// SPDX-License-Identifier: GPL-2.0-only
/*
 *
 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
 */

#define pr_fmt(fmt) "kasan: test: " fmt

#include <kunit/test.h>
#include <linux/bitops.h>
#include <linux/delay.h>
#include <linux/io.h>
#include <linux/kasan.h>
#include <linux/kernel.h>
#include <linux/mempool.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/module.h>
#include <linux/printk.h>
#include <linux/random.h>
#include <linux/set_memory.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/tracepoint.h>
#include <linux/uaccess.h>
#include <linux/vmalloc.h>
#include <trace/events/printk.h>

#include <asm/page.h>

#include "kasan.h"

/*
 * Extra offset some tests add to an out-of-bounds index: 0 with generic KASAN,
 * one KASAN granule with the other modes.
 */
#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)

MODULE_IMPORT_NS("EXPORTED_FOR_KUNIT_TESTING");

/*
 * Value returned by kasan_save_enable_multi_shot() in kasan_suite_init();
 * handed back to kasan_restore_multi_shot() in kasan_suite_exit().
 */
static bool multishot;

/* Fields set based on lines observed in the console. */
static struct {
	bool report_found;	/* console text contained "BUG: KASAN: " */
	bool async_fault;	/* console text contained "Asynchronous fault: " */
} test_status;

/*
 * Some tests use these global variables to store return values from function
 * calls that could otherwise be eliminated by the compiler as dead code.
 */
static void *volatile kasan_ptr_result;
static volatile int kasan_int_result;

/*
 * Probe for console output: obtains test_status lines of interest.
 *
 * @ignore: Unused probe argument.
 * @buf: Console text handed to the probe.
 * @len: Upper bound on how much of @buf is searched.
 *
 * Detection is purely textual. A buffer containing "BUG: KASAN: " sets
 * report_found; because of the else, "Asynchronous fault: " is only looked
 * for when the first marker is absent. This function only ever sets the
 * flags; it never clears them.
 */
static void probe_console(void *ignore, const char *buf, size_t len)
{
	if (strnstr(buf, "BUG: KASAN: ", len))
		WRITE_ONCE(test_status.report_found, true);
	else if (strnstr(buf, "Asynchronous fault: ", len))
		WRITE_ONCE(test_status.async_fault, true);
}

/*
 * Suite setup: refuses to run without KASAN, then puts KASAN into the state
 * the tests rely on and starts watching the console through probe_console().
 *
 * Returns 0 on success, -1 when kasan_enabled() is false.
 */
static int kasan_suite_init(struct kunit_suite *suite)
{
	if (!kasan_enabled()) {
		pr_err("Can't run KASAN tests with KASAN disabled");
		return -1;
	}

	/* Stop failing KUnit tests on KASAN reports. */
	kasan_kunit_test_suite_start();

	/*
	 * Temporarily enable multi-shot mode. Otherwise, KASAN would only
	 * report the first detected bug and panic the kernel if panic_on_warn
	 * is enabled.
	 */
	multishot = kasan_save_enable_multi_shot();

	register_trace_console(probe_console, NULL);
	return 0;
}

/*
 * Suite teardown: undoes what kasan_suite_init() set up, i.e. ends the KUnit
 * suite mode, restores the saved multi-shot setting and removes the console
 * probe.
 */
static void kasan_suite_exit(struct kunit_suite *suite)
{
	kasan_kunit_test_suite_end();
	kasan_restore_multi_shot(multishot);
	unregister_trace_console(probe_console, NULL);
	/*
	 * NOTE(review): presumably waits until no probe_console() call is
	 * still in flight - confirm.
	 */
	tracepoint_synchronize_unregister();
}

/*
 * Per-test exit check: fails the test if report_found is still set, which
 * means a KASAN report was printed outside of a KUNIT_EXPECT_KASAN_RESULT
 * check (each check clears the flag when it finishes).
 */
static void kasan_test_exit(struct kunit *test)
{
	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));
}

/**
 * KUNIT_EXPECT_KASAN_RESULT - checks whether the executed expression
 * produces a KASAN report; causes a KUnit test failure when the result
 * is different from @fail.
 *
 * @test: Currently executing KUnit test.
 * @expr: Expression to be tested.
 * @expr_str: Expression to be tested encoded as a string.
 * @fail: Whether expression should produce a KASAN report.
 *
 * For hardware tag-based KASAN, when a synchronous tag fault happens, tag
 * checking is auto-disabled. When this happens, this test handler reenables
 * tag checking. As tag checking can be only disabled or enabled per CPU,
 * this handler disables migration (preemption).
 *
 * Since the compiler doesn't see that the expression can change the test_status
 * fields, it can reorder or optimize away the accesses to those fields.
 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
 * expression to prevent that.
 *
 * In between KUNIT_EXPECT_KASAN_RESULT checks, test_status.report_found is kept
 * as false. This allows detecting KASAN reports that happen outside of the
 * checks by asserting !test_status.report_found at the start of
 * KUNIT_EXPECT_KASAN_RESULT and in kasan_test_exit.
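*/
#define KUNIT_EXPECT_KASAN_RESULT(test, expr, expr_str, fail)		\
do {									\
	/* Stay on this CPU: HW tag checking is re-enabled per CPU. */	\
	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
	    kasan_sync_fault_possible())				\
		migrate_disable();					\
	/* A flag that is already set means a report fired earlier. */	\
	KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found));	\
	barrier();							\
	expr;								\
	barrier();							\
	if (kasan_async_fault_possible())				\
		kasan_force_async_fault();				\
	/* @fail is parenthesized so that any expression is safe. */	\
	if (READ_ONCE(test_status.report_found) != (fail)) {		\
		KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure"	\
				"%sexpected in \"" expr_str		\
				 "\", but %soccurred",			\
				((fail) ? " " : " not "),		\
				(READ_ONCE(test_status.report_found) ?	\
				 "" : "none "));			\
	}								\
	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) &&				\
	    kasan_sync_fault_possible()) {				\
		/* Only a synchronous fault leaves checking disabled. */	\
		if (READ_ONCE(test_status.report_found) &&		\
		    !READ_ONCE(test_status.async_fault))		\
			kasan_enable_hw_tags();				\
		migrate_enable();					\
	}								\
	/* Re-arm both flags for the next check. */			\
	WRITE_ONCE(test_status.report_found, false);			\
	WRITE_ONCE(test_status.async_fault, false);			\
} while (0)

/*
 * KUNIT_EXPECT_KASAN_FAIL - check that the executed expression produces a
 * KASAN report; causes a KUnit test failure otherwise.
 *
 * @test: Currently executing KUnit test.
 * @expr: Expression that must produce a KASAN report.
 */
#define KUNIT_EXPECT_KASAN_FAIL(test, expr)			\
	KUNIT_EXPECT_KASAN_RESULT(test, expr, #expr, true)

/*
 * KUNIT_EXPECT_KASAN_FAIL_READ - check that the executed expression
 * produces a KASAN report when the write-only mode is not enabled;
 * causes a KUnit test failure otherwise.
 *
 * Note: At the moment, this macro does not check whether the produced
 * KASAN report is a report about a bad read access. It is only intended
 * for checking the write-only KASAN mode functionality without failing
 * KASAN tests.
 *
 * @test: Currently executing KUnit test.
 * @expr: Expression that must only produce a KASAN report
 *        when the write-only mode is not enabled.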
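*/
/* The macro ends on the line below; it carries no trailing continuation. */
#define KUNIT_EXPECT_KASAN_FAIL_READ(test, expr)			\
	KUNIT_EXPECT_KASAN_RESULT(test, expr, #expr,			\
			!kasan_write_only_enabled())

/* Skip the current test unless @config is enabled in this build. */
#define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do {			\
	if (!IS_ENABLED(config))					\
		kunit_skip((test), "Test requires " #config "=y");	\
} while (0)

/* Skip the current test if @config is enabled in this build. */
#define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do {			\
	if (IS_ENABLED(config))						\
		kunit_skip((test), "Test requires " #config "=n");	\
} while (0)

/*
 * Skip tests that rely on mem*() calls being checked. Never skips with
 * CONFIG_KASAN_HW_TAGS or CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX; otherwise
 * skips when CONFIG_GENERIC_ENTRY is enabled.
 */
#define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do {		\
	if (IS_ENABLED(CONFIG_KASAN_HW_TAGS))				\
		break;  /* No compiler instrumentation. */		\
	if (IS_ENABLED(CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX))	\
		break;  /* Should always be instrumented! */		\
	if (IS_ENABLED(CONFIG_GENERIC_ENTRY))				\
		kunit_skip((test), "Test requires checked mem*()");	\
} while (0)

/*
 * Out-of-bounds accesses to the right of a kmalloc() object whose size is
 * 5 bytes short of a granule boundary: one unaligned write (generic mode
 * only), one write inside the same granule-aligned object, and one read past
 * the aligned object.
 */
static void kmalloc_oob_right(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE - 5;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	/*
	 * An unaligned access past the requested kmalloc size.
	 * Only generic KASAN can precisely detect these.
	 */
	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');

	/*
	 * An aligned access into the first out-of-bounds granule that falls
	 * within the aligned kmalloc object.
	 */
	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');

	/* Out-of-bounds access past the aligned kmalloc object. */
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ptr[0] =
					ptr[size + KASAN_GRANULE_SIZE + 5]);

	kfree(ptr);
}

/* Out-of-bounds read of the byte just before a 15-byte kmalloc() object. */
static void kmalloc_oob_left(struct kunit *test)
{
	char *ptr;
	size_t size = 15;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, *ptr = *(ptr - 1));
	kfree(ptr);
}

/* Out-of-bounds read at ptr[size] of a 4096-byte kmalloc_node() object. */
static void kmalloc_node_oob_right(struct kunit *test)
{
	char *ptr;
	size_t size = 4096;

	ptr = kmalloc_node(size, GFP_KERNEL, 0);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ptr[0] = ptr[size]);
	kfree(ptr);
}

/*
 * Out-of-bounds write at ptr[size] for objects from both *_track_caller()
 * allocation variants.
 */
static void kmalloc_track_caller_oob_right(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;

	/*
	 * Check that KASAN detects out-of-bounds access for object allocated via
	 * kmalloc_track_caller().
	 */
	ptr = kmalloc_track_caller(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'y');

	kfree(ptr);

	/*
	 * Check that KASAN detects out-of-bounds access for object allocated via
	 * kmalloc_node_track_caller().
	 */
	ptr = kmalloc_node_track_caller(size, GFP_KERNEL, 0);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'y');

	kfree(ptr);
}

/*
 * Check that KASAN detects an out-of-bounds access for a big object allocated
 * via kmalloc(). But not as big as to trigger the page_alloc fallback.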
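*/
static void kmalloc_big_oob_right(struct kunit *test)
{
	char *ptr;
	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
	kfree(ptr);
}

/*
 * The kmalloc_large_* tests below use kmalloc() to allocate a memory chunk
 * that does not fit into the largest slab cache and therefore is allocated via
 * the page_alloc fallback.
 */

/* Out-of-bounds write just past a large object (plus OOB_TAG_OFF). */
static void kmalloc_large_oob_right(struct kunit *test)
{
	char *ptr;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);

	kfree(ptr);
}

/* Use-after-free read of the first byte of a freed large object. */
static void kmalloc_large_uaf(struct kunit *test)
{
	char *ptr;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	kfree(ptr);

	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[0]);
}

/*
 * Invalid free: kfree() of a pointer one byte into a large object.
 *
 * NOTE(review): no valid kfree(ptr) follows the rejected one, so the
 * allocation appears to be left behind - confirm this is intended.
 */
static void kmalloc_large_invalid_free(struct kunit *test)
{
	char *ptr;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
}

/*
 * Out-of-bounds read just past an order-4 page allocation. Skipped with
 * generic KASAN, see the comment in the body.
 */
static void page_alloc_oob_right(struct kunit *test)
{
	char *ptr;
	struct page *pages;
	size_t order = 4;
	size_t size = (1UL << (PAGE_SHIFT + order));

	/*
	 * With generic KASAN page allocations have no redzones, thus
	 * out-of-bounds detection is not guaranteed.
	 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	pages = alloc_pages(GFP_KERNEL, order);
	/*
	 * Check the allocation itself: an address derived from a failed
	 * alloc_pages() is not guaranteed to be NULL, so checking only ptr
	 * could let the test run on a bogus address.
	 */
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pages);
	ptr = page_address(pages);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	KUNIT_EXPECT_KASAN_FAIL_READ(test, ptr[0] = ptr[size]);
	free_pages((unsigned long)ptr, order);
}

/* Use-after-free read of the first byte of a freed order-4 page allocation. */
static void page_alloc_uaf(struct kunit *test)
{
	char *ptr;
	struct page *pages;
	size_t order = 4;

	pages = alloc_pages(GFP_KERNEL, order);
	/* Check the allocation itself before deriving an address from it. */
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pages);
	ptr = page_address(pages);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	free_pages((unsigned long)ptr, order);

	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[0]);
}

/*
 * Grow an object with krealloc() and check the new bounds.
 *
 * @test: Currently executing KUnit test.
 * @size1: Initial allocation size; must be smaller than @size2.
 * @size2: Size after krealloc().
 */
static void krealloc_more_oob_helper(struct kunit *test,
					size_t size1, size_t size2)
{
	char *ptr1, *ptr2;
	size_t middle;

	KUNIT_ASSERT_LT(test, size1, size2);
	middle = size1 + (size2 - size1) / 2;

	ptr1 = kmalloc(size1, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);

	/* Suppress -Warray-bounds warnings. */
	OPTIMIZER_HIDE_VAR(ptr2);

	/* All offsets up to size2 must be accessible. */
	ptr2[size1 - 1] = 'x';
	ptr2[size1] = 'x';
	ptr2[middle] = 'x';
	ptr2[size2 - 1] = 'x';

	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');

	/* For all modes first aligned offset after size2 must be inaccessible. */
	KUNIT_EXPECT_KASAN_FAIL(test,
		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');

	kfree(ptr2);
}

/*
 * Shrink an object with krealloc() and check that the cut-off tail is no
 * longer accessible.
 *
 * @test: Currently executing KUnit test.
 * @size1: Initial allocation size; must be larger than @size2.
 * @size2: Size after krealloc().
 */
static void krealloc_less_oob_helper(struct kunit *test,
					size_t size1, size_t size2)
{
	char *ptr1, *ptr2;
	size_t middle;

	KUNIT_ASSERT_LT(test, size2, size1);
	middle = size2 + (size1 - size2) / 2;

	ptr1 = kmalloc(size1, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);

	/* Suppress -Warray-bounds warnings. */
	OPTIMIZER_HIDE_VAR(ptr2);

	/* Must be accessible for all modes. */
	ptr2[size2 - 1] = 'x';

	/* Generic mode is precise, so unaligned size2 must be inaccessible. */
	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');

	/* For all modes first aligned offset after size2 must be inaccessible. */
	KUNIT_EXPECT_KASAN_FAIL(test,
		ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');

	/*
	 * For all modes all size2, middle, and size1 should land in separate
	 * granules and thus the latter two offsets should be inaccessible.
	 */
	KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
				round_down(middle, KASAN_GRANULE_SIZE));
	KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
				round_down(size1, KASAN_GRANULE_SIZE));
	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
	KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');

	kfree(ptr2);
}

/* krealloc() growing 201 -> 235 bytes. */
static void krealloc_more_oob(struct kunit *test)
{
	krealloc_more_oob_helper(test, 201, 235);
}

/* krealloc() shrinking 235 -> 201 bytes. */
static void krealloc_less_oob(struct kunit *test)
{
	krealloc_less_oob_helper(test, 235, 201);
}

/* Same growth check with both sizes above KMALLOC_MAX_CACHE_SIZE. */
static void krealloc_large_more_oob(struct kunit *test)
{
	krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
					KMALLOC_MAX_CACHE_SIZE + 235);
}

/* Same shrink check with both sizes above KMALLOC_MAX_CACHE_SIZE. */
static void krealloc_large_less_oob(struct kunit *test)
{
	krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
					KMALLOC_MAX_CACHE_SIZE + 201);
}

/*
 * Check that krealloc() detects a use-after-free, returns NULL,
 * and doesn't unpoison the freed object.
 */
static void krealloc_uaf(struct kunit *test)
{
	char *ptr1, *ptr2;
	int size1 = 201;
	int size2 = 235;

	ptr1 = kmalloc(size1, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
	kfree(ptr1);

	KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
	KUNIT_ASSERT_NULL(test, ptr2);
	/* The freed object must still be reported on access. */
	KUNIT_EXPECT_KASAN_FAIL_READ(test, *(volatile char *)ptr1);
}

/*
 * Out-of-bounds 16-byte struct copy into an object allocated 3 bytes too
 * short. Generic mode only.
 */
static void kmalloc_oob_16(struct kunit *test)
{
	struct {
		u64 words[2];
	} *ptr1, *ptr2;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	/* This test is specifically crafted for the generic mode. */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);

	/* RELOC_HIDE to prevent gcc from warning about short alloc */
	ptr1 = RELOC_HIDE(kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL), 0);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	ptr2 = kmalloc_obj(*ptr2);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);

	OPTIMIZER_HIDE_VAR(ptr1);
	OPTIMIZER_HIDE_VAR(ptr2);
	KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
	kfree(ptr1);
	kfree(ptr2);
}

/* Use-after-free: 16-byte struct copy that reads from a freed object. */
static void kmalloc_uaf_16(struct kunit *test)
{
	struct {
		u64 words[2];
	} *ptr1, *ptr2;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr1 = kmalloc_obj(*ptr1);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	ptr2 = kmalloc_obj(*ptr2);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
	kfree(ptr2);

	KUNIT_EXPECT_KASAN_FAIL_READ(test, *ptr1 = *ptr2);
	kfree(ptr1);
}

/*
 * Note: in the memset tests below, the written range touches both valid and
 * invalid memory. This makes sure that the instrumentation does not only check
 * the starting address but the whole range.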
*/

/* 2-byte memset() starting at the last valid byte of the object. */
static void kmalloc_oob_memset_2(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;
	size_t memset_size = 2;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	OPTIMIZER_HIDE_VAR(memset_size);
	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, memset_size));
	kfree(ptr);
}

/* 4-byte memset() starting 3 bytes before the end of the object. */
static void kmalloc_oob_memset_4(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;
	size_t memset_size = 4;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	OPTIMIZER_HIDE_VAR(memset_size);
	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, memset_size));
	kfree(ptr);
}

/* 8-byte memset() starting 7 bytes before the end of the object. */
static void kmalloc_oob_memset_8(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;
	size_t memset_size = 8;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	OPTIMIZER_HIDE_VAR(memset_size);
	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, memset_size));
	kfree(ptr);
}

/* 16-byte memset() starting 15 bytes before the end of the object. */
static void kmalloc_oob_memset_16(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;
	size_t memset_size = 16;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	OPTIMIZER_HIDE_VAR(memset_size);
	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, memset_size));
	kfree(ptr);
}

/* memset() from the object start that runs one granule past its end. */
static void kmalloc_oob_in_memset(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	KUNIT_EXPECT_KASAN_FAIL(test,
				memset(ptr, 0, size + KASAN_GRANULE_SIZE));
	kfree(ptr);
}

/*
 * memmove() with a length of (size_t)-2, i.e. a negative value converted to
 * an unsigned size. Skipped with hardware tag-based KASAN, see below.
 */
static void kmalloc_memmove_negative_size(struct kunit *test)
{
	char *ptr;
	size_t size = 64;
	size_t invalid_size = -2;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	/*
	 * Hardware tag-based mode doesn't check memmove for negative size.
	 * As a result, this test introduces a side-effect memory corruption,
	 * which can result in a crash.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	memset((char *)ptr, 0, 64);
	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(invalid_size);
	KUNIT_EXPECT_KASAN_FAIL(test,
		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
	kfree(ptr);
}

/*
 * memmove() whose source starts 4 bytes into a 64-byte object but whose
 * length is the full object size, so the read runs past the end.
 */
static void kmalloc_memmove_invalid_size(struct kunit *test)
{
	char *ptr;
	size_t size = 64;
	size_t invalid_size = size;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	memset((char *)ptr, 0, 64);
	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(invalid_size);
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		memmove((char *)ptr, (char *)ptr + 4, invalid_size));
	kfree(ptr);
}

/* Use-after-free read at offset 8 of a freed 10-byte object. */
static void kmalloc_uaf(struct kunit *test)
{
	char *ptr;
	size_t size = 10;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	kfree(ptr);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[8]);
}

/* Use-after-free memset() over a whole freed object. Generic mode only. */
static void kmalloc_uaf_memset(struct kunit *test)
{
	char *ptr;
	size_t size = 33;

	KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test);

	/*
	 * Only generic KASAN uses quarantine, which is required to avoid a
	 * kernel memory corruption this test causes.
	 */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	kfree(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
}

/*
 * Use-after-free read through ptr1 after a second allocation of the same
 * size; also expects the two pointers to differ.
 */
static void kmalloc_uaf2(struct kunit *test)
{
	char *ptr1, *ptr2;
	size_t size = 43;
	int counter = 0;

again:
	ptr1 = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	kfree(ptr1);

	ptr2 = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);

	/*
	 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
	 * Allow up to 16 attempts at generating different tags.
	 */
	if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
		kfree(ptr2);
		goto again;
	}

	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr1)[40]);
	KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);

	kfree(ptr2);
}

/*
 * Check that KASAN detects use-after-free when another object was allocated in
 * the same slot. Relevant for the tag-based modes, which do not use quarantine.
 */
static void kmalloc_uaf3(struct kunit *test)
{
	char *ptr1, *ptr2;
	size_t size = 100;

	/* This test is specifically crafted for tag-based modes. */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	ptr1 = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
	kfree(ptr1);

	ptr2 = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
	kfree(ptr2);

	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr1)[8]);
}

/*
 * Run the atomic and ordered-access primitives against an invalid address.
 *
 * @test: Currently executing KUnit test.
 * @unsafe: Address every access to which is expected to be reported.
 * @safe: Valid address, used where a primitive takes a second pointer.
 *
 * Pure reads go through KUNIT_EXPECT_KASAN_FAIL_READ and so are only expected
 * to be reported when the write-only mode is not enabled.
 */
static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe)
{
	int *i_unsafe = unsafe;

	KUNIT_EXPECT_KASAN_FAIL_READ(test, READ_ONCE(*i_unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL_READ(test, smp_load_acquire(i_unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, atomic_read(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42));
	/*
	 * The result of the test below may vary due to garbage values of
	 * unsafe in write-only mode.
	 * Therefore, skip this test when KASAN is configured in write-only mode.
	 */
	if (!kasan_write_only_enabled())
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe));
	/*
	 * The result of the test below may vary due to garbage values of
	 * unsafe in write-only mode.
	 * Therefore, skip this test when KASAN is configured in write-only mode.
	 */
	if (!kasan_write_only_enabled()) {
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe));
	}

	/* Same sequence for the atomic_long_*() family. */
	KUNIT_EXPECT_KASAN_FAIL_READ(test, atomic_long_read(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42));
	/*
	 * The result of the test below may vary due to garbage values of
	 * unsafe in write-only mode.
	 * Therefore, skip this test when KASAN is configured in write-only mode.
	 */
	if (!kasan_write_only_enabled())
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe));
	KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe));
	/*
	 * The result of the test below may vary due to garbage values of
	 * unsafe in write-only mode.
	 * Therefore, skip this test when KASAN is configured in write-only mode.
	 */
	if (!kasan_write_only_enabled()) {
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe));
		KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe));
	}
}

/*
 * Atomic accesses to the redzone right after a 48-byte object, with a
 * separately allocated atomic_long_t as the valid operand.
 */
static void kasan_atomics(struct kunit *test)
{
	void *a1, *a2;

	/*
	 * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such
	 * that the following 16 bytes will make up the redzone.
	 */
	a1 = kzalloc(48, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1);
	a2 = kzalloc_obj(atomic_long_t);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a2);

	/* Use atomics to access the redzone. */
	kasan_atomics_helper(test, a1 + 48, a2);

	kfree(a1);
	kfree(a2);
}

/* Double free through kfree_sensitive(). Generic mode only, see below. */
static void kmalloc_double_kzfree(struct kunit *test)
{
	char *ptr;
	size_t size = 16;

	/*
	 * With the tag-based KASAN modes, if the memory happens to be
	 * reallocated between the two frees and the new allocation tag happens
	 * to match the old one, the second free will cause a memory corruption.
	 * Resolving https://bugzilla.kernel.org/show_bug.cgi?id=212177 would
	 * help to deal with this. With Generic KASAN, it's effectively
	 * impossible for the memory to get reallocated due to the quarantine.
	 */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	kfree_sensitive(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
}

/* Check that ksize() does NOT unpoison whole object. */
static void ksize_unpoisons_memory(struct kunit *test)
{
	char *ptr;
	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
	size_t real_size;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	/* The test needs slack between the requested and the reported size. */
	real_size = ksize(ptr);
	KUNIT_EXPECT_GT(test, real_size, size);

	OPTIMIZER_HIDE_VAR(ptr);

	/* These accesses shouldn't trigger a KASAN report. */
	ptr[0] = 'x';
	ptr[size - 1] = 'x';

	/* These must trigger a KASAN report. */
	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[size + 5]);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[real_size - 1]);

	kfree(ptr);
}

/*
 * Check that a use-after-free is detected by ksize() and via normal accesses
 * after it.
 */
static void ksize_uaf(struct kunit *test)
{
	char *ptr;
	int size = 128 - KASAN_GRANULE_SIZE;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	kfree(ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[0]);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[size]);
}

/*
 * The two tests below check that Generic KASAN prints auxiliary stack traces
 * for RCU callbacks and workqueues.
The reports need to be inspected manually.
 *
 * These tests are still enabled for other KASAN modes to make sure that all
 * modes report bad accesses in tested scenarios.
 */

/* Object freed from an RCU callback; global_rcu_ptr is set by rcu_uaf(). */
static struct kasan_rcu_info {
	int i;
	struct rcu_head rcu;
} *global_rcu_ptr;

/*
 * RCU callback: frees the enclosing kasan_rcu_info and then reads its field,
 * which is the use-after-free that rcu_uaf() expects to be reported.
 */
static void rcu_uaf_reclaim(struct rcu_head *rp)
{
	struct kasan_rcu_info *fp =
		container_of(rp, struct kasan_rcu_info, rcu);

	kfree(fp);
	((volatile struct kasan_rcu_info *)fp)->i;
}

/*
 * Use-after-free inside an RCU callback: queues rcu_uaf_reclaim() and waits
 * with rcu_barrier() inside the checked expression.
 */
static void rcu_uaf(struct kunit *test)
{
	struct kasan_rcu_info *ptr;

	ptr = kmalloc_obj(struct kasan_rcu_info);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	global_rcu_ptr = rcu_dereference_protected(
				(struct kasan_rcu_info __rcu *)ptr, NULL);

	KUNIT_EXPECT_KASAN_FAIL_READ(test,
			call_rcu(&global_rcu_ptr->rcu, rcu_uaf_reclaim);
			rcu_barrier());
}

/* Work function that frees its own work_struct. */
static void workqueue_uaf_work(struct work_struct *work)
{
	kfree(work);
}

/*
 * Use-after-free read of a work_struct that its own work function freed;
 * the read happens after the workqueue has been destroyed.
 */
static void workqueue_uaf(struct kunit *test)
{
	struct workqueue_struct *workqueue;
	struct work_struct *work;

	workqueue = create_workqueue("kasan_workqueue_test");
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue);

	work = kmalloc_obj(struct work_struct);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work);

	INIT_WORK(work, workqueue_uaf_work);
	queue_work(workqueue, work);
	destroy_workqueue(workqueue);

	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		((volatile struct work_struct *)work)->data);
}

/*
 * Frees a kmalloc() object through an address recomputed from its struct page
 * and in-page offset. There is no KUNIT_EXPECT_KASAN_* check here, so no
 * report is expected from this free.
 */
static void kfree_via_page(struct kunit *test)
{
	char *ptr;
	size_t size = 8;
	struct page *page;
	unsigned long offset;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	page = virt_to_page(ptr);
	offset = offset_in_page(ptr);
	kfree(page_address(page) + offset);
}

/*
 * Frees a kmalloc() object through an address that went through
 * virt_to_phys() and back. No report is expected from this free either.
 */
static void kfree_via_phys(struct kunit *test)
{
	char *ptr;
	size_t size = 8;
	phys_addr_t phys;

	ptr = kmalloc(size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	phys = virt_to_phys(ptr);
	kfree(phys_to_virt(phys));
}

/* Out-of-bounds read just past a 200-byte kmem_cache object. */
static void kmem_cache_oob(struct kunit *test)
{
	char *p;
	size_t size = 200;
	struct kmem_cache *cache;

	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	p = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p) {
		/* Destroy the cache by hand; returning early skips the check. */
		kunit_err(test, "Allocation failed: %s\n", __func__);
		kmem_cache_destroy(cache);
		return;
	}

	KUNIT_EXPECT_KASAN_FAIL_READ(test, *p = p[size + OOB_TAG_OFF]);

	kmem_cache_free(cache, p);
	kmem_cache_destroy(cache);
}

/* Double free of a kmem_cache object. */
static void kmem_cache_double_free(struct kunit *test)
{
	char *p;
	size_t size = 200;
	struct kmem_cache *cache;

	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	p = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		kmem_cache_destroy(cache);
		return;
	}

	kmem_cache_free(cache, p);
	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
	kmem_cache_destroy(cache);
}

/*
 * Invalid free: kmem_cache_free() of a pointer one byte into an object from a
 * SLAB_TYPESAFE_BY_RCU cache.
 */
static void kmem_cache_invalid_free(struct kunit *test)
{
	char *p;
	size_t size = 200;
	struct kmem_cache *cache;

	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
				  NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	p = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		kmem_cache_destroy(cache);
		return;
	}

	/* Trigger invalid free, the object doesn't get freed. */
	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));

	/*
	 * Properly free the object to prevent the "Objects remaining in
	 * test_cache on __kmem_cache_shutdown" BUG failure.
	 */
	kmem_cache_free(cache, p);

	kmem_cache_destroy(cache);
}

/*
 * Use-after-free on a SLAB_TYPESAFE_BY_RCU object: a read inside the RCU
 * read-side section that spans the free is done without expecting a report,
 * a read after rcu_barrier() is expected to be reported. Requires
 * CONFIG_SLUB_RCU_DEBUG.
 */
static void kmem_cache_rcu_uaf(struct kunit *test)
{
	char *p;
	size_t size = 200;
	struct kmem_cache *cache;

	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG);

	cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
				  NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	p = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		kmem_cache_destroy(cache);
		return;
	}
	*p = 1;

	rcu_read_lock();

	/* Free the object - this will internally schedule an RCU callback. */
	kmem_cache_free(cache, p);

	/*
	 * We should still be allowed to access the object at this point because
	 * the cache is SLAB_TYPESAFE_BY_RCU and we've been in an RCU read-side
	 * critical section since before the kmem_cache_free().
	 */
	READ_ONCE(*p);

	rcu_read_unlock();

	/*
	 * Wait for the RCU callback to execute; after this, the object should
	 * have actually been freed from KASAN's perspective.
	 */
	rcu_barrier();

	KUNIT_EXPECT_KASAN_FAIL_READ(test, READ_ONCE(*p));

	kmem_cache_destroy(cache);
}

/*
 * Check that SLAB_TYPESAFE_BY_RCU objects are immediately reused when
 * CONFIG_SLUB_RCU_DEBUG is off, and stay at the same address.
 * Without this, KASAN builds would be unable to trigger bugs caused by
 * SLAB_TYPESAFE_BY_RCU users handling recycled objects improperly.
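*/
static void kmem_cache_rcu_reuse(struct kunit *test)
{
	char *p, *p2;
	struct kmem_cache *cache;

	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_SLUB_RCU_DEBUG);

	cache = kmem_cache_create("test_cache", 16, 0, SLAB_TYPESAFE_BY_RCU,
				  NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	/*
	 * NOTE(review): migration is presumably disabled so that the free and
	 * the following allocation are served by the same CPU - confirm.
	 */
	migrate_disable();
	p = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		goto out;
	}

	kmem_cache_free(cache, p);
	p2 = kmem_cache_alloc(cache, GFP_KERNEL);
	if (!p2) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		goto out;
	}
	/* The object allocated right after the free must sit at the same address. */
	KUNIT_EXPECT_PTR_EQ(test, p, p2);

	kmem_cache_free(cache, p2);

out:
	migrate_enable();
	kmem_cache_destroy(cache);
}

/* Destroying the same (SLAB_NO_MERGE) cache twice must produce a KASAN report. */
static void kmem_cache_double_destroy(struct kunit *test)
{
	struct kmem_cache *cache;

	cache = kmem_cache_create("test_cache", 200, 0, SLAB_NO_MERGE, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
	kmem_cache_destroy(cache);
	KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache));
}

/*
 * Allocate and free objects from a SLAB_ACCOUNT cache a few times. No bad
 * access is performed, so no KASAN report is expected.
 */
static void kmem_cache_accounted(struct kunit *test)
{
	int i;
	char *p;
	size_t size = 200;
	struct kmem_cache *cache;

	cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	/*
	 * Several allocations with a delay to allow for lazy per memcg kmem
	 * cache creation.
	 */
	for (i = 0; i < 5; i++) {
		p = kmem_cache_alloc(cache, GFP_KERNEL);
		if (!p)
			goto free_cache;

		kmem_cache_free(cache, p);
		msleep(100);
	}

free_cache:
	kmem_cache_destroy(cache);
}

/*
 * Bulk-allocate objects, write to the first and last byte of each (both
 * in bounds), and bulk-free them. No KASAN report is expected.
 */
static void kmem_cache_bulk(struct kunit *test)
{
	struct kmem_cache *cache;
	size_t size = 200;
	char *p[10];
	int i;

	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	if (!kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p),
				   (void **)&p)) {
		kunit_err(test, "Allocation failed: %s\n", __func__);
		kmem_cache_destroy(cache);
		return;
	}

	for (i = 0; i < ARRAY_SIZE(p); i++)
		p[i][0] = p[i][size - 1] = 42;

	kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
	kmem_cache_destroy(cache);
}

/*
 * Initialize @pool as a kmalloc mempool of 4 elements of @size bytes and take
 * one preallocated element out of it. Returns that element; the caller gives
 * it back with mempool_free() before mempool_exit().
 */
static void *mempool_prepare_kmalloc(struct kunit *test, mempool_t *pool, size_t size)
{
	int pool_size = 4;
	int ret;
	void *elem;

	memset(pool, 0, sizeof(*pool));
	ret = mempool_init_kmalloc_pool(pool, pool_size, size);
	KUNIT_ASSERT_EQ(test, ret, 0);

	/*
	 * Allocate one element to prevent mempool from freeing elements to the
	 * underlying allocator and instead make it add them to the element
	 * list when the tests trigger double-free and invalid-free bugs.
	 * This allows testing KASAN annotations in add_element().
	 */
	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	return elem;
}

/*
 * Create a slab cache for objects of @size bytes and initialize @pool as a
 * slab mempool of 4 elements on top of it. Returns the cache; the caller
 * destroys it after mempool_exit().
 */
static struct kmem_cache *mempool_prepare_slab(struct kunit *test, mempool_t *pool, size_t size)
{
	struct kmem_cache *cache;
	int pool_size = 4;
	int ret;

	cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);

	memset(pool, 0, sizeof(*pool));
	ret = mempool_init_slab_pool(pool, pool_size, cache);
	KUNIT_ASSERT_EQ(test, ret, 0);

	/*
	 * Do not allocate one preallocated element, as we skip the double-free
	 * and invalid-free tests for slab mempool for simplicity.
	 */

	return cache;
}

/*
 * Initialize @pool as a page mempool of 4 elements of the given @order and
 * take one preallocated element out of it. Returns that element; the caller
 * gives it back with mempool_free() before mempool_exit().
 */
static void *mempool_prepare_page(struct kunit *test, mempool_t *pool, int order)
{
	int pool_size = 4;
	int ret;
	void *elem;

	memset(pool, 0, sizeof(*pool));
	ret = mempool_init_page_pool(pool, pool_size, order);
	KUNIT_ASSERT_EQ(test, ret, 0);

	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	return elem;
}

/*
 * Read one byte past the end of a preallocated mempool element of @size
 * bytes. Generic KASAN is checked at the exact end of the object; the other
 * modes are checked at the start of the next granule.
 */
static void mempool_oob_right_helper(struct kunit *test, mempool_t *pool, size_t size)
{
	char *elem;

	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	OPTIMIZER_HIDE_VAR(elem);

	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test,
			((volatile char *)&elem[size])[0]);
	else
		KUNIT_EXPECT_KASAN_FAIL_READ(test,
			((volatile char *)&elem[round_up(size, KASAN_GRANULE_SIZE)])[0]);

	mempool_free(elem, pool);
}

/* Out-of-bounds read on a kmalloc mempool element whose size is not granule-aligned. */
static void mempool_kmalloc_oob_right(struct kunit *test)
{
	mempool_t pool;
	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
	void *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_oob_right_helper(test, &pool, size);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Same as mempool_kmalloc_oob_right(), with elements larger than KMALLOC_MAX_CACHE_SIZE. */
static void mempool_kmalloc_large_oob_right(struct kunit *test)
{
	mempool_t pool;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
	void *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_oob_right_helper(test, &pool, size);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Out-of-bounds read on an element of a slab-backed mempool. */
static void mempool_slab_oob_right(struct kunit *test)
{
	mempool_t pool;
	size_t size = 123;
	struct kmem_cache *cache;

	cache = mempool_prepare_slab(test, &pool, size);

	mempool_oob_right_helper(test, &pool, size);

	mempool_exit(&pool);
	kmem_cache_destroy(cache);
}

/*
 * Skip the out-of-bounds test for page mempool. With Generic KASAN, page
 * allocations have no redzones, and thus the out-of-bounds detection is not
 * guaranteed; see https://bugzilla.kernel.org/show_bug.cgi?id=210503. With
 * the tag-based KASAN modes, the neighboring allocation might have the same
 * tag; see https://bugzilla.kernel.org/show_bug.cgi?id=203505.
 */

/*
 * Take an element from @pool, return it with mempool_free(), then read its
 * first byte and expect a KASAN report. When @page is true the element is a
 * struct page pointer and is converted to its address first.
 */
static void mempool_uaf_helper(struct kunit *test, mempool_t *pool, bool page)
{
	char *elem, *ptr;

	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	mempool_free(elem, pool);

	ptr = page ? page_address((struct page *)elem) : elem;
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)ptr)[0]);
}

/* Use-after-free on an element of a kmalloc mempool. */
static void mempool_kmalloc_uaf(struct kunit *test)
{
	mempool_t pool;
	size_t size = 128;
	void *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_uaf_helper(test, &pool, false);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Same as mempool_kmalloc_uaf(), with elements larger than KMALLOC_MAX_CACHE_SIZE. */
static void mempool_kmalloc_large_uaf(struct kunit *test)
{
	mempool_t pool;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
	void *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_uaf_helper(test, &pool, false);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Use-after-free on an element of a slab-backed mempool. */
static void mempool_slab_uaf(struct kunit *test)
{
	mempool_t pool;
	size_t size = 123;
	struct kmem_cache *cache;

	cache = mempool_prepare_slab(test, &pool, size);

	mempool_uaf_helper(test, &pool, false);

	mempool_exit(&pool);
	kmem_cache_destroy(cache);
}

/* Use-after-free on an element of a page mempool (order 2). */
static void mempool_page_alloc_uaf(struct kunit *test)
{
	mempool_t pool;
	int order = 2;
	void *extra_elem;

	extra_elem = mempool_prepare_page(test, &pool, order);

	mempool_uaf_helper(test, &pool, true);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Free one element of @pool twice; the second mempool_free() must be reported. */
static void mempool_double_free_helper(struct kunit *test, mempool_t *pool)
{
	char *elem;

	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	mempool_free(elem, pool);

	KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem, pool));
}

/* Double free of an element of a kmalloc mempool. */
static void mempool_kmalloc_double_free(struct kunit *test)
{
	mempool_t pool;
	size_t size = 128;
	char *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_double_free_helper(test, &pool);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Same as mempool_kmalloc_double_free(), with elements larger than KMALLOC_MAX_CACHE_SIZE. */
static void mempool_kmalloc_large_double_free(struct kunit *test)
{
	mempool_t pool;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
	char *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_double_free_helper(test, &pool);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Double free of an element of a page mempool (order 2). */
static void mempool_page_alloc_double_free(struct kunit *test)
{
	mempool_t pool;
	int order = 2;
	char *extra_elem;

	extra_elem = mempool_prepare_page(test, &pool, order);

	mempool_double_free_helper(test, &pool);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/*
 * Call mempool_free() with a pointer one byte into an element of @pool and
 * expect a KASAN report, then free the element properly.
 */
static void mempool_kmalloc_invalid_free_helper(struct kunit *test, mempool_t *pool)
{
	char *elem;

	elem = mempool_alloc_preallocated(pool);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem);

	KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem + 1, pool));

	mempool_free(elem, pool);
}

/* Invalid free of an element of a kmalloc mempool. */
static void mempool_kmalloc_invalid_free(struct kunit *test)
{
	mempool_t pool;
	size_t size = 128;
	char *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_kmalloc_invalid_free_helper(test, &pool);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/* Same as mempool_kmalloc_invalid_free(), with elements larger than KMALLOC_MAX_CACHE_SIZE. */
static void mempool_kmalloc_large_invalid_free(struct kunit *test)
{
	mempool_t pool;
	size_t size = KMALLOC_MAX_CACHE_SIZE + 1;
	char *extra_elem;

	extra_elem = mempool_prepare_kmalloc(test, &pool, size);

	mempool_kmalloc_invalid_free_helper(test, &pool);

	mempool_free(extra_elem, &pool);
	mempool_exit(&pool);
}

/*
 * Skip the invalid-free test for page mempool.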
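The invalid-free detection only
 * works for compound pages and mempool preallocates all page elements without
 * the __GFP_COMP flag.
 */

/* Global buffer used by the global out-of-bounds tests below. */
static char global_array[10];

/* Read past the end of a global array; only Generic KASAN instruments globals. */
static void kasan_global_oob_right(struct kunit *test)
{
	/*
	 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
	 * from failing here and panicking the kernel, access the array via a
	 * volatile pointer, which will prevent the compiler from being able to
	 * determine the array bounds.
	 *
	 * This access uses a volatile pointer to char (char *volatile) rather
	 * than the more conventional pointer to volatile char (volatile char *)
	 * because we want to prevent the compiler from making inferences about
	 * the pointer itself (i.e. its array bounds), not the data that it
	 * refers to.
	 */
	char *volatile array = global_array;
	char *p = &array[ARRAY_SIZE(global_array) + 3];

	/* Only generic mode instruments globals. */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);

	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
}

/* Read before the start of a global array; requires Clang and Generic KASAN. */
static void kasan_global_oob_left(struct kunit *test)
{
	/* See comment in kasan_global_oob_right. */
	char *volatile array = global_array;
	char *p = array - 3;

	/*
	 * GCC is known to fail this test, skip it.
	 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051.
	 */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG);
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
}

/* Read past the end of an on-stack array; requires CONFIG_KASAN_STACK. */
static void kasan_stack_oob(struct kunit *test)
{
	char stack_array[10];
	/* See comment in kasan_global_oob_right. */
	char *volatile array = stack_array;
	char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];

	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);

	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
}

/* Read one byte before a variable-length (alloca-style) stack array. */
static void kasan_alloca_oob_left(struct kunit *test)
{
	/* Volatile length so the array is sized at run time. */
	volatile int i = 10;
	char alloca_array[i];
	/* See comment in kasan_global_oob_right. */
	char *volatile array = alloca_array;
	char *p = array - 1;

	/* Only generic mode instruments dynamic allocas. */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);

	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
}

/* Read the first byte past a variable-length (alloca-style) stack array. */
static void kasan_alloca_oob_right(struct kunit *test)
{
	/* Volatile length so the array is sized at run time. */
	volatile int i = 10;
	char alloca_array[i];
	/* See comment in kasan_global_oob_right. */
	char *volatile array = alloca_array;
	char *p = array + i;

	/* Only generic mode instruments dynamic allocas. */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);

	KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
}

/* memchr() asked to scan one byte more than the allocation holds must be reported. */
static void kasan_memchr(struct kunit *test)
{
	char *ptr;
	size_t size = 24;

	/*
	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);

	/* For tag-based modes, round the size up so that size + 1 crosses a granule. */
	if (OOB_TAG_OFF)
		size = round_up(size, OOB_TAG_OFF);

	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		kasan_ptr_result = memchr(ptr, '1', size + 1));

	kfree(ptr);
}

/* memcmp() asked to compare one byte more than the allocation holds must be reported. */
static void kasan_memcmp(struct kunit *test)
{
	char *ptr;
	size_t size = 24;
	int arr[9];

	/*
	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);

	/* For tag-based modes, round the size up so that size + 1 crosses a granule. */
	if (OOB_TAG_OFF)
		size = round_up(size, OOB_TAG_OFF);

	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	/* Both buffers are zeroed, so memcmp() has to walk all the way to the end. */
	memset(arr, 0, sizeof(arr));

	OPTIMIZER_HIDE_VAR(ptr);
	OPTIMIZER_HIDE_VAR(size);
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		kasan_int_result = memcmp(ptr, arr, size+1));
	kfree(ptr);
}

/*
 * String helpers: strscpy() must not be reported for an in-bounds source and
 * must be reported for an unreadable one; str*() calls on a freed buffer must
 * each be reported.
 */
static void kasan_strings(struct kunit *test)
{
	char *ptr;
	char *src;
	size_t size = 24;

	/*
	 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
	 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);

	ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	OPTIMIZER_HIDE_VAR(ptr);

	src = kmalloc(KASAN_GRANULE_SIZE, GFP_KERNEL | __GFP_ZERO);
	/* Do not write through a NULL pointer if this allocation fails. */
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, src);
	strscpy(src, "f0cacc1a0000000", KASAN_GRANULE_SIZE);
	OPTIMIZER_HIDE_VAR(src);

	/*
	 * Make sure that strscpy() does not trigger KASAN if it overreads into
	 * poisoned memory.
	 *
	 * The expected size does not include the terminator '\0'
	 * so it is (KASAN_GRANULE_SIZE - 2) ==
	 * KASAN_GRANULE_SIZE - ("initial removed character" + "\0").
	 */
	KUNIT_EXPECT_EQ(test, KASAN_GRANULE_SIZE - 2,
			strscpy(ptr, src + 1, KASAN_GRANULE_SIZE));

	/* strscpy should fail if the first byte is unreadable. */
	KUNIT_EXPECT_KASAN_FAIL_READ(test, strscpy(ptr, src + KASAN_GRANULE_SIZE,
						    KASAN_GRANULE_SIZE));

	kfree(src);
	kfree(ptr);

	/*
	 * Try to cause only 1 invalid access (less spam in dmesg).
	 * For that we need ptr to point to zeroed byte.
	 * Skip metadata that could be stored in freed object so ptr
	 * will likely point to zeroed byte.
	 */
	ptr += 16;
	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_ptr_result = strchr(ptr, '1'));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_ptr_result = strrchr(ptr, '1'));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_int_result = strcmp(ptr, "2"));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_int_result = strncmp(ptr, "2", 1));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_int_result = strlen(ptr));

	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_int_result = strnlen(ptr, 1));
}

/* Expect a KASAN report from each bit-modifying operation on bit @nr of @addr. */
static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
{
	KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
}

/* Expect a KASAN report from each test-and-modify operation on bit @nr of @addr. */
static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
{
	KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
	/*
	 * When KASAN is running in write-only mode,
	 * a fault won't occur when the bit is set.
	 * Therefore, skip the test_and_set_bit_lock test in write-only mode.
	 */
	if (!kasan_write_only_enabled())
		KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
	KUNIT_EXPECT_KASAN_FAIL_READ(test, kasan_int_result = test_bit(nr, addr));
	/* The mask passed below is 1 << nr, so only small bit numbers are used. */
	if (nr < 7)
		KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
				xor_unlock_is_negative_byte(1 << nr, addr));
}

/* Out-of-bounds bitops on a kzalloc'ed long, for Generic KASAN only. */
static void kasan_bitops_generic(struct kunit *test)
{
	long *bits;

	/* This test is specifically crafted for the generic mode. */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);

	/*
	 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
	 * this way we do not actually corrupt other memory.
	 */
	bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);

	/*
	 * Below calls try to access bit within allocated memory; however, the
	 * below accesses are still out-of-bounds, since bitops are defined to
	 * operate on the whole long the bit is in.
	 */
	kasan_bitops_modify(test, BITS_PER_LONG, bits);

	/*
	 * Below calls try to access bit beyond allocated memory.
	 */
	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);

	kfree(bits);
}

/* Out-of-bounds bitops inside the redzone of a 48-byte allocation, for tag-based modes. */
static void kasan_bitops_tags(struct kunit *test)
{
	long *bits;

	/* This test is specifically crafted for tag-based modes. */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	/* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
	bits = kzalloc(48, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);

	/* Do the accesses past the 48 allocated bytes, but within the redzone. */
	kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
	kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);

	kfree(bits);
}

/*
 * Check that vmalloc() returns a tagged pointer in tag-based modes and that
 * the exported vmalloc helpers accept it. No KASAN report is expected.
 */
static void vmalloc_helpers_tags(struct kunit *test)
{
	void *ptr;

	/* This test is intended for tag-based modes. */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);

	if (!kasan_vmalloc_enabled())
		kunit_skip(test, "Test requires kasan.vmalloc=on");

	ptr = vmalloc(PAGE_SIZE);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	/* Check that the returned pointer is tagged. */
	KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
	KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);

	/* Make sure exported vmalloc helpers handle tagged pointers. */
	KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr));
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr));

	/* The permission checks are compiled only when the test is not a module. */
#if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST)
	{
		int rv;

		/* Make sure vmalloc'ed memory permissions can be changed. */
		rv = set_memory_ro((unsigned long)ptr, 1);
		KUNIT_ASSERT_GE(test, rv, 0);
		rv = set_memory_rw((unsigned long)ptr, 1);
		KUNIT_ASSERT_GE(test, rv, 0);
	}
#endif

	vfree(ptr);
}

/*
 * Check a vmalloc'ed buffer of @size bytes at @v_ptr: in-bounds writes must
 * be silent, accesses just past the end must be reported.
 */
static void vmalloc_oob_helper(struct kunit *test, char *v_ptr, size_t size)
{
	/*
	 * We have to be careful not to hit the guard page in vmalloc tests.
	 * The MMU will catch that and crash us.
	 */

	/* Make sure in-bounds accesses are valid. */
	v_ptr[0] = 0;
	v_ptr[size - 1] = 0;

	/*
	 * An unaligned access past the requested vmalloc size.
	 * Only generic KASAN can precisely detect these.
	 */
	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
		KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]);

	/* An aligned access into the first out-of-bounds granule. */
	size = round_up(size, KASAN_GRANULE_SIZE);
	KUNIT_EXPECT_KASAN_FAIL_READ(test, ((volatile char *)v_ptr)[size]);
}

/*
 * Out-of-bounds checks on a vmalloc'ed buffer, repeated after shrinking and
 * after growing it with vrealloc().
 */
static void vmalloc_oob(struct kunit *test)
{
	char *v_ptr, *p_ptr;
	struct page *page;
	size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5;

	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);

	if (!kasan_vmalloc_enabled())
		kunit_skip(test, "Test requires kasan.vmalloc=on");

	v_ptr = vmalloc(size);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);

	OPTIMIZER_HIDE_VAR(v_ptr);

	vmalloc_oob_helper(test, v_ptr, size);

	/* Shrink the buffer and check the new bounds. */
	size -= KASAN_GRANULE_SIZE + 1;
	v_ptr = vrealloc(v_ptr, size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);

	OPTIMIZER_HIDE_VAR(v_ptr);

	vmalloc_oob_helper(test, v_ptr, size);

	/* Grow the buffer and check the new bounds. */
	size += 2 * KASAN_GRANULE_SIZE + 2;
	v_ptr = vrealloc(v_ptr, size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);

	vmalloc_oob_helper(test, v_ptr, size);

	/* Check that in-bounds accesses to the physical page are valid. */
	page = vmalloc_to_page(v_ptr);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
	p_ptr = page_address(page);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);
	p_ptr[0] = 0;

	vfree(v_ptr);

	/*
	 * We can't check for use-after-unmap bugs in this nor in the following
	 * vmalloc tests, as the page might be fully unmapped and accessing it
	 * will crash the kernel.
	 */
}

/*
 * Check that a vmap() mapping gets a tagged pointer, that in-bounds accesses
 * through both the page address and the mapping are silent, and that
 * vmalloc_to_page() returns the mapped page.
 */
static void vmap_tags(struct kunit *test)
{
	char *p_ptr, *v_ptr;
	struct page *p_page, *v_page;

	/*
	 * This test is specifically crafted for the software tag-based mode,
	 * the only tag-based mode that poisons vmap mappings.
	 */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);

	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);

	if (!kasan_vmalloc_enabled())
		kunit_skip(test, "Test requires kasan.vmalloc=on");

	p_page = alloc_pages(GFP_KERNEL, 1);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page);
	p_ptr = page_address(p_page);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);

	v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);

	/*
	 * We can't check for out-of-bounds bugs in this nor in the following
	 * vmalloc tests, as allocations have page granularity and accessing
	 * the guard page will crash the kernel.
	 */

	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);

	/* Make sure that in-bounds accesses through both pointers work. */
	*p_ptr = 0;
	*v_ptr = 0;

	/* Make sure vmalloc_to_page() correctly recovers the page pointer. */
	v_page = vmalloc_to_page(v_ptr);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page);
	KUNIT_EXPECT_PTR_EQ(test, p_page, v_page);

	vunmap(v_ptr);
	free_pages((unsigned long)p_ptr, 1);
}

/*
 * Check that a vm_map_ram() mapping gets a tagged pointer and that in-bounds
 * accesses through both the page address and the mapping are silent.
 */
static void vm_map_ram_tags(struct kunit *test)
{
	char *p_ptr, *v_ptr;
	struct page *page;

	/*
	 * This test is specifically crafted for the software tag-based mode,
	 * the only tag-based mode that poisons vm_map_ram mappings.
	 */
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS);

	page = alloc_pages(GFP_KERNEL, 1);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page);
	p_ptr = page_address(page);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr);

	v_ptr = vm_map_ram(&page, 1, -1);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr);

	KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN);
	KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL);

	/* Make sure that in-bounds accesses through both pointers work. */
	*p_ptr = 0;
	*v_ptr = 0;

	vm_unmap_ram(v_ptr, 1);
	free_pages((unsigned long)p_ptr, 1);
}

/*
 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
 * modes.
 */
static void match_all_not_assigned(struct kunit *test)
{
	char *ptr;
	struct page *pages;
	int i, size, order;

	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	/* Slab allocations of random size. */
	for (i = 0; i < 256; i++) {
		size = get_random_u32_inclusive(1, 1024);
		ptr = kmalloc(size, GFP_KERNEL);
		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
		kfree(ptr);
	}

	/* Page allocations of random order. */
	for (i = 0; i < 256; i++) {
		order = get_random_u32_inclusive(1, 4);
		pages = alloc_pages(GFP_KERNEL, order);
		/* Check the allocation itself before deriving an address from it. */
		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, pages);
		ptr = page_address(pages);
		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
		free_pages((unsigned long)ptr, order);
	}

	if (!kasan_vmalloc_enabled())
		return;

	/* vmalloc allocations of random size. */
	for (i = 0; i < 256; i++) {
		size = get_random_u32_inclusive(1, 1024);
		ptr = vmalloc(size);
		KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
		KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
		KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
		vfree(ptr);
	}
}

/* Check that 0xff works as a match-all pointer tag for tag-based modes. */
static void match_all_ptr_tag(struct kunit *test)
{
	char *ptr;
	u8 tag;

	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	ptr = kmalloc(128, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);

	/* Backup the assigned tag. */
	tag = get_tag(ptr);
	KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);

	/* Reset the tag to 0xff. */
	ptr = set_tag(ptr, KASAN_TAG_KERNEL);

	/* This access shouldn't trigger a KASAN report. */
	*ptr = 0;

	/* Recover the pointer tag and free. */
	ptr = set_tag(ptr, tag);
	kfree(ptr);
}

/* Check that there are no match-all memory tags for tag-based modes. */
static void match_all_mem_tag(struct kunit *test)
{
	char *ptr;
	int tag;

	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);

	ptr = kmalloc(128, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);

	/* For each possible tag value not matching the pointer tag. */
	for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
		/*
		 * For Software Tag-Based KASAN, skip the majority of tag
		 * values to avoid the test printing too many reports.
		 */
		if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) &&
		    tag >= KASAN_TAG_MIN + 8 && tag <= KASAN_TAG_KERNEL - 8)
			continue;

		if (tag == get_tag(ptr))
			continue;

		/* Mark the first memory granule with the chosen memory tag. */
		kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);

		/* This access must cause a KASAN report. */
		KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
	}

	/* Recover the memory tag and free. */
	kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
	kfree(ptr);
}

/*
 * Check that Rust performing a use-after-free using `unsafe` is detected.
 * This is a smoke test to make sure that Rust is being sanitized properly.
 */
static void rust_uaf(struct kunit *test)
{
	KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);
	KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
}

/*
 * copy_to_kernel_nofault() is an internal helper available when
 * kasan_test is built-in, so it must not be visible to loadable modules.
 */
#ifndef MODULE
/*
 * copy_to_kernel_nofault() with a length that exceeds the kmalloc'ed buffer
 * must be reported, whether that buffer is the source or the destination.
 */
static void copy_to_kernel_nofault_oob(struct kunit *test)
{
	char *ptr;
	char buf[128];
	size_t size = sizeof(buf);

	/*
	 * This test currently fails with the HW_TAGS mode. The reason is
	 * unknown and needs to be investigated.
	 */
	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);

	/* The heap buffer is one granule shorter than the length copied below. */
	ptr = kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
	OPTIMIZER_HIDE_VAR(ptr);

	/*
	 * We test copy_to_kernel_nofault() to detect corrupted memory that is
	 * being written into the kernel. In contrast,
	 * copy_from_kernel_nofault() is primarily used in kernel helper
	 * functions where the source address might be random or uninitialized.
	 * Applying KASAN instrumentation to copy_from_kernel_nofault() could
	 * lead to false positives. By focusing KASAN checks only on
	 * copy_to_kernel_nofault(), we ensure that only valid memory is
	 * written to the kernel, minimizing the risk of kernel corruption
	 * while avoiding false positives in the reverse case.
	 */
	KUNIT_EXPECT_KASAN_FAIL(test,
		copy_to_kernel_nofault(&buf[0], ptr, size));
	KUNIT_EXPECT_KASAN_FAIL(test,
		copy_to_kernel_nofault(ptr, &buf[0], size));

	kfree(ptr);
}
#endif /* !MODULE */

/*
 * User-copy helpers called with a length one byte larger than the kernel
 * buffer must each be reported.
 */
static void copy_user_test_oob(struct kunit *test)
{
	char *kmem;
	char __user *usermem;
	unsigned long useraddr;
	size_t size = 128 - KASAN_GRANULE_SIZE;
	int __maybe_unused unused;

	kmem = kunit_kmalloc(test, size, GFP_KERNEL);
	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, kmem);

	/*
	 * NOTE(review): the mapping is requested with PROT_EXEC although only
	 * data copies are performed on it in this function - confirm whether
	 * the execute permission is needed.
	 */
	useraddr = kunit_vm_mmap(test, NULL, 0, PAGE_SIZE,
				 PROT_READ | PROT_WRITE | PROT_EXEC,
				 MAP_ANONYMOUS | MAP_PRIVATE, 0);
	KUNIT_ASSERT_NE_MSG(test, useraddr, 0,
		"Could not create userspace mm");
	KUNIT_ASSERT_LT_MSG(test, useraddr, (unsigned long)TASK_SIZE,
		"Failed to allocate user memory");

	OPTIMIZER_HIDE_VAR(size);
	usermem = (char __user *)useraddr;

	KUNIT_EXPECT_KASAN_FAIL(test,
		unused = copy_from_user(kmem, usermem, size + 1));
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		unused = copy_to_user(usermem, kmem, size + 1));
	KUNIT_EXPECT_KASAN_FAIL(test,
		unused = __copy_from_user(kmem, usermem, size + 1));
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		unused = __copy_to_user(usermem, kmem, size + 1));
	KUNIT_EXPECT_KASAN_FAIL(test,
		unused = __copy_from_user_inatomic(kmem, usermem, size + 1));
	KUNIT_EXPECT_KASAN_FAIL_READ(test,
		unused = __copy_to_user_inatomic(usermem, kmem, size + 1));

	/*
	 * Prepare a long string in usermem to avoid the strncpy_from_user test
	 * bailing out on '\0' before it reaches out-of-bounds.
	 */
	memset(kmem, 'a', size);
	KUNIT_EXPECT_EQ(test, copy_to_user(usermem, kmem, size), 0);

	KUNIT_EXPECT_KASAN_FAIL(test,
		unused = strncpy_from_user(kmem, usermem, size + 1));
}

static struct kunit_case kasan_kunit_test_cases[] = {
	KUNIT_CASE(kmalloc_oob_right),
	KUNIT_CASE(kmalloc_oob_left),
	KUNIT_CASE(kmalloc_node_oob_right),
	KUNIT_CASE(kmalloc_track_caller_oob_right),
	KUNIT_CASE(kmalloc_big_oob_right),
	KUNIT_CASE(kmalloc_large_oob_right),
	KUNIT_CASE(kmalloc_large_uaf),
	KUNIT_CASE(kmalloc_large_invalid_free),
	KUNIT_CASE(page_alloc_oob_right),
	KUNIT_CASE(page_alloc_uaf),
	KUNIT_CASE(krealloc_more_oob),
	KUNIT_CASE(krealloc_less_oob),
	KUNIT_CASE(krealloc_large_more_oob),
	KUNIT_CASE(krealloc_large_less_oob),
	KUNIT_CASE(krealloc_uaf),
	KUNIT_CASE(kmalloc_oob_16),
	KUNIT_CASE(kmalloc_uaf_16),
	KUNIT_CASE(kmalloc_oob_in_memset),
	KUNIT_CASE(kmalloc_oob_memset_2),
	KUNIT_CASE(kmalloc_oob_memset_4),
	KUNIT_CASE(kmalloc_oob_memset_8),
	KUNIT_CASE(kmalloc_oob_memset_16),
	KUNIT_CASE(kmalloc_memmove_negative_size),
	KUNIT_CASE(kmalloc_memmove_invalid_size),
	KUNIT_CASE(kmalloc_uaf),
	KUNIT_CASE(kmalloc_uaf_memset),
	KUNIT_CASE(kmalloc_uaf2),
	KUNIT_CASE(kmalloc_uaf3),
	KUNIT_CASE(kmalloc_double_kzfree),
	KUNIT_CASE(ksize_unpoisons_memory),
	KUNIT_CASE(ksize_uaf),
	KUNIT_CASE(rcu_uaf),
	KUNIT_CASE(workqueue_uaf),
	KUNIT_CASE(kfree_via_page),
	KUNIT_CASE(kfree_via_phys),
	KUNIT_CASE(kmem_cache_oob),
	KUNIT_CASE(kmem_cache_double_free),
	KUNIT_CASE(kmem_cache_invalid_free),
	KUNIT_CASE(kmem_cache_rcu_uaf),
	KUNIT_CASE(kmem_cache_rcu_reuse),
	KUNIT_CASE(kmem_cache_double_destroy),
	KUNIT_CASE(kmem_cache_accounted),
	KUNIT_CASE(kmem_cache_bulk),
	KUNIT_CASE(mempool_kmalloc_oob_right),
	KUNIT_CASE(mempool_kmalloc_large_oob_right),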
KUNIT_CASE(mempool_slab_oob_right), 2251 KUNIT_CASE(mempool_kmalloc_uaf), 2252 KUNIT_CASE(mempool_kmalloc_large_uaf), 2253 KUNIT_CASE(mempool_slab_uaf), 2254 KUNIT_CASE(mempool_page_alloc_uaf), 2255 KUNIT_CASE(mempool_kmalloc_double_free), 2256 KUNIT_CASE(mempool_kmalloc_large_double_free), 2257 KUNIT_CASE(mempool_page_alloc_double_free), 2258 KUNIT_CASE(mempool_kmalloc_invalid_free), 2259 KUNIT_CASE(mempool_kmalloc_large_invalid_free), 2260 KUNIT_CASE(kasan_global_oob_right), 2261 KUNIT_CASE(kasan_global_oob_left), 2262 KUNIT_CASE(kasan_stack_oob), 2263 KUNIT_CASE(kasan_alloca_oob_left), 2264 KUNIT_CASE(kasan_alloca_oob_right), 2265 KUNIT_CASE(kasan_memchr), 2266 KUNIT_CASE(kasan_memcmp), 2267 KUNIT_CASE(kasan_strings), 2268 KUNIT_CASE(kasan_bitops_generic), 2269 KUNIT_CASE(kasan_bitops_tags), 2270 KUNIT_CASE_SLOW(kasan_atomics), 2271 KUNIT_CASE(vmalloc_helpers_tags), 2272 KUNIT_CASE(vmalloc_oob), 2273 KUNIT_CASE(vmap_tags), 2274 KUNIT_CASE(vm_map_ram_tags), 2275 KUNIT_CASE(match_all_not_assigned), 2276 KUNIT_CASE(match_all_ptr_tag), 2277 KUNIT_CASE(match_all_mem_tag), 2278 #ifndef MODULE 2279 KUNIT_CASE(copy_to_kernel_nofault_oob), 2280 #endif 2281 KUNIT_CASE(rust_uaf), 2282 KUNIT_CASE(copy_user_test_oob), 2283 {} 2284 }; 2285 2286 static struct kunit_suite kasan_kunit_test_suite = { 2287 .name = "kasan", 2288 .test_cases = kasan_kunit_test_cases, 2289 .exit = kasan_test_exit, 2290 .suite_init = kasan_suite_init, 2291 .suite_exit = kasan_suite_exit, 2292 }; 2293 2294 kunit_test_suite(kasan_kunit_test_suite); 2295 2296 MODULE_DESCRIPTION("KUnit tests for checking KASAN bug-detection capabilities"); 2297 MODULE_LICENSE("GPL"); 2298