This patchset contains everything needed to integrate KASAN and KUnit.
KUnit will be able to: (1) Fail tests when an unexpected KASAN error occurs (2) Pass tests when an expected KASAN error occurs
KASAN Tests have been converted to KUnit with the exception of copy_user_test because KUnit is unable to test those. I am working on documentation on how to use these new tests to be included in the next version of this patchset.
Changes since v1: - Make use of Alan Maguire's suggestion to use his patch that allows static resources for integration instead of adding a new attribute to the kunit struct - All KUNIT_EXPECT_KASAN_FAIL statements are local to each test - The definition of KUNIT_EXPECT_KASAN_FAIL is local to the test_kasan.c file since it seems this is the only place this will be used. - Integration relies on KUnit being builtin - copy_user_test has been separated into its own file since KUnit is unable to test these. This can be run as a module just as before, using CONFIG_TEST_KASAN_USER - The addition to the current task has been separated into its own patch as this is a significant enough change to be on its own.
Patricia Alfonso (3): Add KUnit Struct to Current Task KUnit: KASAN Integration KASAN: Port KASAN Tests to KUnit
include/kunit/test.h | 10 + include/linux/sched.h | 4 + lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/kunit/test.c | 10 +- lib/test_kasan.c | 639 +++++++++++++++---------------------- lib/test_kasan_copy_user.c | 75 +++++ mm/kasan/report.c | 33 ++ 8 files changed, 400 insertions(+), 385 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com --- include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT) + struct kunit *kunit_test; +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack;
On Thu, Mar 19, 2020 at 5:42 PM Patricia Alfonso trishalfonso@google.com wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
struct kunit *kunit_test;+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
Why can't this be used if KUNIT is built as a module?
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif +#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
- struct kunit *kunit_test;
+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
#ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; -- 2.25.1.696.g5e7596f4ac-goog
On Tue, Mar 24, 2020 at 9:40 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
I suppose this could be changed so that this can be used in possible future scenarios, but for now, since built-in things can't rely on modules, the KASAN integration relies on KUnit being built-in.
struct kunit *kunit_test;+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
#ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; -- 2.25.1.696.g5e7596f4ac-goog
On Tue, 24 Mar 2020, Patricia Alfonso wrote:
On Tue, Mar 24, 2020 at 9:40 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
I suppose this could be changed so that this can be used in possible future scenarios, but for now, since built-in things can't rely on modules, the KASAN integration relies on KUnit being built-in.
I think we can get around that. I've tried tweaking the resources patchset such that the functions you need in KASAN (which is builtin) are declared as "static inline" in include/kunit/test.h; doing this allows us to build kunit and test_kasan as a module while supporting the builtin functionality required to retrieve and use kunit resources within KASAN itself.
The impact of this amounts to a few functions, but it would require a rebase of your changes. I'll send out a v3 of the resources patches shortly; I just want to do some additional testing on them. I can also send you the modified versions of your patches that I used to test with.
With these changes I can run the tests on baremetal x86_64 by modprobe'ing test_kasan. However I see a few failures:
[ 87.577012] # kasan_memchr: EXPECTATION FAILED at lib/test_kasan.c:509 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.577104] not ok 30 - kasan_memchr [ 87.603823] # kasan_memcmp: EXPECTATION FAILED at lib/test_kasan.c:523 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.603929] not ok 31 - kasan_memcmp [ 87.630644] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:544 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.630910] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:546 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.654037] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:548 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.677179] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:550 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.700242] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:552 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.723336] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:554 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.746304] not ok 32 - kasan_strings
The above three tests consistently fail while everything else passes, and happen irrespective of whether kunit is built as a module or built-in. Let me know if you need any more info to debug (I built the kernel with CONFIG_SLUB=y if that matters).
Thanks!
Alan
struct kunit *kunit_test;+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
#ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; -- 2.25.1.696.g5e7596f4ac-goog
-- Best, Patricia
On Wed, Mar 25, 2020 at 5:42 AM Alan Maguire alan.maguire@oracle.com wrote:
On Tue, 24 Mar 2020, Patricia Alfonso wrote:
On Tue, Mar 24, 2020 at 9:40 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
I suppose this could be changed so that this can be used in possible future scenarios, but for now, since built-in things can't rely on modules, the KASAN integration relies on KUnit being built-in.
I think we can get around that. I've tried tweaking the resources patchset such that the functions you need in KASAN (which is builtin) are declared as "static inline" in include/kunit/test.h; doing this allows us to build kunit and test_kasan as a module while supporting the builtin functionality required to retrieve and use kunit resources within KASAN itself.
Okay, great!
The impact of this amounts to a few functions, but it would require a rebase of your changes. I'll send out a v3 of the resources patches shortly; I just want to do some additional testing on them. I can also send you the modified versions of your patches that I used to test with.
That sounds good.
With these changes I can run the tests on baremetal x86_64 by modprobe'ing test_kasan. However I see a few failures:
[ 87.577012] # kasan_memchr: EXPECTATION FAILED at lib/test_kasan.c:509 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.577104] not ok 30 - kasan_memchr [ 87.603823] # kasan_memcmp: EXPECTATION FAILED at lib/test_kasan.c:523 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.603929] not ok 31 - kasan_memcmp [ 87.630644] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:544 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.630910] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:546 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.654037] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:548 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.677179] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:550 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.700242] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:552 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.723336] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:554 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.746304] not ok 32 - kasan_strings
The above three tests consistently fail while everything else passes, and happen irrespective of whether kunit is built as a module or built-in. Let me know if you need any more info to debug (I built the kernel with CONFIG_SLUB=y if that matters).
Unfortunately, I have not been able to replicate this issue and I don't have a clue why these specific tests would fail with a different configuration. I've tried running these tests on UML with KUnit built-in with SLUB=y and SLAB=y, and I've done the same in x86_64. Let me know if there's anything else that could help me debug this myself.
Thanks!
Alan
struct kunit *kunit_test;+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
#ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; -- 2.25.1.696.g5e7596f4ac-goog
-- Best, Patricia
-- Best, Patricia
On Wed, Mar 25, 2020 at 12:00 PM Patricia Alfonso trishalfonso@google.com wrote:
On Wed, Mar 25, 2020 at 5:42 AM Alan Maguire alan.maguire@oracle.com wrote:
On Tue, 24 Mar 2020, Patricia Alfonso wrote:
On Tue, Mar 24, 2020 at 9:40 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
I suppose this could be changed so that this can be used in possible future scenarios, but for now, since built-in things can't rely on modules, the KASAN integration relies on KUnit being built-in.
I think we can get around that. I've tried tweaking the resources patchset such that the functions you need in KASAN (which is builtin) are declared as "static inline" in include/kunit/test.h; doing this allows us to build kunit and test_kasan as a module while supporting the builtin functionality required to retrieve and use kunit resources within KASAN itself.
Okay, great!
The impact of this amounts to a few functions, but it would require a rebase of your changes. I'll send out a v3 of the resources patches shortly; I just want to do some additional testing on them. I can also send you the modified versions of your patches that I used to test with.
That sounds good.
With these changes I can run the tests on baremetal x86_64 by modprobe'ing test_kasan. However I see a few failures:
[ 87.577012] # kasan_memchr: EXPECTATION FAILED at lib/test_kasan.c:509 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.577104] not ok 30 - kasan_memchr [ 87.603823] # kasan_memcmp: EXPECTATION FAILED at lib/test_kasan.c:523 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.603929] not ok 31 - kasan_memcmp [ 87.630644] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:544 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.630910] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:546 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.654037] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:548 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.677179] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:550 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.700242] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:552 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.723336] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:554 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.746304] not ok 32 - kasan_strings
The above three tests consistently fail while everything else passes, and happen irrespective of whether kunit is built as a module or built-in. Let me know if you need any more info to debug (I built the kernel with CONFIG_SLUB=y if that matters).
Unfortunately, I have not been able to replicate this issue and I don't have a clue why these specific tests would fail with a different configuration. I've tried running these tests on UML with KUnit built-in with SLUB=y and SLAB=y, and I've done the same in x86_64. Let me know if there's anything else that could help me debug this myself.
Alan sent me the .config and I was able to replicate the test failures found above. I traced the problem config to CONFIG_AMD_MEM_ENCRYPT=y. The interesting part is that I ran the original test module with this config enabled and the same tests failed there too. I wonder if this is an expected failure or something in the test that is causing this problem?
Thanks!
Alan
struct kunit *kunit_test;+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
#ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; -- 2.25.1.696.g5e7596f4ac-goog
-- Best, Patricia
-- Best, Patricia
On Mon, Mar 30, 2020 at 9:30 PM Patricia Alfonso trishalfonso@google.com wrote:
On Wed, Mar 25, 2020 at 12:00 PM Patricia Alfonso trishalfonso@google.com wrote:
On Wed, Mar 25, 2020 at 5:42 AM Alan Maguire alan.maguire@oracle.com wrote:
On Tue, 24 Mar 2020, Patricia Alfonso wrote:
On Tue, Mar 24, 2020 at 9:40 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif
+#if IS_BUILTIN(CONFIG_KUNIT)
This patch set looks great! You might have noticed I refreshed the kunit resources stuff to incorporate feedback from Brendan, but I don't think any API changes were made that should have consequences for your code (I'm building with your patches on top to make sure). I'd suggest promoting from RFC to v3 on the next round unless anyone objects.
As Dmitry suggested, the above could likely be changed to be "#ifdef CONFIG_KUNIT" as kunit can be built as a module also. More on this in patch 2..
I suppose this could be changed so that this can be used in possible future scenarios, but for now, since built-in things can't rely on modules, the KASAN integration relies on KUnit being built-in.
I think we can get around that. I've tried tweaking the resources patchset such that the functions you need in KASAN (which is builtin) are declared as "static inline" in include/kunit/test.h; doing this allows us to build kunit and test_kasan as a module while supporting the builtin functionality required to retrieve and use kunit resources within KASAN itself.
Okay, great!
The impact of this amounts to a few functions, but it would require a rebase of your changes. I'll send out a v3 of the resources patches shortly; I just want to do some additional testing on them. I can also send you the modified versions of your patches that I used to test with.
That sounds good.
With these changes I can run the tests on baremetal x86_64 by modprobe'ing test_kasan. However I see a few failures:
[ 87.577012] # kasan_memchr: EXPECTATION FAILED at lib/test_kasan.c:509 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.577104] not ok 30 - kasan_memchr [ 87.603823] # kasan_memcmp: EXPECTATION FAILED at lib/test_kasan.c:523 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.603929] not ok 31 - kasan_memcmp [ 87.630644] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:544 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.630910] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:546 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.654037] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:548 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.677179] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:550 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.700242] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:552 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.723336] # kasan_strings: EXPECTATION FAILED at lib/test_kasan.c:554 Expected kasan_data->report_expected == kasan_data->report_found, but kasan_data->report_expected == 1 kasan_data->report_found == 0 [ 87.746304] not ok 32 - kasan_strings
The above three tests consistently fail while everything else passes, and happen irrespective of whether kunit is built as a module or built-in. Let me know if you need any more info to debug (I built the kernel with CONFIG_SLUB=y if that matters).
Unfortunately, I have not been able to replicate this issue and I don't have a clue why these specific tests would fail with a different configuration. I've tried running these tests on UML with KUnit built-in with SLUB=y and SLAB=y, and I've done the same in x86_64. Let me know if there's anything else that could help me debug this myself.
Alan sent me the .config and I was able to replicate the test failures found above. I traced the problem config to CONFIG_AMD_MEM_ENCRYPT=y. The interesting part is that I ran the original test module with this config enabled and the same tests failed there too. I wonder if this is an expected failure or something in the test that is causing this problem?
This is: https://bugzilla.kernel.org/show_bug.cgi?id=206337
I think we should add:
// See https://bugzilla.kernel.org/show_bug.cgi?id=206337 if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) return;
On Thu, Mar 19, 2020 at 9:42 AM Patricia Alfonso trishalfonso@google.com wrote:
In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
Reviewed-by: Brendan Higgins brendanhiggins@google.com
Integrate KASAN into KUnit testing framework. - Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - Expected KASAN reports pass tests and are still printed when run without kunit_tool (kunit_tool still bypasses the report due to the test passing) - KUnit struct in current task used to keep track of the current test from KASAN code
Make use of "[RFC PATCH kunit-next 1/2] kunit: generalize kunit_resource API beyond allocated resources" and "[RFC PATCH kunit-next 2/2] kunit: add support for named resources" from Alan Maguire [1] - A named resource is added to a test when a KASAN report is expected - This resource contains a struct for kasan_data containing booleans representing if a KASAN report is expected and if a KASAN report is found
[1] (https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...)
Signed-off-by: Patricia Alfonso trishalfonso@google.com --- include/kunit/test.h | 10 ++++++++++ lib/kunit/test.c | 10 +++++++++- lib/test_kasan.c | 37 +++++++++++++++++++++++++++++++++++++ mm/kasan/report.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/include/kunit/test.h b/include/kunit/test.h index 70ee581b19cd..2ab265f4f76c 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -19,9 +19,19 @@
struct kunit_resource;
+#ifdef CONFIG_KASAN +/* kasan_data struct is used in KUnit tests for KASAN expected failures */ +struct kunit_kasan_expectation { + bool report_expected; + bool report_found; +}; +#endif /* CONFIG_KASAN */ + typedef int (*kunit_resource_init_t)(struct kunit_resource *, void *); typedef void (*kunit_resource_free_t)(struct kunit_resource *);
+void kunit_set_failure(struct kunit *test); + /** * struct kunit_resource - represents a *test managed resource* * @data: for the user to store arbitrary data. diff --git a/lib/kunit/test.c b/lib/kunit/test.c index 86a4d9ca0a45..3f927ef45827 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -10,11 +10,12 @@ #include <linux/kernel.h> #include <linux/kref.h> #include <linux/sched/debug.h> +#include <linux/sched.h>
#include "string-stream.h" #include "try-catch-impl.h"
-static void kunit_set_failure(struct kunit *test) +void kunit_set_failure(struct kunit *test) { WRITE_ONCE(test->success, false); } @@ -237,6 +238,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case;
+#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)) + current->kunit_test = test; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT) */ + /* * kunit_run_case_internal may encounter a fatal error; if it does, * abort will be called, this thread will exit, and finally the parent @@ -590,6 +595,9 @@ void kunit_cleanup(struct kunit *test) spin_unlock(&test->lock); kunit_remove_resource(test, res); } +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)) + current->kunit_test = NULL; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)*/ } EXPORT_SYMBOL_GPL(kunit_cleanup);
diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 3872d250ed2c..cf73c6bee81b 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,6 +23,43 @@
#include <asm/page.h>
+#include <kunit/test.h> + +struct kunit_resource resource; +struct kunit_kasan_expectation fail_data; + +#define KUNIT_SET_KASAN_DATA(test) do { \ + fail_data.report_expected = true; \ + fail_data.report_found = false; \ + kunit_add_named_resource(test, \ + NULL, \ + NULL, \ + &resource, \ + "kasan_data", &fail_data); \ +} while (0) + +#define KUNIT_DO_EXPECT_KASAN_FAIL(test, condition) do { \ + struct kunit_resource *resource; \ + struct kunit_kasan_expectation *kasan_data; \ + condition; \ + resource = kunit_find_named_resource(test, "kasan_data"); \ + kasan_data = resource->data; \ + KUNIT_EXPECT_EQ(test, \ + kasan_data->report_expected, \ + kasan_data->report_found); \ + kunit_put_resource(resource); \ +} while (0) + +/** + * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does + * not cause a KASAN error. + * + */ +#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \ + KUNIT_SET_KASAN_DATA(test); \ + KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ +} while (0) + /* * Note: test functions are marked noinline so that their names appear in * reports. diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 5ef9f24f566b..ef3d0f54097e 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -32,6 +32,8 @@
#include <asm/sections.h>
+#include <kunit/test.h> + #include "kasan.h" #include "../slab.h"
@@ -455,12 +457,38 @@ static bool report_enabled(void) return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags); }
+#if IS_BUILTIN(CONFIG_KUNIT) +void kasan_update_kunit_status(struct kunit *cur_test) +{ + struct kunit_resource *resource; + struct kunit_kasan_expectation *kasan_data; + + if (kunit_find_named_resource(cur_test, "kasan_data")) { + resource = kunit_find_named_resource(cur_test, "kasan_data"); + kasan_data = resource->data; + kasan_data->report_found = true; + + if (!kasan_data->report_expected) + kunit_set_failure(current->kunit_test); + else + return; + } else + kunit_set_failure(current->kunit_test); +} +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + void kasan_report_invalid_free(void *object, unsigned long ip) { unsigned long flags; u8 tag = get_tag(object);
object = reset_tag(object); + +#if IS_BUILTIN(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object); @@ -481,6 +509,11 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon if (likely(!report_enabled())) return;
+#if IS_BUILTIN(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + disable_trace_on_warning();
tagged_addr = (void *)addr;
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
Integrate KASAN into KUnit testing framework.
- Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - Expected KASAN reports pass tests and are still printed when run without kunit_tool (kunit_tool still bypasses the report due to the
test passing) - KUnit struct in current task used to keep track of the current test from KASAN code
Make use of "[RFC PATCH kunit-next 1/2] kunit: generalize kunit_resource API beyond allocated resources" and "[RFC PATCH kunit-next 2/2] kunit: add support for named resources" from Alan Maguire [1]
- A named resource is added to a test when a KASAN report is
expected - This resource contains a struct for kasan_data containing booleans representing if a KASAN report is expected and if a KASAN report is found[1] (https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...)
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/kunit/test.h | 10 ++++++++++ lib/kunit/test.c | 10 +++++++++- lib/test_kasan.c | 37 +++++++++++++++++++++++++++++++++++++ mm/kasan/report.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/include/kunit/test.h b/include/kunit/test.h index 70ee581b19cd..2ab265f4f76c 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -19,9 +19,19 @@ struct kunit_resource; +#ifdef CONFIG_KASAN +/* kasan_data struct is used in KUnit tests for KASAN expected failures */ +struct kunit_kasan_expectation {
- bool report_expected;
- bool report_found;
+}; +#endif /* CONFIG_KASAN */
Above should be moved to mm/kasan/kasan.h I think.
typedef int (*kunit_resource_init_t)(struct kunit_resource *, void *); typedef void (*kunit_resource_free_t)(struct kunit_resource *); +void kunit_set_failure(struct kunit *test);
Can you explain a bit more about why we need this exported? I see where it's used but I'd just like to make sure I understand what you're trying to do. Thanks!
/**
- struct kunit_resource - represents a *test managed resource*
- @data: for the user to store arbitrary data.
diff --git a/lib/kunit/test.c b/lib/kunit/test.c index 86a4d9ca0a45..3f927ef45827 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -10,11 +10,12 @@ #include <linux/kernel.h> #include <linux/kref.h> #include <linux/sched/debug.h> +#include <linux/sched.h> #include "string-stream.h" #include "try-catch-impl.h" -static void kunit_set_failure(struct kunit *test) +void kunit_set_failure(struct kunit *test) { WRITE_ONCE(test->success, false); } @@ -237,6 +238,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case; +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT))
- current->kunit_test = test;
+#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT) */
- /*
- kunit_run_case_internal may encounter a fatal error; if it does,
- abort will be called, this thread will exit, and finally the parent
@@ -590,6 +595,9 @@ void kunit_cleanup(struct kunit *test) spin_unlock(&test->lock); kunit_remove_resource(test, res); } +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT))
- current->kunit_test = NULL;
As per patch 1, I'd suggest changing here and elsewhere to "IS_ENABLED(CONFIG_KUNIT)".
+#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)*/ } EXPORT_SYMBOL_GPL(kunit_cleanup); diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 3872d250ed2c..cf73c6bee81b 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,6 +23,43 @@ #include <asm/page.h> +#include <kunit/test.h>
+struct kunit_resource resource; +struct kunit_kasan_expectation fail_data;
+#define KUNIT_SET_KASAN_DATA(test) do { \
- fail_data.report_expected = true; \
- fail_data.report_found = false; \
- kunit_add_named_resource(test, \
NULL, \NULL, \&resource, \"kasan_data", &fail_data); \+} while (0)
+#define KUNIT_DO_EXPECT_KASAN_FAIL(test, condition) do { \
- struct kunit_resource *resource; \
- struct kunit_kasan_expectation *kasan_data; \
- condition; \
- resource = kunit_find_named_resource(test, "kasan_data"); \
- kasan_data = resource->data; \
- KUNIT_EXPECT_EQ(test, \
kasan_data->report_expected, \kasan_data->report_found); \- kunit_put_resource(resource); \
+} while (0)
+/**
- KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does
- not cause a KASAN error.
- */
+#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \
- KUNIT_SET_KASAN_DATA(test); \
- KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \
+} while (0)
/*
- Note: test functions are marked noinline so that their names appear in
- reports.
diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 5ef9f24f566b..ef3d0f54097e 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -32,6 +32,8 @@ #include <asm/sections.h> +#include <kunit/test.h>
#include "kasan.h" #include "../slab.h" @@ -455,12 +457,38 @@ static bool report_enabled(void) return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags); } +#if IS_BUILTIN(CONFIG_KUNIT)
again we could tweak this to IS_ENABLED(CONFIG_KUNIT); BTW the reason we can compile kunit as a module for these tests is the KASAN tests are tristate themselves. If they were builtin only it wouldn't be possible to build kunit as a module.
+void kasan_update_kunit_status(struct kunit *cur_test) +{
- struct kunit_resource *resource;
- struct kunit_kasan_expectation *kasan_data;
- if (kunit_find_named_resource(cur_test, "kasan_data")) {
resource = kunit_find_named_resource(cur_test, "kasan_data");kasan_data = resource->data;kasan_data->report_found = true;if (!kasan_data->report_expected)kunit_set_failure(current->kunit_test);elsereturn;- } else
kunit_set_failure(current->kunit_test);+} +#endif /* IS_BUILTIN(CONFIG_KUNIT) */
void kasan_report_invalid_free(void *object, unsigned long ip) { unsigned long flags; u8 tag = get_tag(object); object = reset_tag(object);
+#if IS_BUILTIN(CONFIG_KUNIT)
same comment as above.
- if (current->kunit_test)
kasan_update_kunit_status(current->kunit_test);+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
- start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object);
@@ -481,6 +509,11 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon if (likely(!report_enabled())) return; +#if IS_BUILTIN(CONFIG_KUNIT)
here too.
- if (current->kunit_test)
kasan_update_kunit_status(current->kunit_test);+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
- disable_trace_on_warning();
tagged_addr = (void *)addr; -- 2.25.1.696.g5e7596f4ac-goog
On Tue, Mar 24, 2020 at 9:45 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
Integrate KASAN into KUnit testing framework. - Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - Expected KASAN reports pass tests and are still printed when run without kunit_tool (kunit_tool still bypasses the report due to the test passing) - KUnit struct in current task used to keep track of the current test from KASAN code
Make use of "[RFC PATCH kunit-next 1/2] kunit: generalize kunit_resource API beyond allocated resources" and "[RFC PATCH kunit-next 2/2] kunit: add support for named resources" from Alan Maguire [1] - A named resource is added to a test when a KASAN report is expected - This resource contains a struct for kasan_data containing booleans representing if a KASAN report is expected and if a KASAN report is found
[1] (https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...)
Signed-off-by: Patricia Alfonso trishalfonso@google.com
include/kunit/test.h | 10 ++++++++++ lib/kunit/test.c | 10 +++++++++- lib/test_kasan.c | 37 +++++++++++++++++++++++++++++++++++++ mm/kasan/report.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/include/kunit/test.h b/include/kunit/test.h index 70ee581b19cd..2ab265f4f76c 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -19,9 +19,19 @@
struct kunit_resource;
+#ifdef CONFIG_KASAN +/* kasan_data struct is used in KUnit tests for KASAN expected failures */ +struct kunit_kasan_expectation {
bool report_expected;bool report_found;+}; +#endif /* CONFIG_KASAN */
Above should be moved to mm/kasan/kasan.h I think.
typedef int (*kunit_resource_init_t)(struct kunit_resource *, void *); typedef void (*kunit_resource_free_t)(struct kunit_resource *);
+void kunit_set_failure(struct kunit *test);
Can you explain a bit more about why we need this exported? I see where it's used but I'd just like to make sure I understand what you're trying to do. Thanks!
I need the ability to set a KUnit test failure from outside the KUnit code so that a test that does not expect a KASAN failure, but reaches the point in the KASAN code where a report is printed will properly fail due to this found KASAN failure.
/**
- struct kunit_resource - represents a *test managed resource*
- @data: for the user to store arbitrary data.
diff --git a/lib/kunit/test.c b/lib/kunit/test.c index 86a4d9ca0a45..3f927ef45827 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -10,11 +10,12 @@ #include <linux/kernel.h> #include <linux/kref.h> #include <linux/sched/debug.h> +#include <linux/sched.h>
#include "string-stream.h" #include "try-catch-impl.h"
-static void kunit_set_failure(struct kunit *test) +void kunit_set_failure(struct kunit *test) { WRITE_ONCE(test->success, false); } @@ -237,6 +238,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case;
+#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT))
current->kunit_test = test;+#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT) */
/* * kunit_run_case_internal may encounter a fatal error; if it does, * abort will be called, this thread will exit, and finally the parent@@ -590,6 +595,9 @@ void kunit_cleanup(struct kunit *test) spin_unlock(&test->lock); kunit_remove_resource(test, res); } +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT))
current->kunit_test = NULL;As per patch 1, I'd suggest changing here and elsewhere to "IS_ENABLED(CONFIG_KUNIT)".
"IS_ENABLED(CONFIG_KUNIT)" does not work because KASAN is built-in so it can't rely on modules so this patchset relies on KUnit being built-in.
+#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)*/ } EXPORT_SYMBOL_GPL(kunit_cleanup);
diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 3872d250ed2c..cf73c6bee81b 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,6 +23,43 @@
#include <asm/page.h>
+#include <kunit/test.h>
+struct kunit_resource resource; +struct kunit_kasan_expectation fail_data;
+#define KUNIT_SET_KASAN_DATA(test) do { \
fail_data.report_expected = true; \fail_data.report_found = false; \kunit_add_named_resource(test, \NULL, \NULL, \&resource, \"kasan_data", &fail_data); \+} while (0)
+#define KUNIT_DO_EXPECT_KASAN_FAIL(test, condition) do { \
struct kunit_resource *resource; \struct kunit_kasan_expectation *kasan_data; \condition; \resource = kunit_find_named_resource(test, "kasan_data"); \kasan_data = resource->data; \KUNIT_EXPECT_EQ(test, \kasan_data->report_expected, \kasan_data->report_found); \kunit_put_resource(resource); \+} while (0)
+/**
- KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does
- not cause a KASAN error.
- */
+#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \
KUNIT_SET_KASAN_DATA(test); \KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \+} while (0)
/*
- Note: test functions are marked noinline so that their names appear in
- reports.
diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 5ef9f24f566b..ef3d0f54097e 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -32,6 +32,8 @@
#include <asm/sections.h>
+#include <kunit/test.h>
#include "kasan.h" #include "../slab.h"
@@ -455,12 +457,38 @@ static bool report_enabled(void) return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags); }
+#if IS_BUILTIN(CONFIG_KUNIT)
again we could tweak this to IS_ENABLED(CONFIG_KUNIT); BTW the reason we can compile kunit as a module for these tests is the KASAN tests are tristate themselves. If they were builtin only it wouldn't be possible to build kunit as a module.
+void kasan_update_kunit_status(struct kunit *cur_test) +{
struct kunit_resource *resource;struct kunit_kasan_expectation *kasan_data;if (kunit_find_named_resource(cur_test, "kasan_data")) {resource = kunit_find_named_resource(cur_test, "kasan_data");kasan_data = resource->data;kasan_data->report_found = true;if (!kasan_data->report_expected)kunit_set_failure(current->kunit_test);elsereturn;} elsekunit_set_failure(current->kunit_test);+} +#endif /* IS_BUILTIN(CONFIG_KUNIT) */
void kasan_report_invalid_free(void *object, unsigned long ip) { unsigned long flags; u8 tag = get_tag(object);
object = reset_tag(object);
+#if IS_BUILTIN(CONFIG_KUNIT)
same comment as above.
if (current->kunit_test)kasan_update_kunit_status(current->kunit_test);+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object);@@ -481,6 +509,11 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon if (likely(!report_enabled())) return;
+#if IS_BUILTIN(CONFIG_KUNIT)
here too.
if (current->kunit_test)kasan_update_kunit_status(current->kunit_test);+#endif /* IS_BUILTIN(CONFIG_KUNIT) */
disable_trace_on_warning(); tagged_addr = (void *)addr;-- 2.25.1.696.g5e7596f4ac-goog
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Signed-off-by: Patricia Alfonso trishalfonso@google.com --- lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage.
config TEST_KASAN - tristate "Module for testing KASAN for bug detection" - depends on m && KASAN + tristate "KUnit testing KASAN for bug detection" + depends on KASAN && KUNIT=y help - This is a test module doing various nasty things like + This is a test suite doing various nasty things like out of bounds accesses, use after free. It is useful for testing kernel debugging features like KASAN. + +config TEST_KASAN_USER + tristate "Module testing KASAN for bug detection on copy user tests" + depends on m && KASAN + help + This is a test module for copy_user_tests because these functions + cannot be tested by KUnit so they must be their own module. diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@ * Author: Andrey Ryabinin a.ryabinin@samsung.com */
-#define pr_fmt(fmt) "kasan test: %s " fmt, __func__ - #include <linux/bitops.h> #include <linux/delay.h> #include <linux/kasan.h> @@ -25,8 +23,26 @@
#include <kunit/test.h>
+#if IS_BUILTIN(CONFIG_KUNIT) + struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot; + +int kasan_multi_shot_init(struct kunit *test) +{ + /* + * Temporarily enable multi-shot mode. Otherwise, we'd only get a + * report for the first case. + */ + multishot = kasan_save_enable_multi_shot(); + return 0; +} + +void kasan_multi_shot_exit(struct kunit *test) +{ + kasan_restore_multi_shot(multishot); +}
#define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0)
-/* - * Note: test functions are marked noinline so that their names appear in - * reports. - */ - -static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123;
- pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr); }
-static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15;
- pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- *ptr = *(ptr - 1); + KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr); }
-static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096;
- pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); }
#ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */ - pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); }
-static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr); - ptr[0] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0); }
-static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- kfree(ptr + 1); + KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1)); } -#endif +#endif /* CONFIG_SLUB */
-static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */ - pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); }
-static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19;
- pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
- ptr2[size2] = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2); }
-static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15;
- pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - return; - } - ptr2[size2] = 'x'; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2); }
-static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2;
- pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } - *ptr1 = *ptr2; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2); }
-static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+7, 0, 2); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr); }
-static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+5, 0, 4); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr); }
-static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+1, 0, 8); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr); }
-static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16;
- pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+1, 0, 16); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr); }
-static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666;
- pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr, 0, size+5); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr); }
-static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10;
- pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr); - *(ptr + 8) = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x'); }
-static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33;
- pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr); - memset(ptr, 0, size); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size)); }
-static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43;
- pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL); - if (!ptr1) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
kfree(ptr1); + ptr2 = kmalloc(size, GFP_KERNEL); - if (!ptr2) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x'); + KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
- ptr1[40] = 'x'; - if (ptr1 == ptr2) - pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); kfree(ptr2); }
-static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset;
- pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset); }
-static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys;
- pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
phys = virt_to_phys(ptr); kfree(phys_to_virt(phys)); }
-static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("out-of-bounds in kmem_cache_alloc\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
- *p = p[size]; + KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache); }
-static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
- pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation. @@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void)
static char global_array[10];
-static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i];
- pr_info("out-of-bounds global variable\n"); - *(volatile char *)p; -} - -static noinline void __init kasan_stack_oob(void) -{ - char stack_array[10]; - volatile int i = 0; - char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - - pr_info("out-of-bounds on stack\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); }
-static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size;
- pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */ - ptr[real_size] = 'y'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr); }
-static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK)) +static void kasan_stack_oob(struct kunit *test) { - char *kmem; - char __user *usermem; - size_t size = 10; - int unused; - - kmem = kmalloc(size, GFP_KERNEL); - if (!kmem) - return; - - usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, - PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_ANONYMOUS | MAP_PRIVATE, 0); - if (IS_ERR(usermem)) { - pr_err("Failed to allocate user memory\n"); - kfree(kmem); - return; - } - - pr_info("out-of-bounds in copy_from_user()\n"); - unused = copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in copy_to_user()\n"); - unused = copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user()\n"); - unused = __copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user()\n"); - unused = __copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); - unused = __copy_from_user_inatomic(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); - unused = __copy_to_user_inatomic(usermem, kmem, size + 1); - - pr_info("out-of-bounds in strncpy_from_user()\n"); - unused = strncpy_from_user(kmem, usermem, size + 1); + char stack_array[10]; + volatile int i = 0; + char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
- vm_munmap((unsigned long)usermem, PAGE_SIZE); - kfree(kmem); + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); }
-static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1;
- pr_info("out-of-bounds to left on alloca\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); }
-static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i;
- pr_info("out-of-bounds to right on alloca\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); } +#endif /* CONFIG_KASAN_STACK */
-static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("double-free on heap object\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); + p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
kmem_cache_free(cache, p); - kmem_cache_free(cache, p); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache); }
-static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void)
cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("invalid-free of heap object\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); + p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
/* Trigger invalid free, the object doesn't get freed */ - kmem_cache_free(cache, p + 1); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
/* * Properly free the object to prevent the "Objects remaining in @@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); }
-static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24;
- pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memchr(ptr, '1', size + 1); + KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr); }
-static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9];
- pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(arr, 0, sizeof(arr)); - memcmp(ptr, arr, size+1); + KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr); }
-static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24;
- pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr);
@@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16; - strchr(ptr, '1'); + KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1'));
- pr_info("use-after-free in strrchr\n"); - strrchr(ptr, '1'); + KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1'));
- pr_info("use-after-free in strcmp\n"); - strcmp(ptr, "2"); + KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2"));
- pr_info("use-after-free in strncmp\n"); - strncmp(ptr, "2", 1); + KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1));
- pr_info("use-after-free in strlen\n"); - strlen(ptr); + KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr));
- pr_info("use-after-free in strnlen\n"); - strnlen(ptr, 1); + KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1)); }
-static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL); - if (!bits) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
/* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */ - pr_info("out-of-bounds in set_bit\n"); - set_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __set_bit\n"); - __set_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in clear_bit\n"); - clear_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __clear_bit\n"); - __clear_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in clear_bit_unlock\n"); - clear_bit_unlock(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __clear_bit_unlock\n"); - __clear_bit_unlock(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in change_bit\n"); - change_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __change_bit\n"); - __change_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits));
/* * Below calls try to access bit beyond allocated memory. */ - pr_info("out-of-bounds in test_and_set_bit\n"); - test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_set_bit\n"); - __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_set_bit_lock\n"); - test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_clear_bit\n"); - test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_clear_bit\n"); - __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_change_bit\n"); - test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_change_bit\n"); - __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_bit\n"); - (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
#if defined(clear_bit_unlock_is_negative_byte) - pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n"); - clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, + bits)); #endif kfree(bits); }
-static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16;
- pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kzfree(ptr); - kzfree(ptr); + KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr)); }
#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area;
- pr_info("vmalloc out-of-bounds\n"); - /* * We have to be careful not to hit the guard page. * The MMU will catch that and crash us. */ area = vmalloc(3000); - if (!area) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
- ((volatile char *)area)[3100]; + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area); } #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif
-static int __init kmalloc_tests_init(void) -{ - /* - * Temporarily enable multi-shot mode. Otherwise, we'd only get a - * report for the first case. - */ - bool multishot = kasan_save_enable_multi_shot(); - - kmalloc_oob_right(); - kmalloc_oob_left(); - kmalloc_node_oob_right(); +static struct kunit_case kasan_kunit_test_cases[] = { + KUNIT_CASE(kmalloc_oob_right), + KUNIT_CASE(kmalloc_oob_left), + KUNIT_CASE(kmalloc_node_oob_right), #ifdef CONFIG_SLUB - kmalloc_pagealloc_oob_right(); - kmalloc_pagealloc_uaf(); - kmalloc_pagealloc_invalid_free(); -#endif - kmalloc_large_oob_right(); - kmalloc_oob_krealloc_more(); - kmalloc_oob_krealloc_less(); - kmalloc_oob_16(); - kmalloc_oob_in_memset(); - kmalloc_oob_memset_2(); - kmalloc_oob_memset_4(); - kmalloc_oob_memset_8(); - kmalloc_oob_memset_16(); - kmalloc_uaf(); - kmalloc_uaf_memset(); - kmalloc_uaf2(); - kfree_via_page(); - kfree_via_phys(); - kmem_cache_oob(); - memcg_accounted_kmem_cache(); - kasan_stack_oob(); - kasan_global_oob(); - kasan_alloca_oob_left(); - kasan_alloca_oob_right(); - ksize_unpoisons_memory(); - copy_user_test(); - kmem_cache_double_free(); - kmem_cache_invalid_free(); - kasan_memchr(); - kasan_memcmp(); - kasan_strings(); - kasan_bitops(); - kmalloc_double_kzfree(); - vmalloc_oob(); - - kasan_restore_multi_shot(multishot); - - return -EAGAIN; -} + KUNIT_CASE(kmalloc_pagealloc_oob_right), + KUNIT_CASE(kmalloc_pagealloc_uaf), + KUNIT_CASE(kmalloc_pagealloc_invalid_free), +#endif /* CONFIG_SLUB */ + KUNIT_CASE(kmalloc_large_oob_right), + KUNIT_CASE(kmalloc_oob_krealloc_more), + KUNIT_CASE(kmalloc_oob_krealloc_less), + KUNIT_CASE(kmalloc_oob_16), + KUNIT_CASE(kmalloc_oob_in_memset), + KUNIT_CASE(kmalloc_oob_memset_2), + KUNIT_CASE(kmalloc_oob_memset_4), + KUNIT_CASE(kmalloc_oob_memset_8), + KUNIT_CASE(kmalloc_oob_memset_16), + KUNIT_CASE(kmalloc_uaf), + KUNIT_CASE(kmalloc_uaf_memset), + KUNIT_CASE(kmalloc_uaf2), + KUNIT_CASE(kfree_via_page), + KUNIT_CASE(kfree_via_phys), + KUNIT_CASE(kmem_cache_oob), + KUNIT_CASE(memcg_accounted_kmem_cache), + KUNIT_CASE(kasan_global_oob), +#if (IS_ENABLED(CONFIG_KASAN_STACK)) + KUNIT_CASE(kasan_stack_oob), // need stack protection + KUNIT_CASE(kasan_alloca_oob_left), + KUNIT_CASE(kasan_alloca_oob_right), +#endif /*CONFIG_KASAN_STACK*/ + KUNIT_CASE(ksize_unpoisons_memory), + KUNIT_CASE(kmem_cache_double_free), + KUNIT_CASE(kmem_cache_invalid_free), + KUNIT_CASE(kasan_memchr), + KUNIT_CASE(kasan_memcmp), + KUNIT_CASE(kasan_strings), + KUNIT_CASE(kasan_bitops), + KUNIT_CASE(kmalloc_double_kzfree), + KUNIT_CASE(vmalloc_oob), + {} +}; + +static struct kunit_suite kasan_kunit_test_suite = { + .name = "kasan_kunit_test", + .init = kasan_multi_shot_init, + .test_cases = kasan_kunit_test_cases, + .exit = kasan_multi_shot_exit, +}; + +kunit_test_suite(kasan_kunit_test_suite); + +#endif /* BUILTIN(CONFIG_KUNIT) */
-module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * + * Copyright (c) 2014 Samsung Electronics Co., Ltd. + * Author: Andrey Ryabinin a.ryabinin@samsung.com + */ + +#define pr_fmt(fmt) "kasan test: %s " fmt, __func__ + +#include <linux/mman.h> +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/slab.h> +#include <linux/uaccess.h> + +static noinline void __init copy_user_test(void) +{ + char *kmem; + char __user *usermem; + size_t size = 10; + int unused; + + kmem = kmalloc(size, GFP_KERNEL); + if (!kmem) + return; + + usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_ANONYMOUS | MAP_PRIVATE, 0); + if (IS_ERR(usermem)) { + pr_err("Failed to allocate user memory\n"); + kfree(kmem); + return; + } + + pr_info("out-of-bounds in copy_from_user()\n"); + unused = copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in copy_to_user()\n"); + unused = copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user()\n"); + unused = __copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user()\n"); + unused = __copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); + unused = __copy_from_user_inatomic(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); + unused = __copy_to_user_inatomic(usermem, kmem, size + 1); + + pr_info("out-of-bounds in strncpy_from_user()\n"); + unused = strncpy_from_user(kmem, usermem, size + 1); + + vm_munmap((unsigned long)usermem, PAGE_SIZE); + kfree(kmem); +} + +static int __init copy_user_tests_init(void) +{ + /* + * Temporarily enable multi-shot mode. Otherwise, we'd only get a + * report for the first case. + */ + bool multishot = kasan_save_enable_multi_shot(); + + copy_user_test(); + kasan_restore_multi_shot(multishot); + return -EAGAIN; +} + +module_init(copy_user_tests_init); +MODULE_LICENSE("GPL");
On Thu, Mar 19, 2020 at 5:42 PM 'Patricia Alfonso' via kasan-dev kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Why the copy_from_user tests can't be converted? It would be very nice to get rid of the modules entirely, rather than having 2 different test procedures because of 2 tests. Or, alternatively can there be other tests in future that can't be converted? Naming it "KASAN_USER" looks somewhat overspecialized. Say tomorrow we have another test that can't run under Kunit, but is not related to copt_from_user, should we create yet another module for it? I think the crux of that is that's a module, so a better name may be "KASAN_TEST_MODULE". Currently all tests that need to run as module are related to copy_from_user, but that's just an implementation detail.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage.
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"depends on m && KASAN
tristate "KUnit testing KASAN for bug detection"depends on KASAN && KUNIT=y help
This is a test module doing various nasty things like
This is a test suite doing various nasty things like out of bounds accesses, use after free. It is useful for testing kernel debugging features like KASAN.+config TEST_KASAN_USER
tristate "Module testing KASAN for bug detection on copy user tests"depends on m && KASANhelpThis is a test module for copy_user_tests because these functionscannot be tested by KUnit so they must be their own module.diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@
- Author: Andrey Ryabinin a.ryabinin@samsung.com
*/
-#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
#include <linux/bitops.h> #include <linux/delay.h> #include <linux/kasan.h> @@ -25,8 +23,26 @@
#include <kunit/test.h>
+#if IS_BUILTIN(CONFIG_KUNIT)
struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot;
+int kasan_multi_shot_init(struct kunit *test) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/multishot = kasan_save_enable_multi_shot();return 0;+}
+void kasan_multi_shot_exit(struct kunit *test) +{
kasan_restore_multi_shot(multishot);+}
#define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0)
-/*
- Note: test functions are marked noinline so that their names appear in
- reports.
- */
-static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123;
pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr);}
-static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15;
pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
*ptr = *(ptr - 1);
KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr);}
-static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096;
pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
#ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */
pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
ptr[0] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);}
-static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));} -#endif +#endif /* CONFIG_SLUB */
-static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */
pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19;
pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
ptr2[size2] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15;
pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);return;}ptr2[size2] = 'x';
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2;
pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}*ptr1 = *ptr2;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2);}
-static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+7, 0, 2);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+5, 0, 4);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 8);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 16);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr);}
-static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666;
pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr, 0, size+5);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr);}
-static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10;
pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
*(ptr + 8) = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');}
-static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33;
pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
memset(ptr, 0, size);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));}
-static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43;
pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL);if (!ptr1) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); kfree(ptr1);ptr2 = kmalloc(size, GFP_KERNEL);
if (!ptr2) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
ptr1[40] = 'x';if (ptr1 == ptr2)pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); kfree(ptr2);}
-static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset;
pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset);}
-static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys;
pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); phys = virt_to_phys(ptr); kfree(phys_to_virt(phys));}
-static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("out-of-bounds in kmem_cache_alloc\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
*p = p[size];
KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache);}
-static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation.@@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void)
static char global_array[10];
-static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i];
pr_info("out-of-bounds global variable\n");*(volatile char *)p;-}
-static noinline void __init kasan_stack_oob(void) -{
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];pr_info("out-of-bounds on stack\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size;
pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */
ptr[real_size] = 'y';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr);}
-static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK)) +static void kasan_stack_oob(struct kunit *test) {
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1;
pr_info("out-of-bounds to left on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i;
pr_info("out-of-bounds to right on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);} +#endif /* CONFIG_KASAN_STACK */
-static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("double-free on heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } kmem_cache_free(cache, p);
kmem_cache_free(cache, p);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache);}
-static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void)
cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("invalid-free of heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } /* Trigger invalid free, the object doesn't get freed */
kmem_cache_free(cache, p + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1)); /* * Properly free the object to prevent the "Objects remaining in@@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); }
-static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memchr(ptr, '1', size + 1);
KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr);}
-static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9];
pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); memset(arr, 0, sizeof(arr));
memcmp(ptr, arr, size+1);
KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr);}
-static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);@@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16;
strchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1'));
pr_info("use-after-free in strrchr\n");strrchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1'));
pr_info("use-after-free in strcmp\n");strcmp(ptr, "2");
KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2"));
pr_info("use-after-free in strncmp\n");strncmp(ptr, "2", 1);
KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1));
pr_info("use-after-free in strlen\n");strlen(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr));
pr_info("use-after-free in strnlen\n");strnlen(ptr, 1);
KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1));}
-static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
if (!bits)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); /* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */
pr_info("out-of-bounds in set_bit\n");set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __set_bit\n");__set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit\n");clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit\n");__clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit_unlock\n");clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit_unlock\n");__clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in change_bit\n");change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __change_bit\n");__change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits)); /* * Below calls try to access bit beyond allocated memory. */
pr_info("out-of-bounds in test_and_set_bit\n");test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_set_bit\n");__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_set_bit_lock\n");test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_clear_bit\n");test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_clear_bit\n");__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_change_bit\n");test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_change_bit\n");__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_bit\n");(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));#if defined(clear_bit_unlock_is_negative_byte)
pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE,bits));#endif kfree(bits); }
-static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kzfree(ptr);
kzfree(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr));}
#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area;
pr_info("vmalloc out-of-bounds\n");/* * We have to be careful not to hit the guard page. * The MMU will catch that and crash us. */ area = vmalloc(3000);if (!area) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
((volatile char *)area)[3100];
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area);} #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif
-static int __init kmalloc_tests_init(void) -{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();kmalloc_oob_right();kmalloc_oob_left();kmalloc_node_oob_right();+static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(kmalloc_oob_right),KUNIT_CASE(kmalloc_oob_left),KUNIT_CASE(kmalloc_node_oob_right),#ifdef CONFIG_SLUB
kmalloc_pagealloc_oob_right();kmalloc_pagealloc_uaf();kmalloc_pagealloc_invalid_free();-#endif
kmalloc_large_oob_right();kmalloc_oob_krealloc_more();kmalloc_oob_krealloc_less();kmalloc_oob_16();kmalloc_oob_in_memset();kmalloc_oob_memset_2();kmalloc_oob_memset_4();kmalloc_oob_memset_8();kmalloc_oob_memset_16();kmalloc_uaf();kmalloc_uaf_memset();kmalloc_uaf2();kfree_via_page();kfree_via_phys();kmem_cache_oob();memcg_accounted_kmem_cache();kasan_stack_oob();kasan_global_oob();kasan_alloca_oob_left();kasan_alloca_oob_right();ksize_unpoisons_memory();copy_user_test();kmem_cache_double_free();kmem_cache_invalid_free();kasan_memchr();kasan_memcmp();kasan_strings();kasan_bitops();kmalloc_double_kzfree();vmalloc_oob();kasan_restore_multi_shot(multishot);return -EAGAIN;-}
KUNIT_CASE(kmalloc_pagealloc_oob_right),KUNIT_CASE(kmalloc_pagealloc_uaf),KUNIT_CASE(kmalloc_pagealloc_invalid_free),+#endif /* CONFIG_SLUB */
KUNIT_CASE(kmalloc_large_oob_right),KUNIT_CASE(kmalloc_oob_krealloc_more),KUNIT_CASE(kmalloc_oob_krealloc_less),KUNIT_CASE(kmalloc_oob_16),KUNIT_CASE(kmalloc_oob_in_memset),KUNIT_CASE(kmalloc_oob_memset_2),KUNIT_CASE(kmalloc_oob_memset_4),KUNIT_CASE(kmalloc_oob_memset_8),KUNIT_CASE(kmalloc_oob_memset_16),KUNIT_CASE(kmalloc_uaf),KUNIT_CASE(kmalloc_uaf_memset),KUNIT_CASE(kmalloc_uaf2),KUNIT_CASE(kfree_via_page),KUNIT_CASE(kfree_via_phys),KUNIT_CASE(kmem_cache_oob),KUNIT_CASE(memcg_accounted_kmem_cache),KUNIT_CASE(kasan_global_oob),+#if (IS_ENABLED(CONFIG_KASAN_STACK))
KUNIT_CASE(kasan_stack_oob), // need stack protectionKUNIT_CASE(kasan_alloca_oob_left),KUNIT_CASE(kasan_alloca_oob_right),+#endif /*CONFIG_KASAN_STACK*/
KUNIT_CASE(ksize_unpoisons_memory),KUNIT_CASE(kmem_cache_double_free),KUNIT_CASE(kmem_cache_invalid_free),KUNIT_CASE(kasan_memchr),KUNIT_CASE(kasan_memcmp),KUNIT_CASE(kasan_strings),KUNIT_CASE(kasan_bitops),KUNIT_CASE(kmalloc_double_kzfree),KUNIT_CASE(vmalloc_oob),{}+};
+static struct kunit_suite kasan_kunit_test_suite = {
.name = "kasan_kunit_test",.init = kasan_multi_shot_init,.test_cases = kasan_kunit_test_cases,.exit = kasan_multi_shot_exit,+};
+kunit_test_suite(kasan_kunit_test_suite);
+#endif /* BUILTIN(CONFIG_KUNIT) */
-module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/*
- Copyright (c) 2014 Samsung Electronics Co., Ltd.
- Author: Andrey Ryabinin a.ryabinin@samsung.com
- */
+#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
+#include <linux/mman.h> +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/slab.h> +#include <linux/uaccess.h>
+static noinline void __init copy_user_test(void) +{
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);+}
+static int __init copy_user_tests_init(void) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();copy_user_test();kasan_restore_multi_shot(multishot);return -EAGAIN;+}
+module_init(copy_user_tests_init);
+MODULE_LICENSE("GPL");
2.25.1.696.g5e7596f4ac-goog
-- You received this message because you are subscribed to the Google Groups "kasan-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200319164227.87419-4-trishalfo....
On Tue, Mar 24, 2020 at 4:25 AM Dmitry Vyukov dvyukov@google.com wrote:
On Thu, Mar 19, 2020 at 5:42 PM 'Patricia Alfonso' via kasan-dev kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
Why the copy_from_user tests can't be converted? It would be very nice to get rid of the modules entirely, rather than having 2 different test procedures because of 2 tests. Or, alternatively can there be other tests in future that can't be converted? Naming it "KASAN_USER" looks somewhat overspecialized. Say tomorrow we have another test that can't run under Kunit, but is not related to copt_from_user, should we create yet another module for it? I think the crux of that is that's a module, so a better name may be "KASAN_TEST_MODULE". Currently all tests that need to run as module are related to copy_from_user, but that's just an implementation detail.
When I converted the copy_user_tests into KUnit, I was getting a kernel panic with a "Segfault with no mm." According to Brendan, since KUnit starts a new kthread and is not invoked via a syscall, things like copy_to_user won't work in the KUnit framework.
I agree that the naming is too specific, but is KASAN_TEST_MODULE too generic since the current KASAN_TEST can be built as a module? Maybe TEST_KASAN can be KUNIT_TEST_KASAN and TEST_KASAN_USER can be TEST_KASAN_MODULE...
On Tue, Mar 24, 2020 at 4:05 PM Patricia Alfonso trishalfonso@google.com wrote:
On Tue, Mar 24, 2020 at 4:25 AM Dmitry Vyukov dvyukov@google.com wrote:
On Thu, Mar 19, 2020 at 5:42 PM 'Patricia Alfonso' via kasan-dev kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
I've checked out:
commit 0476e69f39377192d638c459d11400c6e9a6ffb0 (HEAD, kselftest/kunit) Date: Mon Mar 23 12:04:59 2020 -0700
But the build still fails for me:
mm/kasan/report.c: In function ‘kasan_update_kunit_status’: mm/kasan/report.c:466:6: error: implicit declaration of function ‘kunit_find_named_resource’ [-Werror=implicit-function-declar] 466 | if (kunit_find_named_resource(cur_test, "kasan_data")) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:467:12: warning: assignment to ‘struct kunit_resource *’ from ‘int’ makes pointer from integer without a cas] 467 | resource = kunit_find_named_resource(cur_test, "kasan_data"); | ^ mm/kasan/report.c:468:24: error: ‘struct kunit_resource’ has no member named ‘data’ 468 | kasan_data = resource->data; | ^~
What am I doing wrong?
On Thu, Mar 26, 2020 at 2:12 AM Dmitry Vyukov dvyukov@google.com wrote:
On Tue, Mar 24, 2020 at 4:05 PM Patricia Alfonso trishalfonso@google.com wrote:
On Tue, Mar 24, 2020 at 4:25 AM Dmitry Vyukov dvyukov@google.com wrote:
On Thu, Mar 19, 2020 at 5:42 PM 'Patricia Alfonso' via kasan-dev kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
I've checked out:
commit 0476e69f39377192d638c459d11400c6e9a6ffb0 (HEAD, kselftest/kunit) Date: Mon Mar 23 12:04:59 2020 -0700
But the build still fails for me:
mm/kasan/report.c: In function ‘kasan_update_kunit_status’: mm/kasan/report.c:466:6: error: implicit declaration of function ‘kunit_find_named_resource’ [-Werror=implicit-function-declar] 466 | if (kunit_find_named_resource(cur_test, "kasan_data")) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:467:12: warning: assignment to ‘struct kunit_resource *’ from ‘int’ makes pointer from integer without a cas] 467 | resource = kunit_find_named_resource(cur_test, "kasan_data"); | ^ mm/kasan/report.c:468:24: error: ‘struct kunit_resource’ has no member named ‘data’ 468 | kasan_data = resource->data; | ^~
What am I doing wrong?
This patchset relies on another RFC patchset from Alan: https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...
I thought I linked it in the commit message but it may only be in the commit message for part 2/3. It should work with Alan's patchset, but let me know if you have any trouble.
-- Best, Patricia
On Thu, Mar 26, 2020 at 4:15 PM Patricia Alfonso trishalfonso@google.com wrote:
kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
I've checked out:
commit 0476e69f39377192d638c459d11400c6e9a6ffb0 (HEAD, kselftest/kunit) Date: Mon Mar 23 12:04:59 2020 -0700
But the build still fails for me:
mm/kasan/report.c: In function ‘kasan_update_kunit_status’: mm/kasan/report.c:466:6: error: implicit declaration of function ‘kunit_find_named_resource’ [-Werror=implicit-function-declar] 466 | if (kunit_find_named_resource(cur_test, "kasan_data")) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:467:12: warning: assignment to ‘struct kunit_resource *’ from ‘int’ makes pointer from integer without a cas] 467 | resource = kunit_find_named_resource(cur_test, "kasan_data"); | ^ mm/kasan/report.c:468:24: error: ‘struct kunit_resource’ has no member named ‘data’ 468 | kasan_data = resource->data; | ^~
What am I doing wrong?
This patchset relies on another RFC patchset from Alan: https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...
I thought I linked it in the commit message but it may only be in the commit message for part 2/3. It should work with Alan's patchset, but let me know if you have any trouble.
Please push your state of code to some git repository, so that I can pull it. Github or gerrit or whatever.
On Thu, Mar 26, 2020 at 10:31 PM Dmitry Vyukov dvyukov@google.com wrote:
On Thu, Mar 26, 2020 at 4:15 PM Patricia Alfonso trishalfonso@google.com wrote:
kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
I've checked out:
commit 0476e69f39377192d638c459d11400c6e9a6ffb0 (HEAD, kselftest/kunit) Date: Mon Mar 23 12:04:59 2020 -0700
But the build still fails for me:
mm/kasan/report.c: In function ‘kasan_update_kunit_status’: mm/kasan/report.c:466:6: error: implicit declaration of function ‘kunit_find_named_resource’ [-Werror=implicit-function-declar] 466 | if (kunit_find_named_resource(cur_test, "kasan_data")) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:467:12: warning: assignment to ‘struct kunit_resource *’ from ‘int’ makes pointer from integer without a cas] 467 | resource = kunit_find_named_resource(cur_test, "kasan_data"); | ^ mm/kasan/report.c:468:24: error: ‘struct kunit_resource’ has no member named ‘data’ 468 | kasan_data = resource->data; | ^~
What am I doing wrong?
This patchset relies on another RFC patchset from Alan: https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...
I thought I linked it in the commit message but it may only be in the commit message for part 2/3. It should work with Alan's patchset, but let me know if you have any trouble.
Please push your state of code to some git repository, so that I can pull it. Github or gerrit or whatever.
Here's a Gerrit link: https://kunit-review.googlesource.com/c/linux/+/3513
On Mon, Mar 30, 2020 at 8:57 PM Patricia Alfonso trishalfonso@google.com wrote:
On Thu, Mar 26, 2020 at 4:15 PM Patricia Alfonso trishalfonso@google.com wrote:
kasan-dev@googlegroups.com wrote: > > Transfer all previous tests for KASAN to KUnit so they can be run > more easily. Using kunit_tool, developers can run these tests with their > other KUnit tests and see "pass" or "fail" with the appropriate KASAN > report instead of needing to parse each KASAN report to test KASAN > functionalities. All KASAN reports are still printed to dmesg. > > Stack tests do not work in UML so those tests are protected inside an > "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack > instrumentation is enabled. > > copy_user_test cannot be run in KUnit so there is a separate test file > for those tests, which can be run as before as a module.
Hi Patricia,
FWIW I've got some conflicts applying this patch on latest linux-next next-20200324. There are some changes to the tests in mm tree I think.
Which tree will this go through? I would be nice to resolve these conflicts somehow, but I am not sure how. Maybe the kasan tests changes are merged upstream next windows, and then rebase this?
Also, how can I apply this for testing? I assume this is based on some kunit branch? which one?
Hmm... okay, that sounds like a problem. I will have to look into the conflicts. I'm not sure which tree this will go through upstream; I expect someone will tell me which is best when the time comes. This is based on the kunit branch in the kunit documentation here: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/lo...
I've checked out:
commit 0476e69f39377192d638c459d11400c6e9a6ffb0 (HEAD, kselftest/kunit) Date: Mon Mar 23 12:04:59 2020 -0700
But the build still fails for me:
mm/kasan/report.c: In function ‘kasan_update_kunit_status’: mm/kasan/report.c:466:6: error: implicit declaration of function ‘kunit_find_named_resource’ [-Werror=implicit-function-declar] 466 | if (kunit_find_named_resource(cur_test, "kasan_data")) { | ^~~~~~~~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:467:12: warning: assignment to ‘struct kunit_resource *’ from ‘int’ makes pointer from integer without a cas] 467 | resource = kunit_find_named_resource(cur_test, "kasan_data"); | ^ mm/kasan/report.c:468:24: error: ‘struct kunit_resource’ has no member named ‘data’ 468 | kasan_data = resource->data; | ^~
What am I doing wrong?
This patchset relies on another RFC patchset from Alan: https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-al...
I thought I linked it in the commit message but it may only be in the commit message for part 2/3. It should work with Alan's patchset, but let me know if you have any trouble.
Please push your state of code to some git repository, so that I can pull it. Github or gerrit or whatever.
Here's a Gerrit link: https://kunit-review.googlesource.com/c/linux/+/3513
This worked well for me! Thanks!
The first thing I hit is that my default config has panic_on_warn=1 set, which has the same effect as the "multi shot" setting. I think we need to save/restore panic_on_warn the same way we do for multi shot (+rename kasan_multi_shot_init/exit to something more generic).
After removing panic_on_warn=1 I was able to run the tests successfully on x86_64.
And after injecting some simple bugs, I got expected test failures:
[ 3.191793] # kasan_memchr: EXPECTATION FAILED at lib/test_kasan.c:509 [ 3.191793] Expected kasan_data->report_expected == kasan_data->report_found, but [ 3.191793] kasan_data->report_expected == 1 [ 3.191793] kasan_data->report_found == 0 [ 3.191852] not ok 30 - kasan_memchr [ 3.195588] # kasan_memcmp: EXPECTATION FAILED at lib/test_kasan.c:523 [ 3.195588] Expected kasan_data->report_expected == kasan_data->report_found, but [ 3.195588] kasan_data->report_expected == 1 [ 3.195588] kasan_data->report_found == 0 [ 3.195659] not ok 31 - kasan_memcmp
All of these should be static:
struct kunit_resource resource; struct kunit_kasan_expectation fail_data; bool multishot; int kasan_multi_shot_init(struct kunit *test) void kasan_multi_shot_exit(struct kunit *test)
With the comments in the previous emails, this looks good to me.
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage. config TEST_KASAN
- tristate "Module for testing KASAN for bug detection"
- depends on m && KASAN
- tristate "KUnit testing KASAN for bug detection"
- depends on KASAN && KUNIT=y
could just be depends on KASAN && KUNIT I think.
help
This is a test module doing various nasty things like
This is a test suite doing various nasty things like+config TEST_KASAN_USER
- tristate "Module testing KASAN for bug detection on copy user tests"
- depends on m && KASAN
- help
This is a test module for copy_user_tests because these functionscannot be tested by KUnit so they must be their own module.diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@
- Author: Andrey Ryabinin a.ryabinin@samsung.com
*/ -#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
#include <linux/bitops.h> #include <linux/delay.h> #include <linux/kasan.h> @@ -25,8 +23,26 @@ #include <kunit/test.h> +#if IS_BUILTIN(CONFIG_KUNIT)
fix here to be IS_ENABLED(CONFIG_KUNIT)
struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot;
+int kasan_multi_shot_init(struct kunit *test) +{
- /*
* Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/- multishot = kasan_save_enable_multi_shot();
- return 0;
+}
+void kasan_multi_shot_exit(struct kunit *test) +{
- kasan_restore_multi_shot(multishot);
+} #define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0) -/*
- Note: test functions are marked noinline so that their names appear in
- reports.
- */
-static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123;
- pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 'x';
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr);
} -static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15;
- pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- *ptr = *(ptr - 1);
- KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr);
} -static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096;
- pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0;
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);
} #ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */
- pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0;
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);
} -static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr);
- ptr[0] = 0;
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
} -static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
- pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- kfree(ptr + 1);
- KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
} -#endif +#endif /* CONFIG_SLUB */ -static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */
- pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- ptr[size] = 0;
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);
} -static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19;
- pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
- ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
- if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
- ptr2[size2] = 'x';
- KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);
} -static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15;
- pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
- ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
- if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");kfree(ptr1);return;- }
- ptr2[size2] = 'x';
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
- KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);
} -static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2;
- pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
- ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
- if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;- }
- *ptr1 = *ptr2;
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
- KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2);
} -static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+7, 0, 2);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr);
} -static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+5, 0, 4);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr);
} -static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8;
- pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+1, 0, 8);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr);
} -static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16;
- pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr+1, 0, 16);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr);
} -static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666;
- pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memset(ptr, 0, size+5);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr);
} -static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10;
- pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr);
- *(ptr + 8) = 'x';
- KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
} -static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33;
- pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr);
- memset(ptr, 0, size);
- KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
} -static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43;
- pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL);
- if (!ptr1) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
kfree(ptr1);
- ptr2 = kmalloc(size, GFP_KERNEL);
- if (!ptr2) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
- KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
- KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
- ptr1[40] = 'x';
- if (ptr1 == ptr2)
pr_err("Could not detect use-after-free: ptr1 == ptr2\n");} -static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset;
- pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset); } -static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys;
- pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
phys = virt_to_phys(ptr); kfree(phys_to_virt(phys)); } -static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
- if (!cache) {
pr_err("Cache allocation failed\n");return;- }
- pr_info("out-of-bounds in kmem_cache_alloc\n");
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__);
- *p = p[size];
- KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache);
} -static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache; cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
- if (!cache) {
pr_err("Cache allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
- pr_info("allocate memcg accounted object\n"); /*
- Several allocations with a delay to allow for lazy per memcg kmem
- cache creation.
@@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void) static char global_array[10]; -static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i];
- pr_info("out-of-bounds global variable\n");
- *(volatile char *)p;
-}
-static noinline void __init kasan_stack_oob(void) -{
- char stack_array[10];
- volatile int i = 0;
- char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
- pr_info("out-of-bounds on stack\n");
- *(volatile char *)p;
- KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
} -static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size;
- pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */
- ptr[real_size] = 'y';
- KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr);
} -static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK)) +static void kasan_stack_oob(struct kunit *test) {
- char *kmem;
- char __user *usermem;
- size_t size = 10;
- int unused;
- kmem = kmalloc(size, GFP_KERNEL);
- if (!kmem)
return;- usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);- if (IS_ERR(usermem)) {
pr_err("Failed to allocate user memory\n");kfree(kmem);return;- }
- pr_info("out-of-bounds in copy_from_user()\n");
- unused = copy_from_user(kmem, usermem, size + 1);
- pr_info("out-of-bounds in copy_to_user()\n");
- unused = copy_to_user(usermem, kmem, size + 1);
- pr_info("out-of-bounds in __copy_from_user()\n");
- unused = __copy_from_user(kmem, usermem, size + 1);
- pr_info("out-of-bounds in __copy_to_user()\n");
- unused = __copy_to_user(usermem, kmem, size + 1);
- pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
- unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
- pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
- unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
- pr_info("out-of-bounds in strncpy_from_user()\n");
- unused = strncpy_from_user(kmem, usermem, size + 1);
- char stack_array[10];
- volatile int i = 0;
- char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
- vm_munmap((unsigned long)usermem, PAGE_SIZE);
- kfree(kmem);
- KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
} -static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1;
- pr_info("out-of-bounds to left on alloca\n");
- *(volatile char *)p;
- KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
} -static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i;
- pr_info("out-of-bounds to right on alloca\n");
- *(volatile char *)p;
- KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
} +#endif /* CONFIG_KASAN_STACK */ -static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache; cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
- if (!cache) {
pr_err("Cache allocation failed\n");return;- }
- pr_info("double-free on heap object\n");
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
- p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__);kmem_cache_free(cache, p);
- kmem_cache_free(cache, p);
- KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache);
} -static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void) cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL);
- if (!cache) {
pr_err("Cache allocation failed\n");return;- }
- pr_info("invalid-free of heap object\n");
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
- p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__);/* Trigger invalid free, the object doesn't get freed */
- kmem_cache_free(cache, p + 1);
- KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
/* * Properly free the object to prevent the "Objects remaining in @@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); } -static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24;
- pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
- if (!ptr)
return;
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
- memchr(ptr, '1', size + 1);
- KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr);
} -static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9];
- pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
- if (!ptr)
return;
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(arr, 0, sizeof(arr));
- memcmp(ptr, arr, size+1);
- KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr);
} -static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24;
- pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
- if (!ptr)
return;
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr); @@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16;
- strchr(ptr, '1');
- KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1'));
- pr_info("use-after-free in strrchr\n");
- strrchr(ptr, '1');
- KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1'));
- pr_info("use-after-free in strcmp\n");
- strcmp(ptr, "2");
- KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2"));
- pr_info("use-after-free in strncmp\n");
- strncmp(ptr, "2", 1);
- KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1));
- pr_info("use-after-free in strlen\n");
- strlen(ptr);
- KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr));
- pr_info("use-after-free in strnlen\n");
- strnlen(ptr, 1);
- KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1));
} -static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
- if (!bits)
return;
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
/* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */
- pr_info("out-of-bounds in set_bit\n");
- set_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __set_bit\n");
- __set_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in clear_bit\n");
- clear_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __clear_bit\n");
- __clear_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in clear_bit_unlock\n");
- clear_bit_unlock(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __clear_bit_unlock\n");
- __clear_bit_unlock(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in change_bit\n");
- change_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits));
- pr_info("out-of-bounds in __change_bit\n");
- __change_bit(BITS_PER_LONG, bits);
- KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits));
/* * Below calls try to access bit beyond allocated memory. */
- pr_info("out-of-bounds in test_and_set_bit\n");
- test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_set_bit\n");
- __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_set_bit_lock\n");
- test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_clear_bit\n");
- test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_clear_bit\n");
- __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_and_change_bit\n");
- test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in __test_and_change_bit\n");
- __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
- pr_info("out-of-bounds in test_bit\n");
- (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));#if defined(clear_bit_unlock_is_negative_byte)
- pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
- clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
- KUNIT_EXPECT_KASAN_FAIL(test,
clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE,bits));#endif kfree(bits); } -static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16;
- pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL);
- if (!ptr) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kzfree(ptr);
- kzfree(ptr);
- KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr));
} #ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area;
- pr_info("vmalloc out-of-bounds\n");
- /*
*/ area = vmalloc(3000);
- We have to be careful not to hit the guard page.
- The MMU will catch that and crash us.
- if (!area) {
pr_err("Allocation failed\n");return;- }
- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
- ((volatile char *)area)[3100];
- KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area);
} #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif -static int __init kmalloc_tests_init(void) -{
- /*
* Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/- bool multishot = kasan_save_enable_multi_shot();
- kmalloc_oob_right();
- kmalloc_oob_left();
- kmalloc_node_oob_right();
+static struct kunit_case kasan_kunit_test_cases[] = {
- KUNIT_CASE(kmalloc_oob_right),
- KUNIT_CASE(kmalloc_oob_left),
- KUNIT_CASE(kmalloc_node_oob_right),
#ifdef CONFIG_SLUB
- kmalloc_pagealloc_oob_right();
- kmalloc_pagealloc_uaf();
- kmalloc_pagealloc_invalid_free();
-#endif
- kmalloc_large_oob_right();
- kmalloc_oob_krealloc_more();
- kmalloc_oob_krealloc_less();
- kmalloc_oob_16();
- kmalloc_oob_in_memset();
- kmalloc_oob_memset_2();
- kmalloc_oob_memset_4();
- kmalloc_oob_memset_8();
- kmalloc_oob_memset_16();
- kmalloc_uaf();
- kmalloc_uaf_memset();
- kmalloc_uaf2();
- kfree_via_page();
- kfree_via_phys();
- kmem_cache_oob();
- memcg_accounted_kmem_cache();
- kasan_stack_oob();
- kasan_global_oob();
- kasan_alloca_oob_left();
- kasan_alloca_oob_right();
- ksize_unpoisons_memory();
- copy_user_test();
- kmem_cache_double_free();
- kmem_cache_invalid_free();
- kasan_memchr();
- kasan_memcmp();
- kasan_strings();
- kasan_bitops();
- kmalloc_double_kzfree();
- vmalloc_oob();
- kasan_restore_multi_shot(multishot);
- return -EAGAIN;
-}
- KUNIT_CASE(kmalloc_pagealloc_oob_right),
- KUNIT_CASE(kmalloc_pagealloc_uaf),
- KUNIT_CASE(kmalloc_pagealloc_invalid_free),
+#endif /* CONFIG_SLUB */
- KUNIT_CASE(kmalloc_large_oob_right),
- KUNIT_CASE(kmalloc_oob_krealloc_more),
- KUNIT_CASE(kmalloc_oob_krealloc_less),
- KUNIT_CASE(kmalloc_oob_16),
- KUNIT_CASE(kmalloc_oob_in_memset),
- KUNIT_CASE(kmalloc_oob_memset_2),
- KUNIT_CASE(kmalloc_oob_memset_4),
- KUNIT_CASE(kmalloc_oob_memset_8),
- KUNIT_CASE(kmalloc_oob_memset_16),
- KUNIT_CASE(kmalloc_uaf),
- KUNIT_CASE(kmalloc_uaf_memset),
- KUNIT_CASE(kmalloc_uaf2),
- KUNIT_CASE(kfree_via_page),
- KUNIT_CASE(kfree_via_phys),
- KUNIT_CASE(kmem_cache_oob),
- KUNIT_CASE(memcg_accounted_kmem_cache),
- KUNIT_CASE(kasan_global_oob),
+#if (IS_ENABLED(CONFIG_KASAN_STACK))
- KUNIT_CASE(kasan_stack_oob), // need stack protection
- KUNIT_CASE(kasan_alloca_oob_left),
- KUNIT_CASE(kasan_alloca_oob_right),
+#endif /*CONFIG_KASAN_STACK*/
- KUNIT_CASE(ksize_unpoisons_memory),
- KUNIT_CASE(kmem_cache_double_free),
- KUNIT_CASE(kmem_cache_invalid_free),
- KUNIT_CASE(kasan_memchr),
- KUNIT_CASE(kasan_memcmp),
- KUNIT_CASE(kasan_strings),
- KUNIT_CASE(kasan_bitops),
- KUNIT_CASE(kmalloc_double_kzfree),
- KUNIT_CASE(vmalloc_oob),
- {}
+};
+static struct kunit_suite kasan_kunit_test_suite = {
- .name = "kasan_kunit_test",
- .init = kasan_multi_shot_init,
- .test_cases = kasan_kunit_test_cases,
- .exit = kasan_multi_shot_exit,
+};
+kunit_test_suite(kasan_kunit_test_suite);
+#endif /* BUILTIN(CONFIG_KUNIT) */ -module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/*
- Copyright (c) 2014 Samsung Electronics Co., Ltd.
- Author: Andrey Ryabinin a.ryabinin@samsung.com
- */
+#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
+#include <linux/mman.h> +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/slab.h> +#include <linux/uaccess.h>
+static noinline void __init copy_user_test(void) +{
- char *kmem;
- char __user *usermem;
- size_t size = 10;
- int unused;
- kmem = kmalloc(size, GFP_KERNEL);
- if (!kmem)
return;- usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);- if (IS_ERR(usermem)) {
pr_err("Failed to allocate user memory\n");kfree(kmem);return;- }
- pr_info("out-of-bounds in copy_from_user()\n");
- unused = copy_from_user(kmem, usermem, size + 1);
- pr_info("out-of-bounds in copy_to_user()\n");
- unused = copy_to_user(usermem, kmem, size + 1);
- pr_info("out-of-bounds in __copy_from_user()\n");
- unused = __copy_from_user(kmem, usermem, size + 1);
- pr_info("out-of-bounds in __copy_to_user()\n");
- unused = __copy_to_user(usermem, kmem, size + 1);
- pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
- unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
- pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
- unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
- pr_info("out-of-bounds in strncpy_from_user()\n");
- unused = strncpy_from_user(kmem, usermem, size + 1);
- vm_munmap((unsigned long)usermem, PAGE_SIZE);
- kfree(kmem);
+}
+static int __init copy_user_tests_init(void) +{
- /*
* Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/- bool multishot = kasan_save_enable_multi_shot();
- copy_user_test();
- kasan_restore_multi_shot(multishot);
- return -EAGAIN;
+}
+module_init(copy_user_tests_init);
+MODULE_LICENSE("GPL");
2.25.1.696.g5e7596f4ac-goog
On Tue, Mar 24, 2020 at 9:48 AM Alan Maguire alan.maguire@oracle.com wrote:
On Thu, 19 Mar 2020, Patricia Alfonso wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage.
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"depends on m && KASAN
tristate "KUnit testing KASAN for bug detection"depends on KASAN && KUNIT=ycould just be depends on KASAN && KUNIT I think.
This depends on KUNIT=y because KASAN is built-in and therefore cannot use code from KUnit if it is built as a module.
help
This is a test module doing various nasty things like
This is a test suite doing various nasty things like out of bounds accesses, use after free. It is useful for testing kernel debugging features like KASAN.+config TEST_KASAN_USER
tristate "Module testing KASAN for bug detection on copy user tests"depends on m && KASANhelpThis is a test module for copy_user_tests because these functionscannot be tested by KUnit so they must be their own module.diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@
- Author: Andrey Ryabinin a.ryabinin@samsung.com
*/
-#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
#include <linux/bitops.h> #include <linux/delay.h> #include <linux/kasan.h> @@ -25,8 +23,26 @@
#include <kunit/test.h>
+#if IS_BUILTIN(CONFIG_KUNIT)
fix here to be IS_ENABLED(CONFIG_KUNIT)
Same comment as above. This relies on KUnit being built-in.
struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot;
+int kasan_multi_shot_init(struct kunit *test) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/multishot = kasan_save_enable_multi_shot();return 0;+}
+void kasan_multi_shot_exit(struct kunit *test) +{
kasan_restore_multi_shot(multishot);+}
#define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0)
-/*
- Note: test functions are marked noinline so that their names appear in
- reports.
- */
-static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123;
pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr);}
-static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15;
pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
*ptr = *(ptr - 1);
KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr);}
-static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096;
pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
#ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */
pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
ptr[0] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);}
-static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));} -#endif +#endif /* CONFIG_SLUB */
-static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */
pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19;
pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
ptr2[size2] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15;
pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);return;}ptr2[size2] = 'x';
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2;
pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}*ptr1 = *ptr2;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2);}
-static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+7, 0, 2);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+5, 0, 4);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 8);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 16);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr);}
-static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666;
pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr, 0, size+5);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr);}
-static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10;
pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
*(ptr + 8) = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');}
-static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33;
pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
memset(ptr, 0, size);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));}
-static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43;
pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL);if (!ptr1) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); kfree(ptr1);ptr2 = kmalloc(size, GFP_KERNEL);
if (!ptr2) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
ptr1[40] = 'x';if (ptr1 == ptr2)pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); kfree(ptr2);}
-static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset;
pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset);}
-static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys;
pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); phys = virt_to_phys(ptr); kfree(phys_to_virt(phys));}
-static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("out-of-bounds in kmem_cache_alloc\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
*p = p[size];
KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache);}
-static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation.@@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void)
static char global_array[10];
-static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i];
pr_info("out-of-bounds global variable\n");*(volatile char *)p;-}
-static noinline void __init kasan_stack_oob(void) -{
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];pr_info("out-of-bounds on stack\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size;
pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */
ptr[real_size] = 'y';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr);}
-static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK)) +static void kasan_stack_oob(struct kunit *test) {
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1;
pr_info("out-of-bounds to left on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i;
pr_info("out-of-bounds to right on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);} +#endif /* CONFIG_KASAN_STACK */
-static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("double-free on heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } kmem_cache_free(cache, p);
kmem_cache_free(cache, p);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache);}
-static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void)
cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("invalid-free of heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } /* Trigger invalid free, the object doesn't get freed */
kmem_cache_free(cache, p + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1)); /* * Properly free the object to prevent the "Objects remaining in@@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); }
-static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memchr(ptr, '1', size + 1);
KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr);}
-static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9];
pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); memset(arr, 0, sizeof(arr));
memcmp(ptr, arr, size+1);
KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr);}
-static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);@@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16;
strchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1'));
pr_info("use-after-free in strrchr\n");strrchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1'));
pr_info("use-after-free in strcmp\n");strcmp(ptr, "2");
KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2"));
pr_info("use-after-free in strncmp\n");strncmp(ptr, "2", 1);
KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1));
pr_info("use-after-free in strlen\n");strlen(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr));
pr_info("use-after-free in strnlen\n");strnlen(ptr, 1);
KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1));}
-static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
if (!bits)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); /* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */
pr_info("out-of-bounds in set_bit\n");set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __set_bit\n");__set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit\n");clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit\n");__clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit_unlock\n");clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit_unlock\n");__clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in change_bit\n");change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __change_bit\n");__change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits)); /* * Below calls try to access bit beyond allocated memory. */
pr_info("out-of-bounds in test_and_set_bit\n");test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_set_bit\n");__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_set_bit_lock\n");test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_clear_bit\n");test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_clear_bit\n");__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_change_bit\n");test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_change_bit\n");__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_bit\n");(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));#if defined(clear_bit_unlock_is_negative_byte)
pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE,bits));#endif kfree(bits); }
-static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kzfree(ptr);
kzfree(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr));}
#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area;
pr_info("vmalloc out-of-bounds\n");/* * We have to be careful not to hit the guard page. * The MMU will catch that and crash us. */ area = vmalloc(3000);if (!area) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
((volatile char *)area)[3100];
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area);} #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif
-static int __init kmalloc_tests_init(void) -{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();kmalloc_oob_right();kmalloc_oob_left();kmalloc_node_oob_right();+static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(kmalloc_oob_right),KUNIT_CASE(kmalloc_oob_left),KUNIT_CASE(kmalloc_node_oob_right),#ifdef CONFIG_SLUB
kmalloc_pagealloc_oob_right();kmalloc_pagealloc_uaf();kmalloc_pagealloc_invalid_free();-#endif
kmalloc_large_oob_right();kmalloc_oob_krealloc_more();kmalloc_oob_krealloc_less();kmalloc_oob_16();kmalloc_oob_in_memset();kmalloc_oob_memset_2();kmalloc_oob_memset_4();kmalloc_oob_memset_8();kmalloc_oob_memset_16();kmalloc_uaf();kmalloc_uaf_memset();kmalloc_uaf2();kfree_via_page();kfree_via_phys();kmem_cache_oob();memcg_accounted_kmem_cache();kasan_stack_oob();kasan_global_oob();kasan_alloca_oob_left();kasan_alloca_oob_right();ksize_unpoisons_memory();copy_user_test();kmem_cache_double_free();kmem_cache_invalid_free();kasan_memchr();kasan_memcmp();kasan_strings();kasan_bitops();kmalloc_double_kzfree();vmalloc_oob();kasan_restore_multi_shot(multishot);return -EAGAIN;-}
KUNIT_CASE(kmalloc_pagealloc_oob_right),KUNIT_CASE(kmalloc_pagealloc_uaf),KUNIT_CASE(kmalloc_pagealloc_invalid_free),+#endif /* CONFIG_SLUB */
KUNIT_CASE(kmalloc_large_oob_right),KUNIT_CASE(kmalloc_oob_krealloc_more),KUNIT_CASE(kmalloc_oob_krealloc_less),KUNIT_CASE(kmalloc_oob_16),KUNIT_CASE(kmalloc_oob_in_memset),KUNIT_CASE(kmalloc_oob_memset_2),KUNIT_CASE(kmalloc_oob_memset_4),KUNIT_CASE(kmalloc_oob_memset_8),KUNIT_CASE(kmalloc_oob_memset_16),KUNIT_CASE(kmalloc_uaf),KUNIT_CASE(kmalloc_uaf_memset),KUNIT_CASE(kmalloc_uaf2),KUNIT_CASE(kfree_via_page),KUNIT_CASE(kfree_via_phys),KUNIT_CASE(kmem_cache_oob),KUNIT_CASE(memcg_accounted_kmem_cache),KUNIT_CASE(kasan_global_oob),+#if (IS_ENABLED(CONFIG_KASAN_STACK))
KUNIT_CASE(kasan_stack_oob), // need stack protectionKUNIT_CASE(kasan_alloca_oob_left),KUNIT_CASE(kasan_alloca_oob_right),+#endif /*CONFIG_KASAN_STACK*/
KUNIT_CASE(ksize_unpoisons_memory),KUNIT_CASE(kmem_cache_double_free),KUNIT_CASE(kmem_cache_invalid_free),KUNIT_CASE(kasan_memchr),KUNIT_CASE(kasan_memcmp),KUNIT_CASE(kasan_strings),KUNIT_CASE(kasan_bitops),KUNIT_CASE(kmalloc_double_kzfree),KUNIT_CASE(vmalloc_oob),{}+};
+static struct kunit_suite kasan_kunit_test_suite = {
.name = "kasan_kunit_test",.init = kasan_multi_shot_init,.test_cases = kasan_kunit_test_cases,.exit = kasan_multi_shot_exit,+};
+kunit_test_suite(kasan_kunit_test_suite);
+#endif /* BUILTIN(CONFIG_KUNIT) */
-module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/*
- Copyright (c) 2014 Samsung Electronics Co., Ltd.
- Author: Andrey Ryabinin a.ryabinin@samsung.com
- */
+#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
+#include <linux/mman.h> +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/slab.h> +#include <linux/uaccess.h>
+static noinline void __init copy_user_test(void) +{
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);+}
+static int __init copy_user_tests_init(void) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();copy_user_test();kasan_restore_multi_shot(multishot);return -EAGAIN;+}
+module_init(copy_user_tests_init);
+MODULE_LICENSE("GPL");
2.25.1.696.g5e7596f4ac-goog
On Thu, Mar 19, 2020 at 9:42 AM Patricia Alfonso trishalfonso@google.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
Reviewed-by: Brendan Higgins brendanhiggins@google.com
On Thu, Mar 19, 2020 at 5:42 PM 'Patricia Alfonso' via kasan-dev kasan-dev@googlegroups.com wrote:
Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg.
Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled.
copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module.
Signed-off-by: Patricia Alfonso trishalfonso@google.com
lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c
diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage.
config TEST_KASAN
tristate "Module for testing KASAN for bug detection"depends on m && KASAN
tristate "KUnit testing KASAN for bug detection"depends on KASAN && KUNIT=y help
This is a test module doing various nasty things like
This is a test suite doing various nasty things like out of bounds accesses, use after free. It is useful for testing kernel debugging features like KASAN.+config TEST_KASAN_USER
tristate "Module testing KASAN for bug detection on copy user tests"depends on m && KASANhelpThis is a test module for copy_user_tests because these functionscannot be tested by KUnit so they must be their own module.diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@
- Author: Andrey Ryabinin a.ryabinin@samsung.com
*/
-#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
#include <linux/bitops.h> #include <linux/delay.h> #include <linux/kasan.h> @@ -25,8 +23,26 @@
#include <kunit/test.h>
+#if IS_BUILTIN(CONFIG_KUNIT)
This file is not compiled if KUNIT is not builtin, right? In such this is not necessary.
struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot;
+int kasan_multi_shot_init(struct kunit *test) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/multishot = kasan_save_enable_multi_shot();return 0;+}
+void kasan_multi_shot_exit(struct kunit *test) +{
kasan_restore_multi_shot(multishot);+}
#define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0)
-/*
- Note: test functions are marked noinline so that their names appear in
- reports.
- */
-static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123;
pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr);}
-static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15;
pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
*ptr = *(ptr - 1);
KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr);}
-static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096;
pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
#ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */
pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
ptr[0] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);}
-static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
kfree(ptr + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));} -#endif +#endif /* CONFIG_SLUB */
-static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */
pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
ptr[size] = 0;
KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr);}
-static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19;
pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
ptr2[size2] = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15;
pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);return;}ptr2[size2] = 'x';
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2);}
-static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2;
pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
if (!ptr1 || !ptr2) {pr_err("Allocation failed\n");kfree(ptr1);kfree(ptr2);return;}*ptr1 = *ptr2;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2);}
-static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+7, 0, 2);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+5, 0, 4);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8;
pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 8);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr);}
-static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr+1, 0, 16);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr);}
-static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666;
pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset(ptr, 0, size+5);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr);}
-static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10;
pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
*(ptr + 8) = 'x';
KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');}
-static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33;
pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);
memset(ptr, 0, size);
KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));}
-static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43;
pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL);if (!ptr1) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); kfree(ptr1);ptr2 = kmalloc(size, GFP_KERNEL);
if (!ptr2) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
ptr1[40] = 'x';if (ptr1 == ptr2)pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); kfree(ptr2);}
-static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset;
pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset);}
-static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys;
pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); phys = virt_to_phys(ptr); kfree(phys_to_virt(phys));}
-static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("out-of-bounds in kmem_cache_alloc\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; }
*p = p[size];
KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache);}
-static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation.@@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void)
static char global_array[10];
-static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i];
pr_info("out-of-bounds global variable\n");*(volatile char *)p;-}
-static noinline void __init kasan_stack_oob(void) -{
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];pr_info("out-of-bounds on stack\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size;
pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */
ptr[real_size] = 'y';
KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr);}
-static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK))
C checks are generally preferable to preprocessor checks. I.e.
if (IS_ENABLED(CONFIG_KASAN_STACK)) return; // I don't know if there is a KUNIT feature of "skipping" a test.
This way this code will be at least compiled in UML builds.
Since UML will be the simplest way to test KASAN after this change, some people may run just these tests and then this may end up not just failing but even build broken.
+static void kasan_stack_oob(struct kunit *test) {
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);
char stack_array[10];volatile int i = 0;char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1;
pr_info("out-of-bounds to left on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);}
-static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i;
pr_info("out-of-bounds to right on alloca\n");*(volatile char *)p;
KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);} +#endif /* CONFIG_KASAN_STACK */
-static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache;
cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("double-free on heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } kmem_cache_free(cache, p);
kmem_cache_free(cache, p);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache);}
-static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void)
cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL);
if (!cache) {pr_err("Cache allocation failed\n");return;}pr_info("invalid-free of heap object\n");
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) {
pr_err("Allocation failed\n");
kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } /* Trigger invalid free, the object doesn't get freed */
kmem_cache_free(cache, p + 1);
KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1)); /* * Properly free the object to prevent the "Objects remaining in@@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); }
-static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memchr(ptr, '1', size + 1);
KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr);}
-static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9];
pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); memset(arr, 0, sizeof(arr));
memcmp(ptr, arr, size+1);
KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr);}
-static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24;
pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);if (!ptr)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr);@@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16;
strchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1'));
pr_info("use-after-free in strrchr\n");strrchr(ptr, '1');
KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1'));
pr_info("use-after-free in strcmp\n");strcmp(ptr, "2");
KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2"));
pr_info("use-after-free in strncmp\n");strncmp(ptr, "2", 1);
KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1));
pr_info("use-after-free in strlen\n");strlen(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr));
pr_info("use-after-free in strnlen\n");strnlen(ptr, 1);
KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1));}
-static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
if (!bits)return;
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); /* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */
pr_info("out-of-bounds in set_bit\n");set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __set_bit\n");__set_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit\n");clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit\n");__clear_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in clear_bit_unlock\n");clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __clear_bit_unlock\n");__clear_bit_unlock(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits));
pr_info("out-of-bounds in change_bit\n");change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits));
pr_info("out-of-bounds in __change_bit\n");__change_bit(BITS_PER_LONG, bits);
KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits)); /* * Below calls try to access bit beyond allocated memory. */
pr_info("out-of-bounds in test_and_set_bit\n");test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_set_bit\n");__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_set_bit_lock\n");test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_clear_bit\n");test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_clear_bit\n");__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_and_change_bit\n");test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in __test_and_change_bit\n");__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,__test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));
pr_info("out-of-bounds in test_bit\n");(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,(void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits));#if defined(clear_bit_unlock_is_negative_byte)
pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
KUNIT_EXPECT_KASAN_FAIL(test,clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE,bits));#endif kfree(bits); }
-static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16;
pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL);if (!ptr) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kzfree(ptr);
kzfree(ptr);
KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr));}
#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area;
pr_info("vmalloc out-of-bounds\n");/* * We have to be careful not to hit the guard page. * The MMU will catch that and crash us. */ area = vmalloc(3000);if (!area) {pr_err("Allocation failed\n");return;}
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
((volatile char *)area)[3100];
KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area);} #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif
-static int __init kmalloc_tests_init(void) -{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();kmalloc_oob_right();kmalloc_oob_left();kmalloc_node_oob_right();+static struct kunit_case kasan_kunit_test_cases[] = {
KUNIT_CASE(kmalloc_oob_right),KUNIT_CASE(kmalloc_oob_left),KUNIT_CASE(kmalloc_node_oob_right),#ifdef CONFIG_SLUB
kmalloc_pagealloc_oob_right();kmalloc_pagealloc_uaf();kmalloc_pagealloc_invalid_free();-#endif
kmalloc_large_oob_right();kmalloc_oob_krealloc_more();kmalloc_oob_krealloc_less();kmalloc_oob_16();kmalloc_oob_in_memset();kmalloc_oob_memset_2();kmalloc_oob_memset_4();kmalloc_oob_memset_8();kmalloc_oob_memset_16();kmalloc_uaf();kmalloc_uaf_memset();kmalloc_uaf2();kfree_via_page();kfree_via_phys();kmem_cache_oob();memcg_accounted_kmem_cache();kasan_stack_oob();kasan_global_oob();kasan_alloca_oob_left();kasan_alloca_oob_right();ksize_unpoisons_memory();copy_user_test();kmem_cache_double_free();kmem_cache_invalid_free();kasan_memchr();kasan_memcmp();kasan_strings();kasan_bitops();kmalloc_double_kzfree();vmalloc_oob();kasan_restore_multi_shot(multishot);return -EAGAIN;-}
KUNIT_CASE(kmalloc_pagealloc_oob_right),KUNIT_CASE(kmalloc_pagealloc_uaf),KUNIT_CASE(kmalloc_pagealloc_invalid_free),+#endif /* CONFIG_SLUB */
KUNIT_CASE(kmalloc_large_oob_right),KUNIT_CASE(kmalloc_oob_krealloc_more),KUNIT_CASE(kmalloc_oob_krealloc_less),KUNIT_CASE(kmalloc_oob_16),KUNIT_CASE(kmalloc_oob_in_memset),KUNIT_CASE(kmalloc_oob_memset_2),KUNIT_CASE(kmalloc_oob_memset_4),KUNIT_CASE(kmalloc_oob_memset_8),KUNIT_CASE(kmalloc_oob_memset_16),KUNIT_CASE(kmalloc_uaf),KUNIT_CASE(kmalloc_uaf_memset),KUNIT_CASE(kmalloc_uaf2),KUNIT_CASE(kfree_via_page),KUNIT_CASE(kfree_via_phys),KUNIT_CASE(kmem_cache_oob),KUNIT_CASE(memcg_accounted_kmem_cache),KUNIT_CASE(kasan_global_oob),+#if (IS_ENABLED(CONFIG_KASAN_STACK))
KUNIT_CASE(kasan_stack_oob), // need stack protectionKUNIT_CASE(kasan_alloca_oob_left),KUNIT_CASE(kasan_alloca_oob_right),+#endif /*CONFIG_KASAN_STACK*/
KUNIT_CASE(ksize_unpoisons_memory),KUNIT_CASE(kmem_cache_double_free),KUNIT_CASE(kmem_cache_invalid_free),KUNIT_CASE(kasan_memchr),KUNIT_CASE(kasan_memcmp),KUNIT_CASE(kasan_strings),KUNIT_CASE(kasan_bitops),KUNIT_CASE(kmalloc_double_kzfree),KUNIT_CASE(vmalloc_oob),{}+};
+static struct kunit_suite kasan_kunit_test_suite = {
.name = "kasan_kunit_test",.init = kasan_multi_shot_init,.test_cases = kasan_kunit_test_cases,.exit = kasan_multi_shot_exit,+};
+kunit_test_suite(kasan_kunit_test_suite);
+#endif /* BUILTIN(CONFIG_KUNIT) */
-module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/*
- Copyright (c) 2014 Samsung Electronics Co., Ltd.
- Author: Andrey Ryabinin a.ryabinin@samsung.com
- */
+#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
+#include <linux/mman.h> +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/slab.h> +#include <linux/uaccess.h>
+static noinline void __init copy_user_test(void) +{
char *kmem;char __user *usermem;size_t size = 10;int unused;kmem = kmalloc(size, GFP_KERNEL);if (!kmem)return;usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_ANONYMOUS | MAP_PRIVATE, 0);if (IS_ERR(usermem)) {pr_err("Failed to allocate user memory\n");kfree(kmem);return;}pr_info("out-of-bounds in copy_from_user()\n");unused = copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in copy_to_user()\n");unused = copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user()\n");unused = __copy_from_user(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user()\n");unused = __copy_to_user(usermem, kmem, size + 1);pr_info("out-of-bounds in __copy_from_user_inatomic()\n");unused = __copy_from_user_inatomic(kmem, usermem, size + 1);pr_info("out-of-bounds in __copy_to_user_inatomic()\n");unused = __copy_to_user_inatomic(usermem, kmem, size + 1);pr_info("out-of-bounds in strncpy_from_user()\n");unused = strncpy_from_user(kmem, usermem, size + 1);vm_munmap((unsigned long)usermem, PAGE_SIZE);kfree(kmem);+}
+static int __init copy_user_tests_init(void) +{
/** Temporarily enable multi-shot mode. Otherwise, we'd only get a* report for the first case.*/bool multishot = kasan_save_enable_multi_shot();copy_user_test();kasan_restore_multi_shot(multishot);return -EAGAIN;+}
+module_init(copy_user_tests_init);
+MODULE_LICENSE("GPL");
2.25.1.696.g5e7596f4ac-goog
-- You received this message because you are subscribed to the Google Groups "kasan-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200319164227.87419-4-trishalfo....
linux-kselftest-mirror@lists.linaro.org
-
Alan Maguire -
Brendan Higgins -
Dmitry Vyukov -
Patricia Alfonso