[PATCH v5 2/2] kasan: Add strscpy() test to trigger tag fault on arm64

Wed, 02 Apr 2025 17:09:33 -0700 

From: Vincenzo Frascino <vincenzo.frasc...@arm.com>

When we invoke strscpy() with a maximum size of N bytes, it assumes
that:
- It can always read N bytes from the source.
- It always write N bytes (zero-padded) to the destination.

On aarch64 with Memory Tagging Extension enabled if we pass an N that is
bigger then the source buffer, it would previously trigger an MTE fault.

Implement a KASAN KUnit test that triggers the issue with the previous
implementation of read_word_at_a_time() on aarch64 with MTE enabled.

Cc: Will Deacon <w...@kernel.org>
Signed-off-by: Vincenzo Frascino <vincenzo.frasc...@arm.com>
Signed-off-by: Catalin Marinas <catalin.mari...@arm.com>
Co-developed-by: Peter Collingbourne <p...@google.com>
Signed-off-by: Peter Collingbourne <p...@google.com>
Reviewed-by: Andrey Konovalov <andreyk...@gmail.com>
Link: 
https://linux-review.googlesource.com/id/If88e396b9e7c058c1a4b5a252274120e77b1898a
---
v5:
- add test for unreadable first byte of strscpy() source

v4:
- clarify commit message
- improve comment

v3:
- simplify test case

v2:
- rebased
- fixed test failure

 mm/kasan/kasan_test_c.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
index 59d673400085f..e8d33af634b03 100644
--- a/mm/kasan/kasan_test_c.c
+++ b/mm/kasan/kasan_test_c.c
@@ -1570,6 +1570,7 @@ static void kasan_memcmp(struct kunit *test)
 static void kasan_strings(struct kunit *test)
 {
        char *ptr;
+       char *src;
        size_t size = 24;
 
        /*
@@ -1581,6 +1582,25 @@ static void kasan_strings(struct kunit *test)
        ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
        KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
 
+       src = kmalloc(KASAN_GRANULE_SIZE, GFP_KERNEL | __GFP_ZERO);
+       strscpy(src, "f0cacc1a0000000", KASAN_GRANULE_SIZE);
+
+       /*
+        * Make sure that strscpy() does not trigger KASAN if it overreads into
+        * poisoned memory.
+        *
+        * The expected size does not include the terminator '\0'
+        * so it is (KASAN_GRANULE_SIZE - 2) ==
+        * KASAN_GRANULE_SIZE - ("initial removed character" + "\0").
+        */
+       KUNIT_EXPECT_EQ(test, KASAN_GRANULE_SIZE - 2,
+                       strscpy(ptr, src + 1, KASAN_GRANULE_SIZE));
+
+       /* strscpy should fail if the first byte is unreadable. */
+       KUNIT_EXPECT_KASAN_FAIL(test, strscpy(ptr, src + KASAN_GRANULE_SIZE,
+                                             KASAN_GRANULE_SIZE));
+
+       kfree(src);
        kfree(ptr);
 
        /*
-- 
2.49.0.472.ge94155a9ec-goog

Reply via email to