pages ( GFP_KERNEL , 1 ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , page ) ;
p_ptr = page_address ( page ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , p_ptr ) ;
v_ptr = vm_map_ram ( & page , 1 , - 1 ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , v_ptr ) ;
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( v_ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( v_ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
/* Make sure that in-bounds accesses through both pointers work. */
* p_ptr = 0 ;
* v_ptr = 0 ;
vm_unmap_ram ( v_ptr , 1 ) ;
free_pages ( ( unsigned long ) p_ptr , 1 ) ;
}
static void vmalloc_percpu ( struct kunit * test )
{
char __percpu * ptr ;
int cpu ;
/*
* This test is specifically crafted for the software tag - based mode ,
* the only tag - based mode that poisons percpu mappings .
*/
KASAN_TEST_NEEDS_CONFIG_ON ( test , CONFIG_KASAN_SW_TAGS ) ;
ptr = __alloc_percpu ( PAGE_SIZE , PAGE_SIZE ) ;
for_each_possible_cpu ( cpu ) {
char * c_ptr = per_cpu_ptr ( ptr , cpu ) ;
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( c_ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( c_ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
/* Make sure that in-bounds accesses don't crash the kernel. */
* c_ptr = 0 ;
}
free_percpu ( ptr ) ;
2019-11-30 17:54:53 -08:00
}
2020-08-06 23:24:42 -07:00
2021-02-24 12:05:21 -08:00
/*
* Check that the assigned pointer tag falls within the [ KASAN_TAG_MIN ,
* KASAN_TAG_KERNEL ) range ( note : excluding the match - all tag ) for tag - based
* modes .
*/
static void match_all_not_assigned ( struct kunit * test )
{
char * ptr ;
struct page * pages ;
int i , size , order ;
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
for ( i = 0 ; i < 256 ; i + + ) {
2022-10-09 20:44:02 -06:00
size = get_random_u32_inclusive ( 1 , 1024 ) ;
2021-02-24 12:05:21 -08:00
ptr = kmalloc ( size , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
kfree ( ptr ) ;
}
for ( i = 0 ; i < 256 ; i + + ) {
2022-10-09 20:44:02 -06:00
order = get_random_u32_inclusive ( 1 , 4 ) ;
2021-02-24 12:05:21 -08:00
pages = alloc_pages ( GFP_KERNEL , order ) ;
ptr = page_address ( pages ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
free_pages ( ( unsigned long ) ptr , order ) ;
}
2022-03-24 18:11:59 -07:00
2023-12-21 21:04:50 +01:00
if ( ! kasan_vmalloc_enabled ( ) )
2022-03-24 18:11:59 -07:00
return ;
for ( i = 0 ; i < 256 ; i + + ) {
2022-10-09 20:44:02 -06:00
size = get_random_u32_inclusive ( 1 , 1024 ) ;
2022-03-24 18:11:59 -07:00
ptr = vmalloc ( size ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
KUNIT_EXPECT_GE ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_MIN ) ;
KUNIT_EXPECT_LT ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
vfree ( ptr ) ;
}
2021-02-24 12:05:21 -08:00
}
/* Check that 0xff works as a match-all pointer tag for tag-based modes. */
static void match_all_ptr_tag ( struct kunit * test )
{
char * ptr ;
u8 tag ;
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
ptr = kmalloc ( 128 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
/* Backup the assigned tag. */
tag = get_tag ( ptr ) ;
KUNIT_EXPECT_NE ( test , tag , ( u8 ) KASAN_TAG_KERNEL ) ;
/* Reset the tag to 0xff.*/
ptr = set_tag ( ptr , KASAN_TAG_KERNEL ) ;
/* This access shouldn't trigger a KASAN report. */
* ptr = 0 ;
/* Recover the pointer tag and free. */
ptr = set_tag ( ptr , tag ) ;
kfree ( ptr ) ;
}
/* Check that there are no match-all memory tags for tag-based modes. */
static void match_all_mem_tag ( struct kunit * test )
{
char * ptr ;
int tag ;
KASAN_TEST_NEEDS_CONFIG_OFF ( test , CONFIG_KASAN_GENERIC ) ;
ptr = kmalloc ( 128 , GFP_KERNEL ) ;
KUNIT_ASSERT_NOT_ERR_OR_NULL ( test , ptr ) ;
KUNIT_EXPECT_NE ( test , ( u8 ) get_tag ( ptr ) , ( u8 ) KASAN_TAG_KERNEL ) ;
/* For each possible tag value not matching the pointer tag. */
for ( tag = KASAN_TAG_MIN ; tag < = KASAN_TAG_KERNEL ; tag + + ) {
2023-12-21 21:04:53 +01:00
/*
* For Software Tag - Based KASAN , skip the majority of tag
* values to avoid the test printing too many reports .
*/
if ( IS_ENABLED ( CONFIG_KASAN_SW_TAGS ) & &
tag > = KASAN_TAG_MIN + 8 & & tag < = KASAN_TAG_KERNEL - 8 )
continue ;
2021-02-24 12:05:21 -08:00
if ( tag = = get_tag ( ptr ) )
continue ;
/* Mark the first memory granule with the chosen memory tag. */
2021-04-29 22:59:59 -07:00
kasan_poison ( ptr , KASAN_GRANULE_SIZE , ( u8 ) tag , false ) ;
2021-02-24 12:05:21 -08:00
/* This access must cause a KASAN report. */
KUNIT_EXPECT_KASAN_FAIL ( test , * ptr = 0 ) ;
}
/* Recover the memory tag and free. */
2021-04-29 22:59:59 -07:00
kasan_poison ( ptr , KASAN_GRANULE_SIZE , get_tag ( ptr ) , false ) ;
2021-02-24 12:05:21 -08:00
kfree ( ptr ) ;
}
2020-10-13 16:55:06 -07:00
static struct kunit_case kasan_kunit_test_cases [ ] = {
KUNIT_CASE ( kmalloc_oob_right ) ,
KUNIT_CASE ( kmalloc_oob_left ) ,
KUNIT_CASE ( kmalloc_node_oob_right ) ,
2023-12-19 23:29:02 +01:00
KUNIT_CASE ( kmalloc_big_oob_right ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kmalloc_large_oob_right ) ,
2023-12-19 23:29:01 +01:00
KUNIT_CASE ( kmalloc_large_uaf ) ,
KUNIT_CASE ( kmalloc_large_invalid_free ) ,
KUNIT_CASE ( page_alloc_oob_right ) ,
KUNIT_CASE ( page_alloc_uaf ) ,
2021-02-25 17:20:15 -08:00
KUNIT_CASE ( krealloc_more_oob ) ,
KUNIT_CASE ( krealloc_less_oob ) ,
2023-12-19 23:29:01 +01:00
KUNIT_CASE ( krealloc_large_more_oob ) ,
KUNIT_CASE ( krealloc_large_less_oob ) ,
2021-02-25 17:20:19 -08:00
KUNIT_CASE ( krealloc_uaf ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kmalloc_oob_16 ) ,
2020-11-01 17:07:37 -08:00
KUNIT_CASE ( kmalloc_uaf_16 ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kmalloc_oob_in_memset ) ,
KUNIT_CASE ( kmalloc_oob_memset_2 ) ,
KUNIT_CASE ( kmalloc_oob_memset_4 ) ,
KUNIT_CASE ( kmalloc_oob_memset_8 ) ,
KUNIT_CASE ( kmalloc_oob_memset_16 ) ,
2021-11-05 13:35:56 -07:00
KUNIT_CASE ( kmalloc_memmove_negative_size ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kmalloc_memmove_invalid_size ) ,
KUNIT_CASE ( kmalloc_uaf ) ,
KUNIT_CASE ( kmalloc_uaf_memset ) ,
KUNIT_CASE ( kmalloc_uaf2 ) ,
2022-09-05 23:05:49 +02:00
KUNIT_CASE ( kmalloc_uaf3 ) ,
2023-12-19 23:29:02 +01:00
KUNIT_CASE ( kmalloc_double_kzfree ) ,
KUNIT_CASE ( ksize_unpoisons_memory ) ,
KUNIT_CASE ( ksize_uaf ) ,
KUNIT_CASE ( rcu_uaf ) ,
KUNIT_CASE ( workqueue_uaf ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kfree_via_page ) ,
KUNIT_CASE ( kfree_via_phys ) ,
KUNIT_CASE ( kmem_cache_oob ) ,
2023-12-19 23:29:02 +01:00
KUNIT_CASE ( kmem_cache_double_free ) ,
KUNIT_CASE ( kmem_cache_invalid_free ) ,
KUNIT_CASE ( kmem_cache_double_destroy ) ,
2021-02-24 12:05:59 -08:00
KUNIT_CASE ( kmem_cache_accounted ) ,
KUNIT_CASE ( kmem_cache_bulk ) ,
2023-12-19 23:29:00 +01:00
KUNIT_CASE ( mempool_kmalloc_oob_right ) ,
KUNIT_CASE ( mempool_kmalloc_large_oob_right ) ,
KUNIT_CASE ( mempool_slab_oob_right ) ,
KUNIT_CASE ( mempool_kmalloc_uaf ) ,
KUNIT_CASE ( mempool_kmalloc_large_uaf ) ,
KUNIT_CASE ( mempool_slab_uaf ) ,
KUNIT_CASE ( mempool_page_alloc_uaf ) ,
KUNIT_CASE ( mempool_kmalloc_double_free ) ,
KUNIT_CASE ( mempool_kmalloc_large_double_free ) ,
KUNIT_CASE ( mempool_page_alloc_double_free ) ,
KUNIT_CASE ( mempool_kmalloc_invalid_free ) ,
KUNIT_CASE ( mempool_kmalloc_large_invalid_free ) ,
2022-01-14 14:04:51 -08:00
KUNIT_CASE ( kasan_global_oob_right ) ,
KUNIT_CASE ( kasan_global_oob_left ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( kasan_stack_oob ) ,
KUNIT_CASE ( kasan_alloca_oob_left ) ,
KUNIT_CASE ( kasan_alloca_oob_right ) ,
KUNIT_CASE ( kasan_memchr ) ,
KUNIT_CASE ( kasan_memcmp ) ,
KUNIT_CASE ( kasan_strings ) ,
2020-11-01 17:07:37 -08:00
KUNIT_CASE ( kasan_bitops_generic ) ,
KUNIT_CASE ( kasan_bitops_tags ) ,
2024-02-02 11:32:59 +00:00
KUNIT_CASE ( kasan_atomics ) ,
2022-03-24 18:11:59 -07:00
KUNIT_CASE ( vmalloc_helpers_tags ) ,
2020-10-13 16:55:06 -07:00
KUNIT_CASE ( vmalloc_oob ) ,
2022-03-24 18:11:59 -07:00
KUNIT_CASE ( vmap_tags ) ,
KUNIT_CASE ( vm_map_ram_tags ) ,
KUNIT_CASE ( vmalloc_percpu ) ,
2021-02-24 12:05:21 -08:00
KUNIT_CASE ( match_all_not_assigned ) ,
KUNIT_CASE ( match_all_ptr_tag ) ,
KUNIT_CASE ( match_all_mem_tag ) ,
2020-10-13 16:55:06 -07:00
{ }
} ;
static struct kunit_suite kasan_kunit_test_suite = {
. name = " kasan " ,
. test_cases = kasan_kunit_test_cases ,
. exit = kasan_test_exit ,
2022-09-27 19:09:09 +02:00
. suite_init = kasan_suite_init ,
. suite_exit = kasan_suite_exit ,
2020-10-13 16:55:06 -07:00
} ;
kunit_test_suite ( kasan_kunit_test_suite ) ;
2015-02-13 14:39:53 -08:00
MODULE_LICENSE ( " GPL " ) ;