lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 May 2020 14:30:17 +0800 From: Walter Wu <walter-zh.wu@...iatek.com> To: Andrey Ryabinin <aryabinin@...tuozzo.com>, Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Matthias Brugger <matthias.bgg@...il.com> CC: <kasan-dev@...glegroups.com>, <linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>, <linux-arm-kernel@...ts.infradead.org>, wsd_upstream <wsd_upstream@...iatek.com>, <linux-mediatek@...ts.infradead.org>, Walter Wu <walter-zh.wu@...iatek.com> Subject: [PATCH v3 3/4] kasan: add tests for call_rcu stack recording Test call_rcu() call stack recording whether it correctly is printed in KASAN report. Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com> Cc: Andrey Ryabinin <aryabinin@...tuozzo.com> Cc: Dmitry Vyukov <dvyukov@...gle.com> Cc: Alexander Potapenko <glider@...gle.com> Cc: Matthias Brugger <matthias.bgg@...il.com> --- lib/test_kasan.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index e3087d90e00d..0e9ff02f0a8b 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -792,6 +792,35 @@ static noinline void __init vmalloc_oob(void) static void __init vmalloc_oob(void) {} #endif +static struct kasan_rcu_info { + int i; + struct rcu_head rcu; +} *global_ptr; + +static noinline void __init kasan_rcu_reclaim(struct rcu_head *rp) +{ + struct kasan_rcu_info *fp = container_of(rp, + struct kasan_rcu_info, rcu); + + kfree(fp); + fp->i = 1; +} + +static noinline void __init kasan_rcu_uaf(void) +{ + struct kasan_rcu_info *ptr; + + pr_info("use-after-free in kasan_rcu_reclaim\n"); + ptr = kmalloc(sizeof(struct kasan_rcu_info), GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + global_ptr = rcu_dereference_protected(ptr, NULL); + call_rcu(&global_ptr->rcu, kasan_rcu_reclaim); +} + static int __init kmalloc_tests_init(void) { /* @@ -839,6 +868,7 @@ static int __init kmalloc_tests_init(void) kasan_bitops(); kmalloc_double_kzfree(); vmalloc_oob(); + kasan_rcu_uaf(); kasan_restore_multi_shot(multishot); -- 2.18.0
Powered by blists - more mailing lists