From patchwork Wed Aug 21 15:39:27 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mark Rutland <mark.rutland@arm.com>
X-Patchwork-Id: 171978
Delivered-To: patch@linaro.org
Received: by 2002:a92:d204:0:0:0:0:0 with SMTP id y4csp1138470ily;
 Wed, 21 Aug 2019 08:39:39 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz3OQ7xTU7pB/7WR6e/P0CxYFIq8wdRZDlZpGu3KpWBaJIkVAbNFjtKpg9ldtB6n6zDrGKU
X-Received: by 2002:a17:90a:8a11:: with SMTP id
 w17mr560327pjn.139.1566401979542; 
 Wed, 21 Aug 2019 08:39:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1566401979; cv=none;
 d=google.com; s=arc-20160816;
 b=FYqLN0bqhC3IJuKs9qqF19PPTVomyFiXjL4lWGfTJ386iRJtYpmFVEKBM8/VuKl2yo
 hSYh8htMdJOxE4daqdcu96L1GWMAaxaeUUf3JQcL1iPf6uLvYHWVfbfZHGiWC/NCFDv0
 2D4K9/rSS7MB1KQ3hu+Echm5YNCihv3mSV3fRYysu52IJG5y4LHQufEKfIVnpPP5lt+7
 sFgRP5p9Hbd7IDaussASZWXNZez0qv48Tu0pjgkeFj1kkPrQm04rJ+u9LOJQq8S4bf4X
 02I2dtOQRh1syC33Lkt70vnCKupkGXfU5my/v+G3AjzzD8IpeD1kRvTj7hJ3h7bjFqrZ
 +rzw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:message-id:date:subject:cc:to:from;
 bh=y6/FSXxrc5U56FwLQkRJ44yfv6TUtt8xgUNJEysrwfk=;
 b=IRb3nfIzB1x1hpMYg20v5UnbWOY+9/ljp1HMtOg82zgCjy20894yHHcckwBd5DkoFh
 HFdJmN9wLvTDxT2hGafnU2r1vmIMy1hgR4qTH61HS83nPSVR9R0LkbIhjbYbRvLR1JTb
 YvaQKC8oa3ySPdvF8e2RwawCHyeNAoXeIqNByQvFzKInUwre9oy2LMMkPNrx/yht3Ni4
 KQq7fb/9f1qpPBg49ukhq6PzqN0viy8HlYqShOjy448dy/qaS2dgwO1HwH94/xYX3Gyk
 AtbWfnjI8KyGM/r/VLYrC9VRzp3tDNUxWkcB9IKula9gRUKzoahIf8LseXC1jhxA7Ew4
 BexA==
ARC-Authentication-Results: i=1; mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 e3si14509471pgv.153.2019.08.21.08.39.39; 
 Wed, 21 Aug 2019 08:39:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1728008AbfHUPjh (ORCPT <rfc822;mike.holmes@linaro.org>
 + 28 others); Wed, 21 Aug 2019 11:39:37 -0400
Received: from foss.arm.com ([217.140.110.172]:60692 "EHLO foss.arm.com"
 rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
 id S1727037AbfHUPjh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
 Wed, 21 Aug 2019 11:39:37 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 2CA15337;
 Wed, 21 Aug 2019 08:39:37 -0700 (PDT)
Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com
 [10.121.207.14])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id
 0EBA83F718; Wed, 21 Aug 2019 08:39:35 -0700 (PDT)
From: Mark Rutland <mark.rutland@arm.com>
To: linux-kernel@vger.kernel.org
Cc: akpm@linux-foundation.org, andreyknvl@google.com,
 aryabinin@virtuozzo.com, dvyukov@google.com, glider@google.com,
 mark.rutland@arm.com, will.deacon@arm.com
Subject: [PATCHv3] lib/test_kasan: add roundtrip tests
Date: Wed, 21 Aug 2019 16:39:27 +0100
Message-Id: <20190821153927.28630-1-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In several places we need to be able to operate on pointers which have
gone via a roundtrip:

	virt -> {phys,page} -> virt

With KASAN_SW_TAGS, we can't preserve the tag for SLUB objects, and the
{phys,page} -> virt conversion will use KASAN_TAG_KERNEL.

This patch adds tests to ensure that this works as expected, without
false positives which have recently been spotted [1,2] in testing.

[1] https://lore.kernel.org/linux-arm-kernel/20190819114420.2535-1-walter-zh.wu@mediatek.com/
[2] https://lore.kernel.org/linux-arm-kernel/20190819132347.GB9927@lakrids.cambridge.arm.com/

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Will Deacon <will.deacon@arm.com>
---
 lib/test_kasan.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

Since v1:
* Spin as a separate patch
* Fix typo
* Note examples in commit message
Since v2:
* Fold Andrey Ryabinin's ack
* Include <asm/io.h> for virt_to_phys() and phys_to_virt()

Mark.

-- 
2.11.0

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index b63b367a94e8..91a2ec4b87f9 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -19,6 +19,9 @@
 #include <linux/string.h>
 #include <linux/uaccess.h>
 
+#include <asm/io.h>
+#include <asm/page.h>
+
 /*
  * Note: test functions are marked noinline so that their names appear in
  * reports.
@@ -337,6 +340,42 @@ static noinline void __init kmalloc_uaf2(void)
 	kfree(ptr2);
 }
 
+static noinline void __init kfree_via_page(void)
+{
+	char *ptr;
+	size_t size = 8;
+	struct page *page;
+	unsigned long offset;
+
+	pr_info("invalid-free false positive (via page)\n");
+	ptr = kmalloc(size, GFP_KERNEL);
+	if (!ptr) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+
+	page = virt_to_page(ptr);
+	offset = offset_in_page(ptr);
+	kfree(page_address(page) + offset);
+}
+
+static noinline void __init kfree_via_phys(void)
+{
+	char *ptr;
+	size_t size = 8;
+	phys_addr_t phys;
+
+	pr_info("invalid-free false positive (via phys)\n");
+	ptr = kmalloc(size, GFP_KERNEL);
+	if (!ptr) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+
+	phys = virt_to_phys(ptr);
+	kfree(phys_to_virt(phys));
+}
+
 static noinline void __init kmem_cache_oob(void)
 {
 	char *p;
@@ -737,6 +776,8 @@ static int __init kmalloc_tests_init(void)
 	kmalloc_uaf();
 	kmalloc_uaf_memset();
 	kmalloc_uaf2();
+	kfree_via_page();
+	kfree_via_phys();
 	kmem_cache_oob();
 	memcg_accounted_kmem_cache();
 	kasan_stack_oob();