Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-01-08 14:13:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

lib/test_kasan.c: add tests for several string/memory API functions

Browse Source 
Arch code may have asm implementation of string/memory API functions
instead of using generic one from lib/string.c.  KASAN don't see memory
accesses in asm code, thus can miss many bugs.

E.g.  on ARM64 KASAN don't see bugs in memchr(), memcmp(), str[r]chr(),
str[n]cmp(), str[n]len().  Add tests for these functions to be sure that
we notice the problem on other architectures.

Link: http://lkml.kernel.org/r/20180920135631.23833-3-aryabinin@virtuozzo.com
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Andrey Ryabinin 2018-10-26 15:02:34 -07:00 committed by Linus Torvalds
parent 19a2ca0fb5
commit 0c96350a2d
1 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
lib/test_kasan.c
View File

@ -579,6 +579,73 @@ static noinline void __init kmem_cache_invalid_free(void)
kmem_cache_destroy(cache); kmem_cache_destroy(cache);
} }
static noinline void __init kasan_memchr(void)
{
char *ptr;
size_t size = 24;
pr_info("out-of-bounds in memchr\n");
ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!ptr)
return;
memchr(ptr, '1', size + 1);
kfree(ptr);
}
static noinline void __init kasan_memcmp(void)
{
char *ptr;
size_t size = 24;
int arr[9];
pr_info("out-of-bounds in memcmp\n");
ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!ptr)
return;
memset(arr, 0, sizeof(arr));
memcmp(ptr, arr, size+1);
kfree(ptr);
}
static noinline void __init kasan_strings(void)
{
char *ptr;
size_t size = 24;
pr_info("use-after-free in strchr\n");
ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!ptr)
return;
kfree(ptr);
/*
* Try to cause only 1 invalid access (less spam in dmesg).
* For that we need ptr to point to zeroed byte.
* Skip metadata that could be stored in freed object so ptr
* will likely point to zeroed byte.
*/
ptr += 16;
strchr(ptr, '1');
pr_info("use-after-free in strrchr\n");
strrchr(ptr, '1');
pr_info("use-after-free in strcmp\n");
strcmp(ptr, "2");
pr_info("use-after-free in strncmp\n");
strncmp(ptr, "2", 1);
pr_info("use-after-free in strlen\n");
strlen(ptr);
pr_info("use-after-free in strnlen\n");
strnlen(ptr, 1);
}
static int __init kmalloc_tests_init(void) static int __init kmalloc_tests_init(void)
{ {
/* /*
@ -618,6 +685,9 @@ static int __init kmalloc_tests_init(void)
use_after_scope_test(); use_after_scope_test();
kmem_cache_double_free(); kmem_cache_double_free();
kmem_cache_invalid_free(); kmem_cache_invalid_free();
kasan_memchr();
kasan_memcmp();
kasan_strings();
kasan_restore_multi_shot(multishot); kasan_restore_multi_shot(multishot);