search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'block-5.11-2021-01-16' of git://git.kernel.dk/linux-block
[linux/fpc-iii.git] / lib / test_kasan.c
blob2947274cc2d30be0911ae91a671bc9140da5a5ff
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 *
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
6 */
7
8 #include <linux/bitops.h>
9 #include <linux/delay.h>
10 #include <linux/kasan.h>
11 #include <linux/kernel.h>
12 #include <linux/mm.h>
13 #include <linux/mman.h>
14 #include <linux/module.h>
15 #include <linux/printk.h>
16 #include <linux/slab.h>
17 #include <linux/string.h>
18 #include <linux/uaccess.h>
19 #include <linux/io.h>
20 #include <linux/vmalloc.h>
21
22 #include <asm/page.h>
23
24 #include <kunit/test.h>
25
26 #include "../mm/kasan/kasan.h"
27
28 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
29
30 /*
31 * We assign some test results to these globals to make sure the tests
32 * are not eliminated as dead code.
33 */
34
35 void *kasan_ptr_result;
36 int kasan_int_result;
37
38 static struct kunit_resource resource;
39 static struct kunit_kasan_expectation fail_data;
40 static bool multishot;
41
42 static int kasan_test_init(struct kunit *test)
43 {
44 /*
45 * Temporarily enable multi-shot mode and set panic_on_warn=0.
46 * Otherwise, we'd only get a report for the first case.
47 */
48 multishot = kasan_save_enable_multi_shot();
49
50 return 0;
51 }
52
53 static void kasan_test_exit(struct kunit *test)
54 {
55 kasan_restore_multi_shot(multishot);
56 }
57
58 /**
59 * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does
60 * not cause a KASAN error. This uses a KUnit resource named "kasan_data." Do
61 * Do not use this name for a KUnit resource outside here.
62 *
63 */
64 #define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \
65 fail_data.report_expected = true; \
66 fail_data.report_found = false; \
67 kunit_add_named_resource(test, \
68 NULL, \
69 NULL, \
70 &resource, \
71 "kasan_data", &fail_data); \
72 condition; \
73 KUNIT_EXPECT_EQ(test, \
74 fail_data.report_expected, \
75 fail_data.report_found); \
76 } while (0)
77
78 static void kmalloc_oob_right(struct kunit *test)
79 {
80 char *ptr;
81 size_t size = 123;
82
83 ptr = kmalloc(size, GFP_KERNEL);
84 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
85
86 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
87 kfree(ptr);
88 }
89
90 static void kmalloc_oob_left(struct kunit *test)
91 {
92 char *ptr;
93 size_t size = 15;
94
95 ptr = kmalloc(size, GFP_KERNEL);
96 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
97
98 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
99 kfree(ptr);
100 }
101
102 static void kmalloc_node_oob_right(struct kunit *test)
103 {
104 char *ptr;
105 size_t size = 4096;
106
107 ptr = kmalloc_node(size, GFP_KERNEL, 0);
108 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
109
110 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
111 kfree(ptr);
112 }
113
114 static void kmalloc_pagealloc_oob_right(struct kunit *test)
115 {
116 char *ptr;
117 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
118
119 if (!IS_ENABLED(CONFIG_SLUB)) {
120 kunit_info(test, "CONFIG_SLUB is not enabled.");
121 return;
122 }
123
124 /* Allocate a chunk that does not fit into a SLUB cache to trigger
125 * the page allocator fallback.
126 */
127 ptr = kmalloc(size, GFP_KERNEL);
128 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
129
130 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
131 kfree(ptr);
132 }
133
134 static void kmalloc_pagealloc_uaf(struct kunit *test)
135 {
136 char *ptr;
137 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
138
139 if (!IS_ENABLED(CONFIG_SLUB)) {
140 kunit_info(test, "CONFIG_SLUB is not enabled.");
141 return;
142 }
143
144 ptr = kmalloc(size, GFP_KERNEL);
145 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
146
147 kfree(ptr);
148 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
149 }
150
151 static void kmalloc_pagealloc_invalid_free(struct kunit *test)
152 {
153 char *ptr;
154 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
155
156 if (!IS_ENABLED(CONFIG_SLUB)) {
157 kunit_info(test, "CONFIG_SLUB is not enabled.");
158 return;
159 }
160
161 ptr = kmalloc(size, GFP_KERNEL);
162 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
163
164 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
165 }
166
167 static void kmalloc_large_oob_right(struct kunit *test)
168 {
169 char *ptr;
170 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
171 /* Allocate a chunk that is large enough, but still fits into a slab
172 * and does not trigger the page allocator fallback in SLUB.
173 */
174 ptr = kmalloc(size, GFP_KERNEL);
175 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
176
177 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
178 kfree(ptr);
179 }
180
181 static void kmalloc_oob_krealloc_more(struct kunit *test)
182 {
183 char *ptr1, *ptr2;
184 size_t size1 = 17;
185 size_t size2 = 19;
186
187 ptr1 = kmalloc(size1, GFP_KERNEL);
188 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
189
190 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
191 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
192
193 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
194 kfree(ptr2);
195 }
196
197 static void kmalloc_oob_krealloc_less(struct kunit *test)
198 {
199 char *ptr1, *ptr2;
200 size_t size1 = 17;
201 size_t size2 = 15;
202
203 ptr1 = kmalloc(size1, GFP_KERNEL);
204 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
205
206 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
207 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
208
209 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
210 kfree(ptr2);
211 }
212
213 static void kmalloc_oob_16(struct kunit *test)
214 {
215 struct {
216 u64 words[2];
217 } *ptr1, *ptr2;
218
219 /* This test is specifically crafted for the generic mode. */
220 if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
221 kunit_info(test, "CONFIG_KASAN_GENERIC required\n");
222 return;
223 }
224
225 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
226 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
227
228 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
229 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
230
231 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
232 kfree(ptr1);
233 kfree(ptr2);
234 }
235
236 static void kmalloc_uaf_16(struct kunit *test)
237 {
238 struct {
239 u64 words[2];
240 } *ptr1, *ptr2;
241
242 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
243 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
244
245 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
246 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
247 kfree(ptr2);
248
249 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
250 kfree(ptr1);
251 }
252
253 static void kmalloc_oob_memset_2(struct kunit *test)
254 {
255 char *ptr;
256 size_t size = 8;
257
258 ptr = kmalloc(size, GFP_KERNEL);
259 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
260
261 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
262 kfree(ptr);
263 }
264
265 static void kmalloc_oob_memset_4(struct kunit *test)
266 {
267 char *ptr;
268 size_t size = 8;
269
270 ptr = kmalloc(size, GFP_KERNEL);
271 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
272
273 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
274 kfree(ptr);
275 }
276
277
278 static void kmalloc_oob_memset_8(struct kunit *test)
279 {
280 char *ptr;
281 size_t size = 8;
282
283 ptr = kmalloc(size, GFP_KERNEL);
284 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
285
286 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
287 kfree(ptr);
288 }
289
290 static void kmalloc_oob_memset_16(struct kunit *test)
291 {
292 char *ptr;
293 size_t size = 16;
294
295 ptr = kmalloc(size, GFP_KERNEL);
296 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
297
298 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
299 kfree(ptr);
300 }
301
302 static void kmalloc_oob_in_memset(struct kunit *test)
303 {
304 char *ptr;
305 size_t size = 666;
306
307 ptr = kmalloc(size, GFP_KERNEL);
308 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
309
310 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
311 kfree(ptr);
312 }
313
314 static void kmalloc_memmove_invalid_size(struct kunit *test)
315 {
316 char *ptr;
317 size_t size = 64;
318 volatile size_t invalid_size = -2;
319
320 ptr = kmalloc(size, GFP_KERNEL);
321 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
322
323 memset((char *)ptr, 0, 64);
324
325 KUNIT_EXPECT_KASAN_FAIL(test,
326 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
327 kfree(ptr);
328 }
329
330 static void kmalloc_uaf(struct kunit *test)
331 {
332 char *ptr;
333 size_t size = 10;
334
335 ptr = kmalloc(size, GFP_KERNEL);
336 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
337
338 kfree(ptr);
339 KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
340 }
341
342 static void kmalloc_uaf_memset(struct kunit *test)
343 {
344 char *ptr;
345 size_t size = 33;
346
347 ptr = kmalloc(size, GFP_KERNEL);
348 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
349
350 kfree(ptr);
351 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
352 }
353
354 static void kmalloc_uaf2(struct kunit *test)
355 {
356 char *ptr1, *ptr2;
357 size_t size = 43;
358
359 ptr1 = kmalloc(size, GFP_KERNEL);
360 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
361
362 kfree(ptr1);
363
364 ptr2 = kmalloc(size, GFP_KERNEL);
365 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
366
367 KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
368 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
369
370 kfree(ptr2);
371 }
372
373 static void kfree_via_page(struct kunit *test)
374 {
375 char *ptr;
376 size_t size = 8;
377 struct page *page;
378 unsigned long offset;
379
380 ptr = kmalloc(size, GFP_KERNEL);
381 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
382
383 page = virt_to_page(ptr);
384 offset = offset_in_page(ptr);
385 kfree(page_address(page) + offset);
386 }
387
388 static void kfree_via_phys(struct kunit *test)
389 {
390 char *ptr;
391 size_t size = 8;
392 phys_addr_t phys;
393
394 ptr = kmalloc(size, GFP_KERNEL);
395 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
396
397 phys = virt_to_phys(ptr);
398 kfree(phys_to_virt(phys));
399 }
400
401 static void kmem_cache_oob(struct kunit *test)
402 {
403 char *p;
404 size_t size = 200;
405 struct kmem_cache *cache = kmem_cache_create("test_cache",
406 size, 0,
407 0, NULL);
408 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
409 p = kmem_cache_alloc(cache, GFP_KERNEL);
410 if (!p) {
411 kunit_err(test, "Allocation failed: %s\n", __func__);
412 kmem_cache_destroy(cache);
413 return;
414 }
415
416 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
417 kmem_cache_free(cache, p);
418 kmem_cache_destroy(cache);
419 }
420
421 static void memcg_accounted_kmem_cache(struct kunit *test)
422 {
423 int i;
424 char *p;
425 size_t size = 200;
426 struct kmem_cache *cache;
427
428 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
429 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
430
431 /*
432 * Several allocations with a delay to allow for lazy per memcg kmem
433 * cache creation.
434 */
435 for (i = 0; i < 5; i++) {
436 p = kmem_cache_alloc(cache, GFP_KERNEL);
437 if (!p)
438 goto free_cache;
439
440 kmem_cache_free(cache, p);
441 msleep(100);
442 }
443
444 free_cache:
445 kmem_cache_destroy(cache);
446 }
447
448 static char global_array[10];
449
450 static void kasan_global_oob(struct kunit *test)
451 {
452 volatile int i = 3;
453 char *p = &global_array[ARRAY_SIZE(global_array) + i];
454
455 /* Only generic mode instruments globals. */
456 if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
457 kunit_info(test, "CONFIG_KASAN_GENERIC required");
458 return;
459 }
460
461 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
462 }
463
464 static void ksize_unpoisons_memory(struct kunit *test)
465 {
466 char *ptr;
467 size_t size = 123, real_size;
468
469 ptr = kmalloc(size, GFP_KERNEL);
470 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
471 real_size = ksize(ptr);
472 /* This access doesn't trigger an error. */
473 ptr[size] = 'x';
474 /* This one does. */
475 KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y');
476 kfree(ptr);
477 }
478
479 static void kasan_stack_oob(struct kunit *test)
480 {
481 char stack_array[10];
482 volatile int i = OOB_TAG_OFF;
483 char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
484
485 if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
486 kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
487 return;
488 }
489
490 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
491 }
492
493 static void kasan_alloca_oob_left(struct kunit *test)
494 {
495 volatile int i = 10;
496 char alloca_array[i];
497 char *p = alloca_array - 1;
498
499 /* Only generic mode instruments dynamic allocas. */
500 if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
501 kunit_info(test, "CONFIG_KASAN_GENERIC required");
502 return;
503 }
504
505 if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
506 kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
507 return;
508 }
509
510 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
511 }
512
513 static void kasan_alloca_oob_right(struct kunit *test)
514 {
515 volatile int i = 10;
516 char alloca_array[i];
517 char *p = alloca_array + i;
518
519 /* Only generic mode instruments dynamic allocas. */
520 if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
521 kunit_info(test, "CONFIG_KASAN_GENERIC required");
522 return;
523 }
524
525 if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
526 kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
527 return;
528 }
529
530 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
531 }
532
533 static void kmem_cache_double_free(struct kunit *test)
534 {
535 char *p;
536 size_t size = 200;
537 struct kmem_cache *cache;
538
539 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
540 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
541
542 p = kmem_cache_alloc(cache, GFP_KERNEL);
543 if (!p) {
544 kunit_err(test, "Allocation failed: %s\n", __func__);
545 kmem_cache_destroy(cache);
546 return;
547 }
548
549 kmem_cache_free(cache, p);
550 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
551 kmem_cache_destroy(cache);
552 }
553
554 static void kmem_cache_invalid_free(struct kunit *test)
555 {
556 char *p;
557 size_t size = 200;
558 struct kmem_cache *cache;
559
560 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
561 NULL);
562 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
563
564 p = kmem_cache_alloc(cache, GFP_KERNEL);
565 if (!p) {
566 kunit_err(test, "Allocation failed: %s\n", __func__);
567 kmem_cache_destroy(cache);
568 return;
569 }
570
571 /* Trigger invalid free, the object doesn't get freed */
572 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
573
574 /*
575 * Properly free the object to prevent the "Objects remaining in
576 * test_cache on __kmem_cache_shutdown" BUG failure.
577 */
578 kmem_cache_free(cache, p);
579
580 kmem_cache_destroy(cache);
581 }
582
583 static void kasan_memchr(struct kunit *test)
584 {
585 char *ptr;
586 size_t size = 24;
587
588 /* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
589 if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
590 kunit_info(test,
591 "str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
592 return;
593 }
594
595 if (OOB_TAG_OFF)
596 size = round_up(size, OOB_TAG_OFF);
597
598 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
599 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
600
601 KUNIT_EXPECT_KASAN_FAIL(test,
602 kasan_ptr_result = memchr(ptr, '1', size + 1));
603
604 kfree(ptr);
605 }
606
607 static void kasan_memcmp(struct kunit *test)
608 {
609 char *ptr;
610 size_t size = 24;
611 int arr[9];
612
613 /* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
614 if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
615 kunit_info(test,
616 "str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
617 return;
618 }
619
620 if (OOB_TAG_OFF)
621 size = round_up(size, OOB_TAG_OFF);
622
623 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
624 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
625 memset(arr, 0, sizeof(arr));
626
627 KUNIT_EXPECT_KASAN_FAIL(test,
628 kasan_int_result = memcmp(ptr, arr, size+1));
629 kfree(ptr);
630 }
631
632 static void kasan_strings(struct kunit *test)
633 {
634 char *ptr;
635 size_t size = 24;
636
637 /* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
638 if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
639 kunit_info(test,
640 "str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
641 return;
642 }
643
644 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
645 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
646
647 kfree(ptr);
648
649 /*
650 * Try to cause only 1 invalid access (less spam in dmesg).
651 * For that we need ptr to point to zeroed byte.
652 * Skip metadata that could be stored in freed object so ptr
653 * will likely point to zeroed byte.
654 */
655 ptr += 16;
656 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
657
658 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
659
660 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
661
662 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
663
664 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
665
666 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
667 }
668
669 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
670 {
671 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
672 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
673 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
674 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
675 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
676 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
677 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
678 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
679 }
680
681 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
682 {
683 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
684 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
685 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
686 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
687 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
688 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
689 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
690 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
691
692 #if defined(clear_bit_unlock_is_negative_byte)
693 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
694 clear_bit_unlock_is_negative_byte(nr, addr));
695 #endif
696 }
697
698 static void kasan_bitops_generic(struct kunit *test)
699 {
700 long *bits;
701
702 /* This test is specifically crafted for the generic mode. */
703 if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
704 kunit_info(test, "CONFIG_KASAN_GENERIC required\n");
705 return;
706 }
707
708 /*
709 * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes;
710 * this way we do not actually corrupt other memory.
711 */
712 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
713 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
714
715 /*
716 * Below calls try to access bit within allocated memory; however, the
717 * below accesses are still out-of-bounds, since bitops are defined to
718 * operate on the whole long the bit is in.
719 */
720 kasan_bitops_modify(test, BITS_PER_LONG, bits);
721
722 /*
723 * Below calls try to access bit beyond allocated memory.
724 */
725 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
726
727 kfree(bits);
728 }
729
730 static void kasan_bitops_tags(struct kunit *test)
731 {
732 long *bits;
733
734 /* This test is specifically crafted for the tag-based mode. */
735 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
736 kunit_info(test, "CONFIG_KASAN_SW_TAGS required\n");
737 return;
738 }
739
740 /* Allocation size will be rounded to up granule size, which is 16. */
741 bits = kzalloc(sizeof(*bits), GFP_KERNEL);
742 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
743
744 /* Do the accesses past the 16 allocated bytes. */
745 kasan_bitops_modify(test, BITS_PER_LONG, &bits[1]);
746 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, &bits[1]);
747
748 kfree(bits);
749 }
750
751 static void kmalloc_double_kzfree(struct kunit *test)
752 {
753 char *ptr;
754 size_t size = 16;
755
756 ptr = kmalloc(size, GFP_KERNEL);
757 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
758
759 kfree_sensitive(ptr);
760 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
761 }
762
763 static void vmalloc_oob(struct kunit *test)
764 {
765 void *area;
766
767 if (!IS_ENABLED(CONFIG_KASAN_VMALLOC)) {
768 kunit_info(test, "CONFIG_KASAN_VMALLOC is not enabled.");
769 return;
770 }
771
772 /*
773 * We have to be careful not to hit the guard page.
774 * The MMU will catch that and crash us.
775 */
776 area = vmalloc(3000);
777 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
778
779 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
780 vfree(area);
781 }
782
783 static struct kunit_case kasan_kunit_test_cases[] = {
784 KUNIT_CASE(kmalloc_oob_right),
785 KUNIT_CASE(kmalloc_oob_left),
786 KUNIT_CASE(kmalloc_node_oob_right),
787 KUNIT_CASE(kmalloc_pagealloc_oob_right),
788 KUNIT_CASE(kmalloc_pagealloc_uaf),
789 KUNIT_CASE(kmalloc_pagealloc_invalid_free),
790 KUNIT_CASE(kmalloc_large_oob_right),
791 KUNIT_CASE(kmalloc_oob_krealloc_more),
792 KUNIT_CASE(kmalloc_oob_krealloc_less),
793 KUNIT_CASE(kmalloc_oob_16),
794 KUNIT_CASE(kmalloc_uaf_16),
795 KUNIT_CASE(kmalloc_oob_in_memset),
796 KUNIT_CASE(kmalloc_oob_memset_2),
797 KUNIT_CASE(kmalloc_oob_memset_4),
798 KUNIT_CASE(kmalloc_oob_memset_8),
799 KUNIT_CASE(kmalloc_oob_memset_16),
800 KUNIT_CASE(kmalloc_memmove_invalid_size),
801 KUNIT_CASE(kmalloc_uaf),
802 KUNIT_CASE(kmalloc_uaf_memset),
803 KUNIT_CASE(kmalloc_uaf2),
804 KUNIT_CASE(kfree_via_page),
805 KUNIT_CASE(kfree_via_phys),
806 KUNIT_CASE(kmem_cache_oob),
807 KUNIT_CASE(memcg_accounted_kmem_cache),
808 KUNIT_CASE(kasan_global_oob),
809 KUNIT_CASE(kasan_stack_oob),
810 KUNIT_CASE(kasan_alloca_oob_left),
811 KUNIT_CASE(kasan_alloca_oob_right),
812 KUNIT_CASE(ksize_unpoisons_memory),
813 KUNIT_CASE(kmem_cache_double_free),
814 KUNIT_CASE(kmem_cache_invalid_free),
815 KUNIT_CASE(kasan_memchr),
816 KUNIT_CASE(kasan_memcmp),
817 KUNIT_CASE(kasan_strings),
818 KUNIT_CASE(kasan_bitops_generic),
819 KUNIT_CASE(kasan_bitops_tags),
820 KUNIT_CASE(kmalloc_double_kzfree),
821 KUNIT_CASE(vmalloc_oob),
822 {}
823 };
824
825 static struct kunit_suite kasan_kunit_test_suite = {
826 .name = "kasan",
827 .init = kasan_test_init,
828 .test_cases = kasan_kunit_test_cases,
829 .exit = kasan_test_exit,
830 };
831
832 kunit_test_suite(kasan_kunit_test_suite);
833
834 MODULE_LICENSE("GPL");
Linux with added FPC-III support