04 Sep, 2021
2 commits
-
kasan_rcu_uaf() writes to freed memory via kasan_rcu_reclaim(), which is
only safe with the GENERIC mode (as it uses quarantine). For other modes,
this test corrupts kernel memory, which might result in a crash.

Turn the write into a read.
Link: https://lkml.kernel.org/r/b6f2c3bf712d2457c783fa59498225b66a634f62.1628779805.git.andreyknvl@gmail.com
Signed-off-by: Andrey Konovalov
Reviewed-by: Marco Elver
Cc: Alexander Potapenko
Cc: Andrey Ryabinin
Cc: Dmitry Vyukov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
-
copy_user_test() writes past the allocated object. As a result, it
corrupts kernel memory, which might lead to crashes with the HW_TAGS mode,
as it neither uses quarantine nor redzones.

(Technically, this test can't yet be enabled with the HW_TAGS mode, but
this will be implemented in the future.)

Adjust the test to only write memory within the aligned kmalloc object.
Link: https://lkml.kernel.org/r/19bf3a5112ee65b7db88dc731643b657b816c5e8.1628779805.git.andreyknvl@gmail.com
Signed-off-by: Andrey Konovalov
Reviewed-by: Marco Elver
Cc: Alexander Potapenko
Cc: Andrey Ryabinin
Cc: Dmitry Vyukov
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
10 Apr, 2021
1 commit
-
Local `unused' is intentionally unused - it is there to suppress
__must_check warnings.

Reported-by: kernel test robot
Link: https://lkml.kernel.org/r/202104050216.HflRxfJm-lkp@intel.com
Cc: Marco Elver
Cc: Alexander Potapenko
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
25 Feb, 2021
1 commit
-
Clarify and update comments in KASAN tests.
Link: https://linux-review.googlesource.com/id/I6c816c51fa1e0eb7aa3dead6bda1f339d2af46c8
Link: https://lkml.kernel.org/r/ba6db104d53ae0e3796f80ef395f6873c1c1282f.1610733117.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov
Reviewed-by: Marco Elver
Reviewed-by: Alexander Potapenko
Cc: Andrey Ryabinin
Cc: Branislav Rankov
Cc: Catalin Marinas
Cc: Dmitry Vyukov
Cc: Evgenii Stepanov
Cc: Kevin Brodsky
Cc: Peter Collingbourne
Cc: Vincenzo Frascino
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
23 Dec, 2020
1 commit
-
This is a preparatory commit for the upcoming addition of a new hardware
tag-based (MTE-based) KASAN mode.

The new mode won't be using shadow memory, but will still use the concept
of memory granules. Each memory granule maps to a single metadata entry:
8 bytes per one shadow byte for generic mode, 16 bytes per one shadow byte
for software tag-based mode, and 16 bytes per one allocation tag for
hardware tag-based mode.

Rename KASAN_SHADOW_SCALE_SIZE to KASAN_GRANULE_SIZE, and
KASAN_SHADOW_MASK to KASAN_GRANULE_MASK.

Also use MASK when used as a mask, otherwise use SIZE.
No functional changes.
Link: https://lkml.kernel.org/r/939b5754e47f528a6e6a6f28ffc5815d8d128033.1606161801.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov
Signed-off-by: Vincenzo Frascino
Reviewed-by: Marco Elver
Reviewed-by: Alexander Potapenko
Tested-by: Vincenzo Frascino
Cc: Andrey Ryabinin
Cc: Branislav Rankov
Cc: Catalin Marinas
Cc: Dmitry Vyukov
Cc: Evgenii Stepanov
Cc: Kevin Brodsky
Cc: Vasily Gorbik
Cc: Will Deacon
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
16 Dec, 2020
1 commit
-
Adds a test to verify workqueue stack recording and print it in the
KASAN report.

The KASAN report was as follows (cleaned up slightly):
BUG: KASAN: use-after-free in kasan_workqueue_uaf
Freed by task 54:
kasan_save_stack+0x24/0x50
kasan_set_track+0x24/0x38
kasan_set_free_info+0x20/0x40
__kasan_slab_free+0x10c/0x170
kasan_slab_free+0x10/0x18
kfree+0x98/0x270
kasan_workqueue_work+0xc/0x18

Last potentially related work creation:
kasan_save_stack+0x24/0x50
kasan_record_wq_stack+0xa8/0xb8
insert_work+0x48/0x288
__queue_work+0x3e8/0xc40
queue_work_on+0xf4/0x118
kasan_workqueue_uaf+0xfc/0x190

Link: https://lkml.kernel.org/r/20201203022748.30681-1-walter-zh.wu@mediatek.com
Signed-off-by: Walter Wu
Acked-by: Marco Elver
Reviewed-by: Dmitry Vyukov
Reviewed-by: Andrey Konovalov
Cc: Andrey Ryabinin
Cc: Alexander Potapenko
Cc: Matthias Brugger
Cc: Jonathan Corbet
Cc: Lai Jiangshan
Cc: Tejun Heo
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
14 Oct, 2020
1 commit
-
Transfer all previous tests for KASAN to KUnit so they can be run more
easily. Using kunit_tool, developers can run these tests with their other
KUnit tests and see "pass" or "fail" with the appropriate KASAN report
instead of needing to parse each KASAN report to test KASAN
functionalities. All KASAN reports are still printed to dmesg.

Stack tests do not work properly when KASAN_STACK is enabled so those
tests use a check for "if IS_ENABLED(CONFIG_KASAN_STACK)" so they only run
if stack instrumentation is enabled. If KASAN_STACK is not enabled, KUnit
will print a statement to let the user know this test was not run with
KASAN_STACK enabled.

copy_user_test and kasan_rcu_uaf cannot be run in KUnit so there is a
separate test file for those tests, which can be run as before as a
module.

[trishalfonso@google.com: v14]
Link: https://lkml.kernel.org/r/20200915035828.570483-4-davidgow@google.com
Signed-off-by: Patricia Alfonso
Signed-off-by: David Gow
Signed-off-by: Andrew Morton
Tested-by: Andrey Konovalov
Reviewed-by: Brendan Higgins
Reviewed-by: Andrey Konovalov
Reviewed-by: Dmitry Vyukov
Cc: Andrey Ryabinin
Cc: Ingo Molnar
Cc: Juri Lelli
Cc: Peter Zijlstra
Cc: Shuah Khan
Cc: Vincent Guittot
Link: https://lkml.kernel.org/r/20200910070331.3358048-4-davidgow@google.com
Signed-off-by: Linus Torvalds