Date:	Tue, 7 Jun 2016 16:02:34 +0200
From:	Alexander Potapenko <glider@...gle.com>
To:	Kuthonuzo Luruo <kuthonuzo.luruo@....com>
Cc:	Andrey Ryabinin <aryabinin@...tuozzo.com>,
	Dmitriy Vyukov <dvyukov@...gle.com>,
	Christoph Lameter <cl@...ux.com>, penberg@...nel.org,
	rientjes@...gle.com, Joonsoo Kim <iamjoonsoo.kim@....com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	kasan-dev <kasan-dev@...glegroups.com>,
	LKML <linux-kernel@...r.kernel.org>, ynorov@...iumnetworks.com
Subject: Re: [PATCH v4 2/2] kasan: add double-free tests

On Sun, May 29, 2016 at 6:17 PM, Kuthonuzo Luruo
<kuthonuzo.luruo@....com> wrote:
> This patch adds new tests for KASAN double-free error detection when the
> same slab object is concurrently deallocated.
>
> Signed-off-by: Kuthonuzo Luruo <kuthonuzo.luruo@....com>
> ---
>
> Changes in v4:
> - There are *no* changes for v4.
>
> Changes in v3:
> - concurrent double-free test simplified to use on_each_cpu_mask() instead
>   of custom threads.
> - reduced #threads and removed CONFIG_SMP guards per suggestion from Dmitry
>   Vyukov.
>
> ---
>
>  lib/test_kasan.c |   47 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 47 insertions(+), 0 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 5e51872..0f589e7 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -411,6 +411,49 @@ static noinline void __init copy_user_test(void)
>         kfree(kmem);
>  }
>
> +#ifdef CONFIG_SLAB
> +static void try_free(void *p)
> +{
> +       kfree(p);
> +}
> +
> +static void __init kasan_double_free_concurrent(void)
> +{
> +#define MAX_THREADS 3
> +       char *p;
> +       int cpu, cnt = num_online_cpus();
> +       cpumask_t mask = { CPU_BITS_NONE };
> +       size_t size = 4097;     /* must be <= KMALLOC_MAX_CACHE_SIZE/2 */
Can you please explicitly calculate |size| from KMALLOC_MAX_CACHE_SIZE?
> +
> +       if (cnt == 1)
> +               return;
> +       cnt = cnt < MAX_THREADS ? cnt : MAX_THREADS;
> +       pr_info("concurrent double-free (%d threads)\n", cnt);
> +       p = kmalloc(size, GFP_KERNEL);
> +       if (!p)
> +               return;
> +       for_each_online_cpu(cpu) {
> +               cpumask_set_cpu(cpu, &mask);
> +               if (!--cnt)
> +                       break;
> +       }
> +       on_each_cpu_mask(&mask, try_free, p, 0);
> +}
> +
> +static noinline void __init kasan_double_free(void)
> +{
> +       char *p;
> +       size_t size = 2049;
Please avoid using magic constants.
> +
> +       pr_info("double-free\n");
> +       p = kmalloc(size, GFP_KERNEL);
> +       if (!p)
> +               return;
> +       kfree(p);
> +       kfree(p);
> +}
> +#endif
> +
>  static int __init kmalloc_tests_init(void)
>  {
>         kmalloc_oob_right();
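Review bot: In kasan_double_free_concurrent(), on_each_cpu_mask(&mask, try_free, p, 0) passes wait as 0, so the test can return before the other CPUs have run try_free(). kmalloc_tests_init() then goes on to return -EAGAIN, which leaves the remote kfree() calls racing with the end of init. Passing 1 for wait would make the test finish only after every selected CPU has attempted the free. Two smaller points in the same hunk: kasan_double_free_concurrent() lacks the noinline that kasan_double_free() carries, and MAX_THREADS is defined inside the function body and never undefined, so a file-scope definition next to the other test constants would be cleaner. The early return for cnt == 1 is also silent; a pr_info() saying the concurrent test was skipped would make the log unambiguous.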
> @@ -436,6 +479,10 @@ static int __init kmalloc_tests_init(void)
>         kasan_global_oob();
>         ksize_unpoisons_memory();
>         copy_user_test();
> +#ifdef CONFIG_SLAB
> +       kasan_double_free();
> +       kasan_double_free_concurrent();
> +#endif
>         return -EAGAIN;
>  }
>
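Review bot: The #ifdef CONFIG_SLAB block around the two new calls in kmalloc_tests_init() puts preprocessor conditionals inside the function body. Providing empty kasan_double_free() and kasan_double_free_concurrent() stubs in an #else branch next to the definitions would let the calls here stay unconditional. As written, a non-SLAB build skips both tests without any message in the log, so a stub that prints a "skipped" line would also tell whoever reads the test output that double-free detection was not exercised.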
> --
> 1.7.1
>



-- 
Alexander Potapenko
Software Engineer

Google Germany GmbH
Erika-Mann-Straße, 33
80636 München

Managing Directors: Matthew Scott Sucherman, Paul Terence Manicle
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
