kasan: Add strscpy() test to trigger tag fault on arm64

When we invoke strscpy() with a maximum size of N bytes, it assumes
that:
- It can always read N bytes from the source.
- It always write N bytes (zero-padded) to the destination.

On aarch64 with Memory Tagging Extension enabled if we pass an N that is
bigger then the source buffer, it would previously trigger an MTE fault.

Implement a KASAN KUnit test that triggers the issue with the previous
implementation of read_word_at_a_time() on aarch64 with MTE enabled.

Cc: Will Deacon <will@kernel.org>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Co-developed-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Peter Collingbourne <pcc@google.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://linux-review.googlesource.com/id/If88e396b9e7c058c1a4b5a252274120e77b1898a
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20250403000703.2584581-3-pcc@google.com
Signed-off-by: Kees Cook <kees@kernel.org>

diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
index 3ea317837c2d3724ecec3ca44f93aa327e753317..888912637b540961642f072008a6acf95a4b41dc 100644 (file)
--- a/mm/kasan/kasan_test_c.c
+++ b/mm/kasan/kasan_test_c.c
@@ -1567,6 +1567,7 @@ static void kasan_memcmp(struct kunit *test)
 static void kasan_strings(struct kunit *test)
 {
        char *ptr;
+       char *src;
        size_t size = 24;
 
        /*
@@ -1578,6 +1579,25 @@ static void kasan_strings(struct kunit *test)
        ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
        KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
 
+       src = kmalloc(KASAN_GRANULE_SIZE, GFP_KERNEL | __GFP_ZERO);
+       strscpy(src, "f0cacc1a0000000", KASAN_GRANULE_SIZE);
+
+       /*
+        * Make sure that strscpy() does not trigger KASAN if it overreads into
+        * poisoned memory.
+        *
+        * The expected size does not include the terminator '\0'
+        * so it is (KASAN_GRANULE_SIZE - 2) ==
+        * KASAN_GRANULE_SIZE - ("initial removed character" + "\0").
+        */
+       KUNIT_EXPECT_EQ(test, KASAN_GRANULE_SIZE - 2,
+                       strscpy(ptr, src + 1, KASAN_GRANULE_SIZE));
+
+       /* strscpy should fail if the first byte is unreadable. */
+       KUNIT_EXPECT_KASAN_FAIL(test, strscpy(ptr, src + KASAN_GRANULE_SIZE,
+                                             KASAN_GRANULE_SIZE));
+
+       kfree(src);
        kfree(ptr);
 
        /*