Sasha Levin
Sep 9, 2021, 8:18:12 PM
to linux-...@vger.kernel.org, sta...@vger.kernel.org, Andrey Konovalov, Marco Elver, Alexander Potapenko, Andrey Ryabinin, Dmitry Vyukov, Andrew Morton, Linus Torvalds, Sasha Levin, kasa...@googlegroups.com
From: Andrey Konovalov <andre...@gmail.com>
[ Upstream commit 1b0668be62cfa394903bb368641c80533bf42d5a ]
The HW_TAGS mode doesn't check memmove for negative size. As a result,
the kmalloc_memmove_invalid_size test corrupts memory, which can result in
a crash.
Disable this test with HW_TAGS KASAN.
Link: https://lkml.kernel.org/r/088733a06ac21eba29aa85b6f769d2abd...@gmail.com
Signed-off-by: Andrey Konovalov <andre...@gmail.com>
Reviewed-by: Marco Elver <el...@google.com>
Cc: Alexander Potapenko <gli...@google.com>
Cc: Andrey Ryabinin <arya...@virtuozzo.com>
Cc: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
lib/test_kasan.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index b298edb325ab..c149675300bd 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -485,11 +485,17 @@ static void kmalloc_memmove_invalid_size(struct kunit *test)
size_t size = 64;
volatile size_t invalid_size = -2;
+ /*
+ * Hardware tag-based mode doesn't check memmove for negative size.
+ * As a result, this test introduces a side-effect memory corruption,
+ * which can result in a crash.
+ */
+ KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
+
ptr = kmalloc(size, GFP_KERNEL);
KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
memset((char *)ptr, 0, 64);
-
KUNIT_EXPECT_KASAN_FAIL(test,
memmove((char *)ptr, (char *)ptr + 4, invalid_size));
kfree(ptr);
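Review bot: since this is a stable backport of an upstream commit, please confirm that `KASAN_TEST_NEEDS_CONFIG_OFF` is already defined in the target stable tree's lib/test_kasan.c; if that helper landed upstream in a separate patch, this hunk will not build without it. Placing the guard before `ptr = kmalloc(size, GFP_KERNEL);` is the right spot, as the test is skipped before any allocation and nothing leaks. The removed blank line between `memset((char *)ptr, 0, 64);` and `KUNIT_EXPECT_KASAN_FAIL(test,` is unrelated whitespace churn in a fix that should stay minimal for stable; consider dropping it.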
--
2.30.2