| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANpmjNNCV_sioFk0C3mChxCq6-eED+ThV2h-ygPVyaWg3667LQ@mail.gmail.com>
Date: Thu, 12 Aug 2021 10:57:18 +0200
From: Marco Elver <elver@...gle.com>
To: andrey.konovalov@...ux.dev
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Andrey Konovalov <andreyknvl@...il.com>,
Andrey Ryabinin <aryabinin@...tuozzo.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Alexander Potapenko <glider@...gle.com>,
kasan-dev@...glegroups.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/8] kasan: test: rework kmalloc_oob_right
On Wed, 11 Aug 2021 at 21:21, <andrey.konovalov@...ux.dev> wrote:
> From: Andrey Konovalov <andreyknvl@...il.com>
>
> Rework kmalloc_oob_right() to do these bad access checks:
>
> 1. An unaligned access one byte past the requested kmalloc size
> (can only be detected by KASAN_GENERIC).
> 2. An aligned access into the first out-of-bounds granule that falls
> within the aligned kmalloc object.
> 3. Out-of-bounds access past the aligned kmalloc object.
>
> Test #3 deliberately uses a read access to avoid corrupting memory.
> Otherwise, this test might lead to crashes with the HW_TAGS mode, as it
> neither uses quarantine nor redzones.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@...il.com>
Reviewed-by: Marco Elver <elver@...gle.com>
> ---
> lib/test_kasan.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 8f7b0b2f6e11..1bc3cdd2957f 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -122,12 +122,28 @@ static void kasan_test_exit(struct kunit *test)
> static void kmalloc_oob_right(struct kunit *test)
> {
> char *ptr;
> - size_t size = 123;
> + size_t size = 128 - KASAN_GRANULE_SIZE - 5;
>
> ptr = kmalloc(size, GFP_KERNEL);
> KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>
> - KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
> + /*
> + * An unaligned access past the requested kmalloc size.
> + * Only generic KASAN can precisely detect these.
> + */
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
> +
> + /*
> + * An aligned access into the first out-of-bounds granule that falls
> + * within the aligned kmalloc object.
> + */
> + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
> +
> + /* Out-of-bounds access past the aligned kmalloc object. */
> + KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
> + ptr[size + KASAN_GRANULE_SIZE + 5]);
> +
> kfree(ptr);
> }
>
> --
> 2.25.1
Powered by blists - more mailing lists