lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 21 Apr 2020 09:40:07 +0800
From:   Walter Wu <walter-zh.wu@...iatek.com>
To:     Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Andrey Konovalov <andreyknvl@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>
CC:     <kasan-dev@...glegroups.com>, <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        wsd_upstream <wsd_upstream@...iatek.com>,
        <linux-mediatek@...ts.infradead.org>,
        Walter Wu <walter-zh.wu@...iatek.com>
Subject: [PATCH] kasan: fix KASAN unit tests for tag-based KASAN

When we use tag-based KASAN, then KASAN unit tests don't detect
out-of-bounds memory access. Because with tag-based KASAN the state
of each 16 aligned bytes of memory is encoded in one shadow byte
and the shadow value is tag of pointer, so we need to read next
shadow byte, the shadow value is not equal to tag of pointer,
then tag-based KASAN will detect out-of-bounds memory access.

Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Alexander Potapenko <glider@...gle.com>
Cc: Matthias Brugger <matthias.bgg@...il.com>
Cc: Andrey Konovalov <andreyknvl@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
---
 lib/test_kasan.c | 62 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 55 insertions(+), 7 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index e3087d90e00d..a164f6b47fe5 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -40,7 +40,12 @@ static noinline void __init kmalloc_oob_right(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	ptr[size] = 'x';
+#else
+	ptr[size + 5] = 'x';
+#endif
+
 	kfree(ptr);
 }
 
@@ -92,7 +97,12 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	ptr[size] = 0;
+#else
+	ptr[size + 6] = 0;
+#endif
+
 	kfree(ptr);
 }
 
@@ -162,7 +172,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	ptr2[size2] = 'x';
+#else
+	ptr2[size2 + 13] = 'x';
+#endif
 	kfree(ptr2);
 }
 
@@ -180,7 +194,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
 		kfree(ptr1);
 		return;
 	}
+
+#ifdef CONFIG_KASAN_GENERIC
 	ptr2[size2] = 'x';
+#else
+	ptr2[size2 + 2] = 'x';
+#endif
 	kfree(ptr2);
 }
 
@@ -216,7 +235,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	memset(ptr+7, 0, 2);
+#else
+	memset(ptr+15, 0, 2);
+#endif
 	kfree(ptr);
 }
 
@@ -232,7 +255,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	memset(ptr+5, 0, 4);
+#else
+	memset(ptr+15, 0, 4);
+#endif
 	kfree(ptr);
 }
 
@@ -249,7 +276,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	memset(ptr+1, 0, 8);
+#else
+	memset(ptr+15, 0, 8);
+#endif
 	kfree(ptr);
 }
 
@@ -265,7 +296,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	memset(ptr+1, 0, 16);
+#else
+	memset(ptr+15, 0, 16);
+#endif
 	kfree(ptr);
 }
 
@@ -281,7 +316,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	memset(ptr, 0, size+5);
+#else
+	memset(ptr, 0, size+7);
+#endif
 	kfree(ptr);
 }
 
@@ -415,7 +454,11 @@ static noinline void __init kmem_cache_oob(void)
 		return;
 	}
 
+#ifdef CONFIG_KASAN_GENERIC
 	*p = p[size];
+#else
+	*p = p[size + 8];
+#endif
 	kmem_cache_free(cache, p);
 	kmem_cache_destroy(cache);
 }
@@ -497,6 +540,11 @@ static noinline void __init copy_user_test(void)
 	char __user *usermem;
 	size_t size = 10;
 	int unused;
+#ifdef CONFIG_KASAN_GENERIC
+	size_t oob_size = 1;
+#else
+	size_t oob_size = 7;
+#endif
 
 	kmem = kmalloc(size, GFP_KERNEL);
 	if (!kmem)
@@ -512,25 +560,25 @@ static noinline void __init copy_user_test(void)
 	}
 
 	pr_info("out-of-bounds in copy_from_user()\n");
-	unused = copy_from_user(kmem, usermem, size + 1);
+	unused = copy_from_user(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in copy_to_user()\n");
-	unused = copy_to_user(usermem, kmem, size + 1);
+	unused = copy_to_user(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_from_user()\n");
-	unused = __copy_from_user(kmem, usermem, size + 1);
+	unused = __copy_from_user(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_to_user()\n");
-	unused = __copy_to_user(usermem, kmem, size + 1);
+	unused = __copy_to_user(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
-	unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
+	unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
-	unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
+	unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in strncpy_from_user()\n");
-	unused = strncpy_from_user(kmem, usermem, size + 1);
+	unused = strncpy_from_user(kmem, usermem, size + oob_size);
 
 	vm_munmap((unsigned long)usermem, PAGE_SIZE);
 	kfree(kmem);
-- 
2.18.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ