lib/test_kasan.c at v5.11-rc2

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / lib / test_kasan.c
at v5.11-rc2 834 lines 20 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 *
  4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
  5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
  6 */
  7
  8#include <linux/bitops.h>
  9#include <linux/delay.h>
 10#include <linux/kasan.h>
 11#include <linux/kernel.h>
 12#include <linux/mm.h>
 13#include <linux/mman.h>
 14#include <linux/module.h>
 15#include <linux/printk.h>
 16#include <linux/slab.h>
 17#include <linux/string.h>
 18#include <linux/uaccess.h>
 19#include <linux/io.h>
 20#include <linux/vmalloc.h>
 21
 22#include <asm/page.h>
 23
 24#include <kunit/test.h>
 25
 26#include "../mm/kasan/kasan.h"
 27
 28#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
 29
 30/*
 31 * We assign some test results to these globals to make sure the tests
 32 * are not eliminated as dead code.
 33 */
 34
 35void *kasan_ptr_result;
 36int kasan_int_result;
 37
 38static struct kunit_resource resource;
 39static struct kunit_kasan_expectation fail_data;
 40static bool multishot;
 41
 42static int kasan_test_init(struct kunit *test)
 43{
 44	/*
 45	 * Temporarily enable multi-shot mode and set panic_on_warn=0.
 46	 * Otherwise, we'd only get a report for the first case.
 47	 */
 48	multishot = kasan_save_enable_multi_shot();
 49
 50	return 0;
 51}
 52
 53static void kasan_test_exit(struct kunit *test)
 54{
 55	kasan_restore_multi_shot(multishot);
 56}
 57
 58/**
 59 * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does
 60 * not cause a KASAN error. This uses a KUnit resource named "kasan_data." Do
 61 * Do not use this name for a KUnit resource outside here.
 62 *
 63 */
 64#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \
 65	fail_data.report_expected = true; \
 66	fail_data.report_found = false; \
 67	kunit_add_named_resource(test, \
 68				NULL, \
 69				NULL, \
 70				&resource, \
 71				"kasan_data", &fail_data); \
 72	condition; \
 73	KUNIT_EXPECT_EQ(test, \
 74			fail_data.report_expected, \
 75			fail_data.report_found); \
 76} while (0)
 77
 78static void kmalloc_oob_right(struct kunit *test)
 79{
 80	char *ptr;
 81	size_t size = 123;
 82
 83	ptr = kmalloc(size, GFP_KERNEL);
 84	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
 85
 86	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
 87	kfree(ptr);
 88}
 89
 90static void kmalloc_oob_left(struct kunit *test)
 91{
 92	char *ptr;
 93	size_t size = 15;
 94
 95	ptr = kmalloc(size, GFP_KERNEL);
 96	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
 97
 98	KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
 99	kfree(ptr);
100}
101
102static void kmalloc_node_oob_right(struct kunit *test)
103{
104	char *ptr;
105	size_t size = 4096;
106
107	ptr = kmalloc_node(size, GFP_KERNEL, 0);
108	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
109
110	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
111	kfree(ptr);
112}
113
114static void kmalloc_pagealloc_oob_right(struct kunit *test)
115{
116	char *ptr;
117	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
118
119	if (!IS_ENABLED(CONFIG_SLUB)) {
120		kunit_info(test, "CONFIG_SLUB is not enabled.");
121		return;
122	}
123
124	/* Allocate a chunk that does not fit into a SLUB cache to trigger
125	 * the page allocator fallback.
126	 */
127	ptr = kmalloc(size, GFP_KERNEL);
128	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
129
130	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
131	kfree(ptr);
132}
133
134static void kmalloc_pagealloc_uaf(struct kunit *test)
135{
136	char *ptr;
137	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
138
139	if (!IS_ENABLED(CONFIG_SLUB)) {
140		kunit_info(test, "CONFIG_SLUB is not enabled.");
141		return;
142	}
143
144	ptr = kmalloc(size, GFP_KERNEL);
145	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
146
147	kfree(ptr);
148	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
149}
150
151static void kmalloc_pagealloc_invalid_free(struct kunit *test)
152{
153	char *ptr;
154	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
155
156	if (!IS_ENABLED(CONFIG_SLUB)) {
157		kunit_info(test, "CONFIG_SLUB is not enabled.");
158		return;
159	}
160
161	ptr = kmalloc(size, GFP_KERNEL);
162	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
163
164	KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
165}
166
167static void kmalloc_large_oob_right(struct kunit *test)
168{
169	char *ptr;
170	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
171	/* Allocate a chunk that is large enough, but still fits into a slab
172	 * and does not trigger the page allocator fallback in SLUB.
173	 */
174	ptr = kmalloc(size, GFP_KERNEL);
175	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
176
177	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
178	kfree(ptr);
179}
180
181static void kmalloc_oob_krealloc_more(struct kunit *test)
182{
183	char *ptr1, *ptr2;
184	size_t size1 = 17;
185	size_t size2 = 19;
186
187	ptr1 = kmalloc(size1, GFP_KERNEL);
188	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
189
190	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
191	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
192
193	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
194	kfree(ptr2);
195}
196
197static void kmalloc_oob_krealloc_less(struct kunit *test)
198{
199	char *ptr1, *ptr2;
200	size_t size1 = 17;
201	size_t size2 = 15;
202
203	ptr1 = kmalloc(size1, GFP_KERNEL);
204	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
205
206	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
207	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
208
209	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
210	kfree(ptr2);
211}
212
213static void kmalloc_oob_16(struct kunit *test)
214{
215	struct {
216		u64 words[2];
217	} *ptr1, *ptr2;
218
219	/* This test is specifically crafted for the generic mode. */
220	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
221		kunit_info(test, "CONFIG_KASAN_GENERIC required\n");
222		return;
223	}
224
225	ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
226	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
227
228	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
229	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
230
231	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
232	kfree(ptr1);
233	kfree(ptr2);
234}
235
236static void kmalloc_uaf_16(struct kunit *test)
237{
238	struct {
239		u64 words[2];
240	} *ptr1, *ptr2;
241
242	ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
243	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
244
245	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
246	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
247	kfree(ptr2);
248
249	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
250	kfree(ptr1);
251}
252
253static void kmalloc_oob_memset_2(struct kunit *test)
254{
255	char *ptr;
256	size_t size = 8;
257
258	ptr = kmalloc(size, GFP_KERNEL);
259	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
260
261	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
262	kfree(ptr);
263}
264
265static void kmalloc_oob_memset_4(struct kunit *test)
266{
267	char *ptr;
268	size_t size = 8;
269
270	ptr = kmalloc(size, GFP_KERNEL);
271	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
272
273	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
274	kfree(ptr);
275}
276
277
278static void kmalloc_oob_memset_8(struct kunit *test)
279{
280	char *ptr;
281	size_t size = 8;
282
283	ptr = kmalloc(size, GFP_KERNEL);
284	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
285
286	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
287	kfree(ptr);
288}
289
290static void kmalloc_oob_memset_16(struct kunit *test)
291{
292	char *ptr;
293	size_t size = 16;
294
295	ptr = kmalloc(size, GFP_KERNEL);
296	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
297
298	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
299	kfree(ptr);
300}
301
302static void kmalloc_oob_in_memset(struct kunit *test)
303{
304	char *ptr;
305	size_t size = 666;
306
307	ptr = kmalloc(size, GFP_KERNEL);
308	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
309
310	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
311	kfree(ptr);
312}
313
314static void kmalloc_memmove_invalid_size(struct kunit *test)
315{
316	char *ptr;
317	size_t size = 64;
318	volatile size_t invalid_size = -2;
319
320	ptr = kmalloc(size, GFP_KERNEL);
321	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
322
323	memset((char *)ptr, 0, 64);
324
325	KUNIT_EXPECT_KASAN_FAIL(test,
326		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
327	kfree(ptr);
328}
329
330static void kmalloc_uaf(struct kunit *test)
331{
332	char *ptr;
333	size_t size = 10;
334
335	ptr = kmalloc(size, GFP_KERNEL);
336	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
337
338	kfree(ptr);
339	KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
340}
341
342static void kmalloc_uaf_memset(struct kunit *test)
343{
344	char *ptr;
345	size_t size = 33;
346
347	ptr = kmalloc(size, GFP_KERNEL);
348	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
349
350	kfree(ptr);
351	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
352}
353
354static void kmalloc_uaf2(struct kunit *test)
355{
356	char *ptr1, *ptr2;
357	size_t size = 43;
358
359	ptr1 = kmalloc(size, GFP_KERNEL);
360	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
361
362	kfree(ptr1);
363
364	ptr2 = kmalloc(size, GFP_KERNEL);
365	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
366
367	KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
368	KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
369
370	kfree(ptr2);
371}
372
373static void kfree_via_page(struct kunit *test)
374{
375	char *ptr;
376	size_t size = 8;
377	struct page *page;
378	unsigned long offset;
379
380	ptr = kmalloc(size, GFP_KERNEL);
381	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
382
383	page = virt_to_page(ptr);
384	offset = offset_in_page(ptr);
385	kfree(page_address(page) + offset);
386}
387
388static void kfree_via_phys(struct kunit *test)
389{
390	char *ptr;
391	size_t size = 8;
392	phys_addr_t phys;
393
394	ptr = kmalloc(size, GFP_KERNEL);
395	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
396
397	phys = virt_to_phys(ptr);
398	kfree(phys_to_virt(phys));
399}
400
401static void kmem_cache_oob(struct kunit *test)
402{
403	char *p;
404	size_t size = 200;
405	struct kmem_cache *cache = kmem_cache_create("test_cache",
406						size, 0,
407						0, NULL);
408	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
409	p = kmem_cache_alloc(cache, GFP_KERNEL);
410	if (!p) {
411		kunit_err(test, "Allocation failed: %s\n", __func__);
412		kmem_cache_destroy(cache);
413		return;
414	}
415
416	KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
417	kmem_cache_free(cache, p);
418	kmem_cache_destroy(cache);
419}
420
421static void memcg_accounted_kmem_cache(struct kunit *test)
422{
423	int i;
424	char *p;
425	size_t size = 200;
426	struct kmem_cache *cache;
427
428	cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
429	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
430
431	/*
432	 * Several allocations with a delay to allow for lazy per memcg kmem
433	 * cache creation.
434	 */
435	for (i = 0; i < 5; i++) {
436		p = kmem_cache_alloc(cache, GFP_KERNEL);
437		if (!p)
438			goto free_cache;
439
440		kmem_cache_free(cache, p);
441		msleep(100);
442	}
443
444free_cache:
445	kmem_cache_destroy(cache);
446}
447
448static char global_array[10];
449
450static void kasan_global_oob(struct kunit *test)
451{
452	volatile int i = 3;
453	char *p = &global_array[ARRAY_SIZE(global_array) + i];
454
455	/* Only generic mode instruments globals. */
456	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
457		kunit_info(test, "CONFIG_KASAN_GENERIC required");
458		return;
459	}
460
461	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
462}
463
464static void ksize_unpoisons_memory(struct kunit *test)
465{
466	char *ptr;
467	size_t size = 123, real_size;
468
469	ptr = kmalloc(size, GFP_KERNEL);
470	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
471	real_size = ksize(ptr);
472	/* This access doesn't trigger an error. */
473	ptr[size] = 'x';
474	/* This one does. */
475	KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y');
476	kfree(ptr);
477}
478
479static void kasan_stack_oob(struct kunit *test)
480{
481	char stack_array[10];
482	volatile int i = OOB_TAG_OFF;
483	char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
484
485	if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
486		kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
487		return;
488	}
489
490	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
491}
492
493static void kasan_alloca_oob_left(struct kunit *test)
494{
495	volatile int i = 10;
496	char alloca_array[i];
497	char *p = alloca_array - 1;
498
499	/* Only generic mode instruments dynamic allocas. */
500	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
501		kunit_info(test, "CONFIG_KASAN_GENERIC required");
502		return;
503	}
504
505	if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
506		kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
507		return;
508	}
509
510	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
511}
512
513static void kasan_alloca_oob_right(struct kunit *test)
514{
515	volatile int i = 10;
516	char alloca_array[i];
517	char *p = alloca_array + i;
518
519	/* Only generic mode instruments dynamic allocas. */
520	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
521		kunit_info(test, "CONFIG_KASAN_GENERIC required");
522		return;
523	}
524
525	if (!IS_ENABLED(CONFIG_KASAN_STACK)) {
526		kunit_info(test, "CONFIG_KASAN_STACK is not enabled");
527		return;
528	}
529
530	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
531}
532
533static void kmem_cache_double_free(struct kunit *test)
534{
535	char *p;
536	size_t size = 200;
537	struct kmem_cache *cache;
538
539	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
540	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
541
542	p = kmem_cache_alloc(cache, GFP_KERNEL);
543	if (!p) {
544		kunit_err(test, "Allocation failed: %s\n", __func__);
545		kmem_cache_destroy(cache);
546		return;
547	}
548
549	kmem_cache_free(cache, p);
550	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
551	kmem_cache_destroy(cache);
552}
553
554static void kmem_cache_invalid_free(struct kunit *test)
555{
556	char *p;
557	size_t size = 200;
558	struct kmem_cache *cache;
559
560	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
561				  NULL);
562	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
563
564	p = kmem_cache_alloc(cache, GFP_KERNEL);
565	if (!p) {
566		kunit_err(test, "Allocation failed: %s\n", __func__);
567		kmem_cache_destroy(cache);
568		return;
569	}
570
571	/* Trigger invalid free, the object doesn't get freed */
572	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
573
574	/*
575	 * Properly free the object to prevent the "Objects remaining in
576	 * test_cache on __kmem_cache_shutdown" BUG failure.
577	 */
578	kmem_cache_free(cache, p);
579
580	kmem_cache_destroy(cache);
581}
582
583static void kasan_memchr(struct kunit *test)
584{
585	char *ptr;
586	size_t size = 24;
587
588	/* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
589	if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
590		kunit_info(test,
591			"str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
592		return;
593	}
594
595	if (OOB_TAG_OFF)
596		size = round_up(size, OOB_TAG_OFF);
597
598	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
599	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
600
601	KUNIT_EXPECT_KASAN_FAIL(test,
602		kasan_ptr_result = memchr(ptr, '1', size + 1));
603
604	kfree(ptr);
605}
606
607static void kasan_memcmp(struct kunit *test)
608{
609	char *ptr;
610	size_t size = 24;
611	int arr[9];
612
613	/* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
614	if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
615		kunit_info(test,
616			"str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
617		return;
618	}
619
620	if (OOB_TAG_OFF)
621		size = round_up(size, OOB_TAG_OFF);
622
623	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
624	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
625	memset(arr, 0, sizeof(arr));
626
627	KUNIT_EXPECT_KASAN_FAIL(test,
628		kasan_int_result = memcmp(ptr, arr, size+1));
629	kfree(ptr);
630}
631
632static void kasan_strings(struct kunit *test)
633{
634	char *ptr;
635	size_t size = 24;
636
637	/* See https://bugzilla.kernel.org/show_bug.cgi?id=206337 */
638	if (IS_ENABLED(CONFIG_AMD_MEM_ENCRYPT)) {
639		kunit_info(test,
640			"str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT");
641		return;
642	}
643
644	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
645	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
646
647	kfree(ptr);
648
649	/*
650	 * Try to cause only 1 invalid access (less spam in dmesg).
651	 * For that we need ptr to point to zeroed byte.
652	 * Skip metadata that could be stored in freed object so ptr
653	 * will likely point to zeroed byte.
654	 */
655	ptr += 16;
656	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
657
658	KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
659
660	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
661
662	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
663
664	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
665
666	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
667}
668
669static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
670{
671	KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
672	KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
673	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
674	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
675	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
676	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
677	KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
678	KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
679}
680
681static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
682{
683	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
684	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
685	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
686	KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
687	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
688	KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
689	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
690	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
691
692#if defined(clear_bit_unlock_is_negative_byte)
693	KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
694				clear_bit_unlock_is_negative_byte(nr, addr));
695#endif
696}
697
698static void kasan_bitops_generic(struct kunit *test)
699{
700	long *bits;
701
702	/* This test is specifically crafted for the generic mode. */
703	if (!IS_ENABLED(CONFIG_KASAN_GENERIC)) {
704		kunit_info(test, "CONFIG_KASAN_GENERIC required\n");
705		return;
706	}
707
708	/*
709	 * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes;
710	 * this way we do not actually corrupt other memory.
711	 */
712	bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
713	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
714
715	/*
716	 * Below calls try to access bit within allocated memory; however, the
717	 * below accesses are still out-of-bounds, since bitops are defined to
718	 * operate on the whole long the bit is in.
719	 */
720	kasan_bitops_modify(test, BITS_PER_LONG, bits);
721
722	/*
723	 * Below calls try to access bit beyond allocated memory.
724	 */
725	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
726
727	kfree(bits);
728}
729
730static void kasan_bitops_tags(struct kunit *test)
731{
732	long *bits;
733
734	/* This test is specifically crafted for the tag-based mode. */
735	if (IS_ENABLED(CONFIG_KASAN_GENERIC)) {
736		kunit_info(test, "CONFIG_KASAN_SW_TAGS required\n");
737		return;
738	}
739
740	/* Allocation size will be rounded to up granule size, which is 16. */
741	bits = kzalloc(sizeof(*bits), GFP_KERNEL);
742	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
743
744	/* Do the accesses past the 16 allocated bytes. */
745	kasan_bitops_modify(test, BITS_PER_LONG, &bits[1]);
746	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, &bits[1]);
747
748	kfree(bits);
749}
750
751static void kmalloc_double_kzfree(struct kunit *test)
752{
753	char *ptr;
754	size_t size = 16;
755
756	ptr = kmalloc(size, GFP_KERNEL);
757	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
758
759	kfree_sensitive(ptr);
760	KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
761}
762
763static void vmalloc_oob(struct kunit *test)
764{
765	void *area;
766
767	if (!IS_ENABLED(CONFIG_KASAN_VMALLOC)) {
768		kunit_info(test, "CONFIG_KASAN_VMALLOC is not enabled.");
769		return;
770	}
771
772	/*
773	 * We have to be careful not to hit the guard page.
774	 * The MMU will catch that and crash us.
775	 */
776	area = vmalloc(3000);
777	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
778
779	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
780	vfree(area);
781}
782
783static struct kunit_case kasan_kunit_test_cases[] = {
784	KUNIT_CASE(kmalloc_oob_right),
785	KUNIT_CASE(kmalloc_oob_left),
786	KUNIT_CASE(kmalloc_node_oob_right),
787	KUNIT_CASE(kmalloc_pagealloc_oob_right),
788	KUNIT_CASE(kmalloc_pagealloc_uaf),
789	KUNIT_CASE(kmalloc_pagealloc_invalid_free),
790	KUNIT_CASE(kmalloc_large_oob_right),
791	KUNIT_CASE(kmalloc_oob_krealloc_more),
792	KUNIT_CASE(kmalloc_oob_krealloc_less),
793	KUNIT_CASE(kmalloc_oob_16),
794	KUNIT_CASE(kmalloc_uaf_16),
795	KUNIT_CASE(kmalloc_oob_in_memset),
796	KUNIT_CASE(kmalloc_oob_memset_2),
797	KUNIT_CASE(kmalloc_oob_memset_4),
798	KUNIT_CASE(kmalloc_oob_memset_8),
799	KUNIT_CASE(kmalloc_oob_memset_16),
800	KUNIT_CASE(kmalloc_memmove_invalid_size),
801	KUNIT_CASE(kmalloc_uaf),
802	KUNIT_CASE(kmalloc_uaf_memset),
803	KUNIT_CASE(kmalloc_uaf2),
804	KUNIT_CASE(kfree_via_page),
805	KUNIT_CASE(kfree_via_phys),
806	KUNIT_CASE(kmem_cache_oob),
807	KUNIT_CASE(memcg_accounted_kmem_cache),
808	KUNIT_CASE(kasan_global_oob),
809	KUNIT_CASE(kasan_stack_oob),
810	KUNIT_CASE(kasan_alloca_oob_left),
811	KUNIT_CASE(kasan_alloca_oob_right),
812	KUNIT_CASE(ksize_unpoisons_memory),
813	KUNIT_CASE(kmem_cache_double_free),
814	KUNIT_CASE(kmem_cache_invalid_free),
815	KUNIT_CASE(kasan_memchr),
816	KUNIT_CASE(kasan_memcmp),
817	KUNIT_CASE(kasan_strings),
818	KUNIT_CASE(kasan_bitops_generic),
819	KUNIT_CASE(kasan_bitops_tags),
820	KUNIT_CASE(kmalloc_double_kzfree),
821	KUNIT_CASE(vmalloc_oob),
822	{}
823};
824
825static struct kunit_suite kasan_kunit_test_suite = {
826	.name = "kasan",
827	.init = kasan_test_init,
828	.test_cases = kasan_kunit_test_cases,
829	.exit = kasan_test_exit,
830};
831
832kunit_test_suite(kasan_kunit_test_suite);
833
834MODULE_LICENSE("GPL");
Configure Feed

Configure Feed
