lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160529161707.GA5711@cherokee.in.rdlabs.hpecorp.net>
Date:	Sun, 29 May 2016 21:47:07 +0530
From:	Kuthonuzo Luruo <kuthonuzo.luruo@....com>
To:	aryabinin@...tuozzo.com, glider@...gle.com, dvyukov@...gle.com,
	cl@...ux.com, penberg@...nel.org, rientjes@...gle.com,
	iamjoonsoo.kim@....com, akpm@...ux-foundation.org
Cc:	kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org,
	ynorov@...iumnetworks.com, kuthonuzo.luruo@....com
Subject: [PATCH v4 2/2] kasan: add double-free tests

This patch adds new tests for KASAN double-free error detection when the
same slab object is concurrently deallocated.

Signed-off-by: Kuthonuzo Luruo <kuthonuzo.luruo@....com>
---

Changes in v4:
- There are *no* changes for v4.

Changes in v3:
- concurrent double-free test simplified to use on_each_cpu_mask() instead
  of custom threads.
- reduced #threads and removed CONFIG_SMP guards per suggestion from Dmitry
  Vyukov.

---

 lib/test_kasan.c |   47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 47 insertions(+), 0 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 5e51872..0f589e7 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -411,6 +411,49 @@ static noinline void __init copy_user_test(void)
 	kfree(kmem);
 }
 
+#ifdef CONFIG_SLAB
+static void try_free(void *p)
+{
+	kfree(p);
+}
+
+static void __init kasan_double_free_concurrent(void)
+{
+#define MAX_THREADS 3
+	char *p;
+	int cpu, cnt = num_online_cpus();
+	cpumask_t mask = { CPU_BITS_NONE };
+	size_t size = 4097;     /* must be <= KMALLOC_MAX_CACHE_SIZE/2 */
+
+	if (cnt == 1)
+		return;
+	cnt = cnt < MAX_THREADS ? cnt : MAX_THREADS;
+	pr_info("concurrent double-free (%d threads)\n", cnt);
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p)
+		return;
+	for_each_online_cpu(cpu) {
+		cpumask_set_cpu(cpu, &mask);
+		if (!--cnt)
+			break;
+	}
+	on_each_cpu_mask(&mask, try_free, p, 0);
+}
+
+static noinline void __init kasan_double_free(void)
+{
+	char *p;
+	size_t size = 2049;
+
+	pr_info("double-free\n");
+	p = kmalloc(size, GFP_KERNEL);
+	if (!p)
+		return;
+	kfree(p);
+	kfree(p);
+}
+#endif
+
 static int __init kmalloc_tests_init(void)
 {
 	kmalloc_oob_right();
@@ -436,6 +479,10 @@ static int __init kmalloc_tests_init(void)
 	kasan_global_oob();
 	ksize_unpoisons_memory();
 	copy_user_test();
+#ifdef CONFIG_SLAB
+	kasan_double_free();
+	kasan_double_free_concurrent();
+#endif
 	return -EAGAIN;
 }
 
-- 
1.7.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ