1 // SPDX-License-Identifier: GPL-2.0-only
4 * Copyright (c) 2014 Samsung Electronics Co., Ltd.
5 * Author: Andrey Ryabinin <a.ryabinin@samsung.com>
8 #include <linux/bitops.h>
9 #include <linux/delay.h>
10 #include <linux/kasan.h>
11 #include <linux/kernel.h>
13 #include <linux/mman.h>
14 #include <linux/module.h>
15 #include <linux/printk.h>
16 #include <linux/random.h>
17 #include <linux/slab.h>
18 #include <linux/string.h>
19 #include <linux/uaccess.h>
21 #include <linux/vmalloc.h>
25 #include <kunit/test.h>
27 #include "../mm/kasan/kasan.h"
29 #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
32 * Some tests use these global variables to store return values from function
33 * calls that could otherwise be eliminated by the compiler as dead code.
35 void *kasan_ptr_result;
38 static struct kunit_resource resource;
39 static struct kunit_kasan_expectation fail_data;
40 static bool multishot;
43 * Temporarily enable multi-shot mode. Otherwise, KASAN would only report the
44 * first detected bug and panic the kernel if panic_on_warn is enabled. For
45 * hardware tag-based KASAN also allow tag checking to be reenabled for each
46 * test, see the comment for KUNIT_EXPECT_KASAN_FAIL().
48 static int kasan_test_init(struct kunit *test)
50 if (!kasan_enabled()) {
51 kunit_err(test, "can't run KASAN tests with KASAN disabled");
55 multishot = kasan_save_enable_multi_shot();
56 kasan_set_tagging_report_once(false);
57 fail_data.report_found = false;
58 kunit_add_named_resource(test, NULL, NULL, &resource,
59 "kasan_data", &fail_data);
63 static void kasan_test_exit(struct kunit *test)
65 kasan_set_tagging_report_once(true);
66 kasan_restore_multi_shot(multishot);
67 KUNIT_EXPECT_FALSE(test, fail_data.report_found);
71 * KUNIT_EXPECT_KASAN_FAIL() - check that the executed expression produces a
72 * KASAN report; causes a test failure otherwise. This relies on a KUnit
73 * resource named "kasan_data". Do not use this name for KUnit resources
74 * outside of KASAN tests.
76 * For hardware tag-based KASAN in sync mode, when a tag fault happens, tag
77 * checking is auto-disabled. When this happens, this test handler reenables
78 * tag checking. As tag checking can be only disabled or enabled per CPU,
79 * this handler disables migration (preemption).
81 * Since the compiler doesn't see that the expression can change the fail_data
82 * fields, it can reorder or optimize away the accesses to those fields.
83 * Use READ/WRITE_ONCE() for the accesses and compiler barriers around the
84 * expression to prevent that.
86 * In between KUNIT_EXPECT_KASAN_FAIL checks, fail_data.report_found is kept as
87 * false. This allows detecting KASAN reports that happen outside of the checks
88 * by asserting !fail_data.report_found at the start of KUNIT_EXPECT_KASAN_FAIL
89 * and in kasan_test_exit.
91 #define KUNIT_EXPECT_KASAN_FAIL(test, expression) do { \
92 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS) && \
93 !kasan_async_mode_enabled()) \
95 KUNIT_EXPECT_FALSE(test, READ_ONCE(fail_data.report_found)); \
99 if (!READ_ONCE(fail_data.report_found)) { \
100 KUNIT_FAIL(test, KUNIT_SUBTEST_INDENT "KASAN failure " \
101 "expected in \"" #expression \
102 "\", but none occurred"); \
104 if (IS_ENABLED(CONFIG_KASAN_HW_TAGS)) { \
105 if (READ_ONCE(fail_data.report_found)) \
106 kasan_enable_tagging_sync(); \
109 WRITE_ONCE(fail_data.report_found, false); \
112 #define KASAN_TEST_NEEDS_CONFIG_ON(test, config) do { \
113 if (!IS_ENABLED(config)) { \
114 kunit_info((test), "skipping, " #config " required"); \
119 #define KASAN_TEST_NEEDS_CONFIG_OFF(test, config) do { \
120 if (IS_ENABLED(config)) { \
121 kunit_info((test), "skipping, " #config " enabled"); \
126 static void kmalloc_oob_right(struct kunit *test)
131 ptr = kmalloc(size, GFP_KERNEL);
132 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
134 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
138 static void kmalloc_oob_left(struct kunit *test)
143 ptr = kmalloc(size, GFP_KERNEL);
144 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
146 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = *(ptr - 1));
150 static void kmalloc_node_oob_right(struct kunit *test)
155 ptr = kmalloc_node(size, GFP_KERNEL, 0);
156 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
158 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
163 * These kmalloc_pagealloc_* tests try allocating a memory chunk that doesn't
164 * fit into a slab cache and therefore is allocated via the page allocator
165 * fallback. Since this kind of fallback is only implemented for SLUB, these
166 * tests are limited to that allocator.
168 static void kmalloc_pagealloc_oob_right(struct kunit *test)
171 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
173 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
175 ptr = kmalloc(size, GFP_KERNEL);
176 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
178 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 0);
183 static void kmalloc_pagealloc_uaf(struct kunit *test)
186 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
188 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
190 ptr = kmalloc(size, GFP_KERNEL);
191 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
194 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
197 static void kmalloc_pagealloc_invalid_free(struct kunit *test)
200 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
202 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
204 ptr = kmalloc(size, GFP_KERNEL);
205 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
207 KUNIT_EXPECT_KASAN_FAIL(test, kfree(ptr + 1));
210 static void pagealloc_oob_right(struct kunit *test)
215 size_t size = (1UL << (PAGE_SHIFT + order));
218 * With generic KASAN page allocations have no redzones, thus
219 * out-of-bounds detection is not guaranteed.
220 * See https://bugzilla.kernel.org/show_bug.cgi?id=210503.
222 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
224 pages = alloc_pages(GFP_KERNEL, order);
225 ptr = page_address(pages);
226 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
228 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
229 free_pages((unsigned long)ptr, order);
232 static void pagealloc_uaf(struct kunit *test)
238 pages = alloc_pages(GFP_KERNEL, order);
239 ptr = page_address(pages);
240 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
241 free_pages((unsigned long)ptr, order);
243 KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0);
246 static void kmalloc_large_oob_right(struct kunit *test)
249 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
252 * Allocate a chunk that is large enough, but still fits into a slab
253 * and does not trigger the page allocator fallback in SLUB.
255 ptr = kmalloc(size, GFP_KERNEL);
256 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
258 KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0);
262 static void krealloc_more_oob_helper(struct kunit *test,
263 size_t size1, size_t size2)
268 KUNIT_ASSERT_LT(test, size1, size2);
269 middle = size1 + (size2 - size1) / 2;
271 ptr1 = kmalloc(size1, GFP_KERNEL);
272 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
274 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
275 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
277 /* All offsets up to size2 must be accessible. */
278 ptr2[size1 - 1] = 'x';
281 ptr2[size2 - 1] = 'x';
283 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
284 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
285 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
287 /* For all modes first aligned offset after size2 must be inaccessible. */
288 KUNIT_EXPECT_KASAN_FAIL(test,
289 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
294 static void krealloc_less_oob_helper(struct kunit *test,
295 size_t size1, size_t size2)
300 KUNIT_ASSERT_LT(test, size2, size1);
301 middle = size2 + (size1 - size2) / 2;
303 ptr1 = kmalloc(size1, GFP_KERNEL);
304 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
306 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
307 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
309 /* Must be accessible for all modes. */
310 ptr2[size2 - 1] = 'x';
312 /* Generic mode is precise, so unaligned size2 must be inaccessible. */
313 if (IS_ENABLED(CONFIG_KASAN_GENERIC))
314 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size2] = 'x');
316 /* For all modes first aligned offset after size2 must be inaccessible. */
317 KUNIT_EXPECT_KASAN_FAIL(test,
318 ptr2[round_up(size2, KASAN_GRANULE_SIZE)] = 'x');
321 * For all modes all size2, middle, and size1 should land in separate
322 * granules and thus the latter two offsets should be inaccessible.
324 KUNIT_EXPECT_LE(test, round_up(size2, KASAN_GRANULE_SIZE),
325 round_down(middle, KASAN_GRANULE_SIZE));
326 KUNIT_EXPECT_LE(test, round_up(middle, KASAN_GRANULE_SIZE),
327 round_down(size1, KASAN_GRANULE_SIZE));
328 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[middle] = 'x');
329 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1 - 1] = 'x');
330 KUNIT_EXPECT_KASAN_FAIL(test, ptr2[size1] = 'x');
335 static void krealloc_more_oob(struct kunit *test)
337 krealloc_more_oob_helper(test, 201, 235);
340 static void krealloc_less_oob(struct kunit *test)
342 krealloc_less_oob_helper(test, 235, 201);
345 static void krealloc_pagealloc_more_oob(struct kunit *test)
347 /* page_alloc fallback in only implemented for SLUB. */
348 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
350 krealloc_more_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 201,
351 KMALLOC_MAX_CACHE_SIZE + 235);
354 static void krealloc_pagealloc_less_oob(struct kunit *test)
356 /* page_alloc fallback in only implemented for SLUB. */
357 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_SLUB);
359 krealloc_less_oob_helper(test, KMALLOC_MAX_CACHE_SIZE + 235,
360 KMALLOC_MAX_CACHE_SIZE + 201);
364 * Check that krealloc() detects a use-after-free, returns NULL,
365 * and doesn't unpoison the freed object.
367 static void krealloc_uaf(struct kunit *test)
373 ptr1 = kmalloc(size1, GFP_KERNEL);
374 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
377 KUNIT_EXPECT_KASAN_FAIL(test, ptr2 = krealloc(ptr1, size2, GFP_KERNEL));
378 KUNIT_ASSERT_PTR_EQ(test, (void *)ptr2, NULL);
379 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)ptr1);
382 static void kmalloc_oob_16(struct kunit *test)
388 /* This test is specifically crafted for the generic mode. */
389 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
391 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
392 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
394 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
395 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
397 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
402 static void kmalloc_uaf_16(struct kunit *test)
408 ptr1 = kmalloc(sizeof(*ptr1), GFP_KERNEL);
409 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
411 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
412 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
415 KUNIT_EXPECT_KASAN_FAIL(test, *ptr1 = *ptr2);
419 static void kmalloc_oob_memset_2(struct kunit *test)
424 ptr = kmalloc(size, GFP_KERNEL);
425 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
427 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 7 + OOB_TAG_OFF, 0, 2));
431 static void kmalloc_oob_memset_4(struct kunit *test)
436 ptr = kmalloc(size, GFP_KERNEL);
437 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
439 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 5 + OOB_TAG_OFF, 0, 4));
444 static void kmalloc_oob_memset_8(struct kunit *test)
449 ptr = kmalloc(size, GFP_KERNEL);
450 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
452 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 8));
456 static void kmalloc_oob_memset_16(struct kunit *test)
461 ptr = kmalloc(size, GFP_KERNEL);
462 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
464 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr + 1 + OOB_TAG_OFF, 0, 16));
468 static void kmalloc_oob_in_memset(struct kunit *test)
473 ptr = kmalloc(size, GFP_KERNEL);
474 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
476 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size + 5 + OOB_TAG_OFF));
480 static void kmalloc_memmove_invalid_size(struct kunit *test)
484 volatile size_t invalid_size = -2;
486 ptr = kmalloc(size, GFP_KERNEL);
487 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
489 memset((char *)ptr, 0, 64);
491 KUNIT_EXPECT_KASAN_FAIL(test,
492 memmove((char *)ptr, (char *)ptr + 4, invalid_size));
496 static void kmalloc_uaf(struct kunit *test)
501 ptr = kmalloc(size, GFP_KERNEL);
502 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
505 KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x');
508 static void kmalloc_uaf_memset(struct kunit *test)
513 ptr = kmalloc(size, GFP_KERNEL);
514 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
517 KUNIT_EXPECT_KASAN_FAIL(test, memset(ptr, 0, size));
520 static void kmalloc_uaf2(struct kunit *test)
527 ptr1 = kmalloc(size, GFP_KERNEL);
528 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);
532 ptr2 = kmalloc(size, GFP_KERNEL);
533 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);
536 * For tag-based KASAN ptr1 and ptr2 tags might happen to be the same.
537 * Allow up to 16 attempts at generating different tags.
539 if (!IS_ENABLED(CONFIG_KASAN_GENERIC) && ptr1 == ptr2 && counter++ < 16) {
544 KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x');
545 KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2);
550 static void kfree_via_page(struct kunit *test)
555 unsigned long offset;
557 ptr = kmalloc(size, GFP_KERNEL);
558 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
560 page = virt_to_page(ptr);
561 offset = offset_in_page(ptr);
562 kfree(page_address(page) + offset);
565 static void kfree_via_phys(struct kunit *test)
571 ptr = kmalloc(size, GFP_KERNEL);
572 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
574 phys = virt_to_phys(ptr);
575 kfree(phys_to_virt(phys));
578 static void kmem_cache_oob(struct kunit *test)
582 struct kmem_cache *cache;
584 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
585 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
587 p = kmem_cache_alloc(cache, GFP_KERNEL);
589 kunit_err(test, "Allocation failed: %s\n", __func__);
590 kmem_cache_destroy(cache);
594 KUNIT_EXPECT_KASAN_FAIL(test, *p = p[size + OOB_TAG_OFF]);
596 kmem_cache_free(cache, p);
597 kmem_cache_destroy(cache);
600 static void kmem_cache_accounted(struct kunit *test)
605 struct kmem_cache *cache;
607 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
608 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
611 * Several allocations with a delay to allow for lazy per memcg kmem
614 for (i = 0; i < 5; i++) {
615 p = kmem_cache_alloc(cache, GFP_KERNEL);
619 kmem_cache_free(cache, p);
624 kmem_cache_destroy(cache);
627 static void kmem_cache_bulk(struct kunit *test)
629 struct kmem_cache *cache;
635 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
636 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
638 ret = kmem_cache_alloc_bulk(cache, GFP_KERNEL, ARRAY_SIZE(p), (void **)&p);
640 kunit_err(test, "Allocation failed: %s\n", __func__);
641 kmem_cache_destroy(cache);
645 for (i = 0; i < ARRAY_SIZE(p); i++)
646 p[i][0] = p[i][size - 1] = 42;
648 kmem_cache_free_bulk(cache, ARRAY_SIZE(p), (void **)&p);
649 kmem_cache_destroy(cache);
652 static char global_array[10];
654 static void kasan_global_oob(struct kunit *test)
657 * Deliberate out-of-bounds access. To prevent CONFIG_UBSAN_LOCAL_BOUNDS
658 * from failing here and panicing the kernel, access the array via a
659 * volatile pointer, which will prevent the compiler from being able to
660 * determine the array bounds.
662 * This access uses a volatile pointer to char (char *volatile) rather
663 * than the more conventional pointer to volatile char (volatile char *)
664 * because we want to prevent the compiler from making inferences about
665 * the pointer itself (i.e. its array bounds), not the data that it
668 char *volatile array = global_array;
669 char *p = &array[ARRAY_SIZE(global_array) + 3];
671 /* Only generic mode instruments globals. */
672 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
674 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
677 /* Check that ksize() makes the whole object accessible. */
678 static void ksize_unpoisons_memory(struct kunit *test)
681 size_t size = 123, real_size;
683 ptr = kmalloc(size, GFP_KERNEL);
684 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
685 real_size = ksize(ptr);
687 /* This access shouldn't trigger a KASAN report. */
691 KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y');
697 * Check that a use-after-free is detected by ksize() and via normal accesses
700 static void ksize_uaf(struct kunit *test)
703 int size = 128 - KASAN_GRANULE_SIZE;
705 ptr = kmalloc(size, GFP_KERNEL);
706 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
709 KUNIT_EXPECT_KASAN_FAIL(test, ksize(ptr));
710 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = *ptr);
711 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = *(ptr + size));
714 static void kasan_stack_oob(struct kunit *test)
716 char stack_array[10];
717 /* See comment in kasan_global_oob. */
718 char *volatile array = stack_array;
719 char *p = &array[ARRAY_SIZE(stack_array) + OOB_TAG_OFF];
721 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
723 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
726 static void kasan_alloca_oob_left(struct kunit *test)
729 char alloca_array[i];
730 /* See comment in kasan_global_oob. */
731 char *volatile array = alloca_array;
734 /* Only generic mode instruments dynamic allocas. */
735 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
736 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
738 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
741 static void kasan_alloca_oob_right(struct kunit *test)
744 char alloca_array[i];
745 /* See comment in kasan_global_oob. */
746 char *volatile array = alloca_array;
749 /* Only generic mode instruments dynamic allocas. */
750 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
751 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_STACK);
753 KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p);
756 static void kmem_cache_double_free(struct kunit *test)
760 struct kmem_cache *cache;
762 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
763 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
765 p = kmem_cache_alloc(cache, GFP_KERNEL);
767 kunit_err(test, "Allocation failed: %s\n", __func__);
768 kmem_cache_destroy(cache);
772 kmem_cache_free(cache, p);
773 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p));
774 kmem_cache_destroy(cache);
777 static void kmem_cache_invalid_free(struct kunit *test)
781 struct kmem_cache *cache;
783 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
785 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
787 p = kmem_cache_alloc(cache, GFP_KERNEL);
789 kunit_err(test, "Allocation failed: %s\n", __func__);
790 kmem_cache_destroy(cache);
794 /* Trigger invalid free, the object doesn't get freed. */
795 KUNIT_EXPECT_KASAN_FAIL(test, kmem_cache_free(cache, p + 1));
798 * Properly free the object to prevent the "Objects remaining in
799 * test_cache on __kmem_cache_shutdown" BUG failure.
801 kmem_cache_free(cache, p);
803 kmem_cache_destroy(cache);
806 static void kasan_memchr(struct kunit *test)
812 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
813 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
815 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
818 size = round_up(size, OOB_TAG_OFF);
820 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
821 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
823 KUNIT_EXPECT_KASAN_FAIL(test,
824 kasan_ptr_result = memchr(ptr, '1', size + 1));
829 static void kasan_memcmp(struct kunit *test)
836 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
837 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
839 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
842 size = round_up(size, OOB_TAG_OFF);
844 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
845 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
846 memset(arr, 0, sizeof(arr));
848 KUNIT_EXPECT_KASAN_FAIL(test,
849 kasan_int_result = memcmp(ptr, arr, size+1));
853 static void kasan_strings(struct kunit *test)
859 * str* functions are not instrumented with CONFIG_AMD_MEM_ENCRYPT.
860 * See https://bugzilla.kernel.org/show_bug.cgi?id=206337 for details.
862 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_AMD_MEM_ENCRYPT);
864 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
865 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
870 * Try to cause only 1 invalid access (less spam in dmesg).
871 * For that we need ptr to point to zeroed byte.
872 * Skip metadata that could be stored in freed object so ptr
873 * will likely point to zeroed byte.
876 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strchr(ptr, '1'));
878 KUNIT_EXPECT_KASAN_FAIL(test, kasan_ptr_result = strrchr(ptr, '1'));
880 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strcmp(ptr, "2"));
882 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strncmp(ptr, "2", 1));
884 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strlen(ptr));
886 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = strnlen(ptr, 1));
889 static void kasan_bitops_modify(struct kunit *test, int nr, void *addr)
891 KUNIT_EXPECT_KASAN_FAIL(test, set_bit(nr, addr));
892 KUNIT_EXPECT_KASAN_FAIL(test, __set_bit(nr, addr));
893 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit(nr, addr));
894 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit(nr, addr));
895 KUNIT_EXPECT_KASAN_FAIL(test, clear_bit_unlock(nr, addr));
896 KUNIT_EXPECT_KASAN_FAIL(test, __clear_bit_unlock(nr, addr));
897 KUNIT_EXPECT_KASAN_FAIL(test, change_bit(nr, addr));
898 KUNIT_EXPECT_KASAN_FAIL(test, __change_bit(nr, addr));
901 static void kasan_bitops_test_and_modify(struct kunit *test, int nr, void *addr)
903 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit(nr, addr));
904 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_set_bit(nr, addr));
905 KUNIT_EXPECT_KASAN_FAIL(test, test_and_set_bit_lock(nr, addr));
906 KUNIT_EXPECT_KASAN_FAIL(test, test_and_clear_bit(nr, addr));
907 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_clear_bit(nr, addr));
908 KUNIT_EXPECT_KASAN_FAIL(test, test_and_change_bit(nr, addr));
909 KUNIT_EXPECT_KASAN_FAIL(test, __test_and_change_bit(nr, addr));
910 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result = test_bit(nr, addr));
912 #if defined(clear_bit_unlock_is_negative_byte)
913 KUNIT_EXPECT_KASAN_FAIL(test, kasan_int_result =
914 clear_bit_unlock_is_negative_byte(nr, addr));
918 static void kasan_bitops_generic(struct kunit *test)
922 /* This test is specifically crafted for the generic mode. */
923 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_GENERIC);
926 * Allocate 1 more byte, which causes kzalloc to round up to 16 bytes;
927 * this way we do not actually corrupt other memory.
929 bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
930 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
933 * Below calls try to access bit within allocated memory; however, the
934 * below accesses are still out-of-bounds, since bitops are defined to
935 * operate on the whole long the bit is in.
937 kasan_bitops_modify(test, BITS_PER_LONG, bits);
940 * Below calls try to access bit beyond allocated memory.
942 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, bits);
947 static void kasan_bitops_tags(struct kunit *test)
951 /* This test is specifically crafted for tag-based modes. */
952 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
954 /* kmalloc-64 cache will be used and the last 16 bytes will be the redzone. */
955 bits = kzalloc(48, GFP_KERNEL);
956 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, bits);
958 /* Do the accesses past the 48 allocated bytes, but within the redone. */
959 kasan_bitops_modify(test, BITS_PER_LONG, (void *)bits + 48);
960 kasan_bitops_test_and_modify(test, BITS_PER_LONG + BITS_PER_BYTE, (void *)bits + 48);
965 static void kmalloc_double_kzfree(struct kunit *test)
970 ptr = kmalloc(size, GFP_KERNEL);
971 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
973 kfree_sensitive(ptr);
974 KUNIT_EXPECT_KASAN_FAIL(test, kfree_sensitive(ptr));
977 static void vmalloc_oob(struct kunit *test)
981 KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_KASAN_VMALLOC);
984 * We have to be careful not to hit the guard page.
985 * The MMU will catch that and crash us.
987 area = vmalloc(3000);
988 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, area);
990 KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)area)[3100]);
995 * Check that the assigned pointer tag falls within the [KASAN_TAG_MIN,
996 * KASAN_TAG_KERNEL) range (note: excluding the match-all tag) for tag-based
999 static void match_all_not_assigned(struct kunit *test)
1005 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1007 for (i = 0; i < 256; i++) {
1008 size = (get_random_int() % 1024) + 1;
1009 ptr = kmalloc(size, GFP_KERNEL);
1010 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1011 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1012 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1016 for (i = 0; i < 256; i++) {
1017 order = (get_random_int() % 4) + 1;
1018 pages = alloc_pages(GFP_KERNEL, order);
1019 ptr = page_address(pages);
1020 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1021 KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
1022 KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1023 free_pages((unsigned long)ptr, order);
1027 /* Check that 0xff works as a match-all pointer tag for tag-based modes. */
1028 static void match_all_ptr_tag(struct kunit *test)
1033 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1035 ptr = kmalloc(128, GFP_KERNEL);
1036 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1038 /* Backup the assigned tag. */
1040 KUNIT_EXPECT_NE(test, tag, (u8)KASAN_TAG_KERNEL);
1042 /* Reset the tag to 0xff.*/
1043 ptr = set_tag(ptr, KASAN_TAG_KERNEL);
1045 /* This access shouldn't trigger a KASAN report. */
1048 /* Recover the pointer tag and free. */
1049 ptr = set_tag(ptr, tag);
1053 /* Check that there are no match-all memory tags for tag-based modes. */
1054 static void match_all_mem_tag(struct kunit *test)
1059 KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);
1061 ptr = kmalloc(128, GFP_KERNEL);
1062 KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
1063 KUNIT_EXPECT_NE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
1065 /* For each possible tag value not matching the pointer tag. */
1066 for (tag = KASAN_TAG_MIN; tag <= KASAN_TAG_KERNEL; tag++) {
1067 if (tag == get_tag(ptr))
1070 /* Mark the first memory granule with the chosen memory tag. */
1071 kasan_poison(ptr, KASAN_GRANULE_SIZE, (u8)tag, false);
1073 /* This access must cause a KASAN report. */
1074 KUNIT_EXPECT_KASAN_FAIL(test, *ptr = 0);
1077 /* Recover the memory tag and free. */
1078 kasan_poison(ptr, KASAN_GRANULE_SIZE, get_tag(ptr), false);
1082 static struct kunit_case kasan_kunit_test_cases[] = {
1083 KUNIT_CASE(kmalloc_oob_right),
1084 KUNIT_CASE(kmalloc_oob_left),
1085 KUNIT_CASE(kmalloc_node_oob_right),
1086 KUNIT_CASE(kmalloc_pagealloc_oob_right),
1087 KUNIT_CASE(kmalloc_pagealloc_uaf),
1088 KUNIT_CASE(kmalloc_pagealloc_invalid_free),
1089 KUNIT_CASE(pagealloc_oob_right),
1090 KUNIT_CASE(pagealloc_uaf),
1091 KUNIT_CASE(kmalloc_large_oob_right),
1092 KUNIT_CASE(krealloc_more_oob),
1093 KUNIT_CASE(krealloc_less_oob),
1094 KUNIT_CASE(krealloc_pagealloc_more_oob),
1095 KUNIT_CASE(krealloc_pagealloc_less_oob),
1096 KUNIT_CASE(krealloc_uaf),
1097 KUNIT_CASE(kmalloc_oob_16),
1098 KUNIT_CASE(kmalloc_uaf_16),
1099 KUNIT_CASE(kmalloc_oob_in_memset),
1100 KUNIT_CASE(kmalloc_oob_memset_2),
1101 KUNIT_CASE(kmalloc_oob_memset_4),
1102 KUNIT_CASE(kmalloc_oob_memset_8),
1103 KUNIT_CASE(kmalloc_oob_memset_16),
1104 KUNIT_CASE(kmalloc_memmove_invalid_size),
1105 KUNIT_CASE(kmalloc_uaf),
1106 KUNIT_CASE(kmalloc_uaf_memset),
1107 KUNIT_CASE(kmalloc_uaf2),
1108 KUNIT_CASE(kfree_via_page),
1109 KUNIT_CASE(kfree_via_phys),
1110 KUNIT_CASE(kmem_cache_oob),
1111 KUNIT_CASE(kmem_cache_accounted),
1112 KUNIT_CASE(kmem_cache_bulk),
1113 KUNIT_CASE(kasan_global_oob),
1114 KUNIT_CASE(kasan_stack_oob),
1115 KUNIT_CASE(kasan_alloca_oob_left),
1116 KUNIT_CASE(kasan_alloca_oob_right),
1117 KUNIT_CASE(ksize_unpoisons_memory),
1118 KUNIT_CASE(ksize_uaf),
1119 KUNIT_CASE(kmem_cache_double_free),
1120 KUNIT_CASE(kmem_cache_invalid_free),
1121 KUNIT_CASE(kasan_memchr),
1122 KUNIT_CASE(kasan_memcmp),
1123 KUNIT_CASE(kasan_strings),
1124 KUNIT_CASE(kasan_bitops_generic),
1125 KUNIT_CASE(kasan_bitops_tags),
1126 KUNIT_CASE(kmalloc_double_kzfree),
1127 KUNIT_CASE(vmalloc_oob),
1128 KUNIT_CASE(match_all_not_assigned),
1129 KUNIT_CASE(match_all_ptr_tag),
1130 KUNIT_CASE(match_all_mem_tag),
1134 static struct kunit_suite kasan_kunit_test_suite = {
1136 .init = kasan_test_init,
1137 .test_cases = kasan_kunit_test_cases,
1138 .exit = kasan_test_exit,
1141 kunit_test_suite(kasan_kunit_test_suite);
1143 MODULE_LICENSE("GPL");
projects / linux-2.6-microblaze.git / blob