On Wed, 11 Aug 2021 at 21:21, <andrey.konovalov@xxxxxxxxx> wrote:
> From: Andrey Konovalov <andreyknvl@xxxxxxxxx>
>
> Rework kmalloc_oob_right() to do these bad access checks:
>
> 1. An unaligned access one byte past the requested kmalloc size
>    (can only be detected by KASAN_GENERIC).
> 2. An aligned access into the first out-of-bounds granule that falls
>    within the aligned kmalloc object.
> 3. Out-of-bounds access past the aligned kmalloc object.
>
> Test #3 deliberately uses a read access to avoid corrupting memory.
> Otherwise, this test might lead to crashes with the HW_TAGS mode, as it
> neither uses quarantine nor redzones.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@xxxxxxxxx>

Reviewed-by: Marco Elver <elver@xxxxxxxxxx>

> ---
>  lib/test_kasan.c | 20 ++++++++++++++++++--
>  1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 8f7b0b2f6e11..1bc3cdd2957f 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -122,12 +122,28 @@ static void kasan_test_exit(struct kunit *test)
>  static void kmalloc_oob_right(struct kunit *test)
>  {
>  	char *ptr;
> -	size_t size = 123;
> +	size_t size = 128 - KASAN_GRANULE_SIZE - 5;
>
>  	ptr = kmalloc(size, GFP_KERNEL);
>  	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>
> -	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + OOB_TAG_OFF] = 'x');
> +	/*
> +	 * An unaligned access past the requested kmalloc size.
> +	 * Only generic KASAN can precisely detect these.
> +	 */
> +	if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> +		KUNIT_EXPECT_KASAN_FAIL(test, ptr[size] = 'x');
> +
> +	/*
> +	 * An aligned access into the first out-of-bounds granule that falls
> +	 * within the aligned kmalloc object.
> +	 */
> +	KUNIT_EXPECT_KASAN_FAIL(test, ptr[size + 5] = 'y');
> +
> +	/* Out-of-bounds access past the aligned kmalloc object. */
> +	KUNIT_EXPECT_KASAN_FAIL(test, ptr[0] =
> +			ptr[size + KASAN_GRANULE_SIZE + 5]);
> +
>  	kfree(ptr);
>  }
>
> --
> 2.25.1
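Review bot: the inline comment on the third check, `/* Out-of-bounds access past the aligned kmalloc object. */`, does not say why this one is a read into `ptr[0]` while the first two checks are writes; the rationale only lives in the commit message (a write past the aligned object could crash HW_TAGS builds, which have neither quarantine nor redzones), so a reader of the test file alone will be tempted to "simplify" it back into a write. Suggest carrying that reason into the comment, e.g. `/* Out-of-bounds access past the aligned kmalloc object. Deliberately a read: a write here can corrupt memory under HW_TAGS. */`. Likewise, the new `size_t size = 128 - KASAN_GRANULE_SIZE - 5;` only lines up with offsets `size`, `size + 5` and `size + KASAN_GRANULE_SIZE + 5` if the allocation is rounded up to 128 bytes; a one-line comment next to the definition stating that assumption would make the three offsets self-explanatory.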