Message ID | 20191014103654.17982-1-walter-zh.wu@mediatek.com (mailing list archive) |
---|---|
State | New, archived |
Series | fix the missing underflow in memory operation function |
On Mon, Oct 14, 2019 at 12:37 PM Walter Wu <walter-zh.wu@mediatek.com> wrote:
>
> Test size is negative numbers in memmove in order to verify
> whether it correctly gets a KASAN report.
>
> Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>

Reviewed-by: Dmitry Vyukov <dvyukov@google.com>

Thanks!

> --- > lib/test_kasan.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index 49cc4d570a40..06942cf585cc 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -283,6 +283,23 @@ static noinline void __init kmalloc_oob_in_memset(void) > kfree(ptr); > } > > +static noinline void __init kmalloc_memmove_invalid_size(void) > +{ > + char *ptr; > + size_t size = 64; > + > + pr_info("invalid size in memmove\n"); > + ptr = kmalloc(size, GFP_KERNEL); > + if (!ptr) { > + pr_err("Allocation failed\n"); > + return; > + } > + > + memset((char *)ptr, 0, 64); > + memmove((char *)ptr, (char *)ptr + 4, -2); > + kfree(ptr); > +} > + > static noinline void __init kmalloc_uaf(void) > { > char *ptr; > @@ -773,6 +790,7 @@ static int __init kmalloc_tests_init(void) > kmalloc_oob_memset_4(); > kmalloc_oob_memset_8(); > kmalloc_oob_memset_16(); > + kmalloc_memmove_invalid_size(); > kmalloc_uaf(); > kmalloc_uaf_memset(); > kmalloc_uaf2(); > -- > 2.18.0
On Mon, Oct 14, 2019 at 06:36:54PM +0800, Walter Wu wrote:
> Test size is negative numbers in memmove in order to verify
> whether it correctly gets a KASAN report.

You're not testing negative numbers, though. memmove() takes an unsigned
type, so you're testing a very large number.
On Mon, 2019-10-14 at 08:07 -0700, Matthew Wilcox wrote:
> On Mon, Oct 14, 2019 at 06:36:54PM +0800, Walter Wu wrote:
> > Test size is negative numbers in memmove in order to verify
> > whether it correctly gets a KASAN report.
>
> You're not testing negative numbers, though. memmove() takes an unsigned
> type, so you're testing a very large number.
>

Casting negative numbers to size_t would indeed turn up as a "large" size_t
and its value will be larger than ULONG_MAX/2. We mainly want to express
this case. Maybe we can add some descriptions. Thanks for your reminder.
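The size conversion discussed in this exchange, as an added user-space example (not part of the patch, the thread or the kernel's KASAN code): a hypothetical `checked_memmove()` rejects a length above `SIZE_MAX / 2` before any bounds arithmetic, then bounds-checks both ranges. `struct tracked_buf`, the status codes and `patch_case()` are assumptions made for illustration, and `SIZE_MAX` stands in for the `ULONG_MAX` mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64	/* same object size as the test in the patch */

/* Hypothetical status codes for this example. */
enum move_status { MOVE_OK, MOVE_NEGATIVE_SIZE, MOVE_OUT_OF_BOUNDS };

/* Hypothetical bounds-tracked buffer standing in for a kmalloc() object. */
struct tracked_buf {
	char data[BUF_SIZE];
	size_t size;
};

/*
 * memmove() within one tracked buffer. The length check comes first: a
 * negative value converted to size_t has its top bit set, so it is larger
 * than SIZE_MAX / 2 and is reported as its own class of error.
 */
static enum move_status checked_memmove(struct tracked_buf *b, size_t dst_off,
					size_t src_off, size_t len)
{
	if (len > SIZE_MAX / 2)
		return MOVE_NEGATIVE_SIZE;
	/* Written as subtractions so the checks themselves cannot wrap. */
	if (dst_off > b->size || len > b->size - dst_off)
		return MOVE_OUT_OF_BOUNDS;
	if (src_off > b->size || len > b->size - src_off)
		return MOVE_OUT_OF_BOUNDS;
	memmove(b->data + dst_off, b->data + src_off, len);
	return MOVE_OK;
}

/* Call shape from the test in the patch: dst = ptr, src = ptr + 4, len = -2. */
static enum move_status patch_case(void)
{
	struct tracked_buf b = { .size = BUF_SIZE };

	/* memmove()'s size_t parameter performs this conversion implicitly. */
	return checked_memmove(&b, 0, 4, (size_t)-2);
}

int main(void)
{
	printf("len = (size_t)-2 -> status %d\n", (int)patch_case());
	return 0;
}
```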
diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 49cc4d570a40..06942cf585cc 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -283,6 +283,23 @@ static noinline void __init kmalloc_oob_in_memset(void) kfree(ptr); } +static noinline void __init kmalloc_memmove_invalid_size(void) +{ + char *ptr; + size_t size = 64; + + pr_info("invalid size in memmove\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + memset((char *)ptr, 0, 64); + memmove((char *)ptr, (char *)ptr + 4, -2); + kfree(ptr); +} + static noinline void __init kmalloc_uaf(void) { char *ptr; @@ -773,6 +790,7 @@ static int __init kmalloc_tests_init(void) kmalloc_oob_memset_4(); kmalloc_oob_memset_8(); kmalloc_oob_memset_16(); + kmalloc_memmove_invalid_size(); kmalloc_uaf(); kmalloc_uaf_memset(); kmalloc_uaf2();
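Review bot: In kmalloc_memmove_invalid_size(), the length in `memmove((char *)ptr, (char *)ptr + 4, -2);` is a bare -2 that is implicitly converted to size_t, so the call exercises a very large unsigned length rather than a negative one, and neither the code nor the pr_info() string says that this is intended. Suggest holding the value in a named variable such as `size_t invalid_size = -2;` with a short comment describing the conversion, and wording the commit message the same way. Smaller points in the same function: `memset((char *)ptr, 0, 64);` repeats the literal 64 instead of using `size`, and the `(char *)` casts are redundant because ptr is already declared `char *`.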
Test size is negative numbers in memmove in order to verify
whether it correctly gets a KASAN report.

Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
---
 lib/test_kasan.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)