1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
8 #define pr_fmt(fmt) "kasan test: %s " fmt, __func__
10 #include <linux/mman.h>
11 #include <linux/module.h>
12 #include <linux/printk.h>
13 #include <linux/slab.h>
14 #include <linux/uaccess.h>
16 #include "../mm/kasan/kasan.h"
18 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
20 static noinline
void __init
copy_user_test(void)
27 kmem
= kmalloc(size
, GFP_KERNEL
);
31 usermem
= (char __user
*)vm_mmap(NULL
, 0, PAGE_SIZE
,
32 PROT_READ
| PROT_WRITE
| PROT_EXEC
,
33 MAP_ANONYMOUS
| MAP_PRIVATE
, 0);
34 if (IS_ERR(usermem
)) {
35 pr_err("Failed to allocate user memory\n");
40 pr_info("out-of-bounds in copy_from_user()\n");
41 unused
= copy_from_user(kmem
, usermem
, size
+ 1 + OOB_TAG_OFF
);
43 pr_info("out-of-bounds in copy_to_user()\n");
44 unused
= copy_to_user(usermem
, kmem
, size
+ 1 + OOB_TAG_OFF
);
46 pr_info("out-of-bounds in __copy_from_user()\n");
47 unused
= __copy_from_user(kmem
, usermem
, size
+ 1 + OOB_TAG_OFF
);
49 pr_info("out-of-bounds in __copy_to_user()\n");
50 unused
= __copy_to_user(usermem
, kmem
, size
+ 1 + OOB_TAG_OFF
);
52 pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
53 unused
= __copy_from_user_inatomic(kmem
, usermem
, size
+ 1 + OOB_TAG_OFF
);
55 pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
56 unused
= __copy_to_user_inatomic(usermem
, kmem
, size
+ 1 + OOB_TAG_OFF
);
58 pr_info("out-of-bounds in strncpy_from_user()\n");
59 unused
= strncpy_from_user(kmem
, usermem
, size
+ 1 + OOB_TAG_OFF
);
61 vm_munmap((unsigned long)usermem
, PAGE_SIZE
);
65 static struct kasan_rcu_info
{
70 static noinline
void __init
kasan_rcu_reclaim(struct rcu_head
*rp
)
72 struct kasan_rcu_info
*fp
= container_of(rp
,
73 struct kasan_rcu_info
, rcu
);
79 static noinline
void __init
kasan_rcu_uaf(void)
81 struct kasan_rcu_info
*ptr
;
83 pr_info("use-after-free in kasan_rcu_reclaim\n");
84 ptr
= kmalloc(sizeof(struct kasan_rcu_info
), GFP_KERNEL
);
86 pr_err("Allocation failed\n");
90 global_rcu_ptr
= rcu_dereference_protected(ptr
, NULL
);
91 call_rcu(&global_rcu_ptr
->rcu
, kasan_rcu_reclaim
);
94 static noinline
void __init
kasan_workqueue_work(struct work_struct
*work
)
99 static noinline
void __init
kasan_workqueue_uaf(void)
101 struct workqueue_struct
*workqueue
;
102 struct work_struct
*work
;
104 workqueue
= create_workqueue("kasan_wq_test");
106 pr_err("Allocation failed\n");
109 work
= kmalloc(sizeof(struct work_struct
), GFP_KERNEL
);
111 pr_err("Allocation failed\n");
115 INIT_WORK(work
, kasan_workqueue_work
);
116 queue_work(workqueue
, work
);
117 destroy_workqueue(workqueue
);
119 pr_info("use-after-free on workqueue\n");
120 ((volatile struct work_struct
*)work
)->data
;
123 static int __init
test_kasan_module_init(void)
126 * Temporarily enable multi-shot mode. Otherwise, we'd only get a
127 * report for the first case.
129 bool multishot
= kasan_save_enable_multi_shot();
133 kasan_workqueue_uaf();
135 kasan_restore_multi_shot(multishot
);
139 module_init(test_kasan_module_init
);
140 MODULE_LICENSE("GPL");
