| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Dec 2020 09:32:35 +0800
From: Walter Wu <walter-zh.wu@...iatek.com>
To: Marco Elver <elver@...gle.com>
CC: Andrew Morton <akpm@...ux-foundation.org>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
"Dmitry Vyukov" <dvyukov@...gle.com>,
Andrey Konovalov <andreyknvl@...gle.com>,
Matthias Brugger <matthias.bgg@...il.com>,
kasan-dev <kasan-dev@...glegroups.com>,
Linux Memory Management List <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
wsd_upstream <wsd_upstream@...iatek.com>,
<linux-mediatek@...ts.infradead.org>
Subject: Re: [PATCH v5 3/4] lib/test_kasan.c: add workqueue test case
On Thu, 2020-12-03 at 11:29 +0100, Marco Elver wrote:
> On Thu, 3 Dec 2020 at 03:27, Walter Wu <walter-zh.wu@...iatek.com> wrote:
> >
> > Adds a test to verify workqueue stack recording and print it in
> > KASAN report.
> >
> > The KASAN report was as follows(cleaned up slightly):
> >
> > BUG: KASAN: use-after-free in kasan_workqueue_uaf
> >
> > Freed by task 54:
> > kasan_save_stack+0x24/0x50
> > kasan_set_track+0x24/0x38
> > kasan_set_free_info+0x20/0x40
> > __kasan_slab_free+0x10c/0x170
> > kasan_slab_free+0x10/0x18
> > kfree+0x98/0x270
> > kasan_workqueue_work+0xc/0x18
> >
> > Last potentially related work creation:
> > kasan_save_stack+0x24/0x50
> > kasan_record_wq_stack+0xa8/0xb8
> > insert_work+0x48/0x288
> > __queue_work+0x3e8/0xc40
> > queue_work_on+0xf4/0x118
> > kasan_workqueue_uaf+0xfc/0x190
> >
> > Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
> > Acked-by: Marco Elver <elver@...gle.com>
> > Reviewed-by: Dmitry Vyukov <dvyukov@...gle.com>
> > Reviewed-by: Andrey Konovalov <andreyknvl@...gle.com>
> > Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
> > Cc: Alexander Potapenko <glider@...gle.com>
> > Cc: Matthias Brugger <matthias.bgg@...il.com>
> > ---
> >
> > v4:
> > - testcase has merge conflict, so that rebase onto the KASAN-KUNIT
> >
> > ---
> > lib/test_kasan_module.c | 29 +++++++++++++++++++++++++++++
> > 1 file changed, 29 insertions(+)
> >
> > diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c
> > index 2d68db6ae67b..62a87854b120 100644
> > --- a/lib/test_kasan_module.c
> > +++ b/lib/test_kasan_module.c
> > @@ -91,6 +91,34 @@ static noinline void __init kasan_rcu_uaf(void)
> > call_rcu(&global_rcu_ptr->rcu, kasan_rcu_reclaim);
> > }
> >
> > +static noinline void __init kasan_workqueue_work(struct work_struct *work)
> > +{
> > + kfree(work);
> > +}
> > +
> > +static noinline void __init kasan_workqueue_uaf(void)
> > +{
> > + struct workqueue_struct *workqueue;
> > + struct work_struct *work;
> > +
> > + workqueue = create_workqueue("kasan_wq_test");
> > + if (!workqueue) {
> > + pr_err("Allocation failed\n");
> > + return;
> > + }
> > + work = kmalloc(sizeof(struct work_struct), GFP_KERNEL);
> > + if (!work) {
> > + pr_err("Allocation failed\n");
> > + return;
> > + }
> > +
> > + INIT_WORK(work, kasan_workqueue_work);
> > + queue_work(workqueue, work);
> > + destroy_workqueue(workqueue);
> > +
> > + pr_info("use-after-free on workqueue\n");
> > + ((volatile struct work_struct *)work)->data;
> > +}
> >
> > static int __init test_kasan_module_init(void)
> > {
> > @@ -102,6 +130,7 @@ static int __init test_kasan_module_init(void)
> >
> > copy_user_test();
> > kasan_rcu_uaf();
> > + kasan_workqueue_uaf();
>
>
> Why can't this go into the KUnit based KASAN test?
This test case has not been ported to KUnit, because KUnit's expect
failure will not check whether the work stack is exist. So it remains in
test_kasan_module, it is the same with kasan_rcu_uaf()[1].
[1]https://lkml.org/lkml/2020/8/1/45
Thanks.
Walter
Powered by blists - more mailing lists