lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Sep 2022 23:05:49 +0200 From: andrey.konovalov@...ux.dev To: Andrew Morton <akpm@...ux-foundation.org> Cc: Andrey Konovalov <andreyknvl@...il.com>, Marco Elver <elver@...gle.com>, Alexander Potapenko <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Andrey Ryabinin <ryabinin.a.a@...il.com>, kasan-dev@...glegroups.com, Peter Collingbourne <pcc@...gle.com>, Evgenii Stepanov <eugenis@...gle.com>, Florian Mayer <fmayer@...gle.com>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, Andrey Konovalov <andreyknvl@...gle.com> Subject: [PATCH mm v3 34/34] kasan: add another use-after-free test From: Andrey Konovalov <andreyknvl@...gle.com> Add a new use-after-free test that checks that KASAN detects use-after-free when another object was allocated in the same slot. This test is mainly relevant for the tag-based modes, which do not use quarantine. Once [1] is resolved, this test can be extended to check that the stack traces in the report point to the proper kmalloc/kfree calls. [1] https://bugzilla.kernel.org/show_bug.cgi?id=212203 Signed-off-by: Andrey Konovalov <andreyknvl@...gle.com> --- Changes v2->v3: - This is a new patch. --- lib/test_kasan.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 58c1b01ccfe2..505f77ffad27 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -612,6 +612,29 @@ static void kmalloc_uaf2(struct kunit *test) kfree(ptr2); } +/* + * Check that KASAN detects use-after-free when another object was allocated in + * the same slot. Relevant for the tag-based modes, which do not use quarantine. + */ +static void kmalloc_uaf3(struct kunit *test) +{ + char *ptr1, *ptr2; + size_t size = 100; + + /* This test is specifically crafted for tag-based modes. */ + KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); + + ptr1 = kmalloc(size, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + kfree(ptr1); + + ptr2 = kmalloc(size, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + kfree(ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]); +} + static void kfree_via_page(struct kunit *test) { char *ptr; @@ -1382,6 +1405,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(kmalloc_uaf), KUNIT_CASE(kmalloc_uaf_memset), KUNIT_CASE(kmalloc_uaf2), + KUNIT_CASE(kmalloc_uaf3), KUNIT_CASE(kfree_via_page), KUNIT_CASE(kfree_via_phys), KUNIT_CASE(kmem_cache_oob), -- 2.25.1
Powered by blists - more mailing lists