kasan: test: avoid corrupting memory via memset
kmalloc_oob_memset_*() tests do writes past the allocated objects. As the result, they corrupt memory, which might lead to crashes with the HW_TAGS mode, as it neither uses quarantine nor redzones. Adjust the tests to only write memory within the aligned kmalloc objects. Also add a comment mentioning that memset tests are designed to touch both valid and invalid memory. Link: https://lkml.kernel.org/r/64fd457668a16e7b58d094f14a165f9d5170c5a9.1628779805.git.andreyknvl@gmail.com Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com> Reviewed-by: Marco Elver <elver@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
8fbad19bdc
commit
555999a009
@ -428,64 +428,70 @@ static void kmalloc_uaf_16(struct kunit *test)
|
||||
kfree(ptr1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Note: in the memset tests below, the written range touches both valid and
|
||||
* invalid memory. This makes sure that the instrumentation does not only check
|
||||
* the starting address but the whole range.
|
||||
*/
|
||||
|
||||
static void kmalloc_oob_memset_2(struct kunit *test)
|
||||
{
|
||||
char *ptr;
|
||||
size_t size = 8;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
|
||||
ptr = kmalloc(size, GFP_KERNEL);
|
||||
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
|
||||
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, 2));
|
||||
kfree(ptr);
|
||||
}
|
||||
|
||||
static void kmalloc_oob_memset_4(struct kunit *test)
|
||||
{
|
||||
char *ptr;
|
||||
size_t size = 8;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
|
||||
ptr = kmalloc(size, GFP_KERNEL);
|
||||
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
|
||||
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, 4));
|
||||
kfree(ptr);
|
||||
}
|
||||
|
||||
|
||||
static void kmalloc_oob_memset_8(struct kunit *test)
|
||||
{
|
||||
char *ptr;
|
||||
size_t size = 8;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
|
||||
ptr = kmalloc(size, GFP_KERNEL);
|
||||
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
|
||||
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, 8));
|
||||
kfree(ptr);
|
||||
}
|
||||
|
||||
static void kmalloc_oob_memset_16(struct kunit *test)
|
||||
{
|
||||
char *ptr;
|
||||
size_t size = 16;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
|
||||
ptr = kmalloc(size, GFP_KERNEL);
|
||||
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
|
||||
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, 16));
|
||||
kfree(ptr);
|
||||
}
|
||||
|
||||
static void kmalloc_oob_in_memset(struct kunit *test)
|
||||
{
|
||||
char *ptr;
|
||||
size_t size = 666;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
|
||||
ptr = kmalloc(size, GFP_KERNEL);
|
||||
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
|
||||
|
||||
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
|
||||
KUNIT_EXPECT_KASAN_FAIL(test,
|
||||
memset(ptr, 0, size + KASAN_GRANULE_SIZE));
|
||||
kfree(ptr);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user