[PATCH] ipe: Fix out-of-bound access of kunit_suite_num_test_cases()
Jinjie Ruan
ruanjinjie at huawei.com
Mon Sep 23 11:52:52 UTC 2024
Currently, there is no terminator entry for ipe_parser_test_cases,
hence facing below KASAN warning,
BUG: KASAN: global-out-of-bounds in kunit_suite_num_test_cases+0xb4/0xcc
Read of size 8 at addr ffffffe21035fec0 by task swapper/0/1
CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G N 6.11.0+ #327
Tainted: [N]=TEST
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x90/0xd0
print_report+0x1f4/0x5b4
kasan_report+0xc8/0x110
__asan_report_load8_noabort+0x20/0x2c
kunit_suite_num_test_cases+0xb4/0xcc
attr_module_get+0x54/0xc0
kunit_print_attr+0x234/0x358
kunit_run_tests+0x138/0xbf4
__kunit_test_suites_init+0x110/0x1d0
kunit_run_all_tests+0x358/0x394
kernel_init_freeable+0x488/0x61c
kernel_init+0x24/0x1e4
ret_from_fork+0x10/0x20
The buggy address belongs to the variable:
ipe_parser_test_cases+0x60/0x1ba0
The buggy address belongs to the virtual mapping at
[ffffffe20ffe0000, ffffffe2120c1000) created by:
paging_init+0x474/0x60c
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4535f
flags: 0x3fffe0000002000(reserved|node=0|zone=0|lastcpupid=0x1ffff)
raw: 03fffe0000002000 fffffffec014d7c8 fffffffec014d7c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffffffe21035fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffe21035fe00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
>ffffffe21035fe80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
^
ffffffe21035ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffe21035ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Add a dummy terminator entry at the end to assist
kunit_suite_num_test_cases() in traversing up to the terminator entry
without accessing an out-of-boundary index.
Fixes: 10ca05a76065 ("ipe: kunit test for parser")
Signed-off-by: Jinjie Ruan <ruanjinjie at huawei.com>
---
security/ipe/policy_tests.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c
index 89521f6b9994..0725fe36f8bb 100644
--- a/security/ipe/policy_tests.c
+++ b/security/ipe/policy_tests.c
@@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test)
static struct kunit_case ipe_parser_test_cases[] = {
KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
KUNIT_CASE(ipe_parser_widestring_test),
+ {}
};
static struct kunit_suite ipe_parser_test_suite = {
--
2.34.1
More information about the Linux-security-module-archive
mailing list