1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
8 #include <linux/bitops.h>
9 #include <linux/delay.h>
10 #include <linux/kasan.h>
11 #include <linux/kernel.h>
13 #include <linux/mman.h>
14 #include <linux/module.h>
15 #include <linux/printk.h>
16 #include <linux/random.h>
17 #include <linux/slab.h>
18 #include <linux/string.h>
19 #include <linux/uaccess.h>
21 #include <linux/vmalloc.h>
25 #include <kunit/test.h>
27 #include "../mm/kasan/kasan.h"
29 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
32 * Some tests use these global variables to store return values from function
33 * calls that could otherwise be eliminated by the compiler as dead code.
35 void *kasan_ptr_result;
38 static struct kunit_resource resource;
39 static struct kunit_kasan_expectation fail_data;
40 static bool multishot;
43 * Temporarily enable multi-shot mode. Otherwise, KASAN would only report the
44 * first detected bug and panic the kernel if panic_on_warn is enabled. For
45 * hardware tag-based KASAN also allow tag checking to be reenabled for each
46 * test, see the comment for KUNIT_EXPECT_KASAN_FAIL().
48 static int kasan_test_init(struct kunit *test)
50 multishot = kasan_save_enable_multi_shot();
51 kasan_set_tagging_report_once(false);
55 static void kasan_test_exit(struct kunit *test)
57 kasan_set_tagging_report_once(true);
58 kasan_restore_multi_shot(multishot);
62 * KUNIT_EXPECT_KASAN_FAIL() - check that the executed expression produces a
63 * KASAN report; causes a test failure otherwise. This relies on a KUnit
64 * resource named "kasan_data". Do not use this name for KUnit resources
65 * outside of KASAN tests.
67 * For hardware tag-based KASAN, when a tag fault happens, tag checking is
68 * normally auto-disabled. When this happens, this test handler reenables
69 * tag checking. As tag checking can be only disabled or enabled per CPU, this
70 * handler disables migration (preemption).
72 * Since the compiler doesn't see that the expression can change the fail_data
73 * fields, it can reorder or optimize away the accesses to those fields.
74 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
75 * expression to prevent that.
77 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
78 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS)) \
80 WRITE_ONCE(fail_data.report_expected, true); \
81 WRITE_ONCE(fail_data.report_found, false); \
82 kunit_add_named_resource(test, \
86 "kasan_data", &fail_data); \
90 KUNIT_EXPECT_EQ(test, \
91 READ_ONCE(fail_data.report_expected), \
92 READ_ONCE(fail_data.report_found)); \
93 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS)) { \
94 if (READ_ONCE(fail_data.report_found)) \
95 kasan_enable_tagging(); \
100 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
101 if (!IS_ENABLED(config)) { \
102 kunit_info((test), "skipping, " #config " required"); \
107 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
108 if (IS_ENABLED(config)) { \
109 kunit_info((test), "skipping, " #config " enabled"); \
114 static void kmalloc_oob_right(struct kunit *test)
119 ptr = kmalloc(size, GFP_KERNEL);
120 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
122 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
126 static void kmalloc_oob_left(struct kunit *test)
131 ptr = kmalloc(size, GFP_KERNEL);
132 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
134 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
138 static void kmalloc_node_oob_right(struct kunit *test)
143 ptr = kmalloc_node(size, GFP_KERNEL, 0);
144 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
146 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
150 static void kmalloc_pagealloc_oob_right(struct kunit *test)
153 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
155 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
158 * Allocate a chunk that does not fit into a SLUB cache to trigger
159 * the page allocator fallback.
161 ptr = kmalloc(size, GFP_KERNEL);
162 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
164 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
168 static void kmalloc_pagealloc_uaf(struct kunit *test)
171 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
173 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
175 ptr = kmalloc(size, GFP_KERNEL);
176 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
179 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
182 static void kmalloc_pagealloc_invalid_free(struct kunit *test)
185 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
187 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
189 ptr = kmalloc(size, GFP_KERNEL);
190 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
192 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
195 static void kmalloc_large_oob_right(struct kunit *test)
198 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
201 * Allocate a chunk that is large enough, but still fits into a slab
202 * and does not trigger the page allocator fallback in SLUB.
204 ptr = kmalloc(size, GFP_KERNEL);
205 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
207 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
211 static void kmalloc_oob_krealloc_more(struct kunit *test)
217 ptr1 = kmalloc(size1, GFP_KERNEL);
218 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
220 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
221 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
223 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
227 static void kmalloc_oob_krealloc_less(struct kunit *test)
233 ptr1 = kmalloc(size1, GFP_KERNEL);
234 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
236 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
237 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
239 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2 + OOB_TAG_OFF] = 'x');
243 static void kmalloc_oob_16(struct kunit *test)
249 /* This test is specifically crafted for the generic mode. */
250 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
252 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
253 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
255 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
256 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
258 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
263 static void kmalloc_uaf_16(struct kunit *test)
269 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
270 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
272 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
273 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
276 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
280 static void kmalloc_oob_memset_2(struct kunit *test)
285 ptr = kmalloc(size, GFP_KERNEL);
286 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
288 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
292 static void kmalloc_oob_memset_4(struct kunit *test)
297 ptr = kmalloc(size, GFP_KERNEL);
298 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
300 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
305 static void kmalloc_oob_memset_8(struct kunit *test)
310 ptr = kmalloc(size, GFP_KERNEL);
311 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
313 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
317 static void kmalloc_oob_memset_16(struct kunit *test)
322 ptr = kmalloc(size, GFP_KERNEL);
323 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
325 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
329 static void kmalloc_oob_in_memset(struct kunit *test)
334 ptr = kmalloc(size, GFP_KERNEL);
335 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
337 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
341 static void kmalloc_memmove_invalid_size(struct kunit *test)
345 volatile size_t invalid_size = -2;
347 ptr = kmalloc(size, GFP_KERNEL);
348 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
350 memset((char *)ptr, 0, 64);
352 KUNIT_EXPECT_KASAN_FAIL(test,
353 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
357 static void kmalloc_uaf(struct kunit *test)
362 ptr = kmalloc(size, GFP_KERNEL);
363 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
366 KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
369 static void kmalloc_uaf_memset(struct kunit *test)
374 ptr = kmalloc(size, GFP_KERNEL);
375 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
378 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
381 static void kmalloc_uaf2(struct kunit *test)
388 ptr1 = kmalloc(size, GFP_KERNEL);
389 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
393 ptr2 = kmalloc(size, GFP_KERNEL);
394 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
397 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
398 * Allow up to 16 attempts at generating different tags.
400 if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
405 KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
406 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
411 static void kfree_via_page(struct kunit *test)
416 unsigned long offset;
418 ptr = kmalloc(size, GFP_KERNEL);
419 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
421 page = virt_to_page(ptr);
422 offset = offset_in_page(ptr);
423 kfree(page_address(page) + offset);
426 static void kfree_via_phys(struct kunit *test)
432 ptr = kmalloc(size, GFP_KERNEL);
433 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
435 phys = virt_to_phys(ptr);
436 kfree(phys_to_virt(phys));
439 static void kmem_cache_oob(struct kunit *test)
443 struct kmem_cache *cache = kmem_cache_create("test_cache",
446 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
447 p = kmem_cache_alloc(cache, GFP_KERNEL);
449 kunit_err(test, "Allocation failed: %s\n", __func__);
450 kmem_cache_destroy(cache);
454 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
455 kmem_cache_free(cache, p);
456 kmem_cache_destroy(cache);
459 static void memcg_accounted_kmem_cache(struct kunit *test)
464 struct kmem_cache *cache;
466 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
467 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
470 * Several allocations with a delay to allow for lazy per memcg kmem
473 for (i = 0; i < 5; i++) {
474 p = kmem_cache_alloc(cache, GFP_KERNEL);
478 kmem_cache_free(cache, p);
483 kmem_cache_destroy(cache);
486 static char global_array[10];
488 static void kasan_global_oob(struct kunit *test)
491 char *p = &global_array[ARRAY_SIZE(global_array) + i];
493 /* Only generic mode instruments globals. */
494 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
496 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
499 static void ksize_unpoisons_memory(struct kunit *test)
502 size_t size = 123, real_size;
504 ptr = kmalloc(size, GFP_KERNEL);
505 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
506 real_size = ksize(ptr);
508 /* This access shouldn't trigger a KASAN report. */
512 KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y');
517 static void kasan_stack_oob(struct kunit *test)
519 char stack_array[10];
520 volatile int i = OOB_TAG_OFF;
521 char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
523 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
525 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
528 static void kasan_alloca_oob_left(struct kunit *test)
531 char alloca_array[i];
532 char *p = alloca_array - 1;
534 /* Only generic mode instruments dynamic allocas. */
535 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
536 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
538 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
541 static void kasan_alloca_oob_right(struct kunit *test)
544 char alloca_array[i];
545 char *p = alloca_array + i;
547 /* Only generic mode instruments dynamic allocas. */
548 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
549 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
551 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
554 static void kmem_cache_double_free(struct kunit *test)
558 struct kmem_cache *cache;
560 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
561 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
563 p = kmem_cache_alloc(cache, GFP_KERNEL);
565 kunit_err(test, "Allocation failed: %s\n", __func__);
566 kmem_cache_destroy(cache);
570 kmem_cache_free(cache, p);
571 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
572 kmem_cache_destroy(cache);
575 static void kmem_cache_invalid_free(struct kunit *test)
579 struct kmem_cache *cache;
581 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
583 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
585 p = kmem_cache_alloc(cache, GFP_KERNEL);
587 kunit_err(test, "Allocation failed: %s\n", __func__);
588 kmem_cache_destroy(cache);
592 /* Trigger invalid free, the object doesn't get freed. */
593 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
596 * Properly free the object to prevent the "Objects remaining in
597 * test_cache on __kmem_cache_shutdown" BUG failure.
599 kmem_cache_free(cache, p);
601 kmem_cache_destroy(cache);
604 static void kasan_memchr(struct kunit *test)
610 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
611 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
613 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
616 size = round_up(size, OOB_TAG_OFF);
618 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
619 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
621 KUNIT_EXPECT_KASAN_FAIL(test,
622 kasan_ptr_result = memchr(ptr, '1', size + 1));
627 static void kasan_memcmp(struct kunit *test)
634 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
635 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
637 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
640 size = round_up(size, OOB_TAG_OFF);
642 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
643 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
644 memset(arr, 0, sizeof(arr));
646 KUNIT_EXPECT_KASAN_FAIL(test,
647 kasan_int_result = memcmp(ptr, arr, size+1));
651 static void kasan_strings(struct kunit *test)
657 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
658 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
660 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
662 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
663 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
668 * Try to cause only 1 invalid access (less spam in dmesg).
669 * For that we need ptr to point to zeroed byte.
670 * Skip metadata that could be stored in freed object so ptr
671 * will likely point to zeroed byte.
674 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
676 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
678 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
680 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
682 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
684 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
687 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
689 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
690 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
691 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
692 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
693 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
694 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
695 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
696 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
699 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
701 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
702 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
703 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
704 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
705 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
706 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
707 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
708 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
710 #if defined(clear_bit_unlock_is_negative_byte)
711 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
712 clear_bit_unlock_is_negative_byte(nr, addr));
716 static void kasan_bitops_generic(struct kunit *test)
720 /* This test is specifically crafted for the generic mode. */
721 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
724 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
725 * this way we do not actually corrupt other memory.
727 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
728 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
731 * Below calls try to access bit within allocated memory; however, the
732 * below accesses are still out-of-bounds, since bitops are defined to
733 * operate on the whole long the bit is in.
735 kasan_bitops_modify(test, BITS_PER_LONG, bits);
738 * Below calls try to access bit beyond allocated memory.
740 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
745 static void kasan_bitops_tags(struct kunit *test)
749 /* This test is specifically crafted for tag-based modes. */
750 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
752 /* Allocation size will be rounded to up granule size, which is 16. */
753 bits = kzalloc(sizeof(*bits), GFP_KERNEL);
754 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
756 /* Do the accesses past the 16 allocated bytes. */
757 kasan_bitops_modify(test, BITS_PER_LONG, &bits[1]);
758 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, &bits[1]);
763 static void kmalloc_double_kzfree(struct kunit *test)
768 ptr = kmalloc(size, GFP_KERNEL);
769 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
771 kfree_sensitive(ptr);
772 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
775 static void vmalloc_oob(struct kunit *test)
779 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
782 * We have to be careful not to hit the guard page.
783 * The MMU will catch that and crash us.
785 area = vmalloc(3000);
786 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
788 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
793 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
794 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
797 static void match_all_not_assigned(struct kunit *test)
803 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
805 for (i = 0; i < 256; i++) {
806 size = (get_random_int() % 1024) + 1;
807 ptr = kmalloc(size, GFP_KERNEL);
808 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
809 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
810 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
814 for (i = 0; i < 256; i++) {
815 order = (get_random_int() % 4) + 1;
816 pages = alloc_pages(GFP_KERNEL, order);
817 ptr = page_address(pages);
818 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
819 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
820 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
821 free_pages((unsigned long)ptr, order);
825 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
826 static void match_all_ptr_tag(struct kunit *test)
831 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
833 ptr = kmalloc(128, GFP_KERNEL);
834 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
836 /* Backup the assigned tag. */
838 KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
840 /* Reset the tag to 0xff.*/
841 ptr = set_tag(ptr, KASAN_TAG_KERNEL);
843 /* This access shouldn't trigger a KASAN report. */
846 /* Recover the pointer tag and free. */
847 ptr = set_tag(ptr, tag);
851 /* Check that there are no match-all memory tags for tag-based modes. */
852 static void match_all_mem_tag(struct kunit *test)
857 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
859 ptr = kmalloc(128, GFP_KERNEL);
860 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
861 KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
863 /* For each possible tag value not matching the pointer tag. */
864 for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
865 if (tag == get_tag(ptr))
868 /* Mark the first memory granule with the chosen memory tag. */
869 kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag);
871 /* This access must cause a KASAN report. */
872 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
875 /* Recover the memory tag and free. */
876 kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr));
880 static struct kunit_case kasan_kunit_test_cases[] = {
881 KUNIT_CASE(kmalloc_oob_right),
882 KUNIT_CASE(kmalloc_oob_left),
883 KUNIT_CASE(kmalloc_node_oob_right),
884 KUNIT_CASE(kmalloc_pagealloc_oob_right),
885 KUNIT_CASE(kmalloc_pagealloc_uaf),
886 KUNIT_CASE(kmalloc_pagealloc_invalid_free),
887 KUNIT_CASE(kmalloc_large_oob_right),
888 KUNIT_CASE(kmalloc_oob_krealloc_more),
889 KUNIT_CASE(kmalloc_oob_krealloc_less),
890 KUNIT_CASE(kmalloc_oob_16),
891 KUNIT_CASE(kmalloc_uaf_16),
892 KUNIT_CASE(kmalloc_oob_in_memset),
893 KUNIT_CASE(kmalloc_oob_memset_2),
894 KUNIT_CASE(kmalloc_oob_memset_4),
895 KUNIT_CASE(kmalloc_oob_memset_8),
896 KUNIT_CASE(kmalloc_oob_memset_16),
897 KUNIT_CASE(kmalloc_memmove_invalid_size),
898 KUNIT_CASE(kmalloc_uaf),
899 KUNIT_CASE(kmalloc_uaf_memset),
900 KUNIT_CASE(kmalloc_uaf2),
901 KUNIT_CASE(kfree_via_page),
902 KUNIT_CASE(kfree_via_phys),
903 KUNIT_CASE(kmem_cache_oob),
904 KUNIT_CASE(memcg_accounted_kmem_cache),
905 KUNIT_CASE(kasan_global_oob),
906 KUNIT_CASE(kasan_stack_oob),
907 KUNIT_CASE(kasan_alloca_oob_left),
908 KUNIT_CASE(kasan_alloca_oob_right),
909 KUNIT_CASE(ksize_unpoisons_memory),
910 KUNIT_CASE(kmem_cache_double_free),
911 KUNIT_CASE(kmem_cache_invalid_free),
912 KUNIT_CASE(kasan_memchr),
913 KUNIT_CASE(kasan_memcmp),
914 KUNIT_CASE(kasan_strings),
915 KUNIT_CASE(kasan_bitops_generic),
916 KUNIT_CASE(kasan_bitops_tags),
917 KUNIT_CASE(kmalloc_double_kzfree),
918 KUNIT_CASE(vmalloc_oob),
919 KUNIT_CASE(match_all_not_assigned),
920 KUNIT_CASE(match_all_ptr_tag),
921 KUNIT_CASE(match_all_mem_tag),
925 static struct kunit_suite kasan_kunit_test_suite = {
927 .init = kasan_test_init,
928 .test_cases = kasan_kunit_test_cases,
929 .exit = kasan_test_exit,
932 kunit_test_suite(kasan_kunit_test_suite);
934 MODULE_LICENSE("GPL");
projects / linux-2.6-microblaze.git / blob