1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * 4 * Copyright (c) 2014 Samsung Electronics Co., Ltd. 5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com> 6 */ 7 8 #define pr_fmt(fmt) "kasan: test: " fmt 9 10 #include <kunit/test.h> 11 #include <linux/bitops.h> 12 #include <linux/delay.h> 13 #include <linux/io.h> 14 #include <linux/kasan.h> 15 #include <linux/kernel.h> 16 #include <linux/mempool.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/module.h> 20 #include <linux/printk.h> 21 #include <linux/random.h> 22 #include <linux/set_memory.h> 23 #include <linux/slab.h> 24 #include <linux/string.h> 25 #include <linux/tracepoint.h> 26 #include <linux/uaccess.h> 27 #include <linux/vmalloc.h> 28 #include <trace/events/printk.h> 29 30 #include <asm/page.h> 31 32 #include "kasan.h" 33 34 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE) 35 36 static bool multishot; 37 38 /* Fields set based on lines observed in the console. */ 39 static struct { 40 bool report_found; 41 bool async_fault; 42 } test_status; 43 44 /* 45 * Some tests use these global variables to store return values from function 46 * calls that could otherwise be eliminated by the compiler as dead code. 47 */ 48 void *kasan_ptr_result; 49 int kasan_int_result; 50 51 /* Probe for console output: obtains test_status lines of interest. */ 52 static void probe_console(void *ignore, const char *buf, size_t len) 53 { 54 if (strnstr(buf, "BUG: KASAN: ", len)) 55 WRITE_ONCE(test_status.report_found, true); 56 else if (strnstr(buf, "Asynchronous fault: ", len)) 57 WRITE_ONCE(test_status.async_fault, true); 58 } 59 60 static int kasan_suite_init(struct kunit_suite *suite) 61 { 62 if (!kasan_enabled()) { 63 pr_err("Can't run KASAN tests with KASAN disabled"); 64 return -1; 65 } 66 67 /* Stop failing KUnit tests on KASAN reports. */ 68 kasan_kunit_test_suite_start(); 69 70 /* 71 * Temporarily enable multi-shot mode. Otherwise, KASAN would only 72 * report the first detected bug and panic the kernel if panic_on_warn 73 * is enabled. 74 */ 75 multishot = kasan_save_enable_multi_shot(); 76 77 register_trace_console(probe_console, NULL); 78 return 0; 79 } 80 81 static void kasan_suite_exit(struct kunit_suite *suite) 82 { 83 kasan_kunit_test_suite_end(); 84 kasan_restore_multi_shot(multishot); 85 unregister_trace_console(probe_console, NULL); 86 tracepoint_synchronize_unregister(); 87 } 88 89 static void kasan_test_exit(struct kunit *test) 90 { 91 KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found)); 92 } 93 94 /** 95 * KUNIT_EXPECT_KASAN_FAIL - check that the executed expression produces a 96 * KASAN report; causes a KUnit test failure otherwise. 97 * 98 * @test: Currently executing KUnit test. 99 * @expression: Expression that must produce a KASAN report. 100 * 101 * For hardware tag-based KASAN, when a synchronous tag fault happens, tag 102 * checking is auto-disabled. When this happens, this test handler reenables 103 * tag checking. As tag checking can be only disabled or enabled per CPU, 104 * this handler disables migration (preemption). 105 * 106 * Since the compiler doesn't see that the expression can change the test_status 107 * fields, it can reorder or optimize away the accesses to those fields. 108 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the 109 * expression to prevent that. 110 * 111 * In between KUNIT_EXPECT_KASAN_FAIL checks, test_status.report_found is kept 112 * as false. This allows detecting KASAN reports that happen outside of the 113 * checks by asserting !test_status.report_found at the start of 114 * KUNIT_EXPECT_KASAN_FAIL and in kasan_test_exit. 115 */ 116 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \ 117 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \ 118 kasan_sync_fault_possible()) \ 119 migrate_disable(); \ 120 KUNIT_EXPECT_FALSE(test, READ_ONCE(test_status.report_found)); \ 121 barrier(); \ 122 expression; \ 123 barrier(); \ 124 if (kasan_async_fault_possible()) \ 125 kasan_force_async_fault(); \ 126 if (!READ_ONCE(test_status.report_found)) { \ 127 KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure " \ 128 "expected in \"" #expression \ 129 "\", but none occurred"); \ 130 } \ 131 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \ 132 kasan_sync_fault_possible()) { \ 133 if (READ_ONCE(test_status.report_found) && \ 134 !READ_ONCE(test_status.async_fault)) \ 135 kasan_enable_hw_tags(); \ 136 migrate_enable(); \ 137 } \ 138 WRITE_ONCE(test_status.report_found, false); \ 139 WRITE_ONCE(test_status.async_fault, false); \ 140 } while (0) 141 142 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \ 143 if (!IS_ENABLED(config)) \ 144 kunit_skip((test), "Test requires " #config "=y"); \ 145 } while (0) 146 147 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \ 148 if (IS_ENABLED(config)) \ 149 kunit_skip((test), "Test requires " #config "=n"); \ 150 } while (0) 151 152 #define KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test) do { \ 153 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS)) \ 154 break; /* No compiler instrumentation. */ \ 155 if (IS_ENABLED(CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX)) \ 156 break; /* Should always be instrumented! */ \ 157 if (IS_ENABLED(CONFIG_GENERIC_ENTRY)) \ 158 kunit_skip((test), "Test requires checked mem*()"); \ 159 } while (0) 160 161 static void kmalloc_oob_right(struct kunit *test) 162 { 163 char *ptr; 164 size_t size = 128 - KASAN_GRANULE_SIZE - 5; 165 166 ptr = kmalloc(size, GFP_KERNEL); 167 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 168 169 OPTIMIZER_HIDE_VAR(ptr); 170 /* 171 * An unaligned access past the requested kmalloc size. 172 * Only generic KASAN can precisely detect these. 173 */ 174 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 175 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); 176 177 /* 178 * An aligned access into the first out-of-bounds granule that falls 179 * within the aligned kmalloc object. 180 */ 181 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y'); 182 183 /* Out-of-bounds access past the aligned kmalloc object. */ 184 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 185 ptr[size + KASAN_GRANULE_SIZE + 5]); 186 187 kfree(ptr); 188 } 189 190 static void kmalloc_oob_left(struct kunit *test) 191 { 192 char *ptr; 193 size_t size = 15; 194 195 ptr = kmalloc(size, GFP_KERNEL); 196 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 197 198 OPTIMIZER_HIDE_VAR(ptr); 199 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); 200 kfree(ptr); 201 } 202 203 static void kmalloc_node_oob_right(struct kunit *test) 204 { 205 char *ptr; 206 size_t size = 4096; 207 208 ptr = kmalloc_node(size, GFP_KERNEL, 0); 209 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 210 211 OPTIMIZER_HIDE_VAR(ptr); 212 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]); 213 kfree(ptr); 214 } 215 216 /* 217 * Check that KASAN detects an out-of-bounds access for a big object allocated 218 * via kmalloc(). But not as big as to trigger the page_alloc fallback. 219 */ 220 static void kmalloc_big_oob_right(struct kunit *test) 221 { 222 char *ptr; 223 size_t size = KMALLOC_MAX_CACHE_SIZE - 256; 224 225 ptr = kmalloc(size, GFP_KERNEL); 226 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 227 228 OPTIMIZER_HIDE_VAR(ptr); 229 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); 230 kfree(ptr); 231 } 232 233 /* 234 * The kmalloc_large_* tests below use kmalloc() to allocate a memory chunk 235 * that does not fit into the largest slab cache and therefore is allocated via 236 * the page_alloc fallback. 237 */ 238 239 static void kmalloc_large_oob_right(struct kunit *test) 240 { 241 char *ptr; 242 size_t size = KMALLOC_MAX_CACHE_SIZE + 10; 243 244 ptr = kmalloc(size, GFP_KERNEL); 245 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 246 247 OPTIMIZER_HIDE_VAR(ptr); 248 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0); 249 250 kfree(ptr); 251 } 252 253 static void kmalloc_large_uaf(struct kunit *test) 254 { 255 char *ptr; 256 size_t size = KMALLOC_MAX_CACHE_SIZE + 10; 257 258 ptr = kmalloc(size, GFP_KERNEL); 259 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 260 kfree(ptr); 261 262 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); 263 } 264 265 static void kmalloc_large_invalid_free(struct kunit *test) 266 { 267 char *ptr; 268 size_t size = KMALLOC_MAX_CACHE_SIZE + 10; 269 270 ptr = kmalloc(size, GFP_KERNEL); 271 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 272 273 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1)); 274 } 275 276 static void page_alloc_oob_right(struct kunit *test) 277 { 278 char *ptr; 279 struct page *pages; 280 size_t order = 4; 281 size_t size = (1UL << (PAGE_SHIFT + order)); 282 283 /* 284 * With generic KASAN page allocations have no redzones, thus 285 * out-of-bounds detection is not guaranteed. 286 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503. 287 */ 288 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 289 290 pages = alloc_pages(GFP_KERNEL, order); 291 ptr = page_address(pages); 292 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 293 294 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]); 295 free_pages((unsigned long)ptr, order); 296 } 297 298 static void page_alloc_uaf(struct kunit *test) 299 { 300 char *ptr; 301 struct page *pages; 302 size_t order = 4; 303 304 pages = alloc_pages(GFP_KERNEL, order); 305 ptr = page_address(pages); 306 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 307 free_pages((unsigned long)ptr, order); 308 309 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); 310 } 311 312 static void krealloc_more_oob_helper(struct kunit *test, 313 size_t size1, size_t size2) 314 { 315 char *ptr1, *ptr2; 316 size_t middle; 317 318 KUNIT_ASSERT_LT(test, size1, size2); 319 middle = size1 + (size2 - size1) / 2; 320 321 ptr1 = kmalloc(size1, GFP_KERNEL); 322 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 323 324 ptr2 = krealloc(ptr1, size2, GFP_KERNEL); 325 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 326 327 /* Suppress -Warray-bounds warnings. */ 328 OPTIMIZER_HIDE_VAR(ptr2); 329 330 /* All offsets up to size2 must be accessible. */ 331 ptr2[size1 - 1] = 'x'; 332 ptr2[size1] = 'x'; 333 ptr2[middle] = 'x'; 334 ptr2[size2 - 1] = 'x'; 335 336 /* Generic mode is precise, so unaligned size2 must be inaccessible. */ 337 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 338 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); 339 340 /* For all modes first aligned offset after size2 must be inaccessible. */ 341 KUNIT_EXPECT_KASAN_FAIL(test, 342 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x'); 343 344 kfree(ptr2); 345 } 346 347 static void krealloc_less_oob_helper(struct kunit *test, 348 size_t size1, size_t size2) 349 { 350 char *ptr1, *ptr2; 351 size_t middle; 352 353 KUNIT_ASSERT_LT(test, size2, size1); 354 middle = size2 + (size1 - size2) / 2; 355 356 ptr1 = kmalloc(size1, GFP_KERNEL); 357 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 358 359 ptr2 = krealloc(ptr1, size2, GFP_KERNEL); 360 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 361 362 /* Suppress -Warray-bounds warnings. */ 363 OPTIMIZER_HIDE_VAR(ptr2); 364 365 /* Must be accessible for all modes. */ 366 ptr2[size2 - 1] = 'x'; 367 368 /* Generic mode is precise, so unaligned size2 must be inaccessible. */ 369 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 370 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); 371 372 /* For all modes first aligned offset after size2 must be inaccessible. */ 373 KUNIT_EXPECT_KASAN_FAIL(test, 374 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x'); 375 376 /* 377 * For all modes all size2, middle, and size1 should land in separate 378 * granules and thus the latter two offsets should be inaccessible. 379 */ 380 KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE), 381 round_down(middle, KASAN_GRANULE_SIZE)); 382 KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE), 383 round_down(size1, KASAN_GRANULE_SIZE)); 384 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x'); 385 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x'); 386 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x'); 387 388 kfree(ptr2); 389 } 390 391 static void krealloc_more_oob(struct kunit *test) 392 { 393 krealloc_more_oob_helper(test, 201, 235); 394 } 395 396 static void krealloc_less_oob(struct kunit *test) 397 { 398 krealloc_less_oob_helper(test, 235, 201); 399 } 400 401 static void krealloc_large_more_oob(struct kunit *test) 402 { 403 krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201, 404 KMALLOC_MAX_CACHE_SIZE + 235); 405 } 406 407 static void krealloc_large_less_oob(struct kunit *test) 408 { 409 krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235, 410 KMALLOC_MAX_CACHE_SIZE + 201); 411 } 412 413 /* 414 * Check that krealloc() detects a use-after-free, returns NULL, 415 * and doesn't unpoison the freed object. 416 */ 417 static void krealloc_uaf(struct kunit *test) 418 { 419 char *ptr1, *ptr2; 420 int size1 = 201; 421 int size2 = 235; 422 423 ptr1 = kmalloc(size1, GFP_KERNEL); 424 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 425 kfree(ptr1); 426 427 KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL)); 428 KUNIT_ASSERT_NULL(test, ptr2); 429 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1); 430 } 431 432 static void kmalloc_oob_16(struct kunit *test) 433 { 434 struct { 435 u64 words[2]; 436 } *ptr1, *ptr2; 437 438 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 439 440 /* This test is specifically crafted for the generic mode. */ 441 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 442 443 /* RELOC_HIDE to prevent gcc from warning about short alloc */ 444 ptr1 = RELOC_HIDE(kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL), 0); 445 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 446 447 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); 448 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 449 450 OPTIMIZER_HIDE_VAR(ptr1); 451 OPTIMIZER_HIDE_VAR(ptr2); 452 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); 453 kfree(ptr1); 454 kfree(ptr2); 455 } 456 457 static void kmalloc_uaf_16(struct kunit *test) 458 { 459 struct { 460 u64 words[2]; 461 } *ptr1, *ptr2; 462 463 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 464 465 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL); 466 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 467 468 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); 469 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 470 kfree(ptr2); 471 472 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); 473 kfree(ptr1); 474 } 475 476 /* 477 * Note: in the memset tests below, the written range touches both valid and 478 * invalid memory. This makes sure that the instrumentation does not only check 479 * the starting address but the whole range. 480 */ 481 482 static void kmalloc_oob_memset_2(struct kunit *test) 483 { 484 char *ptr; 485 size_t size = 128 - KASAN_GRANULE_SIZE; 486 size_t memset_size = 2; 487 488 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 489 490 ptr = kmalloc(size, GFP_KERNEL); 491 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 492 493 OPTIMIZER_HIDE_VAR(ptr); 494 OPTIMIZER_HIDE_VAR(size); 495 OPTIMIZER_HIDE_VAR(memset_size); 496 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 1, 0, memset_size)); 497 kfree(ptr); 498 } 499 500 static void kmalloc_oob_memset_4(struct kunit *test) 501 { 502 char *ptr; 503 size_t size = 128 - KASAN_GRANULE_SIZE; 504 size_t memset_size = 4; 505 506 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 507 508 ptr = kmalloc(size, GFP_KERNEL); 509 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 510 511 OPTIMIZER_HIDE_VAR(ptr); 512 OPTIMIZER_HIDE_VAR(size); 513 OPTIMIZER_HIDE_VAR(memset_size); 514 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 3, 0, memset_size)); 515 kfree(ptr); 516 } 517 518 static void kmalloc_oob_memset_8(struct kunit *test) 519 { 520 char *ptr; 521 size_t size = 128 - KASAN_GRANULE_SIZE; 522 size_t memset_size = 8; 523 524 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 525 526 ptr = kmalloc(size, GFP_KERNEL); 527 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 528 529 OPTIMIZER_HIDE_VAR(ptr); 530 OPTIMIZER_HIDE_VAR(size); 531 OPTIMIZER_HIDE_VAR(memset_size); 532 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 7, 0, memset_size)); 533 kfree(ptr); 534 } 535 536 static void kmalloc_oob_memset_16(struct kunit *test) 537 { 538 char *ptr; 539 size_t size = 128 - KASAN_GRANULE_SIZE; 540 size_t memset_size = 16; 541 542 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 543 544 ptr = kmalloc(size, GFP_KERNEL); 545 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 546 547 OPTIMIZER_HIDE_VAR(ptr); 548 OPTIMIZER_HIDE_VAR(size); 549 OPTIMIZER_HIDE_VAR(memset_size); 550 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + size - 15, 0, memset_size)); 551 kfree(ptr); 552 } 553 554 static void kmalloc_oob_in_memset(struct kunit *test) 555 { 556 char *ptr; 557 size_t size = 128 - KASAN_GRANULE_SIZE; 558 559 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 560 561 ptr = kmalloc(size, GFP_KERNEL); 562 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 563 564 OPTIMIZER_HIDE_VAR(ptr); 565 OPTIMIZER_HIDE_VAR(size); 566 KUNIT_EXPECT_KASAN_FAIL(test, 567 memset(ptr, 0, size + KASAN_GRANULE_SIZE)); 568 kfree(ptr); 569 } 570 571 static void kmalloc_memmove_negative_size(struct kunit *test) 572 { 573 char *ptr; 574 size_t size = 64; 575 size_t invalid_size = -2; 576 577 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 578 579 /* 580 * Hardware tag-based mode doesn't check memmove for negative size. 581 * As a result, this test introduces a side-effect memory corruption, 582 * which can result in a crash. 583 */ 584 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); 585 586 ptr = kmalloc(size, GFP_KERNEL); 587 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 588 589 memset((char *)ptr, 0, 64); 590 OPTIMIZER_HIDE_VAR(ptr); 591 OPTIMIZER_HIDE_VAR(invalid_size); 592 KUNIT_EXPECT_KASAN_FAIL(test, 593 memmove((char *)ptr, (char *)ptr + 4, invalid_size)); 594 kfree(ptr); 595 } 596 597 static void kmalloc_memmove_invalid_size(struct kunit *test) 598 { 599 char *ptr; 600 size_t size = 64; 601 size_t invalid_size = size; 602 603 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 604 605 ptr = kmalloc(size, GFP_KERNEL); 606 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 607 608 memset((char *)ptr, 0, 64); 609 OPTIMIZER_HIDE_VAR(ptr); 610 OPTIMIZER_HIDE_VAR(invalid_size); 611 KUNIT_EXPECT_KASAN_FAIL(test, 612 memmove((char *)ptr, (char *)ptr + 4, invalid_size)); 613 kfree(ptr); 614 } 615 616 static void kmalloc_uaf(struct kunit *test) 617 { 618 char *ptr; 619 size_t size = 10; 620 621 ptr = kmalloc(size, GFP_KERNEL); 622 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 623 624 kfree(ptr); 625 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]); 626 } 627 628 static void kmalloc_uaf_memset(struct kunit *test) 629 { 630 char *ptr; 631 size_t size = 33; 632 633 KASAN_TEST_NEEDS_CHECKED_MEMINTRINSICS(test); 634 635 /* 636 * Only generic KASAN uses quarantine, which is required to avoid a 637 * kernel memory corruption this test causes. 638 */ 639 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 640 641 ptr = kmalloc(size, GFP_KERNEL); 642 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 643 644 kfree(ptr); 645 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size)); 646 } 647 648 static void kmalloc_uaf2(struct kunit *test) 649 { 650 char *ptr1, *ptr2; 651 size_t size = 43; 652 int counter = 0; 653 654 again: 655 ptr1 = kmalloc(size, GFP_KERNEL); 656 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 657 658 kfree(ptr1); 659 660 ptr2 = kmalloc(size, GFP_KERNEL); 661 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 662 663 /* 664 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same. 665 * Allow up to 16 attempts at generating different tags. 666 */ 667 if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) { 668 kfree(ptr2); 669 goto again; 670 } 671 672 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]); 673 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2); 674 675 kfree(ptr2); 676 } 677 678 /* 679 * Check that KASAN detects use-after-free when another object was allocated in 680 * the same slot. Relevant for the tag-based modes, which do not use quarantine. 681 */ 682 static void kmalloc_uaf3(struct kunit *test) 683 { 684 char *ptr1, *ptr2; 685 size_t size = 100; 686 687 /* This test is specifically crafted for tag-based modes. */ 688 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 689 690 ptr1 = kmalloc(size, GFP_KERNEL); 691 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); 692 kfree(ptr1); 693 694 ptr2 = kmalloc(size, GFP_KERNEL); 695 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); 696 kfree(ptr2); 697 698 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]); 699 } 700 701 static void kasan_atomics_helper(struct kunit *test, void *unsafe, void *safe) 702 { 703 int *i_unsafe = unsafe; 704 705 KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*i_unsafe)); 706 KUNIT_EXPECT_KASAN_FAIL(test, WRITE_ONCE(*i_unsafe, 42)); 707 KUNIT_EXPECT_KASAN_FAIL(test, smp_load_acquire(i_unsafe)); 708 KUNIT_EXPECT_KASAN_FAIL(test, smp_store_release(i_unsafe, 42)); 709 710 KUNIT_EXPECT_KASAN_FAIL(test, atomic_read(unsafe)); 711 KUNIT_EXPECT_KASAN_FAIL(test, atomic_set(unsafe, 42)); 712 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add(42, unsafe)); 713 KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub(42, unsafe)); 714 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc(unsafe)); 715 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec(unsafe)); 716 KUNIT_EXPECT_KASAN_FAIL(test, atomic_and(42, unsafe)); 717 KUNIT_EXPECT_KASAN_FAIL(test, atomic_andnot(42, unsafe)); 718 KUNIT_EXPECT_KASAN_FAIL(test, atomic_or(42, unsafe)); 719 KUNIT_EXPECT_KASAN_FAIL(test, atomic_xor(42, unsafe)); 720 KUNIT_EXPECT_KASAN_FAIL(test, atomic_xchg(unsafe, 42)); 721 KUNIT_EXPECT_KASAN_FAIL(test, atomic_cmpxchg(unsafe, 21, 42)); 722 KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(unsafe, safe, 42)); 723 KUNIT_EXPECT_KASAN_FAIL(test, atomic_try_cmpxchg(safe, unsafe, 42)); 724 KUNIT_EXPECT_KASAN_FAIL(test, atomic_sub_and_test(42, unsafe)); 725 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_and_test(unsafe)); 726 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_and_test(unsafe)); 727 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_negative(42, unsafe)); 728 KUNIT_EXPECT_KASAN_FAIL(test, atomic_add_unless(unsafe, 21, 42)); 729 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_not_zero(unsafe)); 730 KUNIT_EXPECT_KASAN_FAIL(test, atomic_inc_unless_negative(unsafe)); 731 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_unless_positive(unsafe)); 732 KUNIT_EXPECT_KASAN_FAIL(test, atomic_dec_if_positive(unsafe)); 733 734 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_read(unsafe)); 735 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_set(unsafe, 42)); 736 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add(42, unsafe)); 737 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub(42, unsafe)); 738 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc(unsafe)); 739 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec(unsafe)); 740 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_and(42, unsafe)); 741 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_andnot(42, unsafe)); 742 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_or(42, unsafe)); 743 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xor(42, unsafe)); 744 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_xchg(unsafe, 42)); 745 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_cmpxchg(unsafe, 21, 42)); 746 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(unsafe, safe, 42)); 747 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_try_cmpxchg(safe, unsafe, 42)); 748 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_sub_and_test(42, unsafe)); 749 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_and_test(unsafe)); 750 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_and_test(unsafe)); 751 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_negative(42, unsafe)); 752 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_add_unless(unsafe, 21, 42)); 753 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_not_zero(unsafe)); 754 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_inc_unless_negative(unsafe)); 755 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_unless_positive(unsafe)); 756 KUNIT_EXPECT_KASAN_FAIL(test, atomic_long_dec_if_positive(unsafe)); 757 } 758 759 static void kasan_atomics(struct kunit *test) 760 { 761 void *a1, *a2; 762 763 /* 764 * Just as with kasan_bitops_tags(), we allocate 48 bytes of memory such 765 * that the following 16 bytes will make up the redzone. 766 */ 767 a1 = kzalloc(48, GFP_KERNEL); 768 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a1); 769 a2 = kzalloc(sizeof(atomic_long_t), GFP_KERNEL); 770 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, a2); 771 772 /* Use atomics to access the redzone. */ 773 kasan_atomics_helper(test, a1 + 48, a2); 774 775 kfree(a1); 776 kfree(a2); 777 } 778 779 static void kmalloc_double_kzfree(struct kunit *test) 780 { 781 char *ptr; 782 size_t size = 16; 783 784 ptr = kmalloc(size, GFP_KERNEL); 785 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 786 787 kfree_sensitive(ptr); 788 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr)); 789 } 790 791 /* Check that ksize() does NOT unpoison whole object. */ 792 static void ksize_unpoisons_memory(struct kunit *test) 793 { 794 char *ptr; 795 size_t size = 128 - KASAN_GRANULE_SIZE - 5; 796 size_t real_size; 797 798 ptr = kmalloc(size, GFP_KERNEL); 799 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 800 801 real_size = ksize(ptr); 802 KUNIT_EXPECT_GT(test, real_size, size); 803 804 OPTIMIZER_HIDE_VAR(ptr); 805 806 /* These accesses shouldn't trigger a KASAN report. */ 807 ptr[0] = 'x'; 808 ptr[size - 1] = 'x'; 809 810 /* These must trigger a KASAN report. */ 811 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 812 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]); 813 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size + 5]); 814 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]); 815 816 kfree(ptr); 817 } 818 819 /* 820 * Check that a use-after-free is detected by ksize() and via normal accesses 821 * after it. 822 */ 823 static void ksize_uaf(struct kunit *test) 824 { 825 char *ptr; 826 int size = 128 - KASAN_GRANULE_SIZE; 827 828 ptr = kmalloc(size, GFP_KERNEL); 829 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 830 kfree(ptr); 831 832 OPTIMIZER_HIDE_VAR(ptr); 833 KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr)); 834 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); 835 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]); 836 } 837 838 /* 839 * The two tests below check that Generic KASAN prints auxiliary stack traces 840 * for RCU callbacks and workqueues. The reports need to be inspected manually. 841 * 842 * These tests are still enabled for other KASAN modes to make sure that all 843 * modes report bad accesses in tested scenarios. 844 */ 845 846 static struct kasan_rcu_info { 847 int i; 848 struct rcu_head rcu; 849 } *global_rcu_ptr; 850 851 static void rcu_uaf_reclaim(struct rcu_head *rp) 852 { 853 struct kasan_rcu_info *fp = 854 container_of(rp, struct kasan_rcu_info, rcu); 855 856 kfree(fp); 857 ((volatile struct kasan_rcu_info *)fp)->i; 858 } 859 860 static void rcu_uaf(struct kunit *test) 861 { 862 struct kasan_rcu_info *ptr; 863 864 ptr = kmalloc(sizeof(struct kasan_rcu_info), GFP_KERNEL); 865 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 866 867 global_rcu_ptr = rcu_dereference_protected( 868 (struct kasan_rcu_info __rcu *)ptr, NULL); 869 870 KUNIT_EXPECT_KASAN_FAIL(test, 871 call_rcu(&global_rcu_ptr->rcu, rcu_uaf_reclaim); 872 rcu_barrier()); 873 } 874 875 static void workqueue_uaf_work(struct work_struct *work) 876 { 877 kfree(work); 878 } 879 880 static void workqueue_uaf(struct kunit *test) 881 { 882 struct workqueue_struct *workqueue; 883 struct work_struct *work; 884 885 workqueue = create_workqueue("kasan_workqueue_test"); 886 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, workqueue); 887 888 work = kmalloc(sizeof(struct work_struct), GFP_KERNEL); 889 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, work); 890 891 INIT_WORK(work, workqueue_uaf_work); 892 queue_work(workqueue, work); 893 destroy_workqueue(workqueue); 894 895 KUNIT_EXPECT_KASAN_FAIL(test, 896 ((volatile struct work_struct *)work)->data); 897 } 898 899 static void kfree_via_page(struct kunit *test) 900 { 901 char *ptr; 902 size_t size = 8; 903 struct page *page; 904 unsigned long offset; 905 906 ptr = kmalloc(size, GFP_KERNEL); 907 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 908 909 page = virt_to_page(ptr); 910 offset = offset_in_page(ptr); 911 kfree(page_address(page) + offset); 912 } 913 914 static void kfree_via_phys(struct kunit *test) 915 { 916 char *ptr; 917 size_t size = 8; 918 phys_addr_t phys; 919 920 ptr = kmalloc(size, GFP_KERNEL); 921 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 922 923 phys = virt_to_phys(ptr); 924 kfree(phys_to_virt(phys)); 925 } 926 927 static void kmem_cache_oob(struct kunit *test) 928 { 929 char *p; 930 size_t size = 200; 931 struct kmem_cache *cache; 932 933 cache = kmem_cache_create("test_cache", size, 0, 0, NULL); 934 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 935 936 p = kmem_cache_alloc(cache, GFP_KERNEL); 937 if (!p) { 938 kunit_err(test, "Allocation failed: %s\n", __func__); 939 kmem_cache_destroy(cache); 940 return; 941 } 942 943 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]); 944 945 kmem_cache_free(cache, p); 946 kmem_cache_destroy(cache); 947 } 948 949 static void kmem_cache_double_free(struct kunit *test) 950 { 951 char *p; 952 size_t size = 200; 953 struct kmem_cache *cache; 954 955 cache = kmem_cache_create("test_cache", size, 0, 0, NULL); 956 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 957 958 p = kmem_cache_alloc(cache, GFP_KERNEL); 959 if (!p) { 960 kunit_err(test, "Allocation failed: %s\n", __func__); 961 kmem_cache_destroy(cache); 962 return; 963 } 964 965 kmem_cache_free(cache, p); 966 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); 967 kmem_cache_destroy(cache); 968 } 969 970 static void kmem_cache_invalid_free(struct kunit *test) 971 { 972 char *p; 973 size_t size = 200; 974 struct kmem_cache *cache; 975 976 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, 977 NULL); 978 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 979 980 p = kmem_cache_alloc(cache, GFP_KERNEL); 981 if (!p) { 982 kunit_err(test, "Allocation failed: %s\n", __func__); 983 kmem_cache_destroy(cache); 984 return; 985 } 986 987 /* Trigger invalid free, the object doesn't get freed. */ 988 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1)); 989 990 /* 991 * Properly free the object to prevent the "Objects remaining in 992 * test_cache on __kmem_cache_shutdown" BUG failure. 993 */ 994 kmem_cache_free(cache, p); 995 996 kmem_cache_destroy(cache); 997 } 998 999 static void kmem_cache_rcu_uaf(struct kunit *test) 1000 { 1001 char *p; 1002 size_t size = 200; 1003 struct kmem_cache *cache; 1004 1005 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB_RCU_DEBUG); 1006 1007 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, 1008 NULL); 1009 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 1010 1011 p = kmem_cache_alloc(cache, GFP_KERNEL); 1012 if (!p) { 1013 kunit_err(test, "Allocation failed: %s\n", __func__); 1014 kmem_cache_destroy(cache); 1015 return; 1016 } 1017 *p = 1; 1018 1019 rcu_read_lock(); 1020 1021 /* Free the object - this will internally schedule an RCU callback. */ 1022 kmem_cache_free(cache, p); 1023 1024 /* 1025 * We should still be allowed to access the object at this point because 1026 * the cache is SLAB_TYPESAFE_BY_RCU and we've been in an RCU read-side 1027 * critical section since before the kmem_cache_free(). 1028 */ 1029 READ_ONCE(*p); 1030 1031 rcu_read_unlock(); 1032 1033 /* 1034 * Wait for the RCU callback to execute; after this, the object should 1035 * have actually been freed from KASAN's perspective. 1036 */ 1037 rcu_barrier(); 1038 1039 KUNIT_EXPECT_KASAN_FAIL(test, READ_ONCE(*p)); 1040 1041 kmem_cache_destroy(cache); 1042 } 1043 1044 static void empty_cache_ctor(void *object) { } 1045 1046 static void kmem_cache_double_destroy(struct kunit *test) 1047 { 1048 struct kmem_cache *cache; 1049 1050 /* Provide a constructor to prevent cache merging. */ 1051 cache = kmem_cache_create("test_cache", 200, 0, 0, empty_cache_ctor); 1052 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 1053 kmem_cache_destroy(cache); 1054 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_destroy(cache)); 1055 } 1056 1057 static void kmem_cache_accounted(struct kunit *test) 1058 { 1059 int i; 1060 char *p; 1061 size_t size = 200; 1062 struct kmem_cache *cache; 1063 1064 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL); 1065 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 1066 1067 /* 1068 * Several allocations with a delay to allow for lazy per memcg kmem 1069 * cache creation. 1070 */ 1071 for (i = 0; i < 5; i++) { 1072 p = kmem_cache_alloc(cache, GFP_KERNEL); 1073 if (!p) 1074 goto free_cache; 1075 1076 kmem_cache_free(cache, p); 1077 msleep(100); 1078 } 1079 1080 free_cache: 1081 kmem_cache_destroy(cache); 1082 } 1083 1084 static void kmem_cache_bulk(struct kunit *test) 1085 { 1086 struct kmem_cache *cache; 1087 size_t size = 200; 1088 char *p[10]; 1089 bool ret; 1090 int i; 1091 1092 cache = kmem_cache_create("test_cache", size, 0, 0, NULL); 1093 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 1094 1095 ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p); 1096 if (!ret) { 1097 kunit_err(test, "Allocation failed: %s\n", __func__); 1098 kmem_cache_destroy(cache); 1099 return; 1100 } 1101 1102 for (i = 0; i < ARRAY_SIZE(p); i++) 1103 p[i][0] = p[i][size - 1] = 42; 1104 1105 kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p); 1106 kmem_cache_destroy(cache); 1107 } 1108 1109 static void *mempool_prepare_kmalloc(struct kunit *test, mempool_t *pool, size_t size) 1110 { 1111 int pool_size = 4; 1112 int ret; 1113 void *elem; 1114 1115 memset(pool, 0, sizeof(*pool)); 1116 ret = mempool_init_kmalloc_pool(pool, pool_size, size); 1117 KUNIT_ASSERT_EQ(test, ret, 0); 1118 1119 /* 1120 * Allocate one element to prevent mempool from freeing elements to the 1121 * underlying allocator and instead make it add them to the element 1122 * list when the tests trigger double-free and invalid-free bugs. 1123 * This allows testing KASAN annotations in add_element(). 1124 */ 1125 elem = mempool_alloc_preallocated(pool); 1126 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1127 1128 return elem; 1129 } 1130 1131 static struct kmem_cache *mempool_prepare_slab(struct kunit *test, mempool_t *pool, size_t size) 1132 { 1133 struct kmem_cache *cache; 1134 int pool_size = 4; 1135 int ret; 1136 1137 cache = kmem_cache_create("test_cache", size, 0, 0, NULL); 1138 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); 1139 1140 memset(pool, 0, sizeof(*pool)); 1141 ret = mempool_init_slab_pool(pool, pool_size, cache); 1142 KUNIT_ASSERT_EQ(test, ret, 0); 1143 1144 /* 1145 * Do not allocate one preallocated element, as we skip the double-free 1146 * and invalid-free tests for slab mempool for simplicity. 1147 */ 1148 1149 return cache; 1150 } 1151 1152 static void *mempool_prepare_page(struct kunit *test, mempool_t *pool, int order) 1153 { 1154 int pool_size = 4; 1155 int ret; 1156 void *elem; 1157 1158 memset(pool, 0, sizeof(*pool)); 1159 ret = mempool_init_page_pool(pool, pool_size, order); 1160 KUNIT_ASSERT_EQ(test, ret, 0); 1161 1162 elem = mempool_alloc_preallocated(pool); 1163 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1164 1165 return elem; 1166 } 1167 1168 static void mempool_oob_right_helper(struct kunit *test, mempool_t *pool, size_t size) 1169 { 1170 char *elem; 1171 1172 elem = mempool_alloc_preallocated(pool); 1173 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1174 1175 OPTIMIZER_HIDE_VAR(elem); 1176 1177 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 1178 KUNIT_EXPECT_KASAN_FAIL(test, 1179 ((volatile char *)&elem[size])[0]); 1180 else 1181 KUNIT_EXPECT_KASAN_FAIL(test, 1182 ((volatile char *)&elem[round_up(size, KASAN_GRANULE_SIZE)])[0]); 1183 1184 mempool_free(elem, pool); 1185 } 1186 1187 static void mempool_kmalloc_oob_right(struct kunit *test) 1188 { 1189 mempool_t pool; 1190 size_t size = 128 - KASAN_GRANULE_SIZE - 5; 1191 void *extra_elem; 1192 1193 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1194 1195 mempool_oob_right_helper(test, &pool, size); 1196 1197 mempool_free(extra_elem, &pool); 1198 mempool_exit(&pool); 1199 } 1200 1201 static void mempool_kmalloc_large_oob_right(struct kunit *test) 1202 { 1203 mempool_t pool; 1204 size_t size = KMALLOC_MAX_CACHE_SIZE + 1; 1205 void *extra_elem; 1206 1207 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1208 1209 mempool_oob_right_helper(test, &pool, size); 1210 1211 mempool_free(extra_elem, &pool); 1212 mempool_exit(&pool); 1213 } 1214 1215 static void mempool_slab_oob_right(struct kunit *test) 1216 { 1217 mempool_t pool; 1218 size_t size = 123; 1219 struct kmem_cache *cache; 1220 1221 cache = mempool_prepare_slab(test, &pool, size); 1222 1223 mempool_oob_right_helper(test, &pool, size); 1224 1225 mempool_exit(&pool); 1226 kmem_cache_destroy(cache); 1227 } 1228 1229 /* 1230 * Skip the out-of-bounds test for page mempool. With Generic KASAN, page 1231 * allocations have no redzones, and thus the out-of-bounds detection is not 1232 * guaranteed; see https://bugzilla.kernel.org/show_bug.cgi?id=210503. With 1233 * the tag-based KASAN modes, the neighboring allocation might have the same 1234 * tag; see https://bugzilla.kernel.org/show_bug.cgi?id=203505. 1235 */ 1236 1237 static void mempool_uaf_helper(struct kunit *test, mempool_t *pool, bool page) 1238 { 1239 char *elem, *ptr; 1240 1241 elem = mempool_alloc_preallocated(pool); 1242 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1243 1244 mempool_free(elem, pool); 1245 1246 ptr = page ? page_address((struct page *)elem) : elem; 1247 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); 1248 } 1249 1250 static void mempool_kmalloc_uaf(struct kunit *test) 1251 { 1252 mempool_t pool; 1253 size_t size = 128; 1254 void *extra_elem; 1255 1256 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1257 1258 mempool_uaf_helper(test, &pool, false); 1259 1260 mempool_free(extra_elem, &pool); 1261 mempool_exit(&pool); 1262 } 1263 1264 static void mempool_kmalloc_large_uaf(struct kunit *test) 1265 { 1266 mempool_t pool; 1267 size_t size = KMALLOC_MAX_CACHE_SIZE + 1; 1268 void *extra_elem; 1269 1270 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1271 1272 mempool_uaf_helper(test, &pool, false); 1273 1274 mempool_free(extra_elem, &pool); 1275 mempool_exit(&pool); 1276 } 1277 1278 static void mempool_slab_uaf(struct kunit *test) 1279 { 1280 mempool_t pool; 1281 size_t size = 123; 1282 struct kmem_cache *cache; 1283 1284 cache = mempool_prepare_slab(test, &pool, size); 1285 1286 mempool_uaf_helper(test, &pool, false); 1287 1288 mempool_exit(&pool); 1289 kmem_cache_destroy(cache); 1290 } 1291 1292 static void mempool_page_alloc_uaf(struct kunit *test) 1293 { 1294 mempool_t pool; 1295 int order = 2; 1296 void *extra_elem; 1297 1298 extra_elem = mempool_prepare_page(test, &pool, order); 1299 1300 mempool_uaf_helper(test, &pool, true); 1301 1302 mempool_free(extra_elem, &pool); 1303 mempool_exit(&pool); 1304 } 1305 1306 static void mempool_double_free_helper(struct kunit *test, mempool_t *pool) 1307 { 1308 char *elem; 1309 1310 elem = mempool_alloc_preallocated(pool); 1311 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1312 1313 mempool_free(elem, pool); 1314 1315 KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem, pool)); 1316 } 1317 1318 static void mempool_kmalloc_double_free(struct kunit *test) 1319 { 1320 mempool_t pool; 1321 size_t size = 128; 1322 char *extra_elem; 1323 1324 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1325 1326 mempool_double_free_helper(test, &pool); 1327 1328 mempool_free(extra_elem, &pool); 1329 mempool_exit(&pool); 1330 } 1331 1332 static void mempool_kmalloc_large_double_free(struct kunit *test) 1333 { 1334 mempool_t pool; 1335 size_t size = KMALLOC_MAX_CACHE_SIZE + 1; 1336 char *extra_elem; 1337 1338 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1339 1340 mempool_double_free_helper(test, &pool); 1341 1342 mempool_free(extra_elem, &pool); 1343 mempool_exit(&pool); 1344 } 1345 1346 static void mempool_page_alloc_double_free(struct kunit *test) 1347 { 1348 mempool_t pool; 1349 int order = 2; 1350 char *extra_elem; 1351 1352 extra_elem = mempool_prepare_page(test, &pool, order); 1353 1354 mempool_double_free_helper(test, &pool); 1355 1356 mempool_free(extra_elem, &pool); 1357 mempool_exit(&pool); 1358 } 1359 1360 static void mempool_kmalloc_invalid_free_helper(struct kunit *test, mempool_t *pool) 1361 { 1362 char *elem; 1363 1364 elem = mempool_alloc_preallocated(pool); 1365 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, elem); 1366 1367 KUNIT_EXPECT_KASAN_FAIL(test, mempool_free(elem + 1, pool)); 1368 1369 mempool_free(elem, pool); 1370 } 1371 1372 static void mempool_kmalloc_invalid_free(struct kunit *test) 1373 { 1374 mempool_t pool; 1375 size_t size = 128; 1376 char *extra_elem; 1377 1378 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1379 1380 mempool_kmalloc_invalid_free_helper(test, &pool); 1381 1382 mempool_free(extra_elem, &pool); 1383 mempool_exit(&pool); 1384 } 1385 1386 static void mempool_kmalloc_large_invalid_free(struct kunit *test) 1387 { 1388 mempool_t pool; 1389 size_t size = KMALLOC_MAX_CACHE_SIZE + 1; 1390 char *extra_elem; 1391 1392 extra_elem = mempool_prepare_kmalloc(test, &pool, size); 1393 1394 mempool_kmalloc_invalid_free_helper(test, &pool); 1395 1396 mempool_free(extra_elem, &pool); 1397 mempool_exit(&pool); 1398 } 1399 1400 /* 1401 * Skip the invalid-free test for page mempool. The invalid-free detection only 1402 * works for compound pages and mempool preallocates all page elements without 1403 * the __GFP_COMP flag. 1404 */ 1405 1406 static char global_array[10]; 1407 1408 static void kasan_global_oob_right(struct kunit *test) 1409 { 1410 /* 1411 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS 1412 * from failing here and panicking the kernel, access the array via a 1413 * volatile pointer, which will prevent the compiler from being able to 1414 * determine the array bounds. 1415 * 1416 * This access uses a volatile pointer to char (char *volatile) rather 1417 * than the more conventional pointer to volatile char (volatile char *) 1418 * because we want to prevent the compiler from making inferences about 1419 * the pointer itself (i.e. its array bounds), not the data that it 1420 * refers to. 1421 */ 1422 char *volatile array = global_array; 1423 char *p = &array[ARRAY_SIZE(global_array) + 3]; 1424 1425 /* Only generic mode instruments globals. */ 1426 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 1427 1428 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); 1429 } 1430 1431 static void kasan_global_oob_left(struct kunit *test) 1432 { 1433 char *volatile array = global_array; 1434 char *p = array - 3; 1435 1436 /* 1437 * GCC is known to fail this test, skip it. 1438 * See https://bugzilla.kernel.org/show_bug.cgi?id=215051. 1439 */ 1440 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_CC_IS_CLANG); 1441 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 1442 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); 1443 } 1444 1445 static void kasan_stack_oob(struct kunit *test) 1446 { 1447 char stack_array[10]; 1448 /* See comment in kasan_global_oob_right. */ 1449 char *volatile array = stack_array; 1450 char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF]; 1451 1452 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK); 1453 1454 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); 1455 } 1456 1457 static void kasan_alloca_oob_left(struct kunit *test) 1458 { 1459 volatile int i = 10; 1460 char alloca_array[i]; 1461 /* See comment in kasan_global_oob_right. */ 1462 char *volatile array = alloca_array; 1463 char *p = array - 1; 1464 1465 /* Only generic mode instruments dynamic allocas. */ 1466 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 1467 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK); 1468 1469 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); 1470 } 1471 1472 static void kasan_alloca_oob_right(struct kunit *test) 1473 { 1474 volatile int i = 10; 1475 char alloca_array[i]; 1476 /* See comment in kasan_global_oob_right. */ 1477 char *volatile array = alloca_array; 1478 char *p = array + i; 1479 1480 /* Only generic mode instruments dynamic allocas. */ 1481 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 1482 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK); 1483 1484 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); 1485 } 1486 1487 static void kasan_memchr(struct kunit *test) 1488 { 1489 char *ptr; 1490 size_t size = 24; 1491 1492 /* 1493 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT. 1494 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details. 1495 */ 1496 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT); 1497 1498 if (OOB_TAG_OFF) 1499 size = round_up(size, OOB_TAG_OFF); 1500 1501 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); 1502 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1503 1504 OPTIMIZER_HIDE_VAR(ptr); 1505 OPTIMIZER_HIDE_VAR(size); 1506 KUNIT_EXPECT_KASAN_FAIL(test, 1507 kasan_ptr_result = memchr(ptr, '1', size + 1)); 1508 1509 kfree(ptr); 1510 } 1511 1512 static void kasan_memcmp(struct kunit *test) 1513 { 1514 char *ptr; 1515 size_t size = 24; 1516 int arr[9]; 1517 1518 /* 1519 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT. 1520 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details. 1521 */ 1522 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT); 1523 1524 if (OOB_TAG_OFF) 1525 size = round_up(size, OOB_TAG_OFF); 1526 1527 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); 1528 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1529 memset(arr, 0, sizeof(arr)); 1530 1531 OPTIMIZER_HIDE_VAR(ptr); 1532 OPTIMIZER_HIDE_VAR(size); 1533 KUNIT_EXPECT_KASAN_FAIL(test, 1534 kasan_int_result = memcmp(ptr, arr, size+1)); 1535 kfree(ptr); 1536 } 1537 1538 static void kasan_strings(struct kunit *test) 1539 { 1540 char *ptr; 1541 size_t size = 24; 1542 1543 /* 1544 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT. 1545 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details. 1546 */ 1547 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT); 1548 1549 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); 1550 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1551 1552 kfree(ptr); 1553 1554 /* 1555 * Try to cause only 1 invalid access (less spam in dmesg). 1556 * For that we need ptr to point to zeroed byte. 1557 * Skip metadata that could be stored in freed object so ptr 1558 * will likely point to zeroed byte. 1559 */ 1560 ptr += 16; 1561 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1')); 1562 1563 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1')); 1564 1565 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2")); 1566 1567 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1)); 1568 1569 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr)); 1570 1571 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1)); 1572 } 1573 1574 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr) 1575 { 1576 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr)); 1577 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr)); 1578 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr)); 1579 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr)); 1580 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr)); 1581 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr)); 1582 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr)); 1583 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr)); 1584 } 1585 1586 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr) 1587 { 1588 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr)); 1589 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr)); 1590 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr)); 1591 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr)); 1592 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr)); 1593 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr)); 1594 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr)); 1595 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr)); 1596 if (nr < 7) 1597 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = 1598 xor_unlock_is_negative_byte(1 << nr, addr)); 1599 } 1600 1601 static void kasan_bitops_generic(struct kunit *test) 1602 { 1603 long *bits; 1604 1605 /* This test is specifically crafted for the generic mode. */ 1606 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC); 1607 1608 /* 1609 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes; 1610 * this way we do not actually corrupt other memory. 1611 */ 1612 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL); 1613 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); 1614 1615 /* 1616 * Below calls try to access bit within allocated memory; however, the 1617 * below accesses are still out-of-bounds, since bitops are defined to 1618 * operate on the whole long the bit is in. 1619 */ 1620 kasan_bitops_modify(test, BITS_PER_LONG, bits); 1621 1622 /* 1623 * Below calls try to access bit beyond allocated memory. 1624 */ 1625 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits); 1626 1627 kfree(bits); 1628 } 1629 1630 static void kasan_bitops_tags(struct kunit *test) 1631 { 1632 long *bits; 1633 1634 /* This test is specifically crafted for tag-based modes. */ 1635 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 1636 1637 /* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */ 1638 bits = kzalloc(48, GFP_KERNEL); 1639 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); 1640 1641 /* Do the accesses past the 48 allocated bytes, but within the redone. */ 1642 kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48); 1643 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48); 1644 1645 kfree(bits); 1646 } 1647 1648 static void vmalloc_helpers_tags(struct kunit *test) 1649 { 1650 void *ptr; 1651 1652 /* This test is intended for tag-based modes. */ 1653 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 1654 1655 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC); 1656 1657 if (!kasan_vmalloc_enabled()) 1658 kunit_skip(test, "Test requires kasan.vmalloc=on"); 1659 1660 ptr = vmalloc(PAGE_SIZE); 1661 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1662 1663 /* Check that the returned pointer is tagged. */ 1664 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN); 1665 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); 1666 1667 /* Make sure exported vmalloc helpers handle tagged pointers. */ 1668 KUNIT_ASSERT_TRUE(test, is_vmalloc_addr(ptr)); 1669 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, vmalloc_to_page(ptr)); 1670 1671 #if !IS_MODULE(CONFIG_KASAN_KUNIT_TEST) 1672 { 1673 int rv; 1674 1675 /* Make sure vmalloc'ed memory permissions can be changed. */ 1676 rv = set_memory_ro((unsigned long)ptr, 1); 1677 KUNIT_ASSERT_GE(test, rv, 0); 1678 rv = set_memory_rw((unsigned long)ptr, 1); 1679 KUNIT_ASSERT_GE(test, rv, 0); 1680 } 1681 #endif 1682 1683 vfree(ptr); 1684 } 1685 1686 static void vmalloc_oob(struct kunit *test) 1687 { 1688 char *v_ptr, *p_ptr; 1689 struct page *page; 1690 size_t size = PAGE_SIZE / 2 - KASAN_GRANULE_SIZE - 5; 1691 1692 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC); 1693 1694 if (!kasan_vmalloc_enabled()) 1695 kunit_skip(test, "Test requires kasan.vmalloc=on"); 1696 1697 v_ptr = vmalloc(size); 1698 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr); 1699 1700 OPTIMIZER_HIDE_VAR(v_ptr); 1701 1702 /* 1703 * We have to be careful not to hit the guard page in vmalloc tests. 1704 * The MMU will catch that and crash us. 1705 */ 1706 1707 /* Make sure in-bounds accesses are valid. */ 1708 v_ptr[0] = 0; 1709 v_ptr[size - 1] = 0; 1710 1711 /* 1712 * An unaligned access past the requested vmalloc size. 1713 * Only generic KASAN can precisely detect these. 1714 */ 1715 if (IS_ENABLED(CONFIG_KASAN_GENERIC)) 1716 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size]); 1717 1718 /* An aligned access into the first out-of-bounds granule. */ 1719 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)v_ptr)[size + 5]); 1720 1721 /* Check that in-bounds accesses to the physical page are valid. */ 1722 page = vmalloc_to_page(v_ptr); 1723 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page); 1724 p_ptr = page_address(page); 1725 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr); 1726 p_ptr[0] = 0; 1727 1728 vfree(v_ptr); 1729 1730 /* 1731 * We can't check for use-after-unmap bugs in this nor in the following 1732 * vmalloc tests, as the page might be fully unmapped and accessing it 1733 * will crash the kernel. 1734 */ 1735 } 1736 1737 static void vmap_tags(struct kunit *test) 1738 { 1739 char *p_ptr, *v_ptr; 1740 struct page *p_page, *v_page; 1741 1742 /* 1743 * This test is specifically crafted for the software tag-based mode, 1744 * the only tag-based mode that poisons vmap mappings. 1745 */ 1746 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS); 1747 1748 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC); 1749 1750 if (!kasan_vmalloc_enabled()) 1751 kunit_skip(test, "Test requires kasan.vmalloc=on"); 1752 1753 p_page = alloc_pages(GFP_KERNEL, 1); 1754 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_page); 1755 p_ptr = page_address(p_page); 1756 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr); 1757 1758 v_ptr = vmap(&p_page, 1, VM_MAP, PAGE_KERNEL); 1759 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr); 1760 1761 /* 1762 * We can't check for out-of-bounds bugs in this nor in the following 1763 * vmalloc tests, as allocations have page granularity and accessing 1764 * the guard page will crash the kernel. 1765 */ 1766 1767 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN); 1768 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL); 1769 1770 /* Make sure that in-bounds accesses through both pointers work. */ 1771 *p_ptr = 0; 1772 *v_ptr = 0; 1773 1774 /* Make sure vmalloc_to_page() correctly recovers the page pointer. */ 1775 v_page = vmalloc_to_page(v_ptr); 1776 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_page); 1777 KUNIT_EXPECT_PTR_EQ(test, p_page, v_page); 1778 1779 vunmap(v_ptr); 1780 free_pages((unsigned long)p_ptr, 1); 1781 } 1782 1783 static void vm_map_ram_tags(struct kunit *test) 1784 { 1785 char *p_ptr, *v_ptr; 1786 struct page *page; 1787 1788 /* 1789 * This test is specifically crafted for the software tag-based mode, 1790 * the only tag-based mode that poisons vm_map_ram mappings. 1791 */ 1792 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_SW_TAGS); 1793 1794 page = alloc_pages(GFP_KERNEL, 1); 1795 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, page); 1796 p_ptr = page_address(page); 1797 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, p_ptr); 1798 1799 v_ptr = vm_map_ram(&page, 1, -1); 1800 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, v_ptr); 1801 1802 KUNIT_EXPECT_GE(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_MIN); 1803 KUNIT_EXPECT_LT(test, (u8)get_tag(v_ptr), (u8)KASAN_TAG_KERNEL); 1804 1805 /* Make sure that in-bounds accesses through both pointers work. */ 1806 *p_ptr = 0; 1807 *v_ptr = 0; 1808 1809 vm_unmap_ram(v_ptr, 1); 1810 free_pages((unsigned long)p_ptr, 1); 1811 } 1812 1813 /* 1814 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN, 1815 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based 1816 * modes. 1817 */ 1818 static void match_all_not_assigned(struct kunit *test) 1819 { 1820 char *ptr; 1821 struct page *pages; 1822 int i, size, order; 1823 1824 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 1825 1826 for (i = 0; i < 256; i++) { 1827 size = get_random_u32_inclusive(1, 1024); 1828 ptr = kmalloc(size, GFP_KERNEL); 1829 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1830 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN); 1831 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); 1832 kfree(ptr); 1833 } 1834 1835 for (i = 0; i < 256; i++) { 1836 order = get_random_u32_inclusive(1, 4); 1837 pages = alloc_pages(GFP_KERNEL, order); 1838 ptr = page_address(pages); 1839 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1840 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN); 1841 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); 1842 free_pages((unsigned long)ptr, order); 1843 } 1844 1845 if (!kasan_vmalloc_enabled()) 1846 return; 1847 1848 for (i = 0; i < 256; i++) { 1849 size = get_random_u32_inclusive(1, 1024); 1850 ptr = vmalloc(size); 1851 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1852 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN); 1853 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); 1854 vfree(ptr); 1855 } 1856 } 1857 1858 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */ 1859 static void match_all_ptr_tag(struct kunit *test) 1860 { 1861 char *ptr; 1862 u8 tag; 1863 1864 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 1865 1866 ptr = kmalloc(128, GFP_KERNEL); 1867 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1868 1869 /* Backup the assigned tag. */ 1870 tag = get_tag(ptr); 1871 KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL); 1872 1873 /* Reset the tag to 0xff.*/ 1874 ptr = set_tag(ptr, KASAN_TAG_KERNEL); 1875 1876 /* This access shouldn't trigger a KASAN report. */ 1877 *ptr = 0; 1878 1879 /* Recover the pointer tag and free. */ 1880 ptr = set_tag(ptr, tag); 1881 kfree(ptr); 1882 } 1883 1884 /* Check that there are no match-all memory tags for tag-based modes. */ 1885 static void match_all_mem_tag(struct kunit *test) 1886 { 1887 char *ptr; 1888 int tag; 1889 1890 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC); 1891 1892 ptr = kmalloc(128, GFP_KERNEL); 1893 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); 1894 KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); 1895 1896 /* For each possible tag value not matching the pointer tag. */ 1897 for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) { 1898 /* 1899 * For Software Tag-Based KASAN, skip the majority of tag 1900 * values to avoid the test printing too many reports. 1901 */ 1902 if (IS_ENABLED(CONFIG_KASAN_SW_TAGS) && 1903 tag >= KASAN_TAG_MIN + 8 && tag <= KASAN_TAG_KERNEL - 8) 1904 continue; 1905 1906 if (tag == get_tag(ptr)) 1907 continue; 1908 1909 /* Mark the first memory granule with the chosen memory tag. */ 1910 kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false); 1911 1912 /* This access must cause a KASAN report. */ 1913 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0); 1914 } 1915 1916 /* Recover the memory tag and free. */ 1917 kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false); 1918 kfree(ptr); 1919 } 1920 1921 /* 1922 * Check that Rust performing a use-after-free using `unsafe` is detected. 1923 * This is a smoke test to make sure that Rust is being sanitized properly. 1924 */ 1925 static void rust_uaf(struct kunit *test) 1926 { 1927 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST); 1928 KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); 1929 } 1930 1931 static struct kunit_case kasan_kunit_test_cases[] = { 1932 KUNIT_CASE(kmalloc_oob_right), 1933 KUNIT_CASE(kmalloc_oob_left), 1934 KUNIT_CASE(kmalloc_node_oob_right), 1935 KUNIT_CASE(kmalloc_big_oob_right), 1936 KUNIT_CASE(kmalloc_large_oob_right), 1937 KUNIT_CASE(kmalloc_large_uaf), 1938 KUNIT_CASE(kmalloc_large_invalid_free), 1939 KUNIT_CASE(page_alloc_oob_right), 1940 KUNIT_CASE(page_alloc_uaf), 1941 KUNIT_CASE(krealloc_more_oob), 1942 KUNIT_CASE(krealloc_less_oob), 1943 KUNIT_CASE(krealloc_large_more_oob), 1944 KUNIT_CASE(krealloc_large_less_oob), 1945 KUNIT_CASE(krealloc_uaf), 1946 KUNIT_CASE(kmalloc_oob_16), 1947 KUNIT_CASE(kmalloc_uaf_16), 1948 KUNIT_CASE(kmalloc_oob_in_memset), 1949 KUNIT_CASE(kmalloc_oob_memset_2), 1950 KUNIT_CASE(kmalloc_oob_memset_4), 1951 KUNIT_CASE(kmalloc_oob_memset_8), 1952 KUNIT_CASE(kmalloc_oob_memset_16), 1953 KUNIT_CASE(kmalloc_memmove_negative_size), 1954 KUNIT_CASE(kmalloc_memmove_invalid_size), 1955 KUNIT_CASE(kmalloc_uaf), 1956 KUNIT_CASE(kmalloc_uaf_memset), 1957 KUNIT_CASE(kmalloc_uaf2), 1958 KUNIT_CASE(kmalloc_uaf3), 1959 KUNIT_CASE(kmalloc_double_kzfree), 1960 KUNIT_CASE(ksize_unpoisons_memory), 1961 KUNIT_CASE(ksize_uaf), 1962 KUNIT_CASE(rcu_uaf), 1963 KUNIT_CASE(workqueue_uaf), 1964 KUNIT_CASE(kfree_via_page), 1965 KUNIT_CASE(kfree_via_phys), 1966 KUNIT_CASE(kmem_cache_oob), 1967 KUNIT_CASE(kmem_cache_double_free), 1968 KUNIT_CASE(kmem_cache_invalid_free), 1969 KUNIT_CASE(kmem_cache_rcu_uaf), 1970 KUNIT_CASE(kmem_cache_double_destroy), 1971 KUNIT_CASE(kmem_cache_accounted), 1972 KUNIT_CASE(kmem_cache_bulk), 1973 KUNIT_CASE(mempool_kmalloc_oob_right), 1974 KUNIT_CASE(mempool_kmalloc_large_oob_right), 1975 KUNIT_CASE(mempool_slab_oob_right), 1976 KUNIT_CASE(mempool_kmalloc_uaf), 1977 KUNIT_CASE(mempool_kmalloc_large_uaf), 1978 KUNIT_CASE(mempool_slab_uaf), 1979 KUNIT_CASE(mempool_page_alloc_uaf), 1980 KUNIT_CASE(mempool_kmalloc_double_free), 1981 KUNIT_CASE(mempool_kmalloc_large_double_free), 1982 KUNIT_CASE(mempool_page_alloc_double_free), 1983 KUNIT_CASE(mempool_kmalloc_invalid_free), 1984 KUNIT_CASE(mempool_kmalloc_large_invalid_free), 1985 KUNIT_CASE(kasan_global_oob_right), 1986 KUNIT_CASE(kasan_global_oob_left), 1987 KUNIT_CASE(kasan_stack_oob), 1988 KUNIT_CASE(kasan_alloca_oob_left), 1989 KUNIT_CASE(kasan_alloca_oob_right), 1990 KUNIT_CASE(kasan_memchr), 1991 KUNIT_CASE(kasan_memcmp), 1992 KUNIT_CASE(kasan_strings), 1993 KUNIT_CASE(kasan_bitops_generic), 1994 KUNIT_CASE(kasan_bitops_tags), 1995 KUNIT_CASE(kasan_atomics), 1996 KUNIT_CASE(vmalloc_helpers_tags), 1997 KUNIT_CASE(vmalloc_oob), 1998 KUNIT_CASE(vmap_tags), 1999 KUNIT_CASE(vm_map_ram_tags), 2000 KUNIT_CASE(match_all_not_assigned), 2001 KUNIT_CASE(match_all_ptr_tag), 2002 KUNIT_CASE(match_all_mem_tag), 2003 KUNIT_CASE(rust_uaf), 2004 {} 2005 }; 2006 2007 static struct kunit_suite kasan_kunit_test_suite = { 2008 .name = "kasan", 2009 .test_cases = kasan_kunit_test_cases, 2010 .exit = kasan_test_exit, 2011 .suite_init = kasan_suite_init, 2012 .suite_exit = kasan_suite_exit, 2013 }; 2014 2015 kunit_test_suite(kasan_kunit_test_suite); 2016 2017 MODULE_LICENSE("GPL"); 2018