kasan: test: avoid corrupting memory in copy_user_test
copy_user_test() does writes past the allocated object. As the result, it corrupts kernel memory, which might lead to crashes with the HW_TAGS mode, as it neither uses quarantine nor redzones. (Technically, this test can't yet be enabled with the HW_TAGS mode, but this will be implemented in the future.) Adjust the test to only write memory within the aligned kmalloc object. Link: https://lkml.kernel.org/r/19bf3a5112ee65b7db88dc731643b657b816c5e8.1628779805.git.andreyknvl@gmail.com Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com> Reviewed-by: Marco Elver <elver@google.com> Cc: Alexander Potapenko <glider@google.com> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com> Cc: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
b38fcca339
commit
756e5a47a5
@ -15,13 +15,11 @@
|
||||
|
||||
#include "../mm/kasan/kasan.h"
|
||||
|
||||
#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
|
||||
|
||||
static noinline void __init copy_user_test(void)
|
||||
{
|
||||
char *kmem;
|
||||
char __user *usermem;
|
||||
size_t size = 10;
|
||||
size_t size = 128 - KASAN_GRANULE_SIZE;
|
||||
int __maybe_unused unused;
|
||||
|
||||
kmem = kmalloc(size, GFP_KERNEL);
|
||||
@ -38,25 +36,25 @@ static noinline void __init copy_user_test(void)
|
||||
}
|
||||
|
||||
pr_info("out-of-bounds in copy_from_user()\n");
|
||||
unused = copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);
|
||||
unused = copy_from_user(kmem, usermem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in copy_to_user()\n");
|
||||
unused = copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF);
|
||||
unused = copy_to_user(usermem, kmem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in __copy_from_user()\n");
|
||||
unused = __copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);
|
||||
unused = __copy_from_user(kmem, usermem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in __copy_to_user()\n");
|
||||
unused = __copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF);
|
||||
unused = __copy_to_user(usermem, kmem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
|
||||
unused = __copy_from_user_inatomic(kmem, usermem, size + 1 + OOB_TAG_OFF);
|
||||
unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
|
||||
unused = __copy_to_user_inatomic(usermem, kmem, size + 1 + OOB_TAG_OFF);
|
||||
unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
|
||||
|
||||
pr_info("out-of-bounds in strncpy_from_user()\n");
|
||||
unused = strncpy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);
|
||||
unused = strncpy_from_user(kmem, usermem, size + 1);
|
||||
|
||||
vm_munmap((unsigned long)usermem, PAGE_SIZE);
|
||||
kfree(kmem);
|
||||
|
Loading…
Reference in New Issue
Block a user