lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGS_qxrPauYtkrfB37ne9bOXJR2JQc4=jaJP5tGN4mnha7mANg@mail.gmail.com>
Date:   Wed, 4 May 2022 14:58:02 -0500
From:   Daniel Latypov <dlatypov@...gle.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     "Gustavo A . R . Silva" <gustavoars@...nel.org>,
        David Gow <davidgow@...gle.com>, kunit-dev@...glegroups.com,
        Alexei Starovoitov <ast@...nel.org>,
        alsa-devel@...a-project.org, Al Viro <viro@...iv.linux.org.uk>,
        Andrew Gabbasov <andrew_gabbasov@...tor.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Andy Gross <agross@...nel.org>,
        Andy Lavr <andy.lavr@...il.com>,
        Arend van Spriel <aspriel@...il.com>,
        Baowen Zheng <baowen.zheng@...igine.com>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>,
        Bradley Grove <linuxdrivers@...otech.com>,
        brcm80211-dev-list.pdl@...adcom.com,
        Christian Brauner <brauner@...nel.org>,
        Christian Göttsche <cgzones@...glemail.com>,
        Christian Lamparter <chunkeey@...glemail.com>,
        Chris Zankel <chris@...kel.net>,
        Cong Wang <cong.wang@...edance.com>,
        Daniel Axtens <dja@...ens.net>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        Dan Williams <dan.j.williams@...el.com>,
        David Howells <dhowells@...hat.com>,
        "David S. Miller" <davem@...emloft.net>,
        Dennis Dalessandro <dennis.dalessandro@...nelisnetworks.com>,
        devicetree@...r.kernel.org, Dexuan Cui <decui@...rosoft.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Eli Cohen <elic@...dia.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Eric Paris <eparis@...isplace.org>,
        Eugeniu Rosca <erosca@...adit-jv.com>,
        Felipe Balbi <balbi@...nel.org>,
        Francis Laniel <laniel_francis@...vacyrequired.com>,
        Frank Rowand <frowand.list@...il.com>,
        Franky Lin <franky.lin@...adcom.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Gregory Greenman <gregory.greenman@...el.com>,
        Guenter Roeck <linux@...ck-us.net>,
        Haiyang Zhang <haiyangz@...rosoft.com>,
        Hante Meuleman <hante.meuleman@...adcom.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        Hulk Robot <hulkci@...wei.com>,
        Jakub Kicinski <kuba@...nel.org>,
        "James E.J. Bottomley" <jejb@...ux.ibm.com>,
        James Morris <jmorris@...ei.org>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        Jaroslav Kysela <perex@...ex.cz>,
        Jason Gunthorpe <jgg@...pe.ca>, Jens Axboe <axboe@...nel.dk>,
        Johan Hedberg <johan.hedberg@...il.com>,
        Johannes Berg <johannes.berg@...el.com>,
        Johannes Berg <johannes@...solutions.net>,
        John Keeping <john@...anate.com>,
        Juergen Gross <jgross@...e.com>, Kalle Valo <kvalo@...nel.org>,
        Keith Packard <keithp@...thp.com>, keyrings@...r.kernel.org,
        Kuniyuki Iwashima <kuniyu@...zon.co.jp>,
        "K. Y. Srinivasan" <kys@...rosoft.com>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Lee Jones <lee.jones@...aro.org>,
        Leon Romanovsky <leon@...nel.org>,
        Liam Girdwood <lgirdwood@...il.com>,
        linux1394-devel@...ts.sourceforge.net,
        linux-afs@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-arm-msm@...r.kernel.org, linux-bluetooth@...r.kernel.org,
        linux-hardening@...r.kernel.org, linux-hyperv@...r.kernel.org,
        linux-integrity@...r.kernel.org, linux-rdma@...r.kernel.org,
        linux-scsi@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-usb@...r.kernel.org, linux-wireless@...r.kernel.org,
        linux-xtensa@...ux-xtensa.org, llvm@...ts.linux.dev,
        Loic Poulain <loic.poulain@...aro.org>,
        Louis Peens <louis.peens@...igine.com>,
        Luca Coelho <luciano.coelho@...el.com>,
        Luiz Augusto von Dentz <luiz.dentz@...il.com>,
        Marc Dionne <marc.dionne@...istor.com>,
        Marcel Holtmann <marcel@...tmann.org>,
        Mark Brown <broonie@...nel.org>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        Max Filippov <jcmvbkbc@...il.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        Muchun Song <songmuchun@...edance.com>,
        Nathan Chancellor <nathan@...nel.org>, netdev@...r.kernel.org,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Nuno Sá <nuno.sa@...log.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Paul Moore <paul@...l-moore.com>,
        Rich Felker <dalias@...ifal.cx>,
        Rob Herring <robh+dt@...nel.org>,
        Russell King <linux@...linux.org.uk>, selinux@...r.kernel.org,
        "Serge E. Hallyn" <serge@...lyn.com>,
        SHA-cyfmac-dev-list@...ineon.com,
        Simon Horman <simon.horman@...igine.com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        Stefan Richter <stefanr@...6.in-berlin.de>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        Stephen Hemminger <sthemmin@...rosoft.com>,
        Stephen Smalley <stephen.smalley.work@...il.com>,
        Tadeusz Struk <tadeusz.struk@...aro.org>,
        Takashi Iwai <tiwai@...e.com>, Tom Rix <trix@...hat.com>,
        Udipto Goswami <quic_ugoswami@...cinc.com>,
        Vincenzo Frascino <vincenzo.frascino@....com>,
        wcn36xx@...ts.infradead.org, Wei Liu <wei.liu@...nel.org>,
        xen-devel@...ts.xenproject.org,
        Xiu Jianfeng <xiujianfeng@...wei.com>,
        Yang Yingliang <yangyingliang@...wei.com>
Subject: Re: [PATCH 03/32] flex_array: Add Kunit tests

On Tue, May 3, 2022 at 8:47 PM Kees Cook <keescook@...omium.org> wrote:
> +#define COMPARE_STRUCTS(STRUCT_A, STRUCT_B)    do {                    \
> +       STRUCT_A *ptr_A;                                                \
> +       STRUCT_B *ptr_B;                                                \
> +       int rc;                                                         \
> +       size_t size_A, size_B;                                          \
> +                                                                       \
> +       /* matching types for flex array elements and count */          \
> +       KUNIT_EXPECT_EQ(test, sizeof(*ptr_A), sizeof(*ptr_B));          \
> +       KUNIT_EXPECT_TRUE(test, __same_type(*ptr_A->data,               \
> +               *ptr_B->__flex_array_elements));                        \

Leaving some minor suggestions to go along with David's comments.

Should we make these KUNIT_ASSERT_.* instead?
I assume if we have a type-mismatch, then we should bail out instead
of continuing to produce more error messages.

> +       KUNIT_EXPECT_TRUE(test, __same_type(ptr_A->datalen,             \
> +               ptr_B->__flex_array_elements_count));                   \
> +       KUNIT_EXPECT_EQ(test, sizeof(*ptr_A->data),                     \
> +                             sizeof(*ptr_B->__flex_array_elements));   \
> +       KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), data),           \
> +                             offsetof(typeof(*ptr_B),                  \
> +                                      __flex_array_elements));         \
> +       KUNIT_EXPECT_EQ(test, offsetof(typeof(*ptr_A), datalen),        \
> +                             offsetof(typeof(*ptr_B),                  \
> +                                      __flex_array_elements_count));   \
> +                                                                       \
> +       /* struct_size() vs __fas_bytes() */                            \
> +       size_A = struct_size(ptr_A, data, 13);                          \
> +       rc = __fas_bytes(ptr_B, __flex_array_elements,                  \
> +                        __flex_array_elements_count, 13, &size_B);     \
> +       KUNIT_EXPECT_EQ(test, rc, 0);                                   \

Hmm, what do you think about inlining the call/dropping rc?

i.e. something like
KUNIT_EXPECT_EQ(test, 0, __fas_bytes(ptr_B, __flex_array_elements, \
                        __flex_array_elements_count, 13, &size_B));

That would give a slightly clearer error message on failure.
Otherwise the user only really gets a line number to try and start to
understand what went wrong.

> +
> +#define CHECK_COPY(ptr)                do {                                            \
> +       typeof(*(ptr)) *_cc_dst = (ptr);                                        \
> +       KUNIT_EXPECT_EQ(test, _cc_dst->induce_padding, 0);                      \
> +       memcpy(&padding, &_cc_dst->induce_padding + sizeof(_cc_dst->induce_padding), \
> +              sizeof(padding));                                                \
> +       /* Padding should be zero too. */                                       \
> +       KUNIT_EXPECT_EQ(test, padding, 0);                                      \
> +       KUNIT_EXPECT_EQ(test, src->count, _cc_dst->count);                      \

This also seems like a good place to use ASSERT instead of EXPECT.


> +       KUNIT_EXPECT_EQ(test, _cc_dst->count, TEST_TARGET);                     \
> +       for (i = 0; i < _cc_dst->count - 1; i++) {                              \
> +               /* 'A' is 0x41, and here repeated in a u32. */                  \
> +               KUNIT_EXPECT_EQ(test, _cc_dst->flex[i], 0x41414141);            \
> +       }                                                                       \
> +       /* Last item should be different. */                                    \
> +       KUNIT_EXPECT_EQ(test, _cc_dst->flex[_cc_dst->count - 1], 0x14141414);   \
> +} while (0)
> +
> +/* Test copying from one flexible array struct into another. */
> +static void flex_cpy_test(struct kunit *test)
> +{
> +#define TEST_BOUNDS    13
> +#define TEST_TARGET    12
> +#define TEST_SMALL     10
> +       struct flex_cpy_obj *src, *dst;
> +       unsigned long padding;
> +       int i, rc;
> +
> +       /* Prepare open-coded source. */
> +       src = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL);

Looks like we could use kunit_kzalloc() here and avoid needing the
manual call to kfree?
This also holds for the other test cases where they don't have early
calls to kfree().

Doing so would also let you use KUNIT_ASSERT's without fear of leaking
these allocations.

> +       src->count = TEST_BOUNDS;
> +       memset(src->flex, 'A', flex_array_size(src, flex, TEST_BOUNDS));
> +       src->flex[src->count - 2] = 0x14141414;
> +       src->flex[src->count - 1] = 0x24242424;
> +
> +       /* Prepare open-coded destination, alloc only. */
> +       dst = kzalloc(struct_size(src, flex, TEST_BOUNDS), GFP_KERNEL);
> +       /* Pre-fill with 0xFE marker. */
> +       memset(dst, 0xFE, struct_size(src, flex, TEST_BOUNDS));
> +       /* Pretend we're 1 element smaller. */
> +       dst->count = TEST_TARGET;
> +
> +       /* Pretend to match the target destination size. */
> +       src->count = TEST_TARGET;
> +
> +       rc = flex_cpy(dst, src);
> +       KUNIT_EXPECT_EQ(test, rc, 0);
> +       CHECK_COPY(dst);
> +       /* Item past last copied item is unchanged from initial memset. */
> +       KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE);
> +
> +       /* Now trip overflow, and verify we didn't clobber beyond end. */
> +       src->count = TEST_BOUNDS;
> +       rc = flex_cpy(dst, src);
> +       KUNIT_EXPECT_EQ(test, rc, -E2BIG);
> +       /* Item past last copied item is unchanged from initial memset. */
> +       KUNIT_EXPECT_EQ(test, dst->flex[dst->count], 0xFEFEFEFE);
> +
> +       /* Reset destination contents. */
> +       memset(dst, 0xFD, struct_size(src, flex, TEST_BOUNDS));
> +       dst->count = TEST_TARGET;
> +
> +       /* Copy less than max. */
> +       src->count = TEST_SMALL;
> +       rc = flex_cpy(dst, src);
> +       KUNIT_EXPECT_EQ(test, rc, 0);
> +       /* Verify count was adjusted. */
> +       KUNIT_EXPECT_EQ(test, dst->count, TEST_SMALL);

Just an FYI, macros get evaluated before the expect macros can stringify them.
So the error message would look something like
  Expected dest->count == 10
     but dest->count = 9

Not a big concern, but just noting that "TEST_SMALL" won't be visible at all.
Could opt for

KUNIT_EXPECT_EQ_MSG(test, dst->count, TEST_SMALL, "my custom extra message");

if you think it'd be usable to make the test more grokkable.

> +       /* Verify element beyond src size was wiped. */
> +       KUNIT_EXPECT_EQ(test, dst->flex[TEST_SMALL], 0);
> +       /* Verify element beyond original dst size was untouched. */
> +       KUNIT_EXPECT_EQ(test, dst->flex[TEST_TARGET], 0xFDFDFDFD);
> +
> +       kfree(dst);
> +       kfree(src);
> +#undef TEST_BOUNDS
> +#undef TEST_TARGET
> +#undef TEST_SMALL
> +}
> +
> +static void flex_dup_test(struct kunit *test)
> +{
> +#define TEST_TARGET    12
> +       struct flex_cpy_obj *src, *dst = NULL, **null = NULL;
> +       struct flex_dup_obj *encap = NULL;
> +       unsigned long padding;
> +       int i, rc;
> +
> +       /* Prepare open-coded source. */
> +       src = kzalloc(struct_size(src, flex, TEST_TARGET), GFP_KERNEL);
> +       src->count = TEST_TARGET;
> +       memset(src->flex, 'A', flex_array_size(src, flex, TEST_TARGET));
> +       src->flex[src->count - 1] = 0x14141414;
> +
> +       /* Reject NULL @alloc. */
> +       rc = flex_dup(null, src, GFP_KERNEL);
> +       KUNIT_EXPECT_EQ(test, rc, -EINVAL);
> +
> +       /* Check good copy. */
> +       rc = flex_dup(&dst, src, GFP_KERNEL);
> +       KUNIT_EXPECT_EQ(test, rc, 0);
> +       KUNIT_ASSERT_TRUE(test, dst != NULL);
> +       CHECK_COPY(dst);
> +
> +       /* Reject non-NULL *@...oc. */
> +       rc = flex_dup(&dst, src, GFP_KERNEL);
> +       KUNIT_EXPECT_EQ(test, rc, -EINVAL);
> +
> +       kfree(dst);
> +
> +       /* Check good encap copy. */
> +       rc = __flex_dup(&encap, .fas, src, GFP_KERNEL);
> +       KUNIT_EXPECT_EQ(test, rc, 0);
> +       KUNIT_ASSERT_TRUE(test, dst != NULL);

FYI, there's a new KUNIT_ASSERT_NOT_NULL() macro in the
-kselftest/kunit branch,
https://patchwork.kernel.org/project/linux-kselftest/patch/20220211164246.410079-1-ribalda@chromium.org/

But that's not planned for inclusion into mainline until 5.19, so
leaving this as-is is better for now.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ