[PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN

[Walter Wu]

We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
memory access. They need to be fixed.

With tag-based KASAN, the state of each 16 aligned bytes of memory is
encoded in one shadow byte and the shadow value is tag of pointer, so
we need to read next shadow byte, the shadow value is not equal to tag
value of pointer, so that tag-based KASAN will detect out-of-bounds
memory access.

Signed-off-by: Walter Wu <walter...@mediatek.com>
Cc: Andrey Ryabinin <arya...@virtuozzo.com>
Cc: Dmitry Vyukov <dvy...@google.com>
Cc: Alexander Potapenko <gli...@google.com>
Cc: Matthias Brugger <matthi...@gmail.com>
Cc: Andrey Konovalov <andre...@google.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
---

changes since v1:
- Reduce amount of non-compiled code.
- KUnit-KASAN Integration patchset are not merged yet. My patch should
have conflict with it, if needed, we can continue to wait it.

---

lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
1 file changed, 64 insertions(+), 17 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index e3087d90e00d..660664439d52 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
return;
}

- ptr[size] = 'x';
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr[size] = 'x';
+ else
+ ptr[size + 5] = 'x';
+
kfree(ptr);
}

@@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
return;
}

- ptr[size] = 0;
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr[size] = 0;
+ else
+ ptr[size + 6] = 0;
+
kfree(ptr);
}

@@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
return;
}

- ptr2[size2] = 'x';
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr2[size2] = 'x';
+ else
+ ptr2[size2 + 13] = 'x';
+
kfree(ptr2);
}

@@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
kfree(ptr1);
return;
}
- ptr2[size2] = 'x';
+
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ ptr2[size2] = 'x';
+ else
+ ptr2[size2 + 2] = 'x';
+
kfree(ptr2);
}

@@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
return;
}

- memset(ptr+7, 0, 2);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+7, 0, 2);
+ else
+ memset(ptr+15, 0, 2);
+
kfree(ptr);
}

@@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
return;
}

- memset(ptr+5, 0, 4);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+5, 0, 4);
+ else
+ memset(ptr+15, 0, 4);
+
kfree(ptr);
}

@@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
return;
}

- memset(ptr+1, 0, 8);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+1, 0, 8);
+ else
+ memset(ptr+15, 0, 8);
+
kfree(ptr);
}

@@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
return;
}

- memset(ptr+1, 0, 16);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr+1, 0, 16);
+ else
+ memset(ptr+15, 0, 16);
+
kfree(ptr);
}

@@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
return;
}

- memset(ptr, 0, size+5);
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ memset(ptr, 0, size+5);
+ else
+ memset(ptr, 0, size+7);
+
kfree(ptr);
}

@@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
return;
}

- *p = p[size];
+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ *p = p[size];
+ else
+ *p = p[size + 8];
+
kmem_cache_free(cache, p);
kmem_cache_destroy(cache);
}
@@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
char __user *usermem;
size_t size = 10;
int unused;
+ size_t oob_size;

kmem = kmalloc(size, GFP_KERNEL);
if (!kmem)
@@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
return;
}

+ if (IS_ENABLED(CONFIG_KASAN_GENERIC))
+ oob_size = 1;
+ else
+ oob_size = 7;
+
pr_info("out-of-bounds in copy_from_user()\n");
- unused = copy_from_user(kmem, usermem, size + 1);
+ unused = copy_from_user(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in copy_to_user()\n");
- unused = copy_to_user(usermem, kmem, size + 1);
+ unused = copy_to_user(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in __copy_from_user()\n");
- unused = __copy_from_user(kmem, usermem, size + 1);
+ unused = __copy_from_user(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in __copy_to_user()\n");
- unused = __copy_to_user(usermem, kmem, size + 1);
+ unused = __copy_to_user(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
- unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
+ unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);

pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
- unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
+ unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);

pr_info("out-of-bounds in strncpy_from_user()\n");
- unused = strncpy_from_user(kmem, usermem, size + 1);
+ unused = strncpy_from_user(kmem, usermem, size + oob_size);

vm_munmap((unsigned long)usermem, PAGE_SIZE);
kfree(kmem);
--
2.18.0

[Dmitry Vyukov]

Hi Walter,

Would if be possible to introduce something like:

#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 8)

and then add it throughout as

ptr[size + OOB_TAG_OFF] = 'x';

?
The current version results in quite some amount of additional code
that needs to be read, extended and maintained in the future. So I am
thinking if it's possible to minimize it somehow...

> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu%40mediatek.com.

[Walter Wu]

It is good suggestion. Thanks.

> and then add it throughout as
>
> ptr[size + OOB_TAG_OFF] = 'x';
>
> ?
> The current version results in quite some amount of additional code
> that needs to be read, extended and maintained in the future. So I am
> thinking if it's possible to minimize it somehow...
>

Ok, I will send next patch by your suggestion.

Thanks.

> > To view this discussion on the web visit https://urldefense.com/v3/__https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu*40mediatek.com__;JQ!!CTRNKA9wMg0ARbw!zqGS_g-oLI7o6850GjV_P7YQPr8SufdeC8fbnt27o4WtvhX5PZ8-eZ6BWyF3bwm7Tizipw$ .

[Walter Wu]

We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
memory access. They need to be fixed.

With tag-based KASAN, the state of each 16 aligned bytes of memory is
encoded in one shadow byte and the shadow value is tag of pointer, so
we need to read next shadow byte, the shadow value is not equal to tag
value of pointer, so that tag-based KASAN will detect out-of-bounds
memory access.

Signed-off-by: Walter Wu <walter...@mediatek.com>

Suggested-by: Dmitry Vyukov <dvy...@google.com>

Cc: Andrey Ryabinin <arya...@virtuozzo.com>
Cc: Dmitry Vyukov <dvy...@google.com>
Cc: Alexander Potapenko <gli...@google.com>
Cc: Matthias Brugger <matthi...@gmail.com>
Cc: Andrey Konovalov <andre...@google.com>
Cc: Andrew Morton <ak...@linux-foundation.org>
---

changes since v1:
- Reduce amount of non-compiled code.

- KUnit-KASAN Integration patchset is not merged yet. My patch should

have conflict with it, if needed, we can continue to wait it.

changes since v2:
- Add one marco to make unit tests more readability.

---
lib/test_kasan.c | 47 ++++++++++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 17 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index e3087d90e00d..b5049a807e25 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -23,6 +23,8 @@

#include <asm/page.h>

+#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 13)
+
/*
* Note: test functions are marked noinline so that their names appear in
* reports.
@@ -40,7 +42,8 @@ static noinline void __init kmalloc_oob_right(void)

return;
}

- ptr[size] = 'x';

+ ptr[size + OOB_TAG_OFF] = 'x';
+
kfree(ptr);
}

@@ -92,7 +95,8 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)

return;
}

- ptr[size] = 0;

+ ptr[size + OOB_TAG_OFF] = 0;
+
kfree(ptr);
}

@@ -162,7 +166,8 @@ static noinline void __init kmalloc_oob_krealloc_more(void)

return;
}

- ptr2[size2] = 'x';

+ ptr2[size2 + OOB_TAG_OFF] = 'x';
+
kfree(ptr2);
}

@@ -180,7 +185,9 @@ static noinline void __init kmalloc_oob_krealloc_less(void)

kfree(ptr1);
return;
}
- ptr2[size2] = 'x';
+

+ ptr2[size2 + OOB_TAG_OFF] = 'x';
+
kfree(ptr2);
}

@@ -216,7 +223,8 @@ static noinline void __init kmalloc_oob_memset_2(void)

return;
}

- memset(ptr+7, 0, 2);

+ memset(ptr + 7 + OOB_TAG_OFF, 0, 2);
+
kfree(ptr);
}

@@ -232,7 +240,8 @@ static noinline void __init kmalloc_oob_memset_4(void)

return;
}

- memset(ptr+5, 0, 4);

+ memset(ptr + 5 + OOB_TAG_OFF, 0, 4);
+
kfree(ptr);
}

@@ -249,7 +258,8 @@ static noinline void __init kmalloc_oob_memset_8(void)

return;
}

- memset(ptr+1, 0, 8);

+ memset(ptr + 1 + OOB_TAG_OFF, 0, 8);
+
kfree(ptr);
}

@@ -265,7 +275,8 @@ static noinline void __init kmalloc_oob_memset_16(void)

return;
}

- memset(ptr+1, 0, 16);

+ memset(ptr + 1 + OOB_TAG_OFF, 0, 16);
+
kfree(ptr);
}

@@ -281,7 +292,8 @@ static noinline void __init kmalloc_oob_in_memset(void)

return;
}

- memset(ptr, 0, size+5);

+ memset(ptr, 0, size + 5 + OOB_TAG_OFF);
+
kfree(ptr);
}

@@ -415,7 +427,8 @@ static noinline void __init kmem_cache_oob(void)

return;
}

- *p = p[size];

+ *p = p[size + OOB_TAG_OFF];
+
kmem_cache_free(cache, p);
kmem_cache_destroy(cache);
}
@@ -512,25 +525,25 @@ static noinline void __init copy_user_test(void)

}

pr_info("out-of-bounds in copy_from_user()\n");
- unused = copy_from_user(kmem, usermem, size + 1);

+ unused = copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in copy_to_user()\n");
- unused = copy_to_user(usermem, kmem, size + 1);

+ unused = copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in __copy_from_user()\n");
- unused = __copy_from_user(kmem, usermem, size + 1);

+ unused = __copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in __copy_to_user()\n");
- unused = __copy_to_user(usermem, kmem, size + 1);

+ unused = __copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
- unused = __copy_from_user_inatomic(kmem, usermem, size + 1);

+ unused = __copy_from_user_inatomic(kmem, usermem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
- unused = __copy_to_user_inatomic(usermem, kmem, size + 1);

+ unused = __copy_to_user_inatomic(usermem, kmem, size + 1 + OOB_TAG_OFF);

pr_info("out-of-bounds in strncpy_from_user()\n");
- unused = strncpy_from_user(kmem, usermem, size + 1);

+ unused = strncpy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF);

[Dmitry Vyukov]

On Mon, Jul 6, 2020 at 1:50 PM Walter Wu <walter...@mediatek.com> wrote:
>
> We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
> memory access. They need to be fixed.
>
> With tag-based KASAN, the state of each 16 aligned bytes of memory is
> encoded in one shadow byte and the shadow value is tag of pointer, so
> we need to read next shadow byte, the shadow value is not equal to tag
> value of pointer, so that tag-based KASAN will detect out-of-bounds
> memory access.
>
> Signed-off-by: Walter Wu <walter...@mediatek.com>
> Suggested-by: Dmitry Vyukov <dvy...@google.com>
> Cc: Andrey Ryabinin <arya...@virtuozzo.com>
> Cc: Dmitry Vyukov <dvy...@google.com>
> Cc: Alexander Potapenko <gli...@google.com>
> Cc: Matthias Brugger <matthi...@gmail.com>
> Cc: Andrey Konovalov <andre...@google.com>
> Cc: Andrew Morton <ak...@linux-foundation.org>

Acked-by: Dmitry Vyukov <dvy...@google.com>

Thanks for fixing these tests!

> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200706115039.16750-1-walter-zh.wu%40mediatek.com.

[Andrey Konovalov]

On Mon, Jul 6, 2020 at 1:50 PM Walter Wu <walter...@mediatek.com> wrote:
>

Let's use KASAN_SHADOW_SCALE_SIZE instead of 13 to make sure the
access always lands in the next memory granule.

With that:

Reviewed-by: Andrey Konovalov <andre...@google.com>

[Walter Wu]

We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
memory access. They need to be fixed.

With tag-based KASAN, the state of each 16 aligned bytes of memory is
encoded in one shadow byte and the shadow value is tag of pointer, so
we need to read next shadow byte, the shadow value is not equal to tag
value of pointer, so that tag-based KASAN will detect out-of-bounds
memory access.

Signed-off-by: Walter Wu <walter...@mediatek.com>
Suggested-by: Dmitry Vyukov <dvy...@google.com>

Acked-by: Dmitry Vyukov <dvy...@google.com>
Reviewed-by: Andrey Konovalov <andre...@google.com>
Cc: Andrey Ryabinin <arya...@virtuozzo.com>

Cc: Alexander Potapenko <gli...@google.com>
Cc: Matthias Brugger <matthi...@gmail.com>

Cc: Andrew Morton <ak...@linux-foundation.org>
---

changes since v1:
- Reduce amount of non-compiled code.
- KUnit-KASAN Integration patchset is not merged yet. My patch should
have conflict with it, if needed, we can continue to wait it.

changes since v2:
- Add one marco to make unit tests more readability.

changes since v3:
- use KASAN_SHADOW_SCALE_SIZE instead of 13.

---
lib/test_kasan.c | 49 +++++++++++++++++++++++++++++++-----------------
1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 61a3cc11556f..003ea5b49f4c 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -23,6 +23,10 @@

#include <asm/page.h>

+#include "../mm/kasan/kasan.h"
+
+#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_SHADOW_SCALE_SIZE)

+
/*
* Note: test functions are marked noinline so that their names appear in
* reports.

@@ -40,7 +44,8 @@ static noinline void __init kmalloc_oob_right(void)

return;
}

- ptr[size] = 'x';
+ ptr[size + OOB_TAG_OFF] = 'x';
+
kfree(ptr);
}

@@ -92,7 +97,8 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)

return;
}

- ptr[size] = 0;
+ ptr[size + OOB_TAG_OFF] = 0;
+
kfree(ptr);
}

@@ -162,7 +168,8 @@ static noinline void __init kmalloc_oob_krealloc_more(void)

return;
}

- ptr2[size2] = 'x';
+ ptr2[size2 + OOB_TAG_OFF] = 'x';
+
kfree(ptr2);
}

@@ -180,7 +187,9 @@ static noinline void __init kmalloc_oob_krealloc_less(void)

kfree(ptr1);
return;
}
- ptr2[size2] = 'x';
+
+ ptr2[size2 + OOB_TAG_OFF] = 'x';
+
kfree(ptr2);
}

@@ -216,7 +225,8 @@ static noinline void __init kmalloc_oob_memset_2(void)

return;
}

- memset(ptr+7, 0, 2);
+ memset(ptr + 7 + OOB_TAG_OFF, 0, 2);
+
kfree(ptr);
}

@@ -232,7 +242,8 @@ static noinline void __init kmalloc_oob_memset_4(void)

return;
}

- memset(ptr+5, 0, 4);
+ memset(ptr + 5 + OOB_TAG_OFF, 0, 4);
+
kfree(ptr);
}

@@ -249,7 +260,8 @@ static noinline void __init kmalloc_oob_memset_8(void)

return;
}

- memset(ptr+1, 0, 8);
+ memset(ptr + 1 + OOB_TAG_OFF, 0, 8);
+
kfree(ptr);
}

@@ -265,7 +277,8 @@ static noinline void __init kmalloc_oob_memset_16(void)

return;
}

- memset(ptr+1, 0, 16);
+ memset(ptr + 1 + OOB_TAG_OFF, 0, 16);
+
kfree(ptr);
}

@@ -281,7 +294,8 @@ static noinline void __init kmalloc_oob_in_memset(void)

return;
}

- memset(ptr, 0, size+5);
+ memset(ptr, 0, size + 5 + OOB_TAG_OFF);
+
kfree(ptr);
}

@@ -415,7 +429,8 @@ static noinline void __init kmem_cache_oob(void)

return;
}

- *p = p[size];
+ *p = p[size + OOB_TAG_OFF];
+
kmem_cache_free(cache, p);
kmem_cache_destroy(cache);
}

@@ -512,25 +527,25 @@ static noinline void __init copy_user_test(void)