testing: refactor kasan test

Signed-off-by: yinshengkai <yinshengkai@xiaomi.com>
This commit is contained in:
yinshengkai 2024-04-22 18:44:20 +08:00 committed by Xiang Xiao
parent 7cd9919a46
commit 85ad50c39e

View File

@ -22,154 +22,252 @@
* Included Files * Included Files
****************************************************************************/ ****************************************************************************/
#include <nuttx/config.h> #include <assert.h>
#include <malloc.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <syslog.h>
#include <sys/param.h>
#include <sys/wait.h>
#include <nuttx/fs/procfs.h>
#include <nuttx/mm/mm.h>
#include <nuttx/mm/kasan.h> #include <nuttx/mm/kasan.h>
#include <stdio.h>
#include <syslog.h>
#include <pthread.h>
/**************************************************************************** /****************************************************************************
* Pre-processor Definitions * Private Types Prototypes
****************************************************************************/ ****************************************************************************/
#define KASAN_TEST_MEM_SIZE 128 typedef struct testcase_s
{
bool (*func)(FAR struct mm_heap_s *heap, size_t size);
FAR const char *name;
} testcase_t;
typedef struct run_s
{
char argv[16];
FAR const testcase_t *testcase;
FAR struct mm_heap_s *heap;
size_t size;
} run_t;
/****************************************************************************
* Private Function Prototypes
****************************************************************************/
static bool test_heap_underflow(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_overflow(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_use_after_free(FAR struct mm_heap_s *heap,
size_t size);
static bool test_heap_invalid_free(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_double_free(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_poison(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_unpoison(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_memset(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_memcpy(FAR struct mm_heap_s *heap, size_t size);
static bool test_heap_memmove(FAR struct mm_heap_s *heap, size_t size);
/**************************************************************************** /****************************************************************************
* Private Data * Private Data
****************************************************************************/ ****************************************************************************/
static char g_kasan_test_buffer[KASAN_TEST_MEM_SIZE]; const static testcase_t g_kasan_test[] =
{
{test_heap_underflow, "heap underflow"},
{test_heap_overflow, "heap overflow"},
{test_heap_use_after_free, "heap use after free"},
{test_heap_invalid_free, "heap inval free"},
{test_heap_double_free, "test heap double free"},
{test_heap_poison, "heap poison"},
{test_heap_unpoison, "heap unpoison"},
{test_heap_memset, "heap memset"},
{test_heap_memcpy, "heap memcpy"},
{test_heap_memmove, "heap memmove"}
};
/**************************************************************************** /****************************************************************************
* Private Functions * Private Functions
****************************************************************************/ ****************************************************************************/
static void kasan_test(char *p, size_t size) static bool test_heap_underflow(FAR struct mm_heap_s *heap, size_t size)
{ {
size_t i; FAR uint8_t *mem = mm_malloc(heap, size);
*(mem - 1) = 0x12;
for (i = 0; i < size + 64; i++) return false;
{
syslog(LOG_SYSLOG,
"Access Buffer[%zu] : %zu address: %p", size, i, &p[i]);
p[i]++;
syslog(LOG_SYSLOG, "read: %02x -- Successful\n", p[i]);
}
} }
static void kasan_test_use_after_free(void) static bool test_heap_overflow(FAR struct mm_heap_s *heap, size_t size)
{ {
char *ptr = malloc(KASAN_TEST_MEM_SIZE); FAR uint8_t *mem = mm_malloc(heap, size);
size = mm_malloc_size(heap, mem);
if (ptr == NULL) mem[size + 1] = 0x11;
return false;
}
static bool test_heap_use_after_free(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *mem = mm_malloc(heap, size);
mm_free(heap, mem);
mem[0] = 0x10;
return 0;
}
static bool test_heap_invalid_free(FAR struct mm_heap_s *heap, size_t size)
{
int x;
mm_free(heap, &x);
return false;
}
static bool test_heap_double_free(FAR struct mm_heap_s *heap, size_t size)
{
uint8_t *mem = mm_malloc(heap, size);
mm_free(heap, mem);
mm_free(heap, mem);
return false;
}
static bool test_heap_poison(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *mem = mm_malloc(heap, size);
size = mm_malloc_size(heap, mem);
kasan_poison(mem, size);
mem[0] = 0x10;
return false;
}
static bool test_heap_unpoison(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *mem = mm_malloc(heap, size);
size_t memsize = mm_malloc_size(heap, mem);
kasan_poison(mem, memsize);
kasan_unpoison(mem, memsize);
mem[0] = 0x10;
return true;
}
static bool test_heap_memset(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *mem = mm_malloc(heap, size);
size = mm_malloc_size(heap, mem);
memset(mem, 0x11, size + 1);
return false;
}
static bool test_heap_memcpy(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *src;
FAR uint8_t *dst;
size = size / 2;
src = mm_malloc(heap, size);
size = mm_malloc_size(heap, src);
dst = mm_malloc(heap, size);
memcpy(dst, src, size);
memcpy(dst, src, size + 4);
return false;
}
static bool test_heap_memmove(FAR struct mm_heap_s *heap, size_t size)
{
FAR uint8_t *src;
FAR uint8_t *dst;
size = size / 2;
src = mm_malloc(heap, size);
size = mm_malloc_size(heap, src);
dst = mm_malloc(heap, size);
memmove(dst, src, size);
memmove(dst, src, size + 4);
return false;
}
static int run_testcase(int argc, FAR char *argv[])
{
FAR run_t *run = (FAR run_t *)(uintptr_t)strtoul(argv[1], NULL, 0);
return run->testcase->func(run->heap, run->size);
}
static int run_test(FAR const testcase_t *test)
{
size_t heap_size = 65536;
FAR char *argv[3];
FAR run_t *run;
int status;
pid_t pid;
/* There is a memory leak here because we cannot guarantee that
* it can be released correctly.
*/
run = malloc(sizeof(run_t) + heap_size);
if (!run)
{ {
syslog(LOG_SYSLOG, "Failed to allocate memory\n"); return ERROR;
return;
} }
syslog(LOG_SYSLOG, "KASan test use after free\n"); snprintf(run->argv, sizeof(run->argv), "%p", run);
strcpy(ptr, "kasan test use after free"); run->testcase = test;
free(ptr); run->size = rand() % (heap_size / 2) + 1;
printf("%s\n", ptr); run->heap = mm_initialize("kasan", &run[1], heap_size);
} if (!run->heap)
static void kasan_test_heap_memory_out_of_bounds(char *str)
{
char *endptr;
size_t size;
char *ptr;
size = strtoul(str, &endptr, 0);
if (*endptr != '\0')
{ {
printf("Conversion failed: Not a valid integer.\n"); free(run);
return; return ERROR;
} }
ptr = zalloc(size); argv[0] = "kasantest";
if (ptr == NULL) argv[1] = run->argv;
argv[2] = NULL;
posix_spawn(&pid, "kasantest", NULL, NULL, argv, NULL);
waitpid(pid, &status, 0);
if (status == 0)
{ {
syslog(LOG_SYSLOG, "Failed to allocate memory\n"); printf("KASan test: %s, size: %d FAIL\n", test->name, run->size);
return; }
else
{
printf("KASan test: %s, size: %d PASS\n", test->name, run->size);
} }
syslog(LOG_SYSLOG, return 0;
"KASan test accessing heap memory out of bounds completed\n");
kasan_test(ptr, size);
}
static void kasan_test_global_variable_out_of_bounds(void)
{
syslog(LOG_SYSLOG,
"KASan test accessing global variable out of bounds\n");
kasan_test(g_kasan_test_buffer, KASAN_TEST_MEM_SIZE);
}
static void *mm_stampede_thread(void *arg)
{
char *p = (char *)arg;
syslog(LOG_SYSLOG, "Child thread is running");
kasan_test(p, KASAN_TEST_MEM_SIZE);
pthread_exit(NULL);
}
static void kasan_test_memory_stampede(void)
{
pthread_t thread;
char array[KASAN_TEST_MEM_SIZE];
syslog(LOG_SYSLOG, "KASan test accessing memory stampede\n");
pthread_create(&thread, NULL, mm_stampede_thread, kasan_reset_tag(&array));
pthread_join(thread, NULL);
} }
/**************************************************************************** /****************************************************************************
* Public Functions * Public Functions
****************************************************************************/ ****************************************************************************/
/**************************************************************************** int main(int argc, FAR char *argv[])
* Name: kasantest_main
****************************************************************************/
int main(int argc, char *argv[])
{ {
/* NutttX cannot check the secondary release
* because the mm module has closed kasan instrumentation
*/
if (argc < 2) if (argc < 2)
{ {
printf("Usage: %s <test_option>\n", argv[0]); size_t j;
printf("Available test options:\n"); for (j = 0; j < nitems(g_kasan_test); j++)
printf(" -u : Test use after free\n"); {
printf(" -h <arg> : Test heap memory out of bounds (provide size)\n"); if (run_test(&g_kasan_test[j]) < 0)
printf(" -g : Test global variable out of bounds\n"); {
printf(" -s : Test memory stampede\n"); return EXIT_FAILURE;
return 0; }
} }
else if (strncmp(argv[1], "-u", 2) == 0)
{
kasan_test_use_after_free();
}
else if (strncmp(argv[1], "-h", 2) == 0 && argc == 3)
{
kasan_test_heap_memory_out_of_bounds(argv[2]);
}
else if (strncmp(argv[1], "-g", 2) == 0)
{
kasan_test_global_variable_out_of_bounds();
}
else if (strncmp(argv[1], "-s", 2) == 0)
{
kasan_test_memory_stampede();
} }
else else
{ {
printf("Unknown test option: %s\n", argv[1]); return run_testcase(argc, argv);
} }
syslog(LOG_SYSLOG, "KASan test failed, please check\n"); return EXIT_SUCCESS;
return 0;
} }