path: root/lib/test_kasan.c (plain)
blob: 7cde4c1e859a3e4284cefd90205cab844a6ca2a7

1	/*
2	*
3	* Copyright (c) 2014 Samsung Electronics Co., Ltd.
4	* Author: Andrey Ryabinin <a.ryabinin@samsung.com>
5	*
6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License version 2 as
8	* published by the Free Software Foundation.
9	*
10	*/
11
12	#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
13
14	#include <linux/kernel.h>
15	#include <linux/mman.h>
16	#include <linux/mm.h>
17	#include <linux/printk.h>
18	#include <linux/slab.h>
19	#include <linux/string.h>
20	#include <linux/uaccess.h>
21	#include <linux/module.h>
22	#include <linux/kasan.h>
23
24	/*
25	* Note: test functions are marked noinline so that their names appear in
26	* reports.
27	*/
28
29	static noinline void __init kmalloc_oob_right(void)
30	{
31	char *ptr;
32	size_t size = 123;
33
34	pr_info("out-of-bounds to right\n");
35	ptr = kmalloc(size, GFP_KERNEL);
36	if (!ptr) {
37	pr_err("Allocation failed\n");
38	return;
39	}
40
41	ptr[size] = 'x';
42	kfree(ptr);
43	}
44
45	static noinline void __init kmalloc_oob_left(void)
46	{
47	char *ptr;
48	size_t size = 15;
49
50	pr_info("out-of-bounds to left\n");
51	ptr = kmalloc(size, GFP_KERNEL);
52	if (!ptr) {
53	pr_err("Allocation failed\n");
54	return;
55	}
56
57	*ptr = *(ptr - 1);
58	kfree(ptr);
59	}
60
61	static noinline void __init kmalloc_node_oob_right(void)
62	{
63	char *ptr;
64	size_t size = 4096;
65
66	pr_info("kmalloc_node(): out-of-bounds to right\n");
67	ptr = kmalloc_node(size, GFP_KERNEL, 0);
68	if (!ptr) {
69	pr_err("Allocation failed\n");
70	return;
71	}
72
73	ptr[size] = 0;
74	kfree(ptr);
75	}
76
77	#ifdef CONFIG_SLUB
78	static noinline void __init kmalloc_pagealloc_oob_right(void)
79	{
80	char *ptr;
81	size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
82
83	/* Allocate a chunk that does not fit into a SLUB cache to trigger
84	* the page allocator fallback.
85	*/
86	pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
87	ptr = kmalloc(size, GFP_KERNEL);
88	if (!ptr) {
89	pr_err("Allocation failed\n");
90	return;
91	}
92
93	ptr[size] = 0;
94	kfree(ptr);
95	}
96	#endif
97
98	static noinline void __init kmalloc_large_oob_right(void)
99	{
100	char *ptr;
101	size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
102	/* Allocate a chunk that is large enough, but still fits into a slab
103	* and does not trigger the page allocator fallback in SLUB.
104	*/
105	pr_info("kmalloc large allocation: out-of-bounds to right\n");
106	ptr = kmalloc(size, GFP_KERNEL);
107	if (!ptr) {
108	pr_err("Allocation failed\n");
109	return;
110	}
111
112	ptr[size] = 0;
113	kfree(ptr);
114	}
115
116	static noinline void __init kmalloc_oob_krealloc_more(void)
117	{
118	char *ptr1, *ptr2;
119	size_t size1 = 17;
120	size_t size2 = 19;
121
122	pr_info("out-of-bounds after krealloc more\n");
123	ptr1 = kmalloc(size1, GFP_KERNEL);
124	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
125	if (!ptr1 || !ptr2) {
126	pr_err("Allocation failed\n");
127	kfree(ptr1);
128	return;
129	}
130
131	ptr2[size2] = 'x';
132	kfree(ptr2);
133	}
134
135	static noinline void __init kmalloc_oob_krealloc_less(void)
136	{
137	char *ptr1, *ptr2;
138	size_t size1 = 17;
139	size_t size2 = 15;
140
141	pr_info("out-of-bounds after krealloc less\n");
142	ptr1 = kmalloc(size1, GFP_KERNEL);
143	ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
144	if (!ptr1 || !ptr2) {
145	pr_err("Allocation failed\n");
146	kfree(ptr1);
147	return;
148	}
149	ptr2[size2] = 'x';
150	kfree(ptr2);
151	}
152
153	static noinline void __init kmalloc_oob_16(void)
154	{
155	struct {
156	u64 words[2];
157	} *ptr1, *ptr2;
158
159	pr_info("kmalloc out-of-bounds for 16-bytes access\n");
160	ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
161	ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
162	if (!ptr1 || !ptr2) {
163	pr_err("Allocation failed\n");
164	kfree(ptr1);
165	kfree(ptr2);
166	return;
167	}
168	*ptr1 = *ptr2;
169	kfree(ptr1);
170	kfree(ptr2);
171	}
172
173	static noinline void __init kmalloc_oob_memset_2(void)
174	{
175	char *ptr;
176	size_t size = 8;
177
178	pr_info("out-of-bounds in memset2\n");
179	ptr = kmalloc(size, GFP_KERNEL);
180	if (!ptr) {
181	pr_err("Allocation failed\n");
182	return;
183	}
184
185	memset(ptr+7, 0, 2);
186	kfree(ptr);
187	}
188
189	static noinline void __init kmalloc_oob_memset_4(void)
190	{
191	char *ptr;
192	size_t size = 8;
193
194	pr_info("out-of-bounds in memset4\n");
195	ptr = kmalloc(size, GFP_KERNEL);
196	if (!ptr) {
197	pr_err("Allocation failed\n");
198	return;
199	}
200
201	memset(ptr+5, 0, 4);
202	kfree(ptr);
203	}
204
205
206	static noinline void __init kmalloc_oob_memset_8(void)
207	{
208	char *ptr;
209	size_t size = 8;
210
211	pr_info("out-of-bounds in memset8\n");
212	ptr = kmalloc(size, GFP_KERNEL);
213	if (!ptr) {
214	pr_err("Allocation failed\n");
215	return;
216	}
217
218	memset(ptr+1, 0, 8);
219	kfree(ptr);
220	}
221
222	static noinline void __init kmalloc_oob_memset_16(void)
223	{
224	char *ptr;
225	size_t size = 16;
226
227	pr_info("out-of-bounds in memset16\n");
228	ptr = kmalloc(size, GFP_KERNEL);
229	if (!ptr) {
230	pr_err("Allocation failed\n");
231	return;
232	}
233
234	memset(ptr+1, 0, 16);
235	kfree(ptr);
236	}
237
238	static noinline void __init kmalloc_oob_in_memset(void)
239	{
240	char *ptr;
241	size_t size = 666;
242
243	pr_info("out-of-bounds in memset\n");
244	ptr = kmalloc(size, GFP_KERNEL);
245	if (!ptr) {
246	pr_err("Allocation failed\n");
247	return;
248	}
249
250	memset(ptr, 0, size+5);
251	kfree(ptr);
252	}
253
254	static noinline void __init kmalloc_uaf(void)
255	{
256	char *ptr;
257	size_t size = 10;
258
259	pr_info("use-after-free\n");
260	ptr = kmalloc(size, GFP_KERNEL);
261	if (!ptr) {
262	pr_err("Allocation failed\n");
263	return;
264	}
265
266	kfree(ptr);
267	*(ptr + 8) = 'x';
268	}
269
270	static noinline void __init kmalloc_uaf_memset(void)
271	{
272	char *ptr;
273	size_t size = 33;
274
275	pr_info("use-after-free in memset\n");
276	ptr = kmalloc(size, GFP_KERNEL);
277	if (!ptr) {
278	pr_err("Allocation failed\n");
279	return;
280	}
281
282	kfree(ptr);
283	memset(ptr, 0, size);
284	}
285
286	static noinline void __init kmalloc_uaf2(void)
287	{
288	char *ptr1, *ptr2;
289	size_t size = 43;
290
291	pr_info("use-after-free after another kmalloc\n");
292	ptr1 = kmalloc(size, GFP_KERNEL);
293	if (!ptr1) {
294	pr_err("Allocation failed\n");
295	return;
296	}
297
298	kfree(ptr1);
299	ptr2 = kmalloc(size, GFP_KERNEL);
300	if (!ptr2) {
301	pr_err("Allocation failed\n");
302	return;
303	}
304
305	ptr1[40] = 'x';
306	if (ptr1 == ptr2)
307	pr_err("Could not detect use-after-free: ptr1 == ptr2\n");
308	kfree(ptr2);
309	}
310
311	static noinline void __init kmem_cache_oob(void)
312	{
313	char *p;
314	size_t size = 200;
315	struct kmem_cache *cache = kmem_cache_create("test_cache",
316	size, 0,
317	0, NULL);
318	if (!cache) {
319	pr_err("Cache allocation failed\n");
320	return;
321	}
322	pr_info("out-of-bounds in kmem_cache_alloc\n");
323	p = kmem_cache_alloc(cache, GFP_KERNEL);
324	if (!p) {
325	pr_err("Allocation failed\n");
326	kmem_cache_destroy(cache);
327	return;
328	}
329
330	*p = p[size];
331	kmem_cache_free(cache, p);
332	kmem_cache_destroy(cache);
333	}
334
335	static char global_array[10];
336
337	static noinline void __init kasan_global_oob(void)
338	{
339	volatile int i = 3;
340	char *p = &global_array[ARRAY_SIZE(global_array) + i];
341
342	pr_info("out-of-bounds global variable\n");
343	*(volatile char *)p;
344	}
345
346	static noinline void __init kasan_stack_oob(void)
347	{
348	char stack_array[10];
349	volatile int i = 0;
350	char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
351
352	pr_info("out-of-bounds on stack\n");
353	*(volatile char *)p;
354	}
355
356	static noinline void __init ksize_unpoisons_memory(void)
357	{
358	char *ptr;
359	size_t size = 123, real_size;
360
361	pr_info("ksize() unpoisons the whole allocated chunk\n");
362	ptr = kmalloc(size, GFP_KERNEL);
363	if (!ptr) {
364	pr_err("Allocation failed\n");
365	return;
366	}
367	real_size = ksize(ptr);
368	/* This access doesn't trigger an error. */
369	ptr[size] = 'x';
370	/* This one does. */
371	ptr[real_size] = 'y';
372	kfree(ptr);
373	}
374
375	static noinline void __init copy_user_test(void)
376	{
377	char *kmem;
378	char __user *usermem;
379	size_t size = 10;
380	int unused;
381
382	kmem = kmalloc(size, GFP_KERNEL);
383	if (!kmem)
384	return;
385
386	usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
387	PROT_READ | PROT_WRITE | PROT_EXEC,
388	MAP_ANONYMOUS | MAP_PRIVATE, 0);
389	if (IS_ERR(usermem)) {
390	pr_err("Failed to allocate user memory\n");
391	kfree(kmem);
392	return;
393	}
394
395	pr_info("out-of-bounds in copy_from_user()\n");
396	unused = copy_from_user(kmem, usermem, size + 1);
397
398	pr_info("out-of-bounds in copy_to_user()\n");
399	unused = copy_to_user(usermem, kmem, size + 1);
400
401	pr_info("out-of-bounds in __copy_from_user()\n");
402	unused = __copy_from_user(kmem, usermem, size + 1);
403
404	pr_info("out-of-bounds in __copy_to_user()\n");
405	unused = __copy_to_user(usermem, kmem, size + 1);
406
407	pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
408	unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
409
410	pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
411	unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
412
413	pr_info("out-of-bounds in strncpy_from_user()\n");
414	unused = strncpy_from_user(kmem, usermem, size + 1);
415
416	vm_munmap((unsigned long)usermem, PAGE_SIZE);
417	kfree(kmem);
418	}
419
420	static noinline void __init use_after_scope_test(void)
421	{
422	volatile char *volatile p;
423
424	pr_info("use-after-scope on int\n");
425	{
426	int local = 0;
427
428	p = (char *)&local;
429	}
430	p[0] = 1;
431	p[3] = 1;
432
433	pr_info("use-after-scope on array\n");
434	{
435	char local[1024] = {0};
436
437	p = local;
438	}
439	p[0] = 1;
440	p[1023] = 1;
441	}
442
443	static noinline void __init kasan_alloca_oob_left(void)
444	{
445	volatile int i = 10;
446	char alloca_array[i];
447	char *p = alloca_array - 1;
448
449	pr_info("out-of-bounds to left on alloca\n");
450	*(volatile char *)p;
451	}
452
453	static noinline void __init kasan_alloca_oob_right(void)
454	{
455	volatile int i = 10;
456	char alloca_array[i];
457	char *p = alloca_array + i;
458
459	pr_info("out-of-bounds to right on alloca\n");
460	*(volatile char *)p;
461	}
462
463	static int __init kmalloc_tests_init(void)
464	{
465	/*
466	* Temporarily enable multi-shot mode. Otherwise, we'd only get a
467	* report for the first case.
468	*/
469	bool multishot = kasan_save_enable_multi_shot();
470
471	kmalloc_oob_right();
472	kmalloc_oob_left();
473	kmalloc_node_oob_right();
474	#ifdef CONFIG_SLUB
475	kmalloc_pagealloc_oob_right();
476	#endif
477	kmalloc_large_oob_right();
478	kmalloc_oob_krealloc_more();
479	kmalloc_oob_krealloc_less();
480	kmalloc_oob_16();
481	kmalloc_oob_in_memset();
482	kmalloc_oob_memset_2();
483	kmalloc_oob_memset_4();
484	kmalloc_oob_memset_8();
485	kmalloc_oob_memset_16();
486	kmalloc_uaf();
487	kmalloc_uaf_memset();
488	kmalloc_uaf2();
489	kmem_cache_oob();
490	kasan_stack_oob();
491	kasan_global_oob();
492	kasan_alloca_oob_left();
493	kasan_alloca_oob_right();
494	ksize_unpoisons_memory();
495	copy_user_test();
496	use_after_scope_test();
497
498	kasan_restore_multi_shot(multishot);
499
500	return -EAGAIN;
501	}
502
503	module_init(kmalloc_tests_init);
504	MODULE_LICENSE("GPL");
505