Commit 34b592ce authored by Andrey Konovalov's avatar Andrey Konovalov Committed by Andrew Morton
Browse files

kasan: add another use-after-free test 

Add a new use-after-free test that checks that KASAN detects
use-after-free when another object was allocated in the same slot.

This test is mainly relevant for the tag-based modes, which do not use
quarantine.

Once [1] is resolved, this test can be extended to check that the stack
traces in the report point to the proper kmalloc/kfree calls.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=212203

Link: https://lkml.kernel.org/r/0659cfa15809dd38faa02bc0a59d0b5dbbd81211.1662411800.git.andreyknvl@google.com


Signed-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Acked-by: default avatarMarco Elver <elver@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Evgenii Stepanov <eugenis@google.com>
Cc: Peter Collingbourne <pcc@google.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
parent 1f538e1f

lib/test_kasan.c

+24 −0
Original line number Diff line number Diff line
@@ -612,6 +612,29 @@ static void kmalloc_uaf2(struct kunit *test) 
	kfree(ptr2);

}



/*

 * Check that KASAN detects use-after-free when another object was allocated in

 * the same slot. Relevant for the tag-based modes, which do not use quarantine.

 */

static void kmalloc_uaf3(struct kunit *test)

{

	char *ptr1, *ptr2;

	size_t size = 100;



	/* This test is specifically crafted for tag-based modes. */

	KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_GENERIC);



	ptr1 = kmalloc(size, GFP_KERNEL);

	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr1);

	kfree(ptr1);



	ptr2 = kmalloc(size, GFP_KERNEL);

	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr2);

	kfree(ptr2);



	KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[8]);

}



static void kfree_via_page(struct kunit *test)

{

	char *ptr;
@@ -1382,6 +1405,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { 
	KUNIT_CASE(kmalloc_uaf),

	KUNIT_CASE(kmalloc_uaf_memset),

	KUNIT_CASE(kmalloc_uaf2),

	KUNIT_CASE(kmalloc_uaf3),

	KUNIT_CASE(kfree_via_page),

	KUNIT_CASE(kfree_via_phys),

	KUNIT_CASE(kmem_cache_oob),