[mm,v3,34/34] kasan: add another use-after-free test

Message ID	0659cfa15809dd38faa02bc0a59d0b5dbbd81211.1662411800.git.andreyknvl@google.com (mailing list archive)
State	New
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: andrey.konovalov@linux.dev To: Andrew Morton <akpm@linux-foundation.org> Cc: Andrey Konovalov <andreyknvl@gmail.com>, Marco Elver <elver@google.com>, Alexander Potapenko <glider@google.com>, Dmitry Vyukov <dvyukov@google.com>, Andrey Ryabinin <ryabinin.a.a@gmail.com>, kasan-dev@googlegroups.com, Peter Collingbourne <pcc@google.com>, Evgenii Stepanov <eugenis@google.com>, Florian Mayer <fmayer@google.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com> Subject: [PATCH mm v3 34/34] kasan: add another use-after-free test Date: Mon, 5 Sep 2022 23:05:49 +0200 Message-Id: <0659cfa15809dd38faa02bc0a59d0b5dbbd81211.1662411800.git.andreyknvl@google.com> In-Reply-To: <cover.1662411799.git.andreyknvl@google.com> References: <cover.1662411799.git.andreyknvl@google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	kasan: switch tag-based modes to stack ring from per-object metadata \| expand [mm,v3,00/34] kasan: switch tag-based modes to stack ring from per-object metadata [mm,v3,01/34] kasan: check KASAN_NO_FREE_META in __kasan_metadata_size [mm,v3,02/34] kasan: rename kasan_set__info to kasan_save__info [mm,v3,03/34] kasan: move is_kmalloc check out of save_alloc_info [mm,v3,04/34] kasan: split save_alloc_info implementations [mm,v3,05/34] kasan: drop CONFIG_KASAN_TAGS_IDENTIFY [mm,v3,06/34] kasan: introduce kasan_print_aux_stacks [mm,v3,07/34] kasan: introduce kasan_get_alloc_track [mm,v3,08/34] kasan: introduce kasan_init_object_meta [mm,v3,09/34] kasan: clear metadata functions for tag-based modes [mm,v3,10/34] kasan: move kasan_get_*_meta to generic.c [mm,v3,11/34] kasan: introduce kasan_requires_meta [mm,v3,12/34] kasan: introduce kasan_init_cache_meta [mm,v3,13/34] kasan: drop CONFIG_KASAN_GENERIC check from kasan_init_cache_meta [mm,v3,14/34] kasan: only define kasan_metadata_size for Generic mode [mm,v3,15/34] kasan: only define kasan_never_merge for Generic mode [mm,v3,16/34] kasan: only define metadata offsets for Generic mode [mm,v3,17/34] kasan: only define metadata structs for Generic mode [mm,v3,18/34] kasan: only define kasan_cache_create for Generic mode [mm,v3,19/34] kasan: pass tagged pointers to kasan_save_alloc/free_info [mm,v3,20/34] kasan: move kasan_get_alloc/free_track definitions [mm,v3,21/34] kasan: cosmetic changes in report.c [mm,v3,22/34] kasan: use virt_addr_valid in kasan_addr_to_page/slab [mm,v3,23/34] kasan: use kasan_addr_to_slab in print_address_description [mm,v3,24/34] kasan: make kasan_addr_to_page static [mm,v3,25/34] kasan: simplify print_report [mm,v3,26/34] kasan: introduce complete_report_info [mm,v3,27/34] kasan: fill in cache and object in complete_report_info [mm,v3,28/34] kasan: rework function arguments in report.c [mm,v3,29/34] kasan: introduce kasan_complete_mode_report_info [mm,v3,30/34] kasan: implement stack ring for tag-based modes [mm,v3,31/34] kasan: support kasan.stacktrace for SW_TAGS [mm,v3,32/34] kasan: dynamically allocate stack ring entries [mm,v3,33/34] kasan: better identify bug types for tag-based modes [mm,v3,34/34] kasan: add another use-after-free test

Message ID

0659cfa15809dd38faa02bc0a59d0b5dbbd81211.1662411800.git.andreyknvl@google.com (mailing list archive)

State

New

Headers

From: andrey.konovalov@linux.dev
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>,
	Marco Elver <elver@google.com>,
	Alexander Potapenko <glider@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Andrey Ryabinin <ryabinin.a.a@gmail.com>,
	kasan-dev@googlegroups.com,
	Peter Collingbourne <pcc@google.com>,
	Evgenii Stepanov <eugenis@google.com>,
	Florian Mayer <fmayer@google.com>,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH mm v3 34/34] kasan: add another use-after-free test
Date: Mon,  5 Sep 2022 23:05:49 +0200
Message-Id: 
 <0659cfa15809dd38faa02bc0a59d0b5dbbd81211.1662411800.git.andreyknvl@google.com>
In-Reply-To: <cover.1662411799.git.andreyknvl@google.com>
References: <cover.1662411799.git.andreyknvl@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

kasan: switch tag-based modes to stack ring from per-object metadata | expand

Commit Message

andrey.konovalov@linux.dev Sept. 5, 2022, 9:05 p.m. UTC

From: Andrey Konovalov <andreyknvl@google.com>

Add a new use-after-free test that checks that KASAN detects use-after-free
when another object was allocated in the same slot.

This test is mainly relevant for the tag-based modes, which do not use
quarantine.

Once [1] is resolved, this test can be extended to check that the stack
traces in the report point to the proper kmalloc/kfree calls.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=212203

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>

---

Changes v2->v3:
- This is a new patch.
---
 lib/test_kasan.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 58c1b01ccfe2..505f77ffad27 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -612,6 +612,29 @@  static void kmalloc_uaf2(struct kunit *test)
 	kfree(ptr2);
 }
 
+/*
+ * Check that KASAN detects use-after-free when another object was allocated in
+ * the same slot. Relevant for the tag-based modes, which do not use quarantine.
+ */
+static void kmalloc_uaf3(struct kunit *test)
+{
+	char *ptr1, *ptr2;
+	size_t size = 100;
+
+	/* This test is specifically crafted for tag-based modes. */
+	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
+
+	ptr1 = kmalloc(size, GFP_KERNEL);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
+	kfree(ptr1);
+
+	ptr2 = kmalloc(size, GFP_KERNEL);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
+	kfree(ptr2);
+
+	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]);
+}
+
 static void kfree_via_page(struct kunit *test)
 {
 	char *ptr;
@@ -1382,6 +1405,7 @@  static struct kunit_case kasan_kunit_test_cases[] = {
 	KUNIT_CASE(kmalloc_uaf),
 	KUNIT_CASE(kmalloc_uaf_memset),
 	KUNIT_CASE(kmalloc_uaf2),
+	KUNIT_CASE(kmalloc_uaf3),
 	KUNIT_CASE(kfree_via_page),
 	KUNIT_CASE(kfree_via_phys),
 	KUNIT_CASE(kmem_cache_oob),

[mm,v3,34/34] kasan: add another use-after-free test

Commit Message

Patch