testing: refactor kasan test
Signed-off-by: yinshengkai <yinshengkai@xiaomi.com>
This commit is contained in:
parent
7cd9919a46
commit
85ad50c39e
@ -22,154 +22,252 @@
|
|||||||
* Included Files
|
* Included Files
|
||||||
****************************************************************************/
|
****************************************************************************/
|
||||||
|
|
||||||
#include <nuttx/config.h>
|
#include <assert.h>
|
||||||
|
#include <malloc.h>
|
||||||
|
#include <pthread.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
|
||||||
|
#include <sys/param.h>
|
||||||
|
#include <sys/wait.h>
|
||||||
|
|
||||||
|
#include <nuttx/fs/procfs.h>
|
||||||
|
#include <nuttx/mm/mm.h>
|
||||||
#include <nuttx/mm/kasan.h>
|
#include <nuttx/mm/kasan.h>
|
||||||
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <syslog.h>
|
|
||||||
#include <pthread.h>
|
|
||||||
|
|
||||||
/****************************************************************************
|
/****************************************************************************
|
||||||
* Pre-processor Definitions
|
* Private Types Prototypes
|
||||||
****************************************************************************/
|
****************************************************************************/
|
||||||
|
|
||||||
#define KASAN_TEST_MEM_SIZE 128
|
typedef struct testcase_s
|
||||||
|
{
|
||||||
|
bool (*func)(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
FAR const char *name;
|
||||||
|
} testcase_t;
|
||||||
|
|
||||||
|
typedef struct run_s
|
||||||
|
{
|
||||||
|
char argv[16];
|
||||||
|
FAR const testcase_t *testcase;
|
||||||
|
FAR struct mm_heap_s *heap;
|
||||||
|
size_t size;
|
||||||
|
} run_t;
|
||||||
|
|
||||||
|
/****************************************************************************
|
||||||
|
* Private Function Prototypes
|
||||||
|
****************************************************************************/
|
||||||
|
|
||||||
|
static bool test_heap_underflow(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_overflow(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_use_after_free(FAR struct mm_heap_s *heap,
|
||||||
|
size_t size);
|
||||||
|
static bool test_heap_invalid_free(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_double_free(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_poison(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_unpoison(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_memset(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_memcpy(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
static bool test_heap_memmove(FAR struct mm_heap_s *heap, size_t size);
|
||||||
|
|
||||||
/****************************************************************************
|
/****************************************************************************
|
||||||
* Private Data
|
* Private Data
|
||||||
****************************************************************************/
|
****************************************************************************/
|
||||||
|
|
||||||
static char g_kasan_test_buffer[KASAN_TEST_MEM_SIZE];
|
const static testcase_t g_kasan_test[] =
|
||||||
|
{
|
||||||
|
{test_heap_underflow, "heap underflow"},
|
||||||
|
{test_heap_overflow, "heap overflow"},
|
||||||
|
{test_heap_use_after_free, "heap use after free"},
|
||||||
|
{test_heap_invalid_free, "heap inval free"},
|
||||||
|
{test_heap_double_free, "test heap double free"},
|
||||||
|
{test_heap_poison, "heap poison"},
|
||||||
|
{test_heap_unpoison, "heap unpoison"},
|
||||||
|
{test_heap_memset, "heap memset"},
|
||||||
|
{test_heap_memcpy, "heap memcpy"},
|
||||||
|
{test_heap_memmove, "heap memmove"}
|
||||||
|
};
|
||||||
|
|
||||||
/****************************************************************************
|
/****************************************************************************
|
||||||
* Private Functions
|
* Private Functions
|
||||||
****************************************************************************/
|
****************************************************************************/
|
||||||
|
|
||||||
static void kasan_test(char *p, size_t size)
|
static bool test_heap_underflow(FAR struct mm_heap_s *heap, size_t size)
|
||||||
{
|
{
|
||||||
size_t i;
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
*(mem - 1) = 0x12;
|
||||||
for (i = 0; i < size + 64; i++)
|
return false;
|
||||||
{
|
|
||||||
syslog(LOG_SYSLOG,
|
|
||||||
"Access Buffer[%zu] : %zu address: %p", size, i, &p[i]);
|
|
||||||
p[i]++;
|
|
||||||
syslog(LOG_SYSLOG, "read: %02x -- Successful\n", p[i]);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void kasan_test_use_after_free(void)
|
static bool test_heap_overflow(FAR struct mm_heap_s *heap, size_t size)
|
||||||
{
|
{
|
||||||
char *ptr = malloc(KASAN_TEST_MEM_SIZE);
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
size = mm_malloc_size(heap, mem);
|
||||||
|
|
||||||
if (ptr == NULL)
|
mem[size + 1] = 0x11;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_use_after_free(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
|
||||||
|
mm_free(heap, mem);
|
||||||
|
mem[0] = 0x10;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_invalid_free(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
int x;
|
||||||
|
mm_free(heap, &x);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_double_free(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
|
||||||
|
mm_free(heap, mem);
|
||||||
|
mm_free(heap, mem);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_poison(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
size = mm_malloc_size(heap, mem);
|
||||||
|
|
||||||
|
kasan_poison(mem, size);
|
||||||
|
mem[0] = 0x10;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_unpoison(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
size_t memsize = mm_malloc_size(heap, mem);
|
||||||
|
|
||||||
|
kasan_poison(mem, memsize);
|
||||||
|
kasan_unpoison(mem, memsize);
|
||||||
|
mem[0] = 0x10;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_memset(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *mem = mm_malloc(heap, size);
|
||||||
|
size = mm_malloc_size(heap, mem);
|
||||||
|
|
||||||
|
memset(mem, 0x11, size + 1);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_memcpy(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *src;
|
||||||
|
FAR uint8_t *dst;
|
||||||
|
|
||||||
|
size = size / 2;
|
||||||
|
src = mm_malloc(heap, size);
|
||||||
|
size = mm_malloc_size(heap, src);
|
||||||
|
dst = mm_malloc(heap, size);
|
||||||
|
|
||||||
|
memcpy(dst, src, size);
|
||||||
|
memcpy(dst, src, size + 4);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool test_heap_memmove(FAR struct mm_heap_s *heap, size_t size)
|
||||||
|
{
|
||||||
|
FAR uint8_t *src;
|
||||||
|
FAR uint8_t *dst;
|
||||||
|
|
||||||
|
size = size / 2;
|
||||||
|
src = mm_malloc(heap, size);
|
||||||
|
size = mm_malloc_size(heap, src);
|
||||||
|
dst = mm_malloc(heap, size);
|
||||||
|
|
||||||
|
memmove(dst, src, size);
|
||||||
|
memmove(dst, src, size + 4);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int run_testcase(int argc, FAR char *argv[])
|
||||||
|
{
|
||||||
|
FAR run_t *run = (FAR run_t *)(uintptr_t)strtoul(argv[1], NULL, 0);
|
||||||
|
return run->testcase->func(run->heap, run->size);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int run_test(FAR const testcase_t *test)
|
||||||
|
{
|
||||||
|
size_t heap_size = 65536;
|
||||||
|
FAR char *argv[3];
|
||||||
|
FAR run_t *run;
|
||||||
|
int status;
|
||||||
|
pid_t pid;
|
||||||
|
|
||||||
|
/* There is a memory leak here because we cannot guarantee that
|
||||||
|
* it can be released correctly.
|
||||||
|
*/
|
||||||
|
|
||||||
|
run = malloc(sizeof(run_t) + heap_size);
|
||||||
|
if (!run)
|
||||||
{
|
{
|
||||||
syslog(LOG_SYSLOG, "Failed to allocate memory\n");
|
return ERROR;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
syslog(LOG_SYSLOG, "KASan test use after free\n");
|
snprintf(run->argv, sizeof(run->argv), "%p", run);
|
||||||
strcpy(ptr, "kasan test use after free");
|
run->testcase = test;
|
||||||
free(ptr);
|
run->size = rand() % (heap_size / 2) + 1;
|
||||||
printf("%s\n", ptr);
|
run->heap = mm_initialize("kasan", &run[1], heap_size);
|
||||||
}
|
if (!run->heap)
|
||||||
|
|
||||||
static void kasan_test_heap_memory_out_of_bounds(char *str)
|
|
||||||
{
|
|
||||||
char *endptr;
|
|
||||||
size_t size;
|
|
||||||
char *ptr;
|
|
||||||
|
|
||||||
size = strtoul(str, &endptr, 0);
|
|
||||||
if (*endptr != '\0')
|
|
||||||
{
|
{
|
||||||
printf("Conversion failed: Not a valid integer.\n");
|
free(run);
|
||||||
return;
|
return ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
ptr = zalloc(size);
|
argv[0] = "kasantest";
|
||||||
if (ptr == NULL)
|
argv[1] = run->argv;
|
||||||
|
argv[2] = NULL;
|
||||||
|
|
||||||
|
posix_spawn(&pid, "kasantest", NULL, NULL, argv, NULL);
|
||||||
|
waitpid(pid, &status, 0);
|
||||||
|
if (status == 0)
|
||||||
{
|
{
|
||||||
syslog(LOG_SYSLOG, "Failed to allocate memory\n");
|
printf("KASan test: %s, size: %d FAIL\n", test->name, run->size);
|
||||||
return;
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
printf("KASan test: %s, size: %d PASS\n", test->name, run->size);
|
||||||
}
|
}
|
||||||
|
|
||||||
syslog(LOG_SYSLOG,
|
return 0;
|
||||||
"KASan test accessing heap memory out of bounds completed\n");
|
|
||||||
kasan_test(ptr, size);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void kasan_test_global_variable_out_of_bounds(void)
|
|
||||||
{
|
|
||||||
syslog(LOG_SYSLOG,
|
|
||||||
"KASan test accessing global variable out of bounds\n");
|
|
||||||
kasan_test(g_kasan_test_buffer, KASAN_TEST_MEM_SIZE);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void *mm_stampede_thread(void *arg)
|
|
||||||
{
|
|
||||||
char *p = (char *)arg;
|
|
||||||
|
|
||||||
syslog(LOG_SYSLOG, "Child thread is running");
|
|
||||||
kasan_test(p, KASAN_TEST_MEM_SIZE);
|
|
||||||
pthread_exit(NULL);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void kasan_test_memory_stampede(void)
|
|
||||||
{
|
|
||||||
pthread_t thread;
|
|
||||||
char array[KASAN_TEST_MEM_SIZE];
|
|
||||||
|
|
||||||
syslog(LOG_SYSLOG, "KASan test accessing memory stampede\n");
|
|
||||||
pthread_create(&thread, NULL, mm_stampede_thread, kasan_reset_tag(&array));
|
|
||||||
pthread_join(thread, NULL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/****************************************************************************
|
/****************************************************************************
|
||||||
* Public Functions
|
* Public Functions
|
||||||
****************************************************************************/
|
****************************************************************************/
|
||||||
|
|
||||||
/****************************************************************************
|
int main(int argc, FAR char *argv[])
|
||||||
* Name: kasantest_main
|
|
||||||
****************************************************************************/
|
|
||||||
|
|
||||||
int main(int argc, char *argv[])
|
|
||||||
{
|
{
|
||||||
/* NutttX cannot check the secondary release
|
|
||||||
* because the mm module has closed kasan instrumentation
|
|
||||||
*/
|
|
||||||
|
|
||||||
if (argc < 2)
|
if (argc < 2)
|
||||||
{
|
{
|
||||||
printf("Usage: %s <test_option>\n", argv[0]);
|
size_t j;
|
||||||
printf("Available test options:\n");
|
for (j = 0; j < nitems(g_kasan_test); j++)
|
||||||
printf(" -u : Test use after free\n");
|
{
|
||||||
printf(" -h <arg> : Test heap memory out of bounds (provide size)\n");
|
if (run_test(&g_kasan_test[j]) < 0)
|
||||||
printf(" -g : Test global variable out of bounds\n");
|
{
|
||||||
printf(" -s : Test memory stampede\n");
|
return EXIT_FAILURE;
|
||||||
return 0;
|
}
|
||||||
}
|
}
|
||||||
else if (strncmp(argv[1], "-u", 2) == 0)
|
|
||||||
{
|
|
||||||
kasan_test_use_after_free();
|
|
||||||
}
|
|
||||||
else if (strncmp(argv[1], "-h", 2) == 0 && argc == 3)
|
|
||||||
{
|
|
||||||
kasan_test_heap_memory_out_of_bounds(argv[2]);
|
|
||||||
}
|
|
||||||
else if (strncmp(argv[1], "-g", 2) == 0)
|
|
||||||
{
|
|
||||||
kasan_test_global_variable_out_of_bounds();
|
|
||||||
}
|
|
||||||
else if (strncmp(argv[1], "-s", 2) == 0)
|
|
||||||
{
|
|
||||||
kasan_test_memory_stampede();
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
printf("Unknown test option: %s\n", argv[1]);
|
return run_testcase(argc, argv);
|
||||||
}
|
}
|
||||||
|
|
||||||
syslog(LOG_SYSLOG, "KASan test failed, please check\n");
|
return EXIT_SUCCESS;
|
||||||
return 0;
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user