[PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

Walter Wu walter-zh.wu at mediatek.com
Mon Jul 6 02:59:15 EDT 2020


On Mon, 2020-07-06 at 08:19 +0200, Dmitry Vyukov wrote:
> On Mon, Jul 6, 2020 at 4:21 AM Walter Wu <walter-zh.wu at mediatek.com> wrote:
> >
> > We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
> > memory access. They need to be fixed.
> >
> > With tag-based KASAN, the state of each 16 aligned bytes of memory is
> > encoded in one shadow byte and the shadow value is tag of pointer, so
> > we need to read next shadow byte, the shadow value is not equal to tag
> > value of pointer, so that tag-based KASAN will detect out-of-bounds
> > memory access.
> >
> > Signed-off-by: Walter Wu <walter-zh.wu at mediatek.com>
> > Cc: Andrey Ryabinin <aryabinin at virtuozzo.com>
> > Cc: Dmitry Vyukov <dvyukov at google.com>
> > Cc: Alexander Potapenko <glider at google.com>
> > Cc: Matthias Brugger <matthias.bgg at gmail.com>
> > Cc: Andrey Konovalov <andreyknvl at google.com>
> > Cc: Andrew Morton <akpm at linux-foundation.org>
> > ---
> >
> > changes since v1:
> > - Reduce amount of non-compiled code.
> > - KUnit-KASAN Integration patchset are not merged yet. My patch should
> >   have conflict with it, if needed, we can continue to wait it.
> >
> > ---
> >
> >  lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
> >  1 file changed, 64 insertions(+), 17 deletions(-)
> >
> > diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> > index e3087d90e00d..660664439d52 100644
> > --- a/lib/test_kasan.c
> > +++ b/lib/test_kasan.c
> > @@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
> >                 return;
> >         }
> >
> > -       ptr[size] = 'x';
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               ptr[size] = 'x';
> > +       else
> > +               ptr[size + 5] = 'x';
> > +
> 
> Hi Walter,
> 
> Would if be possible to introduce something like:
> 
> #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 8)
> 

It is good suggestion. Thanks.

> and then add it throughout as
> 
>         ptr[size + OOB_TAG_OFF] = 'x';
> 
> ?
> The current version results in quite some amount of additional code
> that needs to be read, extended  and maintained in the future. So I am
> thinking if it's possible to minimize it somehow...
> 

Ok, I will send next patch by your suggestion.

Thanks.

> >         kfree(ptr);
> >  }
> >
> > @@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
> >                 return;
> >         }
> >
> > -       ptr[size] = 0;
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               ptr[size] = 0;
> > +       else
> > +               ptr[size + 6] = 0;
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
> >                 return;
> >         }
> >
> > -       ptr2[size2] = 'x';
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               ptr2[size2] = 'x';
> > +       else
> > +               ptr2[size2 + 13] = 'x';
> > +
> >         kfree(ptr2);
> >  }
> >
> > @@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
> >                 kfree(ptr1);
> >                 return;
> >         }
> > -       ptr2[size2] = 'x';
> > +
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               ptr2[size2] = 'x';
> > +       else
> > +               ptr2[size2 + 2] = 'x';
> > +
> >         kfree(ptr2);
> >  }
> >
> > @@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
> >                 return;
> >         }
> >
> > -       memset(ptr+7, 0, 2);
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               memset(ptr+7, 0, 2);
> > +       else
> > +               memset(ptr+15, 0, 2);
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
> >                 return;
> >         }
> >
> > -       memset(ptr+5, 0, 4);
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               memset(ptr+5, 0, 4);
> > +       else
> > +               memset(ptr+15, 0, 4);
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
> >                 return;
> >         }
> >
> > -       memset(ptr+1, 0, 8);
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               memset(ptr+1, 0, 8);
> > +       else
> > +               memset(ptr+15, 0, 8);
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
> >                 return;
> >         }
> >
> > -       memset(ptr+1, 0, 16);
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               memset(ptr+1, 0, 16);
> > +       else
> > +               memset(ptr+15, 0, 16);
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
> >                 return;
> >         }
> >
> > -       memset(ptr, 0, size+5);
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               memset(ptr, 0, size+5);
> > +       else
> > +               memset(ptr, 0, size+7);
> > +
> >         kfree(ptr);
> >  }
> >
> > @@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
> >                 return;
> >         }
> >
> > -       *p = p[size];
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               *p = p[size];
> > +       else
> > +               *p = p[size + 8];
> > +
> >         kmem_cache_free(cache, p);
> >         kmem_cache_destroy(cache);
> >  }
> > @@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
> >         char __user *usermem;
> >         size_t size = 10;
> >         int unused;
> > +       size_t oob_size;
> >
> >         kmem = kmalloc(size, GFP_KERNEL);
> >         if (!kmem)
> > @@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
> >                 return;
> >         }
> >
> > +       if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> > +               oob_size = 1;
> > +       else
> > +               oob_size = 7;
> > +
> >         pr_info("out-of-bounds in copy_from_user()\n");
> > -       unused = copy_from_user(kmem, usermem, size + 1);
> > +       unused = copy_from_user(kmem, usermem, size + oob_size);
> >
> >         pr_info("out-of-bounds in copy_to_user()\n");
> > -       unused = copy_to_user(usermem, kmem, size + 1);
> > +       unused = copy_to_user(usermem, kmem, size + oob_size);
> >
> >         pr_info("out-of-bounds in __copy_from_user()\n");
> > -       unused = __copy_from_user(kmem, usermem, size + 1);
> > +       unused = __copy_from_user(kmem, usermem, size + oob_size);
> >
> >         pr_info("out-of-bounds in __copy_to_user()\n");
> > -       unused = __copy_to_user(usermem, kmem, size + 1);
> > +       unused = __copy_to_user(usermem, kmem, size + oob_size);
> >
> >         pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
> > -       unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
> > +       unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
> >
> >         pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
> > -       unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
> > +       unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
> >
> >         pr_info("out-of-bounds in strncpy_from_user()\n");
> > -       unused = strncpy_from_user(kmem, usermem, size + 1);
> > +       unused = strncpy_from_user(kmem, usermem, size + oob_size);
> >
> >         vm_munmap((unsigned long)usermem, PAGE_SIZE);
> >         kfree(kmem);
> > --
> > 2.18.0
> >
> > --
> > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe at googlegroups.com.
> > To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu*40mediatek.com__;JQ!!CTRNKA9wMg0ARbw!zqGS_g-oLI7o6850GjV_P7YQPr8SufdeC8fbnt27o4WtvhX5PZ8-eZ6BWyF3bwm7Tizipw$ .



More information about the Linux-mediatek mailing list