[PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Ivan Orlov]

The 'device_name' array doesn't exist out of the
'overflow_allocation_test' function scope. However, it is being used as
a driver name when calling 'kunit_driver_create' from
'kunit_device_register'. It produces the kernel panic with KASAN
enabled.

Since this variable is used in one place only, remove it and pass the
device name into kunit_device_register directly as an ascii string.

Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
---
 lib/overflow_kunit.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
index f314a0c15a6d..2abc78367dd1 100644
--- a/lib/overflow_kunit.c
+++ b/lib/overflow_kunit.c
@@ -668,7 +668,6 @@ DEFINE_TEST_ALLOC(devm_kzalloc,  devm_kfree, 1, 1, 0);
 
 static void overflow_allocation_test(struct kunit *test)
 {
-	const char device_name[] = "overflow-test";
 	struct device *dev;
 	int count = 0;
 
@@ -678,7 +677,7 @@ static void overflow_allocation_test(struct kunit *test)
 } while (0)
 
 	/* Create dummy device for devm_kmalloc()-family tests. */
-	dev = kunit_device_register(test, device_name);
+	dev = kunit_device_register(test, "overflow-test");
 	KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev),
 			       "Cannot register test device\n");
 
-- 
2.34.1

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Erhard Furtner]

On Thu, 15 Aug 2024 01:04:31 +0100
Ivan Orlov <ivan.orlov0322@gmail.com> wrote:

> The 'device_name' array doesn't exist out of the
> 'overflow_allocation_test' function scope. However, it is being used as
> a driver name when calling 'kunit_driver_create' from
> 'kunit_device_register'. It produces the kernel panic with KASAN
> enabled.
> 
> Since this variable is used in one place only, remove it and pass the
> device name into kunit_device_register directly as an ascii string.
> 
> Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
> ---
>  lib/overflow_kunit.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f314a0c15a6d..2abc78367dd1 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -668,7 +668,6 @@ DEFINE_TEST_ALLOC(devm_kzalloc,  devm_kfree, 1, 1, 0);
>  
>  static void overflow_allocation_test(struct kunit *test)
>  {
> -	const char device_name[] = "overflow-test";
>  	struct device *dev;
>  	int count = 0;
>  
> @@ -678,7 +677,7 @@ static void overflow_allocation_test(struct kunit *test)
>  } while (0)
>  
>  	/* Create dummy device for devm_kmalloc()-family tests. */
> -	dev = kunit_device_register(test, device_name);
> +	dev = kunit_device_register(test, "overflow-test");
>  	KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev),
>  			       "Cannot register test device\n");
>  
> -- 
> 2.34.1

Thanks Ivan!

I can confirm that your patch fixes the KASAN hit on ppc32 when the overflow_kunit test is built as a module and modprobed later.

Regards,
Erhard

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[David Gow]

[-- Attachment #1: Type: text/plain, Size: 1751 bytes --]

On Thu, 15 Aug 2024 at 08:04, Ivan Orlov <ivan.orlov0322@gmail.com> wrote:
>
> The 'device_name' array doesn't exist out of the
> 'overflow_allocation_test' function scope. However, it is being used as
> a driver name when calling 'kunit_driver_create' from
> 'kunit_device_register'. It produces the kernel panic with KASAN
> enabled.
>
> Since this variable is used in one place only, remove it and pass the
> device name into kunit_device_register directly as an ascii string.
>
> Signed-off-by: Ivan Orlov <ivan.orlov0322@gmail.com>
> ---

Thanks -- we've got plans to add support for non-constant strings
here, but the first version had some issues, and (Kees -- correct me
if I'm wrong) there doesn't seem to be any need to have this be
dynamically allocated.

Reviewed-by: David Gow <davidgow@google.com>

Cheers,
-- David

>  lib/overflow_kunit.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c
> index f314a0c15a6d..2abc78367dd1 100644
> --- a/lib/overflow_kunit.c
> +++ b/lib/overflow_kunit.c
> @@ -668,7 +668,6 @@ DEFINE_TEST_ALLOC(devm_kzalloc,  devm_kfree, 1, 1, 0);
>
>  static void overflow_allocation_test(struct kunit *test)
>  {
> -       const char device_name[] = "overflow-test";
>         struct device *dev;
>         int count = 0;
>
> @@ -678,7 +677,7 @@ static void overflow_allocation_test(struct kunit *test)
>  } while (0)
>
>         /* Create dummy device for devm_kmalloc()-family tests. */
> -       dev = kunit_device_register(test, device_name);
> +       dev = kunit_device_register(test, "overflow-test");
>         KUNIT_ASSERT_FALSE_MSG(test, IS_ERR(dev),
>                                "Cannot register test device\n");
>
> --
> 2.34.1
>

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4014 bytes --]

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Kees Cook]

On Thu, 15 Aug 2024 01:04:31 +0100, Ivan Orlov wrote:
> The 'device_name' array doesn't exist out of the
> 'overflow_allocation_test' function scope. However, it is being used as
> a driver name when calling 'kunit_driver_create' from
> 'kunit_device_register'. It produces the kernel panic with KASAN
> enabled.
> 
> Since this variable is used in one place only, remove it and pass the
> device name into kunit_device_register directly as an ascii string.
> 
> [...]

Applied to for-linus/hardening, thanks!

[1/1] kunit/overflow: Fix UB in overflow_allocation_test
      https://git.kernel.org/kees/c/92e9bac18124

Take care,

-- 
Kees Cook

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Andrew Morton]

On Thu, 15 Aug 2024 01:04:31 +0100 Ivan Orlov <ivan.orlov0322@gmail.com> wrote:

> The 'device_name' array doesn't exist out of the
> 'overflow_allocation_test' function scope. However, it is being used as
> a driver name when calling 'kunit_driver_create' from
> 'kunit_device_register'. It produces the kernel panic with KASAN
> enabled.
> 
> Since this variable is used in one place only, remove it and pass the
> device name into kunit_device_register directly as an ascii string.

Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests")
Cc: <stable@vger.kernel.org>

yes?


I'll grab it now, but perhaps Kees will handle this.

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Andrew Morton]

On Thu, 15 Aug 2024 01:04:31 +0100 Ivan Orlov <ivan.orlov0322@gmail.com> wrote:

> Subject: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

What's "UB", btw?

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Ivan Orlov]

On 8/16/24 00:01, Andrew Morton wrote:
> On Thu, 15 Aug 2024 01:04:31 +0100 Ivan Orlov <ivan.orlov0322@gmail.com> wrote:
> 
>> The 'device_name' array doesn't exist out of the
>> 'overflow_allocation_test' function scope. However, it is being used as
>> a driver name when calling 'kunit_driver_create' from
>> 'kunit_device_register'. It produces the kernel panic with KASAN
>> enabled.
>>
>> Since this variable is used in one place only, remove it and pass the
>> device name into kunit_device_register directly as an ascii string.
> 
> Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests")
> Cc: <stable@vger.kernel.org>
> 
> yes?
> 

Ah, yes, sorry, I should've specified the fixes tag in the patch :(

> 
> I'll grab it now, but perhaps Kees will handle this.
> 

Thanks!

-- 
Kind regards,
Ivan Orlov

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Ivan Orlov]

On 8/16/24 00:04, Andrew Morton wrote:
> On Thu, 15 Aug 2024 01:04:31 +0100 Ivan Orlov <ivan.orlov0322@gmail.com> wrote:
> 
>> Subject: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test
> 
> What's "UB", btw?

UB in the patch title stands for "undefined behavior", since passing a 
pointer with such a short lifetime to kunit_device_register causes one.

I was not sure about how to call this type of issues (misallocation, 
probably?), so I decided to give it a generic name :)

-- 
Kind regards,
Ivan Orlov

Re: [PATCH] kunit/overflow: Fix UB in overflow_allocation_test

[Kees Cook]

On August 15, 2024 4:01:48 PM PDT, Andrew Morton <akpm@linux-foundation.org> wrote:
>On Thu, 15 Aug 2024 01:04:31 +0100 Ivan Orlov <ivan.orlov0322@gmail.com> wrote:
>
>> The 'device_name' array doesn't exist out of the
>> 'overflow_allocation_test' function scope. However, it is being used as
>> a driver name when calling 'kunit_driver_create' from
>> 'kunit_device_register'. It produces the kernel panic with KASAN
>> enabled.
>> 
>> Since this variable is used in one place only, remove it and pass the
>> device name into kunit_device_register directly as an ascii string.
>
>Fixes: ca90800a91ba ("test_overflow: Add memory allocation overflow tests")
>Cc: <stable@vger.kernel.org>
>
>yes?
>
>
>I'll grab it now, but perhaps Kees will handle this.

I already grabbed it:
https://lore.kernel.org/lkml/172373928009.559695.8528767427266408069.b4-ty@kernel.org/

But I'll update the tags. Thanks!

-- 
Kees Cook