From patchwork Thu Feb 27 02:43:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Patricia Alfonso X-Patchwork-Id: 11407641 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 91A1C14D5 for ; Thu, 27 Feb 2020 02:44:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 47C962467B for ; Thu, 27 Feb 2020 02:44:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="hNF4XMAW" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728186AbgB0Cok (ORCPT ); Wed, 26 Feb 2020 21:44:40 -0500 Received: from mail-qv1-f74.google.com ([209.85.219.74]:35315 "EHLO mail-qv1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728094AbgB0Cok (ORCPT ); Wed, 26 Feb 2020 21:44:40 -0500 Received: by mail-qv1-f74.google.com with SMTP id v3so1750968qvm.2 for ; Wed, 26 Feb 2020 18:44:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=6xAzi9qdeq5JU426+oZoJQTFxps8F95QOMz09BM5oGo=; b=hNF4XMAWckWSOoer4Iq1xeyqBDVSF6HjSP8JCxb9g/UhQFUPLnE4ZnQr5xGOqW1nn4 pd9PRzSgYCRtK+7/BPcQw1AduePfzAf53DHZCjeqpz2ubwh6AKEZ3p2SUC3hefYJ7Wsf fRpsrud1D4Ak45DqmjtpGAYtc3K9SSZSGZtm/wIZsjemj/5XkKF4QaDWs9aqADkyUhh3 srLwV0VbUTZ36yXgkgLKujjKKkQptFdp4bfF/dJCamelIc0bMITbgciSaHdevlAdosUQ Mmr+tc3qSiLWuyWcod8vrS1pBOAglFsKBwBhpgWtX3J8BXwzYI5RAy/mu/zkcfvAhqF0 JH9w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=6xAzi9qdeq5JU426+oZoJQTFxps8F95QOMz09BM5oGo=; b=JstftsJrK5g+ry8QBV2/qvRJmR56ztS3+I49fYxS7m87u43r5q4z4Nn42iATr3KUMV pNL4Io39xkDoMaCsDdkRxtUd7HGylAY4Sg3goZIDWIHwVXS4ck2qp7MEdvvBL8fPSYUJ 3M/OoGEhKUVpCaHSpuHP/reX1Mp6M5IJFNFKs/dBbwNvEPaBG/Eaz2kjWoNefVcbpCzJ wPuKshvJJvirzoSDztfhTu1tDjLjT7fYDAXdKwHUnmOAlhzDCgMuplKNVX/5pFUBofth OEpQpr95Qzc9kkS85E798D7eAJZDEEMXOarJcHxLOHX1oh3P/sZzGQlp6mpt6ezB1uy/ 7UsQ== X-Gm-Message-State: APjAAAXC3Vbn9SZwNI1djVUO3BbIT64GLUABVZxk6lRDcNqXKWtMpFBG 1l1oJgwyxERquoVQvtltZgs+/R02Hd6gxgcn5YU= X-Google-Smtp-Source: APXvYqypWPXj6XKjEQ6PvfRLZu6jyQFaad64TLg0tKwCtyPZHR4tTl5fIaybqmpPOk4aner7hnxHc1K6IgdU/pLcYTE= X-Received: by 2002:a0c:fca2:: with SMTP id h2mr2450728qvq.146.1582771478756; Wed, 26 Feb 2020 18:44:38 -0800 (PST) Date: Wed, 26 Feb 2020 18:43:00 -0800 Message-Id: <20200227024301.217042-1-trishalfonso@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.25.0.265.gbab2e86ba0-goog Subject: [RFC PATCH 1/2] Port KASAN Tests to KUnit From: Patricia Alfonso To: aryabinin@virtuozzo.com, dvyukov@google.com, brendanhiggins@google.com, davidgow@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com, Patricia Alfonso Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Transfer all previous tests for KASAN to KUnit so they can be run more easily. With proper KASAN integration into KUnit, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. Stack tests do not work in UML so those tests are protected inside an "#if (CONFIG_KASAN_STACK == 1)" so this only runs if stack instrumentation is enabled. Signed-off-by: Patricia Alfonso --- The KUnit version of these tests could be in addition to the existing tests if that is preferred. lib/Kconfig.kasan | 2 +- lib/test_kasan.c | 352 +++++++++++++++++++++------------------------- 2 files changed, 161 insertions(+), 193 deletions(-) diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f8cc9ed60677 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -160,7 +160,7 @@ config KASAN_VMALLOC config TEST_KASAN tristate "Module for testing KASAN for bug detection" - depends on m && KASAN + depends on KASAN && KUNIT help This is a test module doing various nasty things like out of bounds accesses, use after free. It is useful for testing diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 3872d250ed2c..988650387a2a 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,17 +23,18 @@ #include +#include + /* * Note: test functions are marked noinline so that their names appear in * reports. */ -static noinline void __init kmalloc_oob_right(void) +static noinline void kmalloc_oob_right(void) { char *ptr; size_t size = 123; - pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -44,12 +45,11 @@ static noinline void __init kmalloc_oob_right(void) kfree(ptr); } -static noinline void __init kmalloc_oob_left(void) +static noinline void kmalloc_oob_left(void) { char *ptr; size_t size = 15; - pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -60,12 +60,11 @@ static noinline void __init kmalloc_oob_left(void) kfree(ptr); } -static noinline void __init kmalloc_node_oob_right(void) +static noinline void kmalloc_node_oob_right(void) { char *ptr; size_t size = 4096; - pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0); if (!ptr) { pr_err("Allocation failed\n"); @@ -77,7 +76,7 @@ static noinline void __init kmalloc_node_oob_right(void) } #ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static noinline void kmalloc_pagealloc_oob_right(void) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -85,7 +84,6 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */ - pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -96,12 +94,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) kfree(ptr); } -static noinline void __init kmalloc_pagealloc_uaf(void) +static noinline void kmalloc_pagealloc_uaf(void) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -112,12 +109,11 @@ static noinline void __init kmalloc_pagealloc_uaf(void) ptr[0] = 0; } -static noinline void __init kmalloc_pagealloc_invalid_free(void) +static noinline void kmalloc_pagealloc_invalid_free(void) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -128,14 +124,13 @@ static noinline void __init kmalloc_pagealloc_invalid_free(void) } #endif -static noinline void __init kmalloc_large_oob_right(void) +static noinline void kmalloc_large_oob_right(void) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */ - pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -146,13 +141,12 @@ static noinline void __init kmalloc_large_oob_right(void) kfree(ptr); } -static noinline void __init kmalloc_oob_krealloc_more(void) +static noinline void kmalloc_oob_krealloc_more(void) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19; - pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL); ptr2 = krealloc(ptr1, size2, GFP_KERNEL); if (!ptr1 || !ptr2) { @@ -166,13 +160,12 @@ static noinline void __init kmalloc_oob_krealloc_more(void) kfree(ptr2); } -static noinline void __init kmalloc_oob_krealloc_less(void) +static noinline void kmalloc_oob_krealloc_less(void) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15; - pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL); ptr2 = krealloc(ptr1, size2, GFP_KERNEL); if (!ptr1 || !ptr2) { @@ -184,13 +177,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void) kfree(ptr2); } -static noinline void __init kmalloc_oob_16(void) +static noinline void kmalloc_oob_16(void) { struct { u64 words[2]; } *ptr1, *ptr2; - pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); if (!ptr1 || !ptr2) { @@ -204,12 +196,11 @@ static noinline void __init kmalloc_oob_16(void) kfree(ptr2); } -static noinline void __init kmalloc_oob_memset_2(void) +static noinline void kmalloc_oob_memset_2(void) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -220,12 +211,11 @@ static noinline void __init kmalloc_oob_memset_2(void) kfree(ptr); } -static noinline void __init kmalloc_oob_memset_4(void) +static noinline void kmalloc_oob_memset_4(void) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -237,12 +227,11 @@ static noinline void __init kmalloc_oob_memset_4(void) } -static noinline void __init kmalloc_oob_memset_8(void) +static noinline void kmalloc_oob_memset_8(void) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -253,12 +242,11 @@ static noinline void __init kmalloc_oob_memset_8(void) kfree(ptr); } -static noinline void __init kmalloc_oob_memset_16(void) +static noinline void kmalloc_oob_memset_16(void) { char *ptr; size_t size = 16; - pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -269,12 +257,11 @@ static noinline void __init kmalloc_oob_memset_16(void) kfree(ptr); } -static noinline void __init kmalloc_oob_in_memset(void) +static noinline void kmalloc_oob_in_memset(void) { char *ptr; size_t size = 666; - pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -285,12 +272,11 @@ static noinline void __init kmalloc_oob_in_memset(void) kfree(ptr); } -static noinline void __init kmalloc_uaf(void) +static noinline void kmalloc_uaf(void) { char *ptr; size_t size = 10; - pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -301,12 +287,11 @@ static noinline void __init kmalloc_uaf(void) *(ptr + 8) = 'x'; } -static noinline void __init kmalloc_uaf_memset(void) +static noinline void kmalloc_uaf_memset(void) { char *ptr; size_t size = 33; - pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -317,12 +302,11 @@ static noinline void __init kmalloc_uaf_memset(void) memset(ptr, 0, size); } -static noinline void __init kmalloc_uaf2(void) +static noinline void kmalloc_uaf2(void) { char *ptr1, *ptr2; size_t size = 43; - pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL); if (!ptr1) { pr_err("Allocation failed\n"); @@ -342,14 +326,13 @@ static noinline void __init kmalloc_uaf2(void) kfree(ptr2); } -static noinline void __init kfree_via_page(void) +static noinline void kfree_via_page(void) { char *ptr; size_t size = 8; struct page *page; unsigned long offset; - pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -361,13 +344,12 @@ static noinline void __init kfree_via_page(void) kfree(page_address(page) + offset); } -static noinline void __init kfree_via_phys(void) +static noinline void kfree_via_phys(void) { char *ptr; size_t size = 8; phys_addr_t phys; - pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -378,7 +360,7 @@ static noinline void __init kfree_via_phys(void) kfree(phys_to_virt(phys)); } -static noinline void __init kmem_cache_oob(void) +static noinline void kmem_cache_oob(void) { char *p; size_t size = 200; @@ -389,7 +371,6 @@ static noinline void __init kmem_cache_oob(void) pr_err("Cache allocation failed\n"); return; } - pr_info("out-of-bounds in kmem_cache_alloc\n"); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { pr_err("Allocation failed\n"); @@ -402,7 +383,7 @@ static noinline void __init kmem_cache_oob(void) kmem_cache_destroy(cache); } -static noinline void __init memcg_accounted_kmem_cache(void) +static noinline void memcg_accounted_kmem_cache(void) { int i; char *p; @@ -415,7 +396,6 @@ static noinline void __init memcg_accounted_kmem_cache(void) return; } - pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation. @@ -435,31 +415,19 @@ static noinline void __init memcg_accounted_kmem_cache(void) static char global_array[10]; -static noinline void __init kasan_global_oob(void) +static noinline void kasan_global_oob(void) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i]; - pr_info("out-of-bounds global variable\n"); - *(volatile char *)p; -} - -static noinline void __init kasan_stack_oob(void) -{ - char stack_array[10]; - volatile int i = 0; - char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - - pr_info("out-of-bounds on stack\n"); *(volatile char *)p; } -static noinline void __init ksize_unpoisons_memory(void) +static noinline void ksize_unpoisons_memory(void) { char *ptr; size_t size = 123, real_size; - pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -473,72 +441,36 @@ static noinline void __init ksize_unpoisons_memory(void) kfree(ptr); } -static noinline void __init copy_user_test(void) +#if (CONFIG_KASAN_STACK == 1) +static noinline void kasan_stack_oob(void) { - char *kmem; - char __user *usermem; - size_t size = 10; - int unused; - - kmem = kmalloc(size, GFP_KERNEL); - if (!kmem) - return; - - usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, - PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_ANONYMOUS | MAP_PRIVATE, 0); - if (IS_ERR(usermem)) { - pr_err("Failed to allocate user memory\n"); - kfree(kmem); - return; - } - - pr_info("out-of-bounds in copy_from_user()\n"); - unused = copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in copy_to_user()\n"); - unused = copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user()\n"); - unused = __copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user()\n"); - unused = __copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); - unused = __copy_from_user_inatomic(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); - unused = __copy_to_user_inatomic(usermem, kmem, size + 1); - - pr_info("out-of-bounds in strncpy_from_user()\n"); - unused = strncpy_from_user(kmem, usermem, size + 1); + char stack_array[10]; + volatile int i = 0; + char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - vm_munmap((unsigned long)usermem, PAGE_SIZE); - kfree(kmem); + *(volatile char *)p; } -static noinline void __init kasan_alloca_oob_left(void) +static noinline void kasan_alloca_oob_left(void) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1; - pr_info("out-of-bounds to left on alloca\n"); *(volatile char *)p; } -static noinline void __init kasan_alloca_oob_right(void) +static noinline void kasan_alloca_oob_right(void) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i; - pr_info("out-of-bounds to right on alloca\n"); *(volatile char *)p; } +#endif /* CONFIG_KASAN_STACK */ -static noinline void __init kmem_cache_double_free(void) +static noinline void kmem_cache_double_free(void) { char *p; size_t size = 200; @@ -549,7 +481,6 @@ static noinline void __init kmem_cache_double_free(void) pr_err("Cache allocation failed\n"); return; } - pr_info("double-free on heap object\n"); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { pr_err("Allocation failed\n"); @@ -562,7 +493,7 @@ static noinline void __init kmem_cache_double_free(void) kmem_cache_destroy(cache); } -static noinline void __init kmem_cache_invalid_free(void) +static noinline void kmem_cache_invalid_free(void) { char *p; size_t size = 200; @@ -574,7 +505,6 @@ static noinline void __init kmem_cache_invalid_free(void) pr_err("Cache allocation failed\n"); return; } - pr_info("invalid-free of heap object\n"); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { pr_err("Allocation failed\n"); @@ -594,12 +524,11 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); } -static noinline void __init kasan_memchr(void) +static noinline void kasan_memchr(void) { char *ptr; size_t size = 24; - pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); if (!ptr) return; @@ -608,13 +537,12 @@ static noinline void __init kasan_memchr(void) kfree(ptr); } -static noinline void __init kasan_memcmp(void) +static noinline void kasan_memcmp(void) { char *ptr; size_t size = 24; int arr[9]; - pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); if (!ptr) return; @@ -624,12 +552,11 @@ static noinline void __init kasan_memcmp(void) kfree(ptr); } -static noinline void __init kasan_strings(void) +static noinline void kasan_strings(void) { char *ptr; size_t size = 24; - pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); if (!ptr) return; @@ -645,23 +572,18 @@ static noinline void __init kasan_strings(void) ptr += 16; strchr(ptr, '1'); - pr_info("use-after-free in strrchr\n"); strrchr(ptr, '1'); - pr_info("use-after-free in strcmp\n"); strcmp(ptr, "2"); - pr_info("use-after-free in strncmp\n"); strncmp(ptr, "2", 1); - pr_info("use-after-free in strlen\n"); strlen(ptr); - pr_info("use-after-free in strnlen\n"); strnlen(ptr, 1); } -static noinline void __init kasan_bitops(void) +static noinline void kasan_bitops(void) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; @@ -676,70 +598,52 @@ static noinline void __init kasan_bitops(void) * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */ - pr_info("out-of-bounds in set_bit\n"); set_bit(BITS_PER_LONG, bits); - pr_info("out-of-bounds in __set_bit\n"); __set_bit(BITS_PER_LONG, bits); - pr_info("out-of-bounds in clear_bit\n"); clear_bit(BITS_PER_LONG, bits); - pr_info("out-of-bounds in __clear_bit\n"); __clear_bit(BITS_PER_LONG, bits); - pr_info("out-of-bounds in clear_bit_unlock\n"); clear_bit_unlock(BITS_PER_LONG, bits); - pr_info("out-of-bounds in __clear_bit_unlock\n"); __clear_bit_unlock(BITS_PER_LONG, bits); - pr_info("out-of-bounds in change_bit\n"); change_bit(BITS_PER_LONG, bits); - pr_info("out-of-bounds in __change_bit\n"); __change_bit(BITS_PER_LONG, bits); /* * Below calls try to access bit beyond allocated memory. */ - pr_info("out-of-bounds in test_and_set_bit\n"); test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in __test_and_set_bit\n"); __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in test_and_set_bit_lock\n"); test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in test_and_clear_bit\n"); test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in __test_and_clear_bit\n"); __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in test_and_change_bit\n"); test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in __test_and_change_bit\n"); __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); - pr_info("out-of-bounds in test_bit\n"); (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); #if defined(clear_bit_unlock_is_negative_byte) - pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n"); clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits); #endif kfree(bits); } -static noinline void __init kmalloc_double_kzfree(void) +static noinline void kmalloc_double_kzfree(void) { char *ptr; size_t size = 16; - pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL); if (!ptr) { pr_err("Allocation failed\n"); @@ -750,29 +654,130 @@ static noinline void __init kmalloc_double_kzfree(void) kzfree(ptr); } -#ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void kunit_test_oob(struct kunit *test) +{ + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_right()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_left()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_node_oob_right()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_large_oob_right()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_krealloc_more()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_krealloc_less()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_16()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_in_memset()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_memset_2()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_memset_4()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_memset_8()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_oob_memset_16()); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_oob()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_global_oob()); + KUNIT_EXPECT_KASAN_FAIL(test, ksize_unpoisons_memory()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_memchr()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_memcmp()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_strings()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_bitops()); +#ifdef CONFIG_SLUB + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_pagealloc_oob_right()); +#endif /* CONFIG_SLUB */ + +#if (CONFIG_KASAN_STACK == 1) + KUNIT_EXPECT_KASAN_FAIL(test, kasan_stack_oob()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_alloca_oob_right()); + KUNIT_EXPECT_KASAN_FAIL(test, kasan_alloca_oob_left()); +#endif /*CONFIG_KASAN_STACK*/ +} + +static void kunit_test_uaf(struct kunit *test) +{ +#ifdef CONFIG_SLUB + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_pagealloc_uaf()); +#endif + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_uaf()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_uaf_memset()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_uaf2()); +} + +static void kunit_test_invalid_free(struct kunit *test) { - void *area; +#ifdef CONFIG_SLUB + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_pagealloc_invalid_free()); +#endif + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_invalid_free()); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_double_free()); + KUNIT_EXPECT_KASAN_FAIL(test, kmalloc_double_kzfree()); +} - pr_info("vmalloc out-of-bounds\n"); +static void kunit_test_false_positives(struct kunit *test) +{ + kfree_via_page(); + kfree_via_phys(); +} - /* - * We have to be careful not to hit the guard page. - * The MMU will catch that and crash us. - */ - area = vmalloc(3000); - if (!area) { - pr_err("Allocation failed\n"); +static void kunit_test_memcg(struct kunit *test) +{ + memcg_accounted_kmem_cache(); +} + +static struct kunit_case kasan_kunit_test_cases[] = { + KUNIT_CASE(kunit_test_oob), + KUNIT_CASE(kunit_test_uaf), + KUNIT_CASE(kunit_test_invalid_free), + KUNIT_CASE(kunit_test_false_positives), + KUNIT_CASE(kunit_test_memcg), + {} +}; + +static struct kunit_suite kasan_kunit_test_suite = { + .name = "kasan_kunit_test", + .test_cases = kasan_kunit_test_cases, +}; + +kunit_test_suite(kasan_kunit_test_suite); + +#if IS_MODULE(CONFIG_TEST_KASAN) +static noinline void __init copy_user_test(void) +{ + char *kmem; + char __user *usermem; + size_t size = 10; + int unused; + + kmem = kmalloc(size, GFP_KERNEL); + if (!kmem) + return; + + usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_ANONYMOUS | MAP_PRIVATE, 0); + if (IS_ERR(usermem)) { + pr_err("Failed to allocate user memory\n"); + kfree(kmem); return; } - ((volatile char *)area)[3100]; - vfree(area); + pr_info("out-of-bounds in copy_from_user()\n"); + unused = copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in copy_to_user()\n"); + unused = copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user()\n"); + unused = __copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user()\n"); + unused = __copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); + unused = __copy_from_user_inatomic(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); + unused = __copy_to_user_inatomic(usermem, kmem, size + 1); + + pr_info("out-of-bounds in strncpy_from_user()\n"); + unused = strncpy_from_user(kmem, usermem, size + 1); + + vm_munmap((unsigned long)usermem, PAGE_SIZE); + kfree(kmem); } -#else -static void __init vmalloc_oob(void) {} -#endif static int __init kmalloc_tests_init(void) { @@ -782,44 +787,7 @@ static int __init kmalloc_tests_init(void) */ bool multishot = kasan_save_enable_multi_shot(); - kmalloc_oob_right(); - kmalloc_oob_left(); - kmalloc_node_oob_right(); -#ifdef CONFIG_SLUB - kmalloc_pagealloc_oob_right(); - kmalloc_pagealloc_uaf(); - kmalloc_pagealloc_invalid_free(); -#endif - kmalloc_large_oob_right(); - kmalloc_oob_krealloc_more(); - kmalloc_oob_krealloc_less(); - kmalloc_oob_16(); - kmalloc_oob_in_memset(); - kmalloc_oob_memset_2(); - kmalloc_oob_memset_4(); - kmalloc_oob_memset_8(); - kmalloc_oob_memset_16(); - kmalloc_uaf(); - kmalloc_uaf_memset(); - kmalloc_uaf2(); - kfree_via_page(); - kfree_via_phys(); - kmem_cache_oob(); - memcg_accounted_kmem_cache(); - kasan_stack_oob(); - kasan_global_oob(); - kasan_alloca_oob_left(); - kasan_alloca_oob_right(); - ksize_unpoisons_memory(); copy_user_test(); - kmem_cache_double_free(); - kmem_cache_invalid_free(); - kasan_memchr(); - kasan_memcmp(); - kasan_strings(); - kasan_bitops(); - kmalloc_double_kzfree(); - vmalloc_oob(); kasan_restore_multi_shot(multishot); @@ -827,4 +795,4 @@ static int __init kmalloc_tests_init(void) } module_init(kmalloc_tests_init); -MODULE_LICENSE("GPL"); +#endif /* IS_MODULE(CONFIG_TEST_KASAN) */ From patchwork Thu Feb 27 02:43:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Patricia Alfonso X-Patchwork-Id: 11407643 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 865D714B4 for ; Thu, 27 Feb 2020 02:44:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 5C7C42467B for ; Thu, 27 Feb 2020 02:44:47 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="LpMFnRUF" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728288AbgB0Cor (ORCPT ); Wed, 26 Feb 2020 21:44:47 -0500 Received: from mail-pg1-f201.google.com ([209.85.215.201]:45328 "EHLO mail-pg1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728220AbgB0Coq (ORCPT ); Wed, 26 Feb 2020 21:44:46 -0500 Received: by mail-pg1-f201.google.com with SMTP id h2so938945pgr.12 for ; Wed, 26 Feb 2020 18:44:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=MzblV2B3yiELWZGgmDEXOGM+kFqZEnGt6N1xQ+fXD1M=; b=LpMFnRUFsTZOzSSVz3L/vWVaNbouZ6e3uEVcaOl9HzgxvlS8OQgBXU0Mhtmj+ZeTv7 zlPj8w44FKoXVbuE2XK/yqwkDEqLvuVnzJovbSQBjV3LoqMKFT1d87NMFE7ytOPIXn6n HhAyDnmnQ3ezj9sZZNOY8gHrdFGlbpmUBd1Iw8UF/Hn320u3kt7Xqc+cZbymUAqZ0Cll sDDeP7O96pyLmjPzhkcbUjs3HGzqlLG2d8tUbGuMZdtZ5lOceMlSKUkZo87y6W0LHesr eUKm4kSwkfZfv1NWmX/Kfu1++gxmUDso3NcdgDhw821M99iDtfVwibj+WyKg1xRfIhI+ Qsqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=MzblV2B3yiELWZGgmDEXOGM+kFqZEnGt6N1xQ+fXD1M=; b=FduH8gusLNRYx6E4JhkO6Di7A5H7vpV+WlsRNLBpgBZKuya8TSHHEYmXubalv4H1ji oJ/AkR8xJvKGGB/vvB+C7oj3GH/Wsm6KecR0HmlVqjj7zb944GstfXftGgU/CoqXiNHm LMvWtFMxt6lbnRriGSFEk/urkcJgbxF7NqwD8HqZSwOtT+Y8Y7HSmKZnGjkGuUunKZf4 30U9xkIvOdSu+e6f6mciRxoGwgZNwRC5NmzBqku0EQ+1VemSI1sEHl6aGfTObal79dJs +O5rPbChJk9BA9hFgqkDQ1k54aymqNf3mqqudjYU7B844l0o22toKkaVF4BpzzuoUjM7 HCnA== X-Gm-Message-State: APjAAAUjMnmGvR1ns94uIQj7LRTTlpEiTFq+NE2tywghydUNt4YEcDVZ h4GILov30F0eAgASvR1mopsDc3N8P9g+8RVAvmQ= X-Google-Smtp-Source: APXvYqwVKi7sHz2y1nXFcS7JIDNVl7caP9Uc41JoTXT067ZFJq/Ro+rRkhTDQI0uNB3VRnoGzxe6APTY/yu7XohfHgQ= X-Received: by 2002:a63:3085:: with SMTP id w127mr1837386pgw.176.1582771485461; Wed, 26 Feb 2020 18:44:45 -0800 (PST) Date: Wed, 26 Feb 2020 18:43:01 -0800 In-Reply-To: <20200227024301.217042-1-trishalfonso@google.com> Message-Id: <20200227024301.217042-2-trishalfonso@google.com> Mime-Version: 1.0 References: <20200227024301.217042-1-trishalfonso@google.com> X-Mailer: git-send-email 2.25.0.265.gbab2e86ba0-goog Subject: [RFC PATCH 2/2] KUnit: KASAN Integration From: Patricia Alfonso To: aryabinin@virtuozzo.com, dvyukov@google.com, brendanhiggins@google.com, davidgow@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-kselftest@vger.kernel.org, kunit-dev@googlegroups.com, Patricia Alfonso Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Integrate KASAN into KUnit testing framework. - Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - KUnit struct added to current task to keep track of the current test from KASAN code - Booleans representing if a KASAN report is expected and if a KASAN report is found added to kunit struct - This prints "line# has passed" or "line# has failed" Signed-off-by: Patricia Alfonso --- If anyone has any suggestions on how best to print the failure messages, please share! One issue I have found while testing this is the allocation fails in kmalloc_pagealloc_oob_right() sometimes, but not consistently. This does cause the test to fail on the KUnit side, as expected, but it seems to skip all the tests before this one because the output starts with this failure instead of with the first test, kmalloc_oob_right(). include/kunit/test.h | 24 ++++++++++++++++++++++++ include/linux/sched.h | 7 ++++++- lib/kunit/test.c | 7 ++++++- mm/kasan/report.c | 19 +++++++++++++++++++ tools/testing/kunit/kunit_kernel.py | 2 +- 5 files changed, 56 insertions(+), 3 deletions(-) diff --git a/include/kunit/test.h b/include/kunit/test.h index 2dfb550c6723..2e388f8937f3 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -21,6 +21,8 @@ struct kunit_resource; typedef int (*kunit_resource_init_t)(struct kunit_resource *, void *); typedef void (*kunit_resource_free_t)(struct kunit_resource *); +void kunit_set_failure(struct kunit *test); + /** * struct kunit_resource - represents a *test managed resource* * @allocation: for the user to store arbitrary data. @@ -191,6 +193,9 @@ struct kunit { * protect it with some type of lock. */ struct list_head resources; /* Protected by lock. */ + + bool kasan_report_expected; + bool kasan_report_found; }; void kunit_init_test(struct kunit *test, const char *name); @@ -941,6 +946,25 @@ do { \ ptr, \ NULL) +/** + * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does + * not cause a KASAN error. + * + */ +#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \ + test->kasan_report_expected = true; \ + test->kasan_report_found = false; \ + condition; \ + if (test->kasan_report_found == test->kasan_report_expected) { \ + pr_info("%d has passed", __LINE__); \ + } else { \ + kunit_set_failure(test); \ + pr_info("%d has failed", __LINE__); \ + } \ + test->kasan_report_expected = false; \ + test->kasan_report_found = false; \ +} while (0) + /** * KUNIT_EXPECT_TRUE() - Causes a test failure when the expression is not true. * @test: The test context object. diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..db23d56061e7 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -32,6 +32,8 @@ #include #include +#include + /* task_struct member predeclarations (sorted alphabetically): */ struct audit_context; struct backing_dev_info; @@ -1178,7 +1180,10 @@ struct task_struct { #ifdef CONFIG_KASAN unsigned int kasan_depth; -#endif +#ifdef CONFIG_KUNIT + struct kunit *kasan_kunit_test; +#endif /* CONFIG_KUNIT */ +#endif /* CONFIG_KASAN */ #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ diff --git a/lib/kunit/test.c b/lib/kunit/test.c index 9242f932896c..d266b9495c67 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -9,11 +9,12 @@ #include #include #include +#include #include "string-stream.h" #include "try-catch-impl.h" -static void kunit_set_failure(struct kunit *test) +void kunit_set_failure(struct kunit *test) { WRITE_ONCE(test->success, false); } @@ -236,6 +237,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case; +#ifdef CONFIG_KASAN + current->kasan_kunit_test = test; +#endif + /* * kunit_run_case_internal may encounter a fatal error; if it does, * abort will be called, this thread will exit, and finally the parent diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 5ef9f24f566b..5554d23799a5 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -32,6 +32,8 @@ #include +#include + #include "kasan.h" #include "../slab.h" @@ -461,6 +463,15 @@ void kasan_report_invalid_free(void *object, unsigned long ip) u8 tag = get_tag(object); object = reset_tag(object); + + if (current->kasan_kunit_test) { + if (current->kasan_kunit_test->kasan_report_expected) { + current->kasan_kunit_test->kasan_report_found = true; + return; + } + kunit_set_failure(current->kasan_kunit_test); + } + start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object); @@ -481,6 +492,14 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon if (likely(!report_enabled())) return; + if (current->kasan_kunit_test) { + if (current->kasan_kunit_test->kasan_report_expected) { + current->kasan_kunit_test->kasan_report_found = true; + return; + } + kunit_set_failure(current->kasan_kunit_test); + } + disable_trace_on_warning(); tagged_addr = (void *)addr; diff --git a/tools/testing/kunit/kunit_kernel.py b/tools/testing/kunit/kunit_kernel.py index cc5d844ecca1..63eab18a8c34 100644 --- a/tools/testing/kunit/kunit_kernel.py +++ b/tools/testing/kunit/kunit_kernel.py @@ -141,7 +141,7 @@ class LinuxSourceTree(object): return True def run_kernel(self, args=[], timeout=None, build_dir=''): - args.extend(['mem=256M']) + args.extend(['mem=256M', 'kasan_multi_shot']) process = self._ops.linux_bin(args, timeout, build_dir) with open(os.path.join(build_dir, 'test.log'), 'w') as f: for line in process.stdout: