This source file includes following definitions.
- kmalloc_oob_right
- kmalloc_oob_left
- kmalloc_node_oob_right
- kmalloc_pagealloc_oob_right
- kmalloc_pagealloc_uaf
- kmalloc_pagealloc_invalid_free
- kmalloc_large_oob_right
- kmalloc_oob_krealloc_more
- kmalloc_oob_krealloc_less
- kmalloc_oob_16
- kmalloc_oob_memset_2
- kmalloc_oob_memset_4
- kmalloc_oob_memset_8
- kmalloc_oob_memset_16
- kmalloc_oob_in_memset
- kmalloc_uaf
- kmalloc_uaf_memset
- kmalloc_uaf2
- kfree_via_page
- kfree_via_phys
- kmem_cache_oob
- memcg_accounted_kmem_cache
- kasan_global_oob
- kasan_stack_oob
- ksize_unpoisons_memory
- copy_user_test
- kasan_alloca_oob_left
- kasan_alloca_oob_right
- kmem_cache_double_free
- kmem_cache_invalid_free
- kasan_memchr
- kasan_memcmp
- kasan_strings
- kasan_bitops
- kmalloc_double_kzfree
- kmalloc_tests_init
1
2
3
4
5
6
7
8 #define pr_fmt(fmt) "kasan test: %s " fmt, __func__
9
10 #include <linux/bitops.h>
11 #include <linux/delay.h>
12 #include <linux/kasan.h>
13 #include <linux/kernel.h>
14 #include <linux/mm.h>
15 #include <linux/mman.h>
16 #include <linux/module.h>
17 #include <linux/printk.h>
18 #include <linux/slab.h>
19 #include <linux/string.h>
20 #include <linux/uaccess.h>
21 #include <linux/io.h>
22
23 #include <asm/page.h>
24
25
26
27
28
29
30 static noinline void __init kmalloc_oob_right(void)
31 {
32 char *ptr;
33 size_t size = 123;
34
35 pr_info("out-of-bounds to right\n");
36 ptr = kmalloc(size, GFP_KERNEL);
37 if (!ptr) {
38 pr_err("Allocation failed\n");
39 return;
40 }
41
42 ptr[size] = 'x';
43 kfree(ptr);
44 }
45
46 static noinline void __init kmalloc_oob_left(void)
47 {
48 char *ptr;
49 size_t size = 15;
50
51 pr_info("out-of-bounds to left\n");
52 ptr = kmalloc(size, GFP_KERNEL);
53 if (!ptr) {
54 pr_err("Allocation failed\n");
55 return;
56 }
57
58 *ptr = *(ptr - 1);
59 kfree(ptr);
60 }
61
62 static noinline void __init kmalloc_node_oob_right(void)
63 {
64 char *ptr;
65 size_t size = 4096;
66
67 pr_info("kmalloc_node(): out-of-bounds to right\n");
68 ptr = kmalloc_node(size, GFP_KERNEL, 0);
69 if (!ptr) {
70 pr_err("Allocation failed\n");
71 return;
72 }
73
74 ptr[size] = 0;
75 kfree(ptr);
76 }
77
78 #ifdef CONFIG_SLUB
79 static noinline void __init kmalloc_pagealloc_oob_right(void)
80 {
81 char *ptr;
82 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
83
84
85
86
87 pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
88 ptr = kmalloc(size, GFP_KERNEL);
89 if (!ptr) {
90 pr_err("Allocation failed\n");
91 return;
92 }
93
94 ptr[size] = 0;
95 kfree(ptr);
96 }
97
98 static noinline void __init kmalloc_pagealloc_uaf(void)
99 {
100 char *ptr;
101 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
102
103 pr_info("kmalloc pagealloc allocation: use-after-free\n");
104 ptr = kmalloc(size, GFP_KERNEL);
105 if (!ptr) {
106 pr_err("Allocation failed\n");
107 return;
108 }
109
110 kfree(ptr);
111 ptr[0] = 0;
112 }
113
114 static noinline void __init kmalloc_pagealloc_invalid_free(void)
115 {
116 char *ptr;
117 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
118
119 pr_info("kmalloc pagealloc allocation: invalid-free\n");
120 ptr = kmalloc(size, GFP_KERNEL);
121 if (!ptr) {
122 pr_err("Allocation failed\n");
123 return;
124 }
125
126 kfree(ptr + 1);
127 }
128 #endif
129
130 static noinline void __init kmalloc_large_oob_right(void)
131 {
132 char *ptr;
133 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
134
135
136
137 pr_info("kmalloc large allocation: out-of-bounds to right\n");
138 ptr = kmalloc(size, GFP_KERNEL);
139 if (!ptr) {
140 pr_err("Allocation failed\n");
141 return;
142 }
143
144 ptr[size] = 0;
145 kfree(ptr);
146 }
147
148 static noinline void __init kmalloc_oob_krealloc_more(void)
149 {
150 char *ptr1, *ptr2;
151 size_t size1 = 17;
152 size_t size2 = 19;
153
154 pr_info("out-of-bounds after krealloc more\n");
155 ptr1 = kmalloc(size1, GFP_KERNEL);
156 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
157 if (!ptr1 || !ptr2) {
158 pr_err("Allocation failed\n");
159 kfree(ptr1);
160 kfree(ptr2);
161 return;
162 }
163
164 ptr2[size2] = 'x';
165 kfree(ptr2);
166 }
167
168 static noinline void __init kmalloc_oob_krealloc_less(void)
169 {
170 char *ptr1, *ptr2;
171 size_t size1 = 17;
172 size_t size2 = 15;
173
174 pr_info("out-of-bounds after krealloc less\n");
175 ptr1 = kmalloc(size1, GFP_KERNEL);
176 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
177 if (!ptr1 || !ptr2) {
178 pr_err("Allocation failed\n");
179 kfree(ptr1);
180 return;
181 }
182 ptr2[size2] = 'x';
183 kfree(ptr2);
184 }
185
186 static noinline void __init kmalloc_oob_16(void)
187 {
188 struct {
189 u64 words[2];
190 } *ptr1, *ptr2;
191
192 pr_info("kmalloc out-of-bounds for 16-bytes access\n");
193 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
194 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
195 if (!ptr1 || !ptr2) {
196 pr_err("Allocation failed\n");
197 kfree(ptr1);
198 kfree(ptr2);
199 return;
200 }
201 *ptr1 = *ptr2;
202 kfree(ptr1);
203 kfree(ptr2);
204 }
205
206 static noinline void __init kmalloc_oob_memset_2(void)
207 {
208 char *ptr;
209 size_t size = 8;
210
211 pr_info("out-of-bounds in memset2\n");
212 ptr = kmalloc(size, GFP_KERNEL);
213 if (!ptr) {
214 pr_err("Allocation failed\n");
215 return;
216 }
217
218 memset(ptr+7, 0, 2);
219 kfree(ptr);
220 }
221
222 static noinline void __init kmalloc_oob_memset_4(void)
223 {
224 char *ptr;
225 size_t size = 8;
226
227 pr_info("out-of-bounds in memset4\n");
228 ptr = kmalloc(size, GFP_KERNEL);
229 if (!ptr) {
230 pr_err("Allocation failed\n");
231 return;
232 }
233
234 memset(ptr+5, 0, 4);
235 kfree(ptr);
236 }
237
238
239 static noinline void __init kmalloc_oob_memset_8(void)
240 {
241 char *ptr;
242 size_t size = 8;
243
244 pr_info("out-of-bounds in memset8\n");
245 ptr = kmalloc(size, GFP_KERNEL);
246 if (!ptr) {
247 pr_err("Allocation failed\n");
248 return;
249 }
250
251 memset(ptr+1, 0, 8);
252 kfree(ptr);
253 }
254
255 static noinline void __init kmalloc_oob_memset_16(void)
256 {
257 char *ptr;
258 size_t size = 16;
259
260 pr_info("out-of-bounds in memset16\n");
261 ptr = kmalloc(size, GFP_KERNEL);
262 if (!ptr) {
263 pr_err("Allocation failed\n");
264 return;
265 }
266
267 memset(ptr+1, 0, 16);
268 kfree(ptr);
269 }
270
271 static noinline void __init kmalloc_oob_in_memset(void)
272 {
273 char *ptr;
274 size_t size = 666;
275
276 pr_info("out-of-bounds in memset\n");
277 ptr = kmalloc(size, GFP_KERNEL);
278 if (!ptr) {
279 pr_err("Allocation failed\n");
280 return;
281 }
282
283 memset(ptr, 0, size+5);
284 kfree(ptr);
285 }
286
287 static noinline void __init kmalloc_uaf(void)
288 {
289 char *ptr;
290 size_t size = 10;
291
292 pr_info("use-after-free\n");
293 ptr = kmalloc(size, GFP_KERNEL);
294 if (!ptr) {
295 pr_err("Allocation failed\n");
296 return;
297 }
298
299 kfree(ptr);
300 *(ptr + 8) = 'x';
301 }
302
303 static noinline void __init kmalloc_uaf_memset(void)
304 {
305 char *ptr;
306 size_t size = 33;
307
308 pr_info("use-after-free in memset\n");
309 ptr = kmalloc(size, GFP_KERNEL);
310 if (!ptr) {
311 pr_err("Allocation failed\n");
312 return;
313 }
314
315 kfree(ptr);
316 memset(ptr, 0, size);
317 }
318
319 static noinline void __init kmalloc_uaf2(void)
320 {
321 char *ptr1, *ptr2;
322 size_t size = 43;
323
324 pr_info("use-after-free after another kmalloc\n");
325 ptr1 = kmalloc(size, GFP_KERNEL);
326 if (!ptr1) {
327 pr_err("Allocation failed\n");
328 return;
329 }
330
331 kfree(ptr1);
332 ptr2 = kmalloc(size, GFP_KERNEL);
333 if (!ptr2) {
334 pr_err("Allocation failed\n");
335 return;
336 }
337
338 ptr1[40] = 'x';
339 if (ptr1 == ptr2)
340 pr_err("Could not detect use-after-free: ptr1 == ptr2\n");
341 kfree(ptr2);
342 }
343
344 static noinline void __init kfree_via_page(void)
345 {
346 char *ptr;
347 size_t size = 8;
348 struct page *page;
349 unsigned long offset;
350
351 pr_info("invalid-free false positive (via page)\n");
352 ptr = kmalloc(size, GFP_KERNEL);
353 if (!ptr) {
354 pr_err("Allocation failed\n");
355 return;
356 }
357
358 page = virt_to_page(ptr);
359 offset = offset_in_page(ptr);
360 kfree(page_address(page) + offset);
361 }
362
363 static noinline void __init kfree_via_phys(void)
364 {
365 char *ptr;
366 size_t size = 8;
367 phys_addr_t phys;
368
369 pr_info("invalid-free false positive (via phys)\n");
370 ptr = kmalloc(size, GFP_KERNEL);
371 if (!ptr) {
372 pr_err("Allocation failed\n");
373 return;
374 }
375
376 phys = virt_to_phys(ptr);
377 kfree(phys_to_virt(phys));
378 }
379
380 static noinline void __init kmem_cache_oob(void)
381 {
382 char *p;
383 size_t size = 200;
384 struct kmem_cache *cache = kmem_cache_create("test_cache",
385 size, 0,
386 0, NULL);
387 if (!cache) {
388 pr_err("Cache allocation failed\n");
389 return;
390 }
391 pr_info("out-of-bounds in kmem_cache_alloc\n");
392 p = kmem_cache_alloc(cache, GFP_KERNEL);
393 if (!p) {
394 pr_err("Allocation failed\n");
395 kmem_cache_destroy(cache);
396 return;
397 }
398
399 *p = p[size];
400 kmem_cache_free(cache, p);
401 kmem_cache_destroy(cache);
402 }
403
404 static noinline void __init memcg_accounted_kmem_cache(void)
405 {
406 int i;
407 char *p;
408 size_t size = 200;
409 struct kmem_cache *cache;
410
411 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
412 if (!cache) {
413 pr_err("Cache allocation failed\n");
414 return;
415 }
416
417 pr_info("allocate memcg accounted object\n");
418
419
420
421
422 for (i = 0; i < 5; i++) {
423 p = kmem_cache_alloc(cache, GFP_KERNEL);
424 if (!p)
425 goto free_cache;
426
427 kmem_cache_free(cache, p);
428 msleep(100);
429 }
430
431 free_cache:
432 kmem_cache_destroy(cache);
433 }
434
435 static char global_array[10];
436
437 static noinline void __init kasan_global_oob(void)
438 {
439 volatile int i = 3;
440 char *p = &global_array[ARRAY_SIZE(global_array) + i];
441
442 pr_info("out-of-bounds global variable\n");
443 *(volatile char *)p;
444 }
445
446 static noinline void __init kasan_stack_oob(void)
447 {
448 char stack_array[10];
449 volatile int i = 0;
450 char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
451
452 pr_info("out-of-bounds on stack\n");
453 *(volatile char *)p;
454 }
455
456 static noinline void __init ksize_unpoisons_memory(void)
457 {
458 char *ptr;
459 size_t size = 123, real_size;
460
461 pr_info("ksize() unpoisons the whole allocated chunk\n");
462 ptr = kmalloc(size, GFP_KERNEL);
463 if (!ptr) {
464 pr_err("Allocation failed\n");
465 return;
466 }
467 real_size = ksize(ptr);
468
469 ptr[size] = 'x';
470
471 ptr[real_size] = 'y';
472 kfree(ptr);
473 }
474
475 static noinline void __init copy_user_test(void)
476 {
477 char *kmem;
478 char __user *usermem;
479 size_t size = 10;
480 int unused;
481
482 kmem = kmalloc(size, GFP_KERNEL);
483 if (!kmem)
484 return;
485
486 usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
487 PROT_READ | PROT_WRITE | PROT_EXEC,
488 MAP_ANONYMOUS | MAP_PRIVATE, 0);
489 if (IS_ERR(usermem)) {
490 pr_err("Failed to allocate user memory\n");
491 kfree(kmem);
492 return;
493 }
494
495 pr_info("out-of-bounds in copy_from_user()\n");
496 unused = copy_from_user(kmem, usermem, size + 1);
497
498 pr_info("out-of-bounds in copy_to_user()\n");
499 unused = copy_to_user(usermem, kmem, size + 1);
500
501 pr_info("out-of-bounds in __copy_from_user()\n");
502 unused = __copy_from_user(kmem, usermem, size + 1);
503
504 pr_info("out-of-bounds in __copy_to_user()\n");
505 unused = __copy_to_user(usermem, kmem, size + 1);
506
507 pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
508 unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
509
510 pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
511 unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
512
513 pr_info("out-of-bounds in strncpy_from_user()\n");
514 unused = strncpy_from_user(kmem, usermem, size + 1);
515
516 vm_munmap((unsigned long)usermem, PAGE_SIZE);
517 kfree(kmem);
518 }
519
520 static noinline void __init kasan_alloca_oob_left(void)
521 {
522 volatile int i = 10;
523 char alloca_array[i];
524 char *p = alloca_array - 1;
525
526 pr_info("out-of-bounds to left on alloca\n");
527 *(volatile char *)p;
528 }
529
530 static noinline void __init kasan_alloca_oob_right(void)
531 {
532 volatile int i = 10;
533 char alloca_array[i];
534 char *p = alloca_array + i;
535
536 pr_info("out-of-bounds to right on alloca\n");
537 *(volatile char *)p;
538 }
539
540 static noinline void __init kmem_cache_double_free(void)
541 {
542 char *p;
543 size_t size = 200;
544 struct kmem_cache *cache;
545
546 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
547 if (!cache) {
548 pr_err("Cache allocation failed\n");
549 return;
550 }
551 pr_info("double-free on heap object\n");
552 p = kmem_cache_alloc(cache, GFP_KERNEL);
553 if (!p) {
554 pr_err("Allocation failed\n");
555 kmem_cache_destroy(cache);
556 return;
557 }
558
559 kmem_cache_free(cache, p);
560 kmem_cache_free(cache, p);
561 kmem_cache_destroy(cache);
562 }
563
564 static noinline void __init kmem_cache_invalid_free(void)
565 {
566 char *p;
567 size_t size = 200;
568 struct kmem_cache *cache;
569
570 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
571 NULL);
572 if (!cache) {
573 pr_err("Cache allocation failed\n");
574 return;
575 }
576 pr_info("invalid-free of heap object\n");
577 p = kmem_cache_alloc(cache, GFP_KERNEL);
578 if (!p) {
579 pr_err("Allocation failed\n");
580 kmem_cache_destroy(cache);
581 return;
582 }
583
584
585 kmem_cache_free(cache, p + 1);
586
587
588
589
590
591 kmem_cache_free(cache, p);
592
593 kmem_cache_destroy(cache);
594 }
595
596 static noinline void __init kasan_memchr(void)
597 {
598 char *ptr;
599 size_t size = 24;
600
601 pr_info("out-of-bounds in memchr\n");
602 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
603 if (!ptr)
604 return;
605
606 memchr(ptr, '1', size + 1);
607 kfree(ptr);
608 }
609
610 static noinline void __init kasan_memcmp(void)
611 {
612 char *ptr;
613 size_t size = 24;
614 int arr[9];
615
616 pr_info("out-of-bounds in memcmp\n");
617 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
618 if (!ptr)
619 return;
620
621 memset(arr, 0, sizeof(arr));
622 memcmp(ptr, arr, size+1);
623 kfree(ptr);
624 }
625
626 static noinline void __init kasan_strings(void)
627 {
628 char *ptr;
629 size_t size = 24;
630
631 pr_info("use-after-free in strchr\n");
632 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
633 if (!ptr)
634 return;
635
636 kfree(ptr);
637
638
639
640
641
642
643
644 ptr += 16;
645 strchr(ptr, '1');
646
647 pr_info("use-after-free in strrchr\n");
648 strrchr(ptr, '1');
649
650 pr_info("use-after-free in strcmp\n");
651 strcmp(ptr, "2");
652
653 pr_info("use-after-free in strncmp\n");
654 strncmp(ptr, "2", 1);
655
656 pr_info("use-after-free in strlen\n");
657 strlen(ptr);
658
659 pr_info("use-after-free in strnlen\n");
660 strnlen(ptr, 1);
661 }
662
663 static noinline void __init kasan_bitops(void)
664 {
665
666
667
668
669 long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
670 if (!bits)
671 return;
672
673
674
675
676
677
678 pr_info("out-of-bounds in set_bit\n");
679 set_bit(BITS_PER_LONG, bits);
680
681 pr_info("out-of-bounds in __set_bit\n");
682 __set_bit(BITS_PER_LONG, bits);
683
684 pr_info("out-of-bounds in clear_bit\n");
685 clear_bit(BITS_PER_LONG, bits);
686
687 pr_info("out-of-bounds in __clear_bit\n");
688 __clear_bit(BITS_PER_LONG, bits);
689
690 pr_info("out-of-bounds in clear_bit_unlock\n");
691 clear_bit_unlock(BITS_PER_LONG, bits);
692
693 pr_info("out-of-bounds in __clear_bit_unlock\n");
694 __clear_bit_unlock(BITS_PER_LONG, bits);
695
696 pr_info("out-of-bounds in change_bit\n");
697 change_bit(BITS_PER_LONG, bits);
698
699 pr_info("out-of-bounds in __change_bit\n");
700 __change_bit(BITS_PER_LONG, bits);
701
702
703
704
705 pr_info("out-of-bounds in test_and_set_bit\n");
706 test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
707
708 pr_info("out-of-bounds in __test_and_set_bit\n");
709 __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
710
711 pr_info("out-of-bounds in test_and_set_bit_lock\n");
712 test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
713
714 pr_info("out-of-bounds in test_and_clear_bit\n");
715 test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
716
717 pr_info("out-of-bounds in __test_and_clear_bit\n");
718 __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
719
720 pr_info("out-of-bounds in test_and_change_bit\n");
721 test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
722
723 pr_info("out-of-bounds in __test_and_change_bit\n");
724 __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
725
726 pr_info("out-of-bounds in test_bit\n");
727 (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
728
729 #if defined(clear_bit_unlock_is_negative_byte)
730 pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
731 clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
732 #endif
733 kfree(bits);
734 }
735
736 static noinline void __init kmalloc_double_kzfree(void)
737 {
738 char *ptr;
739 size_t size = 16;
740
741 pr_info("double-free (kzfree)\n");
742 ptr = kmalloc(size, GFP_KERNEL);
743 if (!ptr) {
744 pr_err("Allocation failed\n");
745 return;
746 }
747
748 kzfree(ptr);
749 kzfree(ptr);
750 }
751
752 static int __init kmalloc_tests_init(void)
753 {
754
755
756
757
758 bool multishot = kasan_save_enable_multi_shot();
759
760 kmalloc_oob_right();
761 kmalloc_oob_left();
762 kmalloc_node_oob_right();
763 #ifdef CONFIG_SLUB
764 kmalloc_pagealloc_oob_right();
765 kmalloc_pagealloc_uaf();
766 kmalloc_pagealloc_invalid_free();
767 #endif
768 kmalloc_large_oob_right();
769 kmalloc_oob_krealloc_more();
770 kmalloc_oob_krealloc_less();
771 kmalloc_oob_16();
772 kmalloc_oob_in_memset();
773 kmalloc_oob_memset_2();
774 kmalloc_oob_memset_4();
775 kmalloc_oob_memset_8();
776 kmalloc_oob_memset_16();
777 kmalloc_uaf();
778 kmalloc_uaf_memset();
779 kmalloc_uaf2();
780 kfree_via_page();
781 kfree_via_phys();
782 kmem_cache_oob();
783 memcg_accounted_kmem_cache();
784 kasan_stack_oob();
785 kasan_global_oob();
786 kasan_alloca_oob_left();
787 kasan_alloca_oob_right();
788 ksize_unpoisons_memory();
789 copy_user_test();
790 kmem_cache_double_free();
791 kmem_cache_invalid_free();
792 kasan_memchr();
793 kasan_memcmp();
794 kasan_strings();
795 kasan_bitops();
796 kmalloc_double_kzfree();
797
798 kasan_restore_multi_shot(multishot);
799
800 return -EAGAIN;
801 }
802
803 module_init(kmalloc_tests_init);
804 MODULE_LICENSE("GPL");