From patchwork Thu Mar 19 16:42:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Patricia Alfonso X-Patchwork-Id: 11447697 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 266FF92A for ; Thu, 19 Mar 2020 16:42:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 049A02070A for ; Thu, 19 Mar 2020 16:42:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="pAEEZ2fM" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728548AbgCSQmp (ORCPT ); Thu, 19 Mar 2020 12:42:45 -0400 Received: from mail-qv1-f74.google.com ([209.85.219.74]:45808 "EHLO mail-qv1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727517AbgCSQmp (ORCPT ); Thu, 19 Mar 2020 12:42:45 -0400 Received: by mail-qv1-f74.google.com with SMTP id d7so3269287qvq.12 for ; Thu, 19 Mar 2020 09:42:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=/e3rkkmfd1b6sk0SVgpVxi2weXIopunVz1TGXPB1o2Q=; b=pAEEZ2fM6YsbHdnzBd/r6un+oIKRlxlvz3jic9B38l9/9IankeiOaoOJIXS9p0D2jV ow0SmBoXTSKrrRTwRcAO4tMBMAlurZUVf0uJrxkFF+knk+IJ068r0uXlT1HVEAj3eNW9 uaCBdYWNvy6U/Q67m78UJaYkOtw8lYRXqJOpEyvXoINYqFniiK/7opnn84Ne18pmkW5h B0KdDc7uye/6o5EQbKiuVQ7OcVeKdMmjIFdOlDri/nbc4xmHHGd1rbHr4j953sC03Jn3 EPosz5P6phBMu3ty+ycigOodD8CI0sTLjhIALQz96fDc0KKaVQ8LyLQP07s054PHlsAG bb4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=/e3rkkmfd1b6sk0SVgpVxi2weXIopunVz1TGXPB1o2Q=; b=LBWeMVI3WKrcY2B+eIKbSYaKGNFwTZuXhfea/alkRX75RrWQevtKAw+NDw9j014yNi a9fa6OFaBiLLT6NU6AmisPAiJTw3gvN/Ubnp3V9sK3prhy1dINYEKNo3VuQ52OT9sITv 9kGZ8jO1V8PjvpryUAuQUIf55iWwIp6BTsVW7x9MNgYFH56yyK+HZLDtLCGbo0OT98IG 8QCVrANX9QUFaV5Lo+0fLd0fGoGXTKdolHwJ1RxoEuZxF+GF9qukTu7YoXMgOa8wqVA2 NJxhXqaN8DVtXLJ8dcGdtWgtWrE3ash18tOlOVz4QGl1tRyTnDoQmcWZABYvkqi8nh0+ yABw== X-Gm-Message-State: ANhLgQ1Brr5lEpnUo3t6l6d2iBXUUoNIj6WHxFk0OEprjccOk3EsHoyU m0zBvK9EsCOcIFesFxcPLgijC3uimRIN447xdNE= X-Google-Smtp-Source: ADFU+vtdcXY065iMK3lYGT0t093yNfaC6nBS+XBMSZLjKKHl191H/3QSOnSZr4cojJzsteGn1+C2lU/+Rpuc1wcTgW8= X-Received: by 2002:a0c:edcf:: with SMTP id i15mr3610736qvr.151.1584636164003; Thu, 19 Mar 2020 09:42:44 -0700 (PDT) Date: Thu, 19 Mar 2020 09:42:25 -0700 In-Reply-To: <20200319164227.87419-1-trishalfonso@google.com> Message-Id: <20200319164227.87419-2-trishalfonso@google.com> Mime-Version: 1.0 References: <20200319164227.87419-1-trishalfonso@google.com> X-Mailer: git-send-email 2.25.1.696.g5e7596f4ac-goog Subject: [RFC PATCH v2 1/3] Add KUnit Struct to Current Task From: Patricia Alfonso To: davidgow@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, Patricia Alfonso Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org In order to integrate debugging tools like KASAN into the KUnit framework, add KUnit struct to the current task to keep track of the current KUnit test. Signed-off-by: Patricia Alfonso Reviewed-by: Brendan Higgins --- include/linux/sched.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/linux/sched.h b/include/linux/sched.h index 04278493bf15..1fbfa0634776 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1180,6 +1180,10 @@ struct task_struct { unsigned int kasan_depth; #endif +#if IS_BUILTIN(CONFIG_KUNIT) + struct kunit *kunit_test; +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + #ifdef CONFIG_FUNCTION_GRAPH_TRACER /* Index of current stored address in ret_stack: */ int curr_ret_stack; From patchwork Thu Mar 19 16:42:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Patricia Alfonso X-Patchwork-Id: 11447701 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6BEA692A for ; Thu, 19 Mar 2020 16:43:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 430BE208E4 for ; Thu, 19 Mar 2020 16:43:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="hdDV9H3L" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727928AbgCSQnB (ORCPT ); Thu, 19 Mar 2020 12:43:01 -0400 Received: from mail-pj1-f74.google.com ([209.85.216.74]:36748 "EHLO mail-pj1-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728517AbgCSQmr (ORCPT ); Thu, 19 Mar 2020 12:42:47 -0400 Received: by mail-pj1-f74.google.com with SMTP id np18so1902549pjb.1 for ; Thu, 19 Mar 2020 09:42:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=Xrj+8qNx0KoAn4W34u+9YgQgrTU26Dej+YkYnDk+H1c=; b=hdDV9H3LGLfw9B2j+rY32eFKH/QungX8UAevdSoATXhma0CpBUEEQUyIVStD1d/goi vxMe2D29lwWcohOOzgn8GaGyT8UXBOESTGPLl5PuE1zTnk6rMdrlVIU8N8XXvIuBGeJh 4MaQVu+ARvZZXACt8TO1IybXdKM0h3mly2l7kpFrc57GUvLUNePANrUIFHwiYdOjNhze Uph5tqZreaTlr9sxV/CZogEQEz4tuSV/MSxfVfIdAtzM5yxzNlIBgCR9+5CFDfefn+iI hOLs1Un9z0uXs3FNLkpQF+L/XcNP7H75PB09b2mZCtE6OT7mnCCM9zFQTBnbYIclq9am muUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=Xrj+8qNx0KoAn4W34u+9YgQgrTU26Dej+YkYnDk+H1c=; b=k015UQyYF3HVjN/x0h2NcFKGmdM4NHpfunfqk/4R+QduEqpKuiWRrz0ar5cMc2q2hp U6qksZ/Ig9Q7pzHOHmrw0JbOCvKZ4jaGAkdxHBRw+tsODVtthugI8WtYY7XD5UOHKb5w ZkfBHfcGydE5SOw7hKVIzSIW+eOFkbLo4cPs1nB4LHypqyRJlp36Lp/H1+AQ25u7sqL6 Cr9ZkvQIX4rk21yX0SkdxitpKoqkhVWQZncZUEQol4m4pjzZ1k9ZrDV9uyVs/aZX6Co3 pCCdsYCJUQmEGJPGvqBTbr/Jt80ZLM9boU6n9vxhDAPgAyKgXJpwEAO9KPVEtNb1uiB5 STHQ== X-Gm-Message-State: ANhLgQ01PMsJCN5yQcJxYqJHImOxS8+AI8B++hKR1mO8VwW4WtmQl6Bk AMtJoe+HZMbU6YyB03JXI+b2W60tU62iG2mgnA4= X-Google-Smtp-Source: ADFU+vvni+PtP80Ym72JDcL2wDY/IhrppRfbMtCdXXnSKQRu9nkusLnMWQK9sqqywJ7J/5+kEz+pKK25dtcp17twTvs= X-Received: by 2002:a17:90a:628a:: with SMTP id d10mr4805164pjj.25.1584636166443; Thu, 19 Mar 2020 09:42:46 -0700 (PDT) Date: Thu, 19 Mar 2020 09:42:26 -0700 In-Reply-To: <20200319164227.87419-1-trishalfonso@google.com> Message-Id: <20200319164227.87419-3-trishalfonso@google.com> Mime-Version: 1.0 References: <20200319164227.87419-1-trishalfonso@google.com> X-Mailer: git-send-email 2.25.1.696.g5e7596f4ac-goog Subject: [RFC PATCH v2 2/3] KUnit: KASAN Integration From: Patricia Alfonso To: davidgow@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, Patricia Alfonso Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Integrate KASAN into KUnit testing framework. - Fail tests when KASAN reports an error that is not expected - Use KUNIT_EXPECT_KASAN_FAIL to expect a KASAN error in KASAN tests - Expected KASAN reports pass tests and are still printed when run without kunit_tool (kunit_tool still bypasses the report due to the test passing) - KUnit struct in current task used to keep track of the current test from KASAN code Make use of "[RFC PATCH kunit-next 1/2] kunit: generalize kunit_resource API beyond allocated resources" and "[RFC PATCH kunit-next 2/2] kunit: add support for named resources" from Alan Maguire [1] - A named resource is added to a test when a KASAN report is expected - This resource contains a struct for kasan_data containing booleans representing if a KASAN report is expected and if a KASAN report is found [1] (https://lore.kernel.org/linux-kselftest/1583251361-12748-1-git-send-email-alan.maguire@oracle.com/T/#t) Signed-off-by: Patricia Alfonso --- include/kunit/test.h | 10 ++++++++++ lib/kunit/test.c | 10 +++++++++- lib/test_kasan.c | 37 +++++++++++++++++++++++++++++++++++++ mm/kasan/report.c | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 89 insertions(+), 1 deletion(-) diff --git a/include/kunit/test.h b/include/kunit/test.h index 70ee581b19cd..2ab265f4f76c 100644 --- a/include/kunit/test.h +++ b/include/kunit/test.h @@ -19,9 +19,19 @@ struct kunit_resource; +#ifdef CONFIG_KASAN +/* kasan_data struct is used in KUnit tests for KASAN expected failures */ +struct kunit_kasan_expectation { + bool report_expected; + bool report_found; +}; +#endif /* CONFIG_KASAN */ + typedef int (*kunit_resource_init_t)(struct kunit_resource *, void *); typedef void (*kunit_resource_free_t)(struct kunit_resource *); +void kunit_set_failure(struct kunit *test); + /** * struct kunit_resource - represents a *test managed resource* * @data: for the user to store arbitrary data. diff --git a/lib/kunit/test.c b/lib/kunit/test.c index 86a4d9ca0a45..3f927ef45827 100644 --- a/lib/kunit/test.c +++ b/lib/kunit/test.c @@ -10,11 +10,12 @@ #include #include #include +#include #include "string-stream.h" #include "try-catch-impl.h" -static void kunit_set_failure(struct kunit *test) +void kunit_set_failure(struct kunit *test) { WRITE_ONCE(test->success, false); } @@ -237,6 +238,10 @@ static void kunit_try_run_case(void *data) struct kunit_suite *suite = ctx->suite; struct kunit_case *test_case = ctx->test_case; +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)) + current->kunit_test = test; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT) */ + /* * kunit_run_case_internal may encounter a fatal error; if it does, * abort will be called, this thread will exit, and finally the parent @@ -590,6 +595,9 @@ void kunit_cleanup(struct kunit *test) spin_unlock(&test->lock); kunit_remove_resource(test, res); } +#if (IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)) + current->kunit_test = NULL; +#endif /* IS_ENABLED(CONFIG_KASAN) && IS_BUILTIN(CONFIG_KUNIT)*/ } EXPORT_SYMBOL_GPL(kunit_cleanup); diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 3872d250ed2c..cf73c6bee81b 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -23,6 +23,43 @@ #include +#include + +struct kunit_resource resource; +struct kunit_kasan_expectation fail_data; + +#define KUNIT_SET_KASAN_DATA(test) do { \ + fail_data.report_expected = true; \ + fail_data.report_found = false; \ + kunit_add_named_resource(test, \ + NULL, \ + NULL, \ + &resource, \ + "kasan_data", &fail_data); \ +} while (0) + +#define KUNIT_DO_EXPECT_KASAN_FAIL(test, condition) do { \ + struct kunit_resource *resource; \ + struct kunit_kasan_expectation *kasan_data; \ + condition; \ + resource = kunit_find_named_resource(test, "kasan_data"); \ + kasan_data = resource->data; \ + KUNIT_EXPECT_EQ(test, \ + kasan_data->report_expected, \ + kasan_data->report_found); \ + kunit_put_resource(resource); \ +} while (0) + +/** + * KUNIT_EXPECT_KASAN_FAIL() - Causes a test failure when the expression does + * not cause a KASAN error. + * + */ +#define KUNIT_EXPECT_KASAN_FAIL(test, condition) do { \ + KUNIT_SET_KASAN_DATA(test); \ + KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ +} while (0) + /* * Note: test functions are marked noinline so that their names appear in * reports. diff --git a/mm/kasan/report.c b/mm/kasan/report.c index 5ef9f24f566b..ef3d0f54097e 100644 --- a/mm/kasan/report.c +++ b/mm/kasan/report.c @@ -32,6 +32,8 @@ #include +#include + #include "kasan.h" #include "../slab.h" @@ -455,12 +457,38 @@ static bool report_enabled(void) return !test_and_set_bit(KASAN_BIT_REPORTED, &kasan_flags); } +#if IS_BUILTIN(CONFIG_KUNIT) +void kasan_update_kunit_status(struct kunit *cur_test) +{ + struct kunit_resource *resource; + struct kunit_kasan_expectation *kasan_data; + + if (kunit_find_named_resource(cur_test, "kasan_data")) { + resource = kunit_find_named_resource(cur_test, "kasan_data"); + kasan_data = resource->data; + kasan_data->report_found = true; + + if (!kasan_data->report_expected) + kunit_set_failure(current->kunit_test); + else + return; + } else + kunit_set_failure(current->kunit_test); +} +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + void kasan_report_invalid_free(void *object, unsigned long ip) { unsigned long flags; u8 tag = get_tag(object); object = reset_tag(object); + +#if IS_BUILTIN(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + start_report(&flags); pr_err("BUG: KASAN: double-free or invalid-free in %pS\n", (void *)ip); print_tags(tag, object); @@ -481,6 +509,11 @@ void __kasan_report(unsigned long addr, size_t size, bool is_write, unsigned lon if (likely(!report_enabled())) return; +#if IS_BUILTIN(CONFIG_KUNIT) + if (current->kunit_test) + kasan_update_kunit_status(current->kunit_test); +#endif /* IS_BUILTIN(CONFIG_KUNIT) */ + disable_trace_on_warning(); tagged_addr = (void *)addr; From patchwork Thu Mar 19 16:42:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Patricia Alfonso X-Patchwork-Id: 11447699 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 768791667 for ; Thu, 19 Mar 2020 16:42:53 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 300482070A for ; Thu, 19 Mar 2020 16:42:53 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="ZYN60z8G" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728613AbgCSQmv (ORCPT ); Thu, 19 Mar 2020 12:42:51 -0400 Received: from mail-pf1-f202.google.com ([209.85.210.202]:56101 "EHLO mail-pf1-f202.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728200AbgCSQmv (ORCPT ); Thu, 19 Mar 2020 12:42:51 -0400 Received: by mail-pf1-f202.google.com with SMTP id 78so2109709pfy.22 for ; Thu, 19 Mar 2020 09:42:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:in-reply-to:message-id:mime-version:references:subject:from:to :cc; bh=LR0ioLroY6Lrcs2GLGlEYrQNErAf8a1bvtdtes9iBsU=; b=ZYN60z8GNAGI+7xBZcQp17WzvYaTD9gWz+6kH5JHAafw0NRrLUu3ItuMuj2iMAsBLn jgubWF8njEqCbC0Kcq1gmAjXXceSeZtY3UBf2zALQqJAQmkT8A0iUA6PzPbgAOQNoXcn nY3cxzomoHzvnJJ29v6vQJu8xQ4lEUX54PEpQnnW5iiVXRj8sbnzUrGdfwqj8E3PVa8x rN3IQH/wCaMenC42qdybnzjRAZclqQPXVns+VqLD3r6U8c38X7Pxs2Q9DBZnhbGTDOG4 O5mW8+lZVdHTfbIhYhJNypUsR5uAe14EuVtrZTHMy+zVYeUbZwI+Umiux1kcd4LnT2+3 EY7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:in-reply-to:message-id:mime-version :references:subject:from:to:cc; bh=LR0ioLroY6Lrcs2GLGlEYrQNErAf8a1bvtdtes9iBsU=; b=b3DF5Eq41dzXzUHvL+3huf8JHp+HyAdTxn6uLgpIM/t3tJLkKcqvZyqpWyN9SobEf6 Mp8xdO42fweRJL+hS52rnoOCDYNj1t/zng5F0I4emaRr1ipPj4up2eQ7xxVdx0L3BxLB 1laP2MOo6VC/5gnZzLRLe0sdGDAIy+paxli+JarKhlprXgcnmK5oKT6VVs6dXQDfMSlV IjgN+dnnqC02yUgAJE+k6/nDA+drc5rAbjM2MmhFMR5D+qU/Ufvvo4y/RS5QPTQYtOHF Ktf8AMwhIhd5ejEOa/QEeKgEzaKQ8+Rl56lvXIwdzhJ5ASY0SsM/ZhFACO2iThmhgCY5 zNjQ== X-Gm-Message-State: ANhLgQ29FysRDd9snLZlw9eXY9+Z7Px6VioJ7Wq48Hzsn0pofmk89aTx XA/yIMV5C6gSqHqRaD1wmYB7Xyei9fBVqXbtme0= X-Google-Smtp-Source: ADFU+vscMcLXm3T2plYdzlzZZih5mOhj9zf1UI8CEFYAqgWAORIQqA48UmXTjMHU//tYyzhJv6GKZn+GvTIahvIJfdc= X-Received: by 2002:a17:90a:a102:: with SMTP id s2mr4691845pjp.46.1584636168725; Thu, 19 Mar 2020 09:42:48 -0700 (PDT) Date: Thu, 19 Mar 2020 09:42:27 -0700 In-Reply-To: <20200319164227.87419-1-trishalfonso@google.com> Message-Id: <20200319164227.87419-4-trishalfonso@google.com> Mime-Version: 1.0 References: <20200319164227.87419-1-trishalfonso@google.com> X-Mailer: git-send-email 2.25.1.696.g5e7596f4ac-goog Subject: [RFC PATCH v2 3/3] KASAN: Port KASAN Tests to KUnit From: Patricia Alfonso To: davidgow@google.com, brendanhiggins@google.com, aryabinin@virtuozzo.com, dvyukov@google.com, mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org Cc: linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, kunit-dev@googlegroups.com, linux-kselftest@vger.kernel.org, Patricia Alfonso Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Transfer all previous tests for KASAN to KUnit so they can be run more easily. Using kunit_tool, developers can run these tests with their other KUnit tests and see "pass" or "fail" with the appropriate KASAN report instead of needing to parse each KASAN report to test KASAN functionalities. All KASAN reports are still printed to dmesg. Stack tests do not work in UML so those tests are protected inside an "#if IS_ENABLED(CONFIG_KASAN_STACK)" so this only runs if stack instrumentation is enabled. copy_user_test cannot be run in KUnit so there is a separate test file for those tests, which can be run as before as a module. Signed-off-by: Patricia Alfonso Reviewed-by: Brendan Higgins --- lib/Kconfig.kasan | 13 +- lib/Makefile | 1 + lib/test_kasan.c | 606 ++++++++++++++----------------------- lib/test_kasan_copy_user.c | 75 +++++ 4 files changed, 309 insertions(+), 386 deletions(-) create mode 100644 lib/test_kasan_copy_user.c diff --git a/lib/Kconfig.kasan b/lib/Kconfig.kasan index 5b54f3c9a741..f026c2e62b1d 100644 --- a/lib/Kconfig.kasan +++ b/lib/Kconfig.kasan @@ -159,9 +159,16 @@ config KASAN_VMALLOC stacks), but at the cost of higher memory usage. config TEST_KASAN - tristate "Module for testing KASAN for bug detection" - depends on m && KASAN + tristate "KUnit testing KASAN for bug detection" + depends on KASAN && KUNIT=y help - This is a test module doing various nasty things like + This is a test suite doing various nasty things like out of bounds accesses, use after free. It is useful for testing kernel debugging features like KASAN. + +config TEST_KASAN_USER + tristate "Module testing KASAN for bug detection on copy user tests" + depends on m && KASAN + help + This is a test module for copy_user_tests because these functions + cannot be tested by KUnit so they must be their own module. diff --git a/lib/Makefile b/lib/Makefile index 5d64890d6b6a..e0dc4430e405 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -62,6 +62,7 @@ obj-$(CONFIG_TEST_IDA) += test_ida.o obj-$(CONFIG_TEST_KASAN) += test_kasan.o CFLAGS_test_kasan.o += -fno-builtin CFLAGS_test_kasan.o += $(call cc-disable-warning, vla) +obj-$(CONFIG_TEST_KASAN_USER) += test_kasan_copy_user.o obj-$(CONFIG_TEST_UBSAN) += test_ubsan.o CFLAGS_test_ubsan.o += $(call cc-disable-warning, vla) UBSAN_SANITIZE_test_ubsan.o := y diff --git a/lib/test_kasan.c b/lib/test_kasan.c index cf73c6bee81b..c255495e6ce3 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -5,8 +5,6 @@ * Author: Andrey Ryabinin */ -#define pr_fmt(fmt) "kasan test: %s " fmt, __func__ - #include #include #include @@ -25,8 +23,26 @@ #include +#if IS_BUILTIN(CONFIG_KUNIT) + struct kunit_resource resource; struct kunit_kasan_expectation fail_data; +bool multishot; + +int kasan_multi_shot_init(struct kunit *test) +{ + /* + * Temporarily enable multi-shot mode. Otherwise, we'd only get a + * report for the first case. + */ + multishot = kasan_save_enable_multi_shot(); + return 0; +} + +void kasan_multi_shot_exit(struct kunit *test) +{ + kasan_restore_multi_shot(multishot); +} #define KUNIT_SET_KASAN_DATA(test) do { \ fail_data.report_expected = true; \ @@ -60,61 +76,44 @@ struct kunit_kasan_expectation fail_data; KUNIT_DO_EXPECT_KASAN_FAIL(test, condition); \ } while (0) -/* - * Note: test functions are marked noinline so that their names appear in - * reports. - */ - -static noinline void __init kmalloc_oob_right(void) +static void kmalloc_oob_right(struct kunit *test) { char *ptr; size_t size = 123; - pr_info("out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - ptr[size] = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x'); kfree(ptr); } -static noinline void __init kmalloc_oob_left(void) +static void kmalloc_oob_left(struct kunit *test) { char *ptr; size_t size = 15; - pr_info("out-of-bounds to left\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - *ptr = *(ptr - 1); + KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1)); kfree(ptr); } -static noinline void __init kmalloc_node_oob_right(void) +static void kmalloc_node_oob_right(struct kunit *test) { char *ptr; size_t size = 4096; - pr_info("kmalloc_node(): out-of-bounds to right\n"); ptr = kmalloc_node(size, GFP_KERNEL, 0); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); } #ifdef CONFIG_SLUB -static noinline void __init kmalloc_pagealloc_oob_right(void) +static void kmalloc_pagealloc_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; @@ -122,324 +121,253 @@ static noinline void __init kmalloc_pagealloc_oob_right(void) /* Allocate a chunk that does not fit into a SLUB cache to trigger * the page allocator fallback. */ - pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); } -static noinline void __init kmalloc_pagealloc_uaf(void) +static void kmalloc_pagealloc_uaf(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - pr_info("kmalloc pagealloc allocation: use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); - ptr[0] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0); } -static noinline void __init kmalloc_pagealloc_invalid_free(void) +static void kmalloc_pagealloc_invalid_free(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE + 10; - pr_info("kmalloc pagealloc allocation: invalid-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - kfree(ptr + 1); + KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1)); } -#endif +#endif /* CONFIG_SLUB */ -static noinline void __init kmalloc_large_oob_right(void) +static void kmalloc_large_oob_right(struct kunit *test) { char *ptr; size_t size = KMALLOC_MAX_CACHE_SIZE - 256; /* Allocate a chunk that is large enough, but still fits into a slab * and does not trigger the page allocator fallback in SLUB. */ - pr_info("kmalloc large allocation: out-of-bounds to right\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - ptr[size] = 0; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); kfree(ptr); } -static noinline void __init kmalloc_oob_krealloc_more(void) +static void kmalloc_oob_krealloc_more(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 19; - pr_info("out-of-bounds after krealloc more\n"); ptr1 = kmalloc(size1, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); - ptr2[size2] = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2); } -static noinline void __init kmalloc_oob_krealloc_less(void) +static void kmalloc_oob_krealloc_less(struct kunit *test) { char *ptr1, *ptr2; size_t size1 = 17; size_t size2 = 15; - pr_info("out-of-bounds after krealloc less\n"); ptr1 = kmalloc(size1, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = krealloc(ptr1, size2, GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - return; - } - ptr2[size2] = 'x'; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x'); kfree(ptr2); } -static noinline void __init kmalloc_oob_16(void) +static void kmalloc_oob_16(struct kunit *test) { struct { u64 words[2]; } *ptr1, *ptr2; - pr_info("kmalloc out-of-bounds for 16-bytes access\n"); ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); + ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL); - if (!ptr1 || !ptr2) { - pr_err("Allocation failed\n"); - kfree(ptr1); - kfree(ptr2); - return; - } - *ptr1 = *ptr2; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2); kfree(ptr1); kfree(ptr2); } -static noinline void __init kmalloc_oob_memset_2(void) +static void kmalloc_oob_memset_2(struct kunit *test) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset2\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memset(ptr+7, 0, 2); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+7, 0, 2)); kfree(ptr); } -static noinline void __init kmalloc_oob_memset_4(void) +static void kmalloc_oob_memset_4(struct kunit *test) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset4\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memset(ptr+5, 0, 4); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+5, 0, 4)); kfree(ptr); } -static noinline void __init kmalloc_oob_memset_8(void) +static void kmalloc_oob_memset_8(struct kunit *test) { char *ptr; size_t size = 8; - pr_info("out-of-bounds in memset8\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memset(ptr+1, 0, 8); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 8)); kfree(ptr); } -static noinline void __init kmalloc_oob_memset_16(void) +static void kmalloc_oob_memset_16(struct kunit *test) { char *ptr; size_t size = 16; - pr_info("out-of-bounds in memset16\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memset(ptr+1, 0, 16); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr+1, 0, 16)); kfree(ptr); } -static noinline void __init kmalloc_oob_in_memset(void) +static void kmalloc_oob_in_memset(struct kunit *test) { char *ptr; size_t size = 666; - pr_info("out-of-bounds in memset\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memset(ptr, 0, size+5); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size+5)); kfree(ptr); } -static noinline void __init kmalloc_uaf(void) +static void kmalloc_uaf(struct kunit *test) { char *ptr; size_t size = 10; - pr_info("use-after-free\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); - *(ptr + 8) = 'x'; + KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x'); } -static noinline void __init kmalloc_uaf_memset(void) +static void kmalloc_uaf_memset(struct kunit *test) { char *ptr; size_t size = 33; - pr_info("use-after-free in memset\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); - memset(ptr, 0, size); + KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size)); } -static noinline void __init kmalloc_uaf2(void) +static void kmalloc_uaf2(struct kunit *test) { char *ptr1, *ptr2; size_t size = 43; - pr_info("use-after-free after another kmalloc\n"); ptr1 = kmalloc(size, GFP_KERNEL); - if (!ptr1) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1); kfree(ptr1); + ptr2 = kmalloc(size, GFP_KERNEL); - if (!ptr2) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2); + + KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x'); + KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2); - ptr1[40] = 'x'; - if (ptr1 == ptr2) - pr_err("Could not detect use-after-free: ptr1 == ptr2\n"); kfree(ptr2); } -static noinline void __init kfree_via_page(void) +static void kfree_via_page(struct kunit *test) { char *ptr; size_t size = 8; struct page *page; unsigned long offset; - pr_info("invalid-free false positive (via page)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); page = virt_to_page(ptr); offset = offset_in_page(ptr); kfree(page_address(page) + offset); } -static noinline void __init kfree_via_phys(void) +static void kfree_via_phys(struct kunit *test) { char *ptr; size_t size = 8; phys_addr_t phys; - pr_info("invalid-free false positive (via phys)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); phys = virt_to_phys(ptr); kfree(phys_to_virt(phys)); } -static noinline void __init kmem_cache_oob(void) +static void kmem_cache_oob(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache = kmem_cache_create("test_cache", size, 0, 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("out-of-bounds in kmem_cache_alloc\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } - *p = p[size]; + KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size]); kmem_cache_free(cache, p); kmem_cache_destroy(cache); } -static noinline void __init memcg_accounted_kmem_cache(void) +static void memcg_accounted_kmem_cache(struct kunit *test) { int i; char *p; @@ -447,12 +375,8 @@ static noinline void __init memcg_accounted_kmem_cache(void) struct kmem_cache *cache; cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); - pr_info("allocate memcg accounted object\n"); /* * Several allocations with a delay to allow for lazy per memcg kmem * cache creation. @@ -472,134 +396,80 @@ static noinline void __init memcg_accounted_kmem_cache(void) static char global_array[10]; -static noinline void __init kasan_global_oob(void) +static void kasan_global_oob(struct kunit *test) { volatile int i = 3; char *p = &global_array[ARRAY_SIZE(global_array) + i]; - pr_info("out-of-bounds global variable\n"); - *(volatile char *)p; -} - -static noinline void __init kasan_stack_oob(void) -{ - char stack_array[10]; - volatile int i = 0; - char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - - pr_info("out-of-bounds on stack\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); } -static noinline void __init ksize_unpoisons_memory(void) +static void ksize_unpoisons_memory(struct kunit *test) { char *ptr; size_t size = 123, real_size; - pr_info("ksize() unpoisons the whole allocated chunk\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); real_size = ksize(ptr); /* This access doesn't trigger an error. */ ptr[size] = 'x'; /* This one does. */ - ptr[real_size] = 'y'; + KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); kfree(ptr); } -static noinline void __init copy_user_test(void) +#if (IS_ENABLED(CONFIG_KASAN_STACK)) +static void kasan_stack_oob(struct kunit *test) { - char *kmem; - char __user *usermem; - size_t size = 10; - int unused; - - kmem = kmalloc(size, GFP_KERNEL); - if (!kmem) - return; - - usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, - PROT_READ | PROT_WRITE | PROT_EXEC, - MAP_ANONYMOUS | MAP_PRIVATE, 0); - if (IS_ERR(usermem)) { - pr_err("Failed to allocate user memory\n"); - kfree(kmem); - return; - } - - pr_info("out-of-bounds in copy_from_user()\n"); - unused = copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in copy_to_user()\n"); - unused = copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user()\n"); - unused = __copy_from_user(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user()\n"); - unused = __copy_to_user(usermem, kmem, size + 1); - - pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); - unused = __copy_from_user_inatomic(kmem, usermem, size + 1); - - pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); - unused = __copy_to_user_inatomic(usermem, kmem, size + 1); - - pr_info("out-of-bounds in strncpy_from_user()\n"); - unused = strncpy_from_user(kmem, usermem, size + 1); + char stack_array[10]; + volatile int i = 0; + char *p = &stack_array[ARRAY_SIZE(stack_array) + i]; - vm_munmap((unsigned long)usermem, PAGE_SIZE); - kfree(kmem); + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); } -static noinline void __init kasan_alloca_oob_left(void) +static void kasan_alloca_oob_left(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array - 1; - pr_info("out-of-bounds to left on alloca\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); } -static noinline void __init kasan_alloca_oob_right(void) +static void kasan_alloca_oob_right(struct kunit *test) { volatile int i = 10; char alloca_array[i]; char *p = alloca_array + i; - pr_info("out-of-bounds to right on alloca\n"); - *(volatile char *)p; + KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); } +#endif /* CONFIG_KASAN_STACK */ -static noinline void __init kmem_cache_double_free(void) +static void kmem_cache_double_free(struct kunit *test) { char *p; size_t size = 200; struct kmem_cache *cache; cache = kmem_cache_create("test_cache", size, 0, 0, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("double-free on heap object\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); + p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } kmem_cache_free(cache, p); - kmem_cache_free(cache, p); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p)); kmem_cache_destroy(cache); } -static noinline void __init kmem_cache_invalid_free(void) +static void kmem_cache_invalid_free(struct kunit *test) { char *p; size_t size = 200; @@ -607,20 +477,17 @@ static noinline void __init kmem_cache_invalid_free(void) cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU, NULL); - if (!cache) { - pr_err("Cache allocation failed\n"); - return; - } - pr_info("invalid-free of heap object\n"); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache); + p = kmem_cache_alloc(cache, GFP_KERNEL); if (!p) { - pr_err("Allocation failed\n"); + kunit_err(test, "Allocation failed: %s\n", __func__); kmem_cache_destroy(cache); return; } /* Trigger invalid free, the object doesn't get freed */ - kmem_cache_free(cache, p + 1); + KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1)); /* * Properly free the object to prevent the "Objects remaining in @@ -631,45 +498,39 @@ static noinline void __init kmem_cache_invalid_free(void) kmem_cache_destroy(cache); } -static noinline void __init kasan_memchr(void) +static void kasan_memchr(struct kunit *test) { char *ptr; size_t size = 24; - pr_info("out-of-bounds in memchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - memchr(ptr, '1', size + 1); + KUNIT_EXPECT_KASAN_FAIL(test, memchr(ptr, '1', size + 1)); kfree(ptr); } -static noinline void __init kasan_memcmp(void) +static void kasan_memcmp(struct kunit *test) { char *ptr; size_t size = 24; int arr[9]; - pr_info("out-of-bounds in memcmp\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); memset(arr, 0, sizeof(arr)); - memcmp(ptr, arr, size+1); + KUNIT_EXPECT_KASAN_FAIL(test, memcmp(ptr, arr, size+1)); kfree(ptr); } -static noinline void __init kasan_strings(void) +static void kasan_strings(struct kunit *test) { char *ptr; size_t size = 24; - pr_info("use-after-free in strchr\n"); ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO); - if (!ptr) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); @@ -680,188 +541,167 @@ static noinline void __init kasan_strings(void) * will likely point to zeroed byte. */ ptr += 16; - strchr(ptr, '1'); + KUNIT_EXPECT_KASAN_FAIL(test, strchr(ptr, '1')); - pr_info("use-after-free in strrchr\n"); - strrchr(ptr, '1'); + KUNIT_EXPECT_KASAN_FAIL(test, strrchr(ptr, '1')); - pr_info("use-after-free in strcmp\n"); - strcmp(ptr, "2"); + KUNIT_EXPECT_KASAN_FAIL(test, strcmp(ptr, "2")); - pr_info("use-after-free in strncmp\n"); - strncmp(ptr, "2", 1); + KUNIT_EXPECT_KASAN_FAIL(test, strncmp(ptr, "2", 1)); - pr_info("use-after-free in strlen\n"); - strlen(ptr); + KUNIT_EXPECT_KASAN_FAIL(test, strlen(ptr)); - pr_info("use-after-free in strnlen\n"); - strnlen(ptr, 1); + KUNIT_EXPECT_KASAN_FAIL(test, strnlen(ptr, 1)); } -static noinline void __init kasan_bitops(void) +static void kasan_bitops(struct kunit *test) { /* * Allocate 1 more byte, which causes kzalloc to round up to 16-bytes; * this way we do not actually corrupt other memory. */ long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL); - if (!bits) - return; + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits); /* * Below calls try to access bit within allocated memory; however, the * below accesses are still out-of-bounds, since bitops are defined to * operate on the whole long the bit is in. */ - pr_info("out-of-bounds in set_bit\n"); - set_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, set_bit(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in __set_bit\n"); - __set_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in clear_bit\n"); - clear_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in __clear_bit\n"); - __clear_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in clear_bit_unlock\n"); - clear_bit_unlock(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in __clear_bit_unlock\n"); - __clear_bit_unlock(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in change_bit\n"); - change_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, change_bit(BITS_PER_LONG, bits)); - pr_info("out-of-bounds in __change_bit\n"); - __change_bit(BITS_PER_LONG, bits); + KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(BITS_PER_LONG, bits)); /* * Below calls try to access bit beyond allocated memory. */ - pr_info("out-of-bounds in test_and_set_bit\n"); - test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in __test_and_set_bit\n"); - __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in test_and_set_bit_lock\n"); - test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in test_and_clear_bit\n"); - test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in __test_and_clear_bit\n"); - __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in test_and_change_bit\n"); - test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in __test_and_change_bit\n"); - __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); - pr_info("out-of-bounds in test_bit\n"); - (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits)); #if defined(clear_bit_unlock_is_negative_byte) - pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n"); - clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits); + KUNIT_EXPECT_KASAN_FAIL(test, + clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, + bits)); #endif kfree(bits); } -static noinline void __init kmalloc_double_kzfree(void) +static void kmalloc_double_kzfree(struct kunit *test) { char *ptr; size_t size = 16; - pr_info("double-free (kzfree)\n"); ptr = kmalloc(size, GFP_KERNEL); - if (!ptr) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kzfree(ptr); - kzfree(ptr); + KUNIT_EXPECT_KASAN_FAIL(test, kzfree(ptr)); } #ifdef CONFIG_KASAN_VMALLOC -static noinline void __init vmalloc_oob(void) +static void vmalloc_oob(struct kunit *test) { void *area; - pr_info("vmalloc out-of-bounds\n"); - /* * We have to be careful not to hit the guard page. * The MMU will catch that and crash us. */ area = vmalloc(3000); - if (!area) { - pr_err("Allocation failed\n"); - return; - } + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area); - ((volatile char *)area)[3100]; + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]); vfree(area); } #else -static void __init vmalloc_oob(void) {} +static void vmalloc_oob(struct kunit *test) {} #endif -static int __init kmalloc_tests_init(void) -{ - /* - * Temporarily enable multi-shot mode. Otherwise, we'd only get a - * report for the first case. - */ - bool multishot = kasan_save_enable_multi_shot(); - - kmalloc_oob_right(); - kmalloc_oob_left(); - kmalloc_node_oob_right(); +static struct kunit_case kasan_kunit_test_cases[] = { + KUNIT_CASE(kmalloc_oob_right), + KUNIT_CASE(kmalloc_oob_left), + KUNIT_CASE(kmalloc_node_oob_right), #ifdef CONFIG_SLUB - kmalloc_pagealloc_oob_right(); - kmalloc_pagealloc_uaf(); - kmalloc_pagealloc_invalid_free(); -#endif - kmalloc_large_oob_right(); - kmalloc_oob_krealloc_more(); - kmalloc_oob_krealloc_less(); - kmalloc_oob_16(); - kmalloc_oob_in_memset(); - kmalloc_oob_memset_2(); - kmalloc_oob_memset_4(); - kmalloc_oob_memset_8(); - kmalloc_oob_memset_16(); - kmalloc_uaf(); - kmalloc_uaf_memset(); - kmalloc_uaf2(); - kfree_via_page(); - kfree_via_phys(); - kmem_cache_oob(); - memcg_accounted_kmem_cache(); - kasan_stack_oob(); - kasan_global_oob(); - kasan_alloca_oob_left(); - kasan_alloca_oob_right(); - ksize_unpoisons_memory(); - copy_user_test(); - kmem_cache_double_free(); - kmem_cache_invalid_free(); - kasan_memchr(); - kasan_memcmp(); - kasan_strings(); - kasan_bitops(); - kmalloc_double_kzfree(); - vmalloc_oob(); - - kasan_restore_multi_shot(multishot); - - return -EAGAIN; -} + KUNIT_CASE(kmalloc_pagealloc_oob_right), + KUNIT_CASE(kmalloc_pagealloc_uaf), + KUNIT_CASE(kmalloc_pagealloc_invalid_free), +#endif /* CONFIG_SLUB */ + KUNIT_CASE(kmalloc_large_oob_right), + KUNIT_CASE(kmalloc_oob_krealloc_more), + KUNIT_CASE(kmalloc_oob_krealloc_less), + KUNIT_CASE(kmalloc_oob_16), + KUNIT_CASE(kmalloc_oob_in_memset), + KUNIT_CASE(kmalloc_oob_memset_2), + KUNIT_CASE(kmalloc_oob_memset_4), + KUNIT_CASE(kmalloc_oob_memset_8), + KUNIT_CASE(kmalloc_oob_memset_16), + KUNIT_CASE(kmalloc_uaf), + KUNIT_CASE(kmalloc_uaf_memset), + KUNIT_CASE(kmalloc_uaf2), + KUNIT_CASE(kfree_via_page), + KUNIT_CASE(kfree_via_phys), + KUNIT_CASE(kmem_cache_oob), + KUNIT_CASE(memcg_accounted_kmem_cache), + KUNIT_CASE(kasan_global_oob), +#if (IS_ENABLED(CONFIG_KASAN_STACK)) + KUNIT_CASE(kasan_stack_oob), // need stack protection + KUNIT_CASE(kasan_alloca_oob_left), + KUNIT_CASE(kasan_alloca_oob_right), +#endif /*CONFIG_KASAN_STACK*/ + KUNIT_CASE(ksize_unpoisons_memory), + KUNIT_CASE(kmem_cache_double_free), + KUNIT_CASE(kmem_cache_invalid_free), + KUNIT_CASE(kasan_memchr), + KUNIT_CASE(kasan_memcmp), + KUNIT_CASE(kasan_strings), + KUNIT_CASE(kasan_bitops), + KUNIT_CASE(kmalloc_double_kzfree), + KUNIT_CASE(vmalloc_oob), + {} +}; + +static struct kunit_suite kasan_kunit_test_suite = { + .name = "kasan_kunit_test", + .init = kasan_multi_shot_init, + .test_cases = kasan_kunit_test_cases, + .exit = kasan_multi_shot_exit, +}; + +kunit_test_suite(kasan_kunit_test_suite); + +#endif /* BUILTIN(CONFIG_KUNIT) */ -module_init(kmalloc_tests_init); MODULE_LICENSE("GPL"); diff --git a/lib/test_kasan_copy_user.c b/lib/test_kasan_copy_user.c new file mode 100644 index 000000000000..9523cbc332ec --- /dev/null +++ b/lib/test_kasan_copy_user.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * + * Copyright (c) 2014 Samsung Electronics Co., Ltd. + * Author: Andrey Ryabinin + */ + +#define pr_fmt(fmt) "kasan test: %s " fmt, __func__ + +#include +#include +#include +#include +#include + +static noinline void __init copy_user_test(void) +{ + char *kmem; + char __user *usermem; + size_t size = 10; + int unused; + + kmem = kmalloc(size, GFP_KERNEL); + if (!kmem) + return; + + usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_ANONYMOUS | MAP_PRIVATE, 0); + if (IS_ERR(usermem)) { + pr_err("Failed to allocate user memory\n"); + kfree(kmem); + return; + } + + pr_info("out-of-bounds in copy_from_user()\n"); + unused = copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in copy_to_user()\n"); + unused = copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user()\n"); + unused = __copy_from_user(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user()\n"); + unused = __copy_to_user(usermem, kmem, size + 1); + + pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); + unused = __copy_from_user_inatomic(kmem, usermem, size + 1); + + pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); + unused = __copy_to_user_inatomic(usermem, kmem, size + 1); + + pr_info("out-of-bounds in strncpy_from_user()\n"); + unused = strncpy_from_user(kmem, usermem, size + 1); + + vm_munmap((unsigned long)usermem, PAGE_SIZE); + kfree(kmem); +} + +static int __init copy_user_tests_init(void) +{ + /* + * Temporarily enable multi-shot mode. Otherwise, we'd only get a + * report for the first case. + */ + bool multishot = kasan_save_enable_multi_shot(); + + copy_user_test(); + kasan_restore_multi_shot(multishot); + return -EAGAIN; +} + +module_init(copy_user_tests_init); +MODULE_LICENSE("GPL");