[PATCH] kunit/fortify: Fix replaced failure path to unbreak __alloc_size

Kees Cook Wed, 01 May 2024 16:30:07 -0700

The __alloc_size annotation for kmemdup() was getting disabled under
KUnit testing because the replaced fortify_panic macro implementation
was using "return NULL" as a way to survive the sanity checking. But
having the chance to return NULL invalidated __alloc_size, so kmemdup
was not passing the __builtin_dynamic_object_size() tests any more:


[23:26:18] [PASSED] fortify_test_alloc_size_kmalloc_const
[23:26:19]     # fortify_test_alloc_size_kmalloc_dynamic: EXPECTATION FAILED at 
lib/fortify_kunit.c:265
[23:26:19]     Expected __builtin_dynamic_object_size(p, 1) == expected, but
[23:26:19]         __builtin_dynamic_object_size(p, 1) == -1 
(0xffffffffffffffff)
[23:26:19]         expected == 11 (0xb)
[23:26:19] __alloc_size() not working with __bdos on kmemdup("hello there", 
len, gfp)
[23:26:19] [FAILED] fortify_test_alloc_size_kmalloc_dynamic

Normal builds were not affected: __alloc_size continued to work there.

Use a zero-sized allocation instead, which allows __alloc_size to
behave.

Fixes: 4ce615e798a7 ("fortify: Provide KUnit counters for failure testing")
Fixes: fa4a3f86d498 ("fortify: Add KUnit tests for runtime overflows")
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Cc: linux-hardening@vger.kernel.org
---
 include/linux/fortify-string.h | 3 ++-
 lib/fortify_kunit.c            | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
index a0bb13825109..85fc0e6f0f7f 100644
--- a/include/linux/fortify-string.h
+++ b/include/linux/fortify-string.h
@@ -738,7 +738,8 @@ __FORTIFY_INLINE void *kmemdup(const void * const POS0 p, 
size_t size, gfp_t gfp
        if (__compiletime_lessthan(p_size, size))
                __read_overflow();
        if (p_size < size)
-               fortify_panic(FORTIFY_FUNC_kmemdup, FORTIFY_READ, p_size, size, 
NULL);
+               fortify_panic(FORTIFY_FUNC_kmemdup, FORTIFY_READ, p_size, size,
+                             __real_kmemdup(p, 0, gfp));
        return __real_kmemdup(p, size, gfp);
 }
 
diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c
index ef3e4c68b759..306522fd0aa2 100644
--- a/lib/fortify_kunit.c
+++ b/lib/fortify_kunit.c
@@ -1002,19 +1002,19 @@ static void fortify_test_kmemdup(struct kunit *test)
 
        /* Out of bounds by 1 byte. */
        copy = kmemdup(src, len + 1, GFP_KERNEL);
-       KUNIT_EXPECT_NULL(test, copy);
+       KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
        KUNIT_EXPECT_EQ(test, fortify_read_overflows, 1);
        kfree(copy);
 
        /* Way out of bounds. */
        copy = kmemdup(src, len * 2, GFP_KERNEL);
-       KUNIT_EXPECT_NULL(test, copy);
+       KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
        KUNIT_EXPECT_EQ(test, fortify_read_overflows, 2);
        kfree(copy);
 
        /* Starting offset causing out of bounds. */
        copy = kmemdup(src + 1, len, GFP_KERNEL);
-       KUNIT_EXPECT_NULL(test, copy);
+       KUNIT_EXPECT_PTR_EQ(test, copy, ZERO_SIZE_PTR);
        KUNIT_EXPECT_EQ(test, fortify_read_overflows, 3);
        kfree(copy);
 }
-- 
2.34.1

[PATCH] kunit/fortify: Fix replaced failure path to unbreak __alloc_size

Reply via email to