[PATCH] ipe: Fix out-of-bound access of kunit_suite_num_test_cases()

Jinjie Ruan ruanjinjie at huawei.com
Mon Sep 23 11:52:52 UTC 2024


Currently, there is no terminator entry for ipe_parser_test_cases,
hence facing below KASAN warning,

	BUG: KASAN: global-out-of-bounds in kunit_suite_num_test_cases+0xb4/0xcc
	Read of size 8 at addr ffffffe21035fec0 by task swapper/0/1

	CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G                 N 6.11.0+ #327
	Tainted: [N]=TEST
	Hardware name: linux,dummy-virt (DT)
	Call trace:
	 dump_backtrace+0x94/0xec
	 show_stack+0x18/0x24
	 dump_stack_lvl+0x90/0xd0
	 print_report+0x1f4/0x5b4
	 kasan_report+0xc8/0x110
	 __asan_report_load8_noabort+0x20/0x2c
	 kunit_suite_num_test_cases+0xb4/0xcc
	 attr_module_get+0x54/0xc0
	 kunit_print_attr+0x234/0x358
	 kunit_run_tests+0x138/0xbf4
	 __kunit_test_suites_init+0x110/0x1d0
	 kunit_run_all_tests+0x358/0x394
	 kernel_init_freeable+0x488/0x61c
	 kernel_init+0x24/0x1e4
	 ret_from_fork+0x10/0x20

	The buggy address belongs to the variable:
	 ipe_parser_test_cases+0x60/0x1ba0

	The buggy address belongs to the virtual mapping at
	 [ffffffe20ffe0000, ffffffe2120c1000) created by:
	 paging_init+0x474/0x60c

	The buggy address belongs to the physical page:
	page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4535f
	flags: 0x3fffe0000002000(reserved|node=0|zone=0|lastcpupid=0x1ffff)
	raw: 03fffe0000002000 fffffffec014d7c8 fffffffec014d7c8 0000000000000000
	raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
	page dumped because: kasan: bad access detected

	Memory state around the buggy address:
	 ffffffe21035fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	 ffffffe21035fe00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
	>ffffffe21035fe80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
	                                           ^
	 ffffffe21035ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	 ffffffe21035ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
	==================================================================

Add a dummy terminator entry at the end to assist
kunit_suite_num_test_cases() in traversing up to the terminator entry
without accessing an out-of-boundary index.

Fixes: 10ca05a76065 ("ipe: kunit test for parser")
Signed-off-by: Jinjie Ruan <ruanjinjie at huawei.com>
---
 security/ipe/policy_tests.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c
index 89521f6b9994..0725fe36f8bb 100644
--- a/security/ipe/policy_tests.c
+++ b/security/ipe/policy_tests.c
@@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test)
 static struct kunit_case ipe_parser_test_cases[] = {
 	KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
 	KUNIT_CASE(ipe_parser_widestring_test),
+	{}
 };
 
 static struct kunit_suite ipe_parser_test_suite = {
-- 
2.34.1




More information about the Linux-security-module-archive mailing list