From patchwork Mon Aug 19 16:14:49 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Rutland X-Patchwork-Id: 171654 Delivered-To: patch@linaro.org Received: by 2002:a92:d204:0:0:0:0:0 with SMTP id y4csp3201440ily; Mon, 19 Aug 2019 09:14:56 -0700 (PDT) X-Google-Smtp-Source: APXvYqzj4ET/a1i/OQxwODbAcJsC3Zs8g0FsySD7Elk9NZGrKrHYT6UKEOwHOjm2uxgGtHtZf9pj X-Received: by 2002:a17:90a:23d0:: with SMTP id g74mr22247003pje.115.1566231296659; Mon, 19 Aug 2019 09:14:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1566231296; cv=none; d=google.com; s=arc-20160816; b=GRQAArvZHnSWgL5ICyhyt1xdNou2pBZ3VrIJblHf5+WPJqfOj9k6Jb4m88q0MvdDnE RfQa8zmvOsMo9wDYg4hD17uzGdXaXTRFbJ4zvGyxigDuiTPaN6qoo5BgMJAB00FTTBAq Sj6VstMkYMWy6sqhkKJYssSFmDH4K5eZIkJZCkrIjKgQ1GuTFYqbVqbJsg/yysVsoeRO GLjmPy1Y3v1GsIdULoxS3UYd/aUBpB3gZ5VfR+IZcROnHE5NtdC/mbvZGpwIgb/tjubj 5dcDcEBeZZZ96FnECS+XgQKjFHPqwlVy6A1vXlVDsjwzLURdWbyTNSBQ346w+GE/F0yI DqMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=iJFPrsA9XwNDCDOiLTYpRVAwUMZTsJJxdjjCT5QLVic=; b=DAHx/NeiqFjXWalu0oRttHSCc2eSZgUiXf2Z9OyGohR6RzcfT7B5UoMfBJ2C4q9Jaz OeCfYG1raQDtcL2GryaxACXss5fKbTnaGHbz9b5xGiE7wCYFWMIn/J1Q2guWlR/44hDW 3/gV5pqMFLI5+DwL/rtmq5u8feqHVV9F2121zWV0ckZ1UXCbzW4LRPoUOKFbwfj+nv0r HZghKOgDyi6ciHcC12JmPm8l/s2PwAlEZ2I1piyHhNaekG03OppZlBIfnDrGVJmztIh5 DJHQ3nmGeZFLRd+XIVdWZtt0Q94aRyzt9J9FN1YD4YydTZUv+xXoS4fBl6/nhw94I+QJ yf8w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x5si10164729pln.274.2019.08.19.09.14.56; Mon, 19 Aug 2019 09:14:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727459AbfHSQOy (ORCPT + 28 others); Mon, 19 Aug 2019 12:14:54 -0400 Received: from foss.arm.com ([217.140.110.172]:57012 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726654AbfHSQOy (ORCPT ); Mon, 19 Aug 2019 12:14:54 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A6D44344; Mon, 19 Aug 2019 09:14:53 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id A1B653F718; Mon, 19 Aug 2019 09:14:52 -0700 (PDT) From: Mark Rutland To: linux-kernel@vger.kernel.org Cc: Mark Rutland , Alexander Potapenko , Andrew Morton , Andrey Ryabinin , Dmitry Vyukov , Will Deacon Subject: [PATCHv2] lib/test_kasan: add roundtrip tests Date: Mon, 19 Aug 2019 17:14:49 +0100 Message-Id: <20190819161449.30248-1-mark.rutland@arm.com> X-Mailer: git-send-email 2.11.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In several places we need to be able to operate on pointers which have gone via a roundtrip: virt -> {phys,page} -> virt With KASAN_SW_TAGS, we can't preserve the tag for SLUB objects, and the {phys,page} -> virt conversion will use KASAN_TAG_KERNEL. This patch adds tests to ensure that this works as expected, without false positives which have recently been spotted [1,2] in testing. [1] https://lore.kernel.org/linux-arm-kernel/20190819114420.2535-1-walter-zh.wu@mediatek.com/ [2] https://lore.kernel.org/linux-arm-kernel/20190819132347.GB9927@lakrids.cambridge.arm.com/ Signed-off-by: Mark Rutland Reviewed-by: Andrey Konovalov Tested-by: Andrey Konovalov Cc: Alexander Potapenko Cc: Andrew Morton Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Will Deacon --- lib/test_kasan.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) Since v1: * Spin as a separate patch * Fix typo * Note examples in commit message. Mark. -- 2.11.0 Acked-by: Andrey Ryabinin diff --git a/lib/test_kasan.c b/lib/test_kasan.c index b63b367a94e8..cf7b93f0d90c 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -19,6 +19,8 @@ #include #include +#include + /* * Note: test functions are marked noinline so that their names appear in * reports. @@ -337,6 +339,42 @@ static noinline void __init kmalloc_uaf2(void) kfree(ptr2); } +static noinline void __init kfree_via_page(void) +{ + char *ptr; + size_t size = 8; + struct page *page; + unsigned long offset; + + pr_info("invalid-free false positive (via page)\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + page = virt_to_page(ptr); + offset = offset_in_page(ptr); + kfree(page_address(page) + offset); +} + +static noinline void __init kfree_via_phys(void) +{ + char *ptr; + size_t size = 8; + phys_addr_t phys; + + pr_info("invalid-free false positive (via phys)\n"); + ptr = kmalloc(size, GFP_KERNEL); + if (!ptr) { + pr_err("Allocation failed\n"); + return; + } + + phys = virt_to_phys(ptr); + kfree(phys_to_virt(phys)); +} + static noinline void __init kmem_cache_oob(void) { char *p; @@ -737,6 +775,8 @@ static int __init kmalloc_tests_init(void) kmalloc_uaf(); kmalloc_uaf_memset(); kmalloc_uaf2(); + kfree_via_page(); + kfree_via_phys(); kmem_cache_oob(); memcg_accounted_kmem_cache(); kasan_stack_oob();