[PATCH] ipe: Fix out-of-bound access of kunit_suite_num_test_cases()
Paul Moore
paul at paul-moore.com
Mon Sep 23 11:49:24 UTC 2024
On Mon, Sep 23, 2024 at 7:42 AM Jinjie Ruan <ruanjinjie at huawei.com> wrote:
>
> Currently, there is no terminator entry for ipe_parser_test_cases,
> hence facing below KASAN warning,
>
> BUG: KASAN: global-out-of-bounds in kunit_suite_num_test_cases+0xb4/0xcc
> Read of size 8 at addr ffffffe21035fec0 by task swapper/0/1
>
> CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Tainted: G N 6.11.0+ #327
> Tainted: [N]=TEST
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> dump_backtrace+0x94/0xec
> show_stack+0x18/0x24
> dump_stack_lvl+0x90/0xd0
> print_report+0x1f4/0x5b4
> kasan_report+0xc8/0x110
> __asan_report_load8_noabort+0x20/0x2c
> kunit_suite_num_test_cases+0xb4/0xcc
> attr_module_get+0x54/0xc0
> kunit_print_attr+0x234/0x358
> kunit_run_tests+0x138/0xbf4
> __kunit_test_suites_init+0x110/0x1d0
> kunit_run_all_tests+0x358/0x394
> kernel_init_freeable+0x488/0x61c
> kernel_init+0x24/0x1e4
> ret_from_fork+0x10/0x20
>
> The buggy address belongs to the variable:
> ipe_parser_test_cases+0x60/0x1ba0
>
> The buggy address belongs to the virtual mapping at
> [ffffffe20ffe0000, ffffffe2120c1000) created by:
> paging_init+0x474/0x60c
>
> The buggy address belongs to the physical page:
> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4535f
> flags: 0x3fffe0000002000(reserved|node=0|zone=0|lastcpupid=0x1ffff)
> raw: 03fffe0000002000 fffffffec014d7c8 fffffffec014d7c8 0000000000000000
> raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffffffe21035fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffe21035fe00: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
> >ffffffe21035fe80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
> ^
> ffffffe21035ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffffffe21035ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ==================================================================
>
> Add a dummy terminator entry at the end to assist
> kunit_suite_num_test_cases() in traversing up to the terminator entry
> without accessing an out-of-boundary index.
>
> Fixes: 10ca05a76065 ("ipe: kunit test for parser")
> Signed-off-by: Jinjie Ruan <ruanjinjie at huawei.com>
> ---
> security/ipe/policy_tests.c | 1 +
> 1 file changed, 1 insertion(+)
Thanks, I just saw this reported last night with the same patch/fix,
lore link below. I'm giving it a few hours for Fan to come online and
ACK the patch, but if I don't hear from Fan by this afternoon I'll
merge it and send it up to Linus.
https://lore.kernel.org/linux-security-module/20240922145226.491815-1-linux@roeck-us.net/
> diff --git a/security/ipe/policy_tests.c b/security/ipe/policy_tests.c
> index 89521f6b9994..0725fe36f8bb 100644
> --- a/security/ipe/policy_tests.c
> +++ b/security/ipe/policy_tests.c
> @@ -286,6 +286,7 @@ static void ipe_parser_widestring_test(struct kunit *test)
> static struct kunit_case ipe_parser_test_cases[] = {
> KUNIT_CASE_PARAM(ipe_parser_unsigned_test, ipe_policies_gen_params),
> KUNIT_CASE(ipe_parser_widestring_test),
> + {}
> };
>
> static struct kunit_suite ipe_parser_test_suite = {
> --
> 2.34.1
--
paul-moore.com
More information about the Linux-security-module-archive
mailing list