lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160506115048.GA2611@cherokee.in.rdlabs.hpecorp.net>
Date:	Fri, 6 May 2016 17:20:48 +0530
From:	Kuthonuzo Luruo <kuthonuzo.luruo@....com>
To:	aryabinin@...tuozzo.com, glider@...gle.com, dvyukov@...gle.com,
	cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
	iamjoonsoo.kim@....com, akpm@...ux-foundation.org
Cc:	kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org,
	linux-mm@...ck.org, kuthonuzo.luruo@....com
Subject: [PATCH v2 2/2] kasan: add kasan_double_free() test

This patch adds a new 'test_kasan' test for KASAN double-free error
detection when the same slab object is concurrently deallocated.

Signed-off-by: Kuthonuzo Luruo <kuthonuzo.luruo@....com>
---
Changes in v2:
- This patch is new for v2.
---
 lib/test_kasan.c |   79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 79 insertions(+), 0 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index bd75a03..dec5f74 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -16,6 +16,7 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/module.h>
+#include <linux/kthread.h>
 
 static noinline void __init kmalloc_oob_right(void)
 {
@@ -389,6 +390,83 @@ static noinline void __init ksize_unpoisons_memory(void)
 	kfree(ptr);
 }
 
+#ifdef CONFIG_SLAB
+#ifdef CONFIG_SMP
+static DECLARE_COMPLETION(starting_gun);
+static DECLARE_COMPLETION(finish_line);
+
+static int try_free(void *p)
+{
+	wait_for_completion(&starting_gun);
+	kfree(p);
+	complete(&finish_line);
+	return 0;
+}
+
+/*
+ * allocs an object; then all cpus concurrently attempt to free the
+ * same object.
+ */
+static noinline void __init kasan_double_free(void)
+{
+	char *p;
+	int cpu;
+	struct task_struct **tasks;
+	size_t size = (KMALLOC_MAX_CACHE_SIZE/4 + 1);
+
+	/*
+	 * max slab size instrumented by KASAN is KMALLOC_MAX_CACHE_SIZE/2.
+	 * Do not increase size beyond this: slab corruption from double-free
+	 * may ensue.
+	 */
+	pr_info("concurrent double-free test\n");
+	init_completion(&starting_gun);
+	init_completion(&finish_line);
+	tasks = kzalloc((sizeof(tasks) * nr_cpu_ids), GFP_KERNEL);
+	if (!tasks) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+
+	for_each_online_cpu(cpu) {
+		tasks[cpu] = kthread_create(try_free, (void *)p, "try_free%d",
+				cpu);
+		if (IS_ERR(tasks[cpu])) {
+			WARN(1, "kthread_create failed.\n");
+			return;
+		}
+		kthread_bind(tasks[cpu], cpu);
+		wake_up_process(tasks[cpu]);
+	}
+
+	complete_all(&starting_gun);
+	for_each_online_cpu(cpu)
+		wait_for_completion(&finish_line);
+	kfree(tasks);
+}
+#else
+static noinline void __init kasan_double_free(void)
+{
+	char *p;
+	size_t size = 2049;
+
+	pr_info("double-free test\n");
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+	kfree(p);
+	kfree(p);
+}
+#endif
+#endif
+
 static int __init kmalloc_tests_init(void)
 {
 	kmalloc_oob_right();
@@ -414,6 +492,7 @@ static int __init kmalloc_tests_init(void)
 	kasan_global_oob();
 #ifdef CONFIG_SLAB
 	kasan_quarantine_cache();
+	kasan_double_free();
 #endif
 	ksize_unpoisons_memory();
 	return -EAGAIN;
-- 
1.7.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ