| Message ID | 20240923115252.3562956-1-ruanjinjie@huawei.com (mailing list archive) |
|---|---|
| State | In Next |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | ipe: Fix out-of-bound access of kunit_suite_num_test_cases() | expand |
On Mon, Sep 23, 2024 at 7:42 AM Jinjie Ruan <ruanjinjie@huawei.com> wrote: > > Currently, there is no terminator entry for ipe_parser_test_cases, > hence facing below KASAN warning, > > BUG: KASAN: global-out-of-bounds in kunit_suite_num_test_cases+0xb4/0xcc > Read of size 8 at addr ffffffe21035fec0 by task swapper/0/1 > > CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G N 6.11.0+ #327 > Tainted: [N]=TEST > Hardware name: linux,dummy-virt (DT) > Call trace: > dump_backtrace+0x94/0xec > show_stack+0x18/0x24 > dump_stack_lvl+0x90/0xd0 > print_report+0x1f4/0x5b4 > kasan_report+0xc8/0x110 > __asan_report_load8_noabort+0x20/0x2c > kunit_suite_num_test_cases+0xb4/0xcc > attr_module_get+0x54/0xc0 > kunit_print_attr+0x234/0x358 > kunit_run_tests+0x138/0xbf4 > __kunit_test_suites_init+0x110/0x1d0 > kunit_run_all_tests+0x358/0x394 > kernel_init_freeable+0x488/0x61c > kernel_init+0x24/0x1e4 > ret_from_fork+0x10/0x20 > > The buggy address belongs to the variable: > ipe_parser_test_cases+0x60/0x1ba0 > > The buggy address belongs to the virtual mapping at > [ffffffe20ffe0000, ffffffe2120c1000) created by: > paging_init+0x474/0x60c > > The buggy address belongs to the physical page: > page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4535f > flags: 0x3fffe0000002000(reserved|node=0|zone=0|lastcpupid=0x1ffff) > raw: 03fffe0000002000 fffffffec014d7c8 fffffffec014d7c8 0000000000000000 > raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffffffe21035fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffffffe21035fe00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 > >ffffffe21035fe80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 > ^ > ffffffe21035ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffffffe21035ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ================================================================== > > Add a dummy terminator entry at the end to assist > kunit_suite_num_test_cases() in traversing up to the terminator entry > without accessing an out-of-boundary index. > > Fixes: 10ca05a76065 ("ipe: kunit test for parser") > Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com> > --- > security/ipe/policy_tests.c | 1 + > 1 file changed, 1 insertion(+) Thanks, I just saw this reported last night with the same patch/fix, lore link below. I'm giving it a few hours for Fan to come online and ACK the patch, but if I don't hear from Fan by this afternoon I'll merge it and send it up to Linus. https://lore.kernel.org/linux-security-module/20240922145226.491815-1-linux@roeck-us.net/ > diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c > index 89521f6b9994..0725fe36f8bb 100644 > --- a/security/ipe/policy_tests.c > +++ b/security/ipe/policy_tests.c > @@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test) > static struct kunit_case ipe_parser_test_cases[] = { > KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params), > KUNIT_CASE(ipe_parser_widestring_test), > + {} > }; > > static struct kunit_suite ipe_parser_test_suite = { > -- > 2.34.1
diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c index 89521f6b9994..0725fe36f8bb 100644 --- a/security/ipe/policy_tests.c +++ b/security/ipe/policy_tests.c @@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test) static struct kunit_case ipe_parser_test_cases[] = { KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params), KUNIT_CASE(ipe_parser_widestring_test), + {} }; static struct kunit_suite ipe_parser_test_suite = {