lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200706022150.20848-1-walter-zh.wu@mediatek.com>
Date:   Mon, 6 Jul 2020 10:21:50 +0800
From:   Walter Wu <walter-zh.wu@...iatek.com>
To:     Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Matthias Brugger <matthias.bgg@...il.com>
CC:     <kasan-dev@...glegroups.com>, <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        wsd_upstream <wsd_upstream@...iatek.com>,
        <linux-mediatek@...ts.infradead.org>,
        Walter Wu <walter-zh.wu@...iatek.com>,
        Andrey Konovalov <andreyknvl@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Subject: [PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
memory access. They need to be fixed.

With tag-based KASAN, the state of each 16 aligned bytes of memory is
encoded in one shadow byte and the shadow value is tag of pointer, so
we need to read next shadow byte, the shadow value is not equal to tag
value of pointer, so that tag-based KASAN will detect out-of-bounds
memory access.

Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Alexander Potapenko <glider@...gle.com>
Cc: Matthias Brugger <matthias.bgg@...il.com>
Cc: Andrey Konovalov <andreyknvl@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
---

changes since v1:
- Reduce amount of non-compiled code.
- KUnit-KASAN Integration patchset are not merged yet. My patch should
  have conflict with it, if needed, we can continue to wait it.

---

 lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 64 insertions(+), 17 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index e3087d90e00d..660664439d52 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
 		return;
 	}
 
-	ptr[size] = 'x';
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		ptr[size] = 'x';
+	else
+		ptr[size + 5] = 'x';
+
 	kfree(ptr);
 }
 
@@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
 		return;
 	}
 
-	ptr[size] = 0;
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		ptr[size] = 0;
+	else
+		ptr[size + 6] = 0;
+
 	kfree(ptr);
 }
 
@@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
 		return;
 	}
 
-	ptr2[size2] = 'x';
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		ptr2[size2] = 'x';
+	else
+		ptr2[size2 + 13] = 'x';
+
 	kfree(ptr2);
 }
 
@@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
 		kfree(ptr1);
 		return;
 	}
-	ptr2[size2] = 'x';
+
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		ptr2[size2] = 'x';
+	else
+		ptr2[size2 + 2] = 'x';
+
 	kfree(ptr2);
 }
 
@@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
 		return;
 	}
 
-	memset(ptr+7, 0, 2);
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		memset(ptr+7, 0, 2);
+	else
+		memset(ptr+15, 0, 2);
+
 	kfree(ptr);
 }
 
@@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
 		return;
 	}
 
-	memset(ptr+5, 0, 4);
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		memset(ptr+5, 0, 4);
+	else
+		memset(ptr+15, 0, 4);
+
 	kfree(ptr);
 }
 
@@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
 		return;
 	}
 
-	memset(ptr+1, 0, 8);
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		memset(ptr+1, 0, 8);
+	else
+		memset(ptr+15, 0, 8);
+
 	kfree(ptr);
 }
 
@@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
 		return;
 	}
 
-	memset(ptr+1, 0, 16);
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		memset(ptr+1, 0, 16);
+	else
+		memset(ptr+15, 0, 16);
+
 	kfree(ptr);
 }
 
@@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
 		return;
 	}
 
-	memset(ptr, 0, size+5);
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		memset(ptr, 0, size+5);
+	else
+		memset(ptr, 0, size+7);
+
 	kfree(ptr);
 }
 
@@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
 		return;
 	}
 
-	*p = p[size];
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		*p = p[size];
+	else
+		*p = p[size + 8];
+
 	kmem_cache_free(cache, p);
 	kmem_cache_destroy(cache);
 }
@@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
 	char __user *usermem;
 	size_t size = 10;
 	int unused;
+	size_t oob_size;
 
 	kmem = kmalloc(size, GFP_KERNEL);
 	if (!kmem)
@@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
 		return;
 	}
 
+	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+		oob_size = 1;
+	else
+		oob_size = 7;
+
 	pr_info("out-of-bounds in copy_from_user()\n");
-	unused = copy_from_user(kmem, usermem, size + 1);
+	unused = copy_from_user(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in copy_to_user()\n");
-	unused = copy_to_user(usermem, kmem, size + 1);
+	unused = copy_to_user(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_from_user()\n");
-	unused = __copy_from_user(kmem, usermem, size + 1);
+	unused = __copy_from_user(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_to_user()\n");
-	unused = __copy_to_user(usermem, kmem, size + 1);
+	unused = __copy_to_user(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
-	unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
+	unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
 
 	pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
-	unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
+	unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
 
 	pr_info("out-of-bounds in strncpy_from_user()\n");
-	unused = strncpy_from_user(kmem, usermem, size + 1);
+	unused = strncpy_from_user(kmem, usermem, size + oob_size);
 
 	vm_munmap((unsigned long)usermem, PAGE_SIZE);
 	kfree(kmem);
-- 
2.18.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ