1
2
3
4
5
6
7
8#define pr_fmt(fmt) "kasan test: %s " fmt, __func__
9
10#include <linux/bitops.h>
11#include <linux/delay.h>
12#include <linux/kasan.h>
13#include <linux/kernel.h>
14#include <linux/mm.h>
15#include <linux/mman.h>
16#include <linux/module.h>
17#include <linux/printk.h>
18#include <linux/slab.h>
19#include <linux/string.h>
20#include <linux/uaccess.h>
21#include <linux/io.h>
22#include <linux/vmalloc.h>
23
24#include <asm/page.h>
25
26
27
28
29
30
31static noinline void __init kmalloc_oob_right(void)
32{
33 char *ptr;
34 size_t size = 123;
35
36 pr_info("out-of-bounds to right\n");
37 ptr = kmalloc(size, GFP_KERNEL);
38 if (!ptr) {
39 pr_err("Allocation failed\n");
40 return;
41 }
42
43 ptr[size] = 'x';
44 kfree(ptr);
45}
46
47static noinline void __init kmalloc_oob_left(void)
48{
49 char *ptr;
50 size_t size = 15;
51
52 pr_info("out-of-bounds to left\n");
53 ptr = kmalloc(size, GFP_KERNEL);
54 if (!ptr) {
55 pr_err("Allocation failed\n");
56 return;
57 }
58
59 *ptr = *(ptr - 1);
60 kfree(ptr);
61}
62
63static noinline void __init kmalloc_node_oob_right(void)
64{
65 char *ptr;
66 size_t size = 4096;
67
68 pr_info("kmalloc_node(): out-of-bounds to right\n");
69 ptr = kmalloc_node(size, GFP_KERNEL, 0);
70 if (!ptr) {
71 pr_err("Allocation failed\n");
72 return;
73 }
74
75 ptr[size] = 0;
76 kfree(ptr);
77}
78
79#ifdef CONFIG_SLUB
80static noinline void __init kmalloc_pagealloc_oob_right(void)
81{
82 char *ptr;
83 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
84
85
86
87
88 pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
89 ptr = kmalloc(size, GFP_KERNEL);
90 if (!ptr) {
91 pr_err("Allocation failed\n");
92 return;
93 }
94
95 ptr[size] = 0;
96 kfree(ptr);
97}
98
99static noinline void __init kmalloc_pagealloc_uaf(void)
100{
101 char *ptr;
102 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
103
104 pr_info("kmalloc pagealloc allocation: use-after-free\n");
105 ptr = kmalloc(size, GFP_KERNEL);
106 if (!ptr) {
107 pr_err("Allocation failed\n");
108 return;
109 }
110
111 kfree(ptr);
112 ptr[0] = 0;
113}
114
115static noinline void __init kmalloc_pagealloc_invalid_free(void)
116{
117 char *ptr;
118 size_t size = KMALLOC_MAX_CACHE_SIZE + 10;
119
120 pr_info("kmalloc pagealloc allocation: invalid-free\n");
121 ptr = kmalloc(size, GFP_KERNEL);
122 if (!ptr) {
123 pr_err("Allocation failed\n");
124 return;
125 }
126
127 kfree(ptr + 1);
128}
129#endif
130
131static noinline void __init kmalloc_large_oob_right(void)
132{
133 char *ptr;
134 size_t size = KMALLOC_MAX_CACHE_SIZE - 256;
135
136
137
138 pr_info("kmalloc large allocation: out-of-bounds to right\n");
139 ptr = kmalloc(size, GFP_KERNEL);
140 if (!ptr) {
141 pr_err("Allocation failed\n");
142 return;
143 }
144
145 ptr[size] = 0;
146 kfree(ptr);
147}
148
149static noinline void __init kmalloc_oob_krealloc_more(void)
150{
151 char *ptr1, *ptr2;
152 size_t size1 = 17;
153 size_t size2 = 19;
154
155 pr_info("out-of-bounds after krealloc more\n");
156 ptr1 = kmalloc(size1, GFP_KERNEL);
157 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
158 if (!ptr1 || !ptr2) {
159 pr_err("Allocation failed\n");
160 kfree(ptr1);
161 kfree(ptr2);
162 return;
163 }
164
165 ptr2[size2] = 'x';
166 kfree(ptr2);
167}
168
169static noinline void __init kmalloc_oob_krealloc_less(void)
170{
171 char *ptr1, *ptr2;
172 size_t size1 = 17;
173 size_t size2 = 15;
174
175 pr_info("out-of-bounds after krealloc less\n");
176 ptr1 = kmalloc(size1, GFP_KERNEL);
177 ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
178 if (!ptr1 || !ptr2) {
179 pr_err("Allocation failed\n");
180 kfree(ptr1);
181 return;
182 }
183 ptr2[size2] = 'x';
184 kfree(ptr2);
185}
186
187static noinline void __init kmalloc_oob_16(void)
188{
189 struct {
190 u64 words[2];
191 } *ptr1, *ptr2;
192
193 pr_info("kmalloc out-of-bounds for 16-bytes access\n");
194 ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
195 ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
196 if (!ptr1 || !ptr2) {
197 pr_err("Allocation failed\n");
198 kfree(ptr1);
199 kfree(ptr2);
200 return;
201 }
202 *ptr1 = *ptr2;
203 kfree(ptr1);
204 kfree(ptr2);
205}
206
207static noinline void __init kmalloc_oob_memset_2(void)
208{
209 char *ptr;
210 size_t size = 8;
211
212 pr_info("out-of-bounds in memset2\n");
213 ptr = kmalloc(size, GFP_KERNEL);
214 if (!ptr) {
215 pr_err("Allocation failed\n");
216 return;
217 }
218
219 memset(ptr+7, 0, 2);
220 kfree(ptr);
221}
222
223static noinline void __init kmalloc_oob_memset_4(void)
224{
225 char *ptr;
226 size_t size = 8;
227
228 pr_info("out-of-bounds in memset4\n");
229 ptr = kmalloc(size, GFP_KERNEL);
230 if (!ptr) {
231 pr_err("Allocation failed\n");
232 return;
233 }
234
235 memset(ptr+5, 0, 4);
236 kfree(ptr);
237}
238
239
240static noinline void __init kmalloc_oob_memset_8(void)
241{
242 char *ptr;
243 size_t size = 8;
244
245 pr_info("out-of-bounds in memset8\n");
246 ptr = kmalloc(size, GFP_KERNEL);
247 if (!ptr) {
248 pr_err("Allocation failed\n");
249 return;
250 }
251
252 memset(ptr+1, 0, 8);
253 kfree(ptr);
254}
255
256static noinline void __init kmalloc_oob_memset_16(void)
257{
258 char *ptr;
259 size_t size = 16;
260
261 pr_info("out-of-bounds in memset16\n");
262 ptr = kmalloc(size, GFP_KERNEL);
263 if (!ptr) {
264 pr_err("Allocation failed\n");
265 return;
266 }
267
268 memset(ptr+1, 0, 16);
269 kfree(ptr);
270}
271
272static noinline void __init kmalloc_oob_in_memset(void)
273{
274 char *ptr;
275 size_t size = 666;
276
277 pr_info("out-of-bounds in memset\n");
278 ptr = kmalloc(size, GFP_KERNEL);
279 if (!ptr) {
280 pr_err("Allocation failed\n");
281 return;
282 }
283
284 memset(ptr, 0, size+5);
285 kfree(ptr);
286}
287
288static noinline void __init kmalloc_uaf(void)
289{
290 char *ptr;
291 size_t size = 10;
292
293 pr_info("use-after-free\n");
294 ptr = kmalloc(size, GFP_KERNEL);
295 if (!ptr) {
296 pr_err("Allocation failed\n");
297 return;
298 }
299
300 kfree(ptr);
301 *(ptr + 8) = 'x';
302}
303
304static noinline void __init kmalloc_uaf_memset(void)
305{
306 char *ptr;
307 size_t size = 33;
308
309 pr_info("use-after-free in memset\n");
310 ptr = kmalloc(size, GFP_KERNEL);
311 if (!ptr) {
312 pr_err("Allocation failed\n");
313 return;
314 }
315
316 kfree(ptr);
317 memset(ptr, 0, size);
318}
319
320static noinline void __init kmalloc_uaf2(void)
321{
322 char *ptr1, *ptr2;
323 size_t size = 43;
324
325 pr_info("use-after-free after another kmalloc\n");
326 ptr1 = kmalloc(size, GFP_KERNEL);
327 if (!ptr1) {
328 pr_err("Allocation failed\n");
329 return;
330 }
331
332 kfree(ptr1);
333 ptr2 = kmalloc(size, GFP_KERNEL);
334 if (!ptr2) {
335 pr_err("Allocation failed\n");
336 return;
337 }
338
339 ptr1[40] = 'x';
340 if (ptr1 == ptr2)
341 pr_err("Could not detect use-after-free: ptr1 == ptr2\n");
342 kfree(ptr2);
343}
344
345static noinline void __init kfree_via_page(void)
346{
347 char *ptr;
348 size_t size = 8;
349 struct page *page;
350 unsigned long offset;
351
352 pr_info("invalid-free false positive (via page)\n");
353 ptr = kmalloc(size, GFP_KERNEL);
354 if (!ptr) {
355 pr_err("Allocation failed\n");
356 return;
357 }
358
359 page = virt_to_page(ptr);
360 offset = offset_in_page(ptr);
361 kfree(page_address(page) + offset);
362}
363
364static noinline void __init kfree_via_phys(void)
365{
366 char *ptr;
367 size_t size = 8;
368 phys_addr_t phys;
369
370 pr_info("invalid-free false positive (via phys)\n");
371 ptr = kmalloc(size, GFP_KERNEL);
372 if (!ptr) {
373 pr_err("Allocation failed\n");
374 return;
375 }
376
377 phys = virt_to_phys(ptr);
378 kfree(phys_to_virt(phys));
379}
380
381static noinline void __init kmem_cache_oob(void)
382{
383 char *p;
384 size_t size = 200;
385 struct kmem_cache *cache = kmem_cache_create("test_cache",
386 size, 0,
387 0, NULL);
388 if (!cache) {
389 pr_err("Cache allocation failed\n");
390 return;
391 }
392 pr_info("out-of-bounds in kmem_cache_alloc\n");
393 p = kmem_cache_alloc(cache, GFP_KERNEL);
394 if (!p) {
395 pr_err("Allocation failed\n");
396 kmem_cache_destroy(cache);
397 return;
398 }
399
400 *p = p[size];
401 kmem_cache_free(cache, p);
402 kmem_cache_destroy(cache);
403}
404
405static noinline void __init memcg_accounted_kmem_cache(void)
406{
407 int i;
408 char *p;
409 size_t size = 200;
410 struct kmem_cache *cache;
411
412 cache = kmem_cache_create("test_cache", size, 0, SLAB_ACCOUNT, NULL);
413 if (!cache) {
414 pr_err("Cache allocation failed\n");
415 return;
416 }
417
418 pr_info("allocate memcg accounted object\n");
419
420
421
422
423 for (i = 0; i < 5; i++) {
424 p = kmem_cache_alloc(cache, GFP_KERNEL);
425 if (!p)
426 goto free_cache;
427
428 kmem_cache_free(cache, p);
429 msleep(100);
430 }
431
432free_cache:
433 kmem_cache_destroy(cache);
434}
435
436static char global_array[10];
437
438static noinline void __init kasan_global_oob(void)
439{
440 volatile int i = 3;
441 char *p = &global_array[ARRAY_SIZE(global_array) + i];
442
443 pr_info("out-of-bounds global variable\n");
444 *(volatile char *)p;
445}
446
447static noinline void __init kasan_stack_oob(void)
448{
449 char stack_array[10];
450 volatile int i = 0;
451 char *p = &stack_array[ARRAY_SIZE(stack_array) + i];
452
453 pr_info("out-of-bounds on stack\n");
454 *(volatile char *)p;
455}
456
457static noinline void __init ksize_unpoisons_memory(void)
458{
459 char *ptr;
460 size_t size = 123, real_size;
461
462 pr_info("ksize() unpoisons the whole allocated chunk\n");
463 ptr = kmalloc(size, GFP_KERNEL);
464 if (!ptr) {
465 pr_err("Allocation failed\n");
466 return;
467 }
468 real_size = ksize(ptr);
469
470 ptr[size] = 'x';
471
472 ptr[real_size] = 'y';
473 kfree(ptr);
474}
475
476static noinline void __init copy_user_test(void)
477{
478 char *kmem;
479 char __user *usermem;
480 size_t size = 10;
481 int unused;
482
483 kmem = kmalloc(size, GFP_KERNEL);
484 if (!kmem)
485 return;
486
487 usermem = (char __user *)vm_mmap(NULL, 0, PAGE_SIZE,
488 PROT_READ | PROT_WRITE | PROT_EXEC,
489 MAP_ANONYMOUS | MAP_PRIVATE, 0);
490 if (IS_ERR(usermem)) {
491 pr_err("Failed to allocate user memory\n");
492 kfree(kmem);
493 return;
494 }
495
496 pr_info("out-of-bounds in copy_from_user()\n");
497 unused = copy_from_user(kmem, usermem, size + 1);
498
499 pr_info("out-of-bounds in copy_to_user()\n");
500 unused = copy_to_user(usermem, kmem, size + 1);
501
502 pr_info("out-of-bounds in __copy_from_user()\n");
503 unused = __copy_from_user(kmem, usermem, size + 1);
504
505 pr_info("out-of-bounds in __copy_to_user()\n");
506 unused = __copy_to_user(usermem, kmem, size + 1);
507
508 pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
509 unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
510
511 pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
512 unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
513
514 pr_info("out-of-bounds in strncpy_from_user()\n");
515 unused = strncpy_from_user(kmem, usermem, size + 1);
516
517 vm_munmap((unsigned long)usermem, PAGE_SIZE);
518 kfree(kmem);
519}
520
521static noinline void __init kasan_alloca_oob_left(void)
522{
523 volatile int i = 10;
524 char alloca_array[i];
525 char *p = alloca_array - 1;
526
527 pr_info("out-of-bounds to left on alloca\n");
528 *(volatile char *)p;
529}
530
531static noinline void __init kasan_alloca_oob_right(void)
532{
533 volatile int i = 10;
534 char alloca_array[i];
535 char *p = alloca_array + i;
536
537 pr_info("out-of-bounds to right on alloca\n");
538 *(volatile char *)p;
539}
540
541static noinline void __init kmem_cache_double_free(void)
542{
543 char *p;
544 size_t size = 200;
545 struct kmem_cache *cache;
546
547 cache = kmem_cache_create("test_cache", size, 0, 0, NULL);
548 if (!cache) {
549 pr_err("Cache allocation failed\n");
550 return;
551 }
552 pr_info("double-free on heap object\n");
553 p = kmem_cache_alloc(cache, GFP_KERNEL);
554 if (!p) {
555 pr_err("Allocation failed\n");
556 kmem_cache_destroy(cache);
557 return;
558 }
559
560 kmem_cache_free(cache, p);
561 kmem_cache_free(cache, p);
562 kmem_cache_destroy(cache);
563}
564
565static noinline void __init kmem_cache_invalid_free(void)
566{
567 char *p;
568 size_t size = 200;
569 struct kmem_cache *cache;
570
571 cache = kmem_cache_create("test_cache", size, 0, SLAB_TYPESAFE_BY_RCU,
572 NULL);
573 if (!cache) {
574 pr_err("Cache allocation failed\n");
575 return;
576 }
577 pr_info("invalid-free of heap object\n");
578 p = kmem_cache_alloc(cache, GFP_KERNEL);
579 if (!p) {
580 pr_err("Allocation failed\n");
581 kmem_cache_destroy(cache);
582 return;
583 }
584
585
586 kmem_cache_free(cache, p + 1);
587
588
589
590
591
592 kmem_cache_free(cache, p);
593
594 kmem_cache_destroy(cache);
595}
596
597static noinline void __init kasan_memchr(void)
598{
599 char *ptr;
600 size_t size = 24;
601
602 pr_info("out-of-bounds in memchr\n");
603 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
604 if (!ptr)
605 return;
606
607 memchr(ptr, '1', size + 1);
608 kfree(ptr);
609}
610
611static noinline void __init kasan_memcmp(void)
612{
613 char *ptr;
614 size_t size = 24;
615 int arr[9];
616
617 pr_info("out-of-bounds in memcmp\n");
618 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
619 if (!ptr)
620 return;
621
622 memset(arr, 0, sizeof(arr));
623 memcmp(ptr, arr, size+1);
624 kfree(ptr);
625}
626
627static noinline void __init kasan_strings(void)
628{
629 char *ptr;
630 size_t size = 24;
631
632 pr_info("use-after-free in strchr\n");
633 ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
634 if (!ptr)
635 return;
636
637 kfree(ptr);
638
639
640
641
642
643
644
645 ptr += 16;
646 strchr(ptr, '1');
647
648 pr_info("use-after-free in strrchr\n");
649 strrchr(ptr, '1');
650
651 pr_info("use-after-free in strcmp\n");
652 strcmp(ptr, "2");
653
654 pr_info("use-after-free in strncmp\n");
655 strncmp(ptr, "2", 1);
656
657 pr_info("use-after-free in strlen\n");
658 strlen(ptr);
659
660 pr_info("use-after-free in strnlen\n");
661 strnlen(ptr, 1);
662}
663
664static noinline void __init kasan_bitops(void)
665{
666
667
668
669
670 long *bits = kzalloc(sizeof(*bits) + 1, GFP_KERNEL);
671 if (!bits)
672 return;
673
674
675
676
677
678
679 pr_info("out-of-bounds in set_bit\n");
680 set_bit(BITS_PER_LONG, bits);
681
682 pr_info("out-of-bounds in __set_bit\n");
683 __set_bit(BITS_PER_LONG, bits);
684
685 pr_info("out-of-bounds in clear_bit\n");
686 clear_bit(BITS_PER_LONG, bits);
687
688 pr_info("out-of-bounds in __clear_bit\n");
689 __clear_bit(BITS_PER_LONG, bits);
690
691 pr_info("out-of-bounds in clear_bit_unlock\n");
692 clear_bit_unlock(BITS_PER_LONG, bits);
693
694 pr_info("out-of-bounds in __clear_bit_unlock\n");
695 __clear_bit_unlock(BITS_PER_LONG, bits);
696
697 pr_info("out-of-bounds in change_bit\n");
698 change_bit(BITS_PER_LONG, bits);
699
700 pr_info("out-of-bounds in __change_bit\n");
701 __change_bit(BITS_PER_LONG, bits);
702
703
704
705
706 pr_info("out-of-bounds in test_and_set_bit\n");
707 test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
708
709 pr_info("out-of-bounds in __test_and_set_bit\n");
710 __test_and_set_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
711
712 pr_info("out-of-bounds in test_and_set_bit_lock\n");
713 test_and_set_bit_lock(BITS_PER_LONG + BITS_PER_BYTE, bits);
714
715 pr_info("out-of-bounds in test_and_clear_bit\n");
716 test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
717
718 pr_info("out-of-bounds in __test_and_clear_bit\n");
719 __test_and_clear_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
720
721 pr_info("out-of-bounds in test_and_change_bit\n");
722 test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
723
724 pr_info("out-of-bounds in __test_and_change_bit\n");
725 __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
726
727 pr_info("out-of-bounds in test_bit\n");
728 (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
729
730#if defined(clear_bit_unlock_is_negative_byte)
731 pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
732 clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
733#endif
734 kfree(bits);
735}
736
737static noinline void __init kmalloc_double_kzfree(void)
738{
739 char *ptr;
740 size_t size = 16;
741
742 pr_info("double-free (kzfree)\n");
743 ptr = kmalloc(size, GFP_KERNEL);
744 if (!ptr) {
745 pr_err("Allocation failed\n");
746 return;
747 }
748
749 kzfree(ptr);
750 kzfree(ptr);
751}
752
753#ifdef CONFIG_KASAN_VMALLOC
754static noinline void __init vmalloc_oob(void)
755{
756 void *area;
757
758 pr_info("vmalloc out-of-bounds\n");
759
760
761
762
763
764 area = vmalloc(3000);
765 if (!area) {
766 pr_err("Allocation failed\n");
767 return;
768 }
769
770 ((volatile char *)area)[3100];
771 vfree(area);
772}
773#else
774static void __init vmalloc_oob(void) {}
775#endif
776
777static int __init kmalloc_tests_init(void)
778{
779
780
781
782
783 bool multishot = kasan_save_enable_multi_shot();
784
785 kmalloc_oob_right();
786 kmalloc_oob_left();
787 kmalloc_node_oob_right();
788#ifdef CONFIG_SLUB
789 kmalloc_pagealloc_oob_right();
790 kmalloc_pagealloc_uaf();
791 kmalloc_pagealloc_invalid_free();
792#endif
793 kmalloc_large_oob_right();
794 kmalloc_oob_krealloc_more();
795 kmalloc_oob_krealloc_less();
796 kmalloc_oob_16();
797 kmalloc_oob_in_memset();
798 kmalloc_oob_memset_2();
799 kmalloc_oob_memset_4();
800 kmalloc_oob_memset_8();
801 kmalloc_oob_memset_16();
802 kmalloc_uaf();
803 kmalloc_uaf_memset();
804 kmalloc_uaf2();
805 kfree_via_page();
806 kfree_via_phys();
807 kmem_cache_oob();
808 memcg_accounted_kmem_cache();
809 kasan_stack_oob();
810 kasan_global_oob();
811 kasan_alloca_oob_left();
812 kasan_alloca_oob_right();
813 ksize_unpoisons_memory();
814 copy_user_test();
815 kmem_cache_double_free();
816 kmem_cache_invalid_free();
817 kasan_memchr();
818 kasan_memcmp();
819 kasan_strings();
820 kasan_bitops();
821 kmalloc_double_kzfree();
822 vmalloc_oob();
823
824 kasan_restore_multi_shot(multishot);
825
826 return -EAGAIN;
827}
828
829module_init(kmalloc_tests_init);
830MODULE_LICENSE("GPL");
831
