Received: by 2002:a05:6a10:8a4d:0:0:0:0 with SMTP id dn13csp28528pxb; Thu, 12 Aug 2021 10:03:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxdfyqpXYQOqMv+MLzzzkNWIe8XygVj2a0hAqroDQOt3Qm+NhAivZE9ortseZg8RlhrNo2l X-Received: by 2002:a05:6e02:138b:: with SMTP id d11mr3796135ilo.30.1628787801873; Thu, 12 Aug 2021 10:03:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1628787801; cv=none; d=google.com; s=arc-20160816; b=HJntVSYizA6lEZWlVRfeDLGoK7ktHIkFWH0mgToIuNHkZFW9nl1HexuIB2eIfNnIeZ AlSoA8jItkPJyfeNu+GZco4DEHLxEE8WDKh85XojbALAhAG4evFPbnRYEeIJTLTKwmz0 noUzrIrE8g/L+eTKASOieFddJCMTPl5wKBOU/ibehnjYyCCnHqlugU2Nxg+N7yhuJ2k6 jjvWxpr7suy8sm8MWJZ12TY3ywgWdFMg5NBiuJ+K2NcFzU+C9en4a2Olx92CXld9ekus or+7bgKqOwLrFoj0JfZFc5v6Gmc57ndSfA7a/dLAGWlCBE1HtuDWAy+l6ibnQpbdg9AZ /Pmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=67kYwukmo7Ml3X3ud3b8IvQ8hH4hhd8RmqNx/G1meFc=; b=WrO/hD0WWBRdLgiFf0NTKswM4vLAZg6bBa5c6NZRSqdcudNncYDymTXB0O2/NEpxdT 62y/89lxWbiUe0h/HSsnDaGg2DL/xg+PLuukqQlGkt5NEnYrIFHmdPkjcBIfDpm9sg8H H7lxQI0BRrJfyrM9t68XWidmxTrcdchEFcvhUq1wETB+r+Z7rduOfFiajZUtGJ4O/9GW YKqUY26F1fThcZP93jXD8FgDTdSuFW/LJWrBZtJslZb/fyRWj4xWPVXHNmMbMZ5ZEdFz ZHVNtiD3p7C+uXtpKCT90csHzG5U8Jt9hRHkFJPbl1K834Xut392uRMWN4SPUjjd4THr oM7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=DiwUfvRQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o7si3513930jao.123.2021.08.12.10.03.01; Thu, 12 Aug 2021 10:03:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=DiwUfvRQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238239AbhHLOy0 (ORCPT + 99 others); Thu, 12 Aug 2021 10:54:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237063AbhHLOyT (ORCPT ); Thu, 12 Aug 2021 10:54:19 -0400 Received: from out2.migadu.com (out2.migadu.com [IPv6:2001:41d0:2:aacc::]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C4118C061756 for ; Thu, 12 Aug 2021 07:53:53 -0700 (PDT) X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1628780032; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=67kYwukmo7Ml3X3ud3b8IvQ8hH4hhd8RmqNx/G1meFc=; b=DiwUfvRQpdf51zLlSKZyTDPhI+r/kMzhnxdCZB01OkdJA7WuNHCwweGzh31UMx7ja3fs7k /CqjckqAypVIeghCy9GTwMIqvJyoRzC+wqJeEI6bQNoMUX8E5ElmKc51Jai8RyqzBMhDSV CYrv4Z9N27MtfjOuURRJUnsRiAozGvU= From: andrey.konovalov@linux.dev To: Andrew Morton Cc: Andrey Konovalov , Andrey Ryabinin , Marco Elver , Dmitry Vyukov , Alexander Potapenko , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: [PATCH v2 2/8] kasan: test: avoid writing invalid memory Date: Thu, 12 Aug 2021 16:53:29 +0200 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT X-Migadu-Auth-User: andrey.konovalov@linux.dev Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andrey Konovalov Multiple KASAN tests do writes past the allocated objects or writes to freed memory. Turn these writes into reads to avoid corrupting memory. Otherwise, these tests might lead to crashes with the HW_TAGS mode, as it neither uses quarantine nor redzones. Signed-off-by: Andrey Konovalov --- lib/test_kasan.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 1bc3cdd2957f..c82a82eb5393 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -167,7 +167,7 @@ static void kmalloc_node_oob_right(struct kunit *test) ptr = kmalloc_node(size, GFP_KERNEL, 0); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); + KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]); kfree(ptr); } @@ -203,7 +203,7 @@ static void kmalloc_pagealloc_uaf(struct kunit *test) KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); - KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0); + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); } static void kmalloc_pagealloc_invalid_free(struct kunit *test) @@ -237,7 +237,7 @@ static void pagealloc_oob_right(struct kunit *test) ptr = page_address(pages); KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); - KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 0); + KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = ptr[size]); free_pages((unsigned long)ptr, order); } @@ -252,7 +252,7 @@ static void pagealloc_uaf(struct kunit *test) KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); free_pages((unsigned long)ptr, order); - KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] = 0); + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[0]); } static void kmalloc_large_oob_right(struct kunit *test) @@ -514,7 +514,7 @@ static void kmalloc_uaf(struct kunit *test) KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); kfree(ptr); - KUNIT_EXPECT_KASAN_FAIL(test, *(ptr + 8) = 'x'); + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[8]); } static void kmalloc_uaf_memset(struct kunit *test) @@ -553,7 +553,7 @@ static void kmalloc_uaf2(struct kunit *test) goto again; } - KUNIT_EXPECT_KASAN_FAIL(test, ptr1[40] = 'x'); + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr1)[40]); KUNIT_EXPECT_PTR_NE(test, ptr1, ptr2); kfree(ptr2); @@ -700,7 +700,7 @@ static void ksize_unpoisons_memory(struct kunit *test) ptr[size] = 'x'; /* This one must. */ - KUNIT_EXPECT_KASAN_FAIL(test, ptr[real_size] = 'y'); + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size]); kfree(ptr); } -- 2.25.1