linux-arm-kernel.lists.infradead.org archive mirror
From: Walter Wu <walter-zh.wu@mediatek.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Alexander Potapenko <glider@google.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Matthias Brugger <matthias.bgg@gmail.com>
Cc: Walter Wu <walter-zh.wu@mediatek.com>,
	wsd_upstream@mediatek.com, linux-kernel@vger.kernel.org,
	kasan-dev@googlegroups.com, linux-mm@kvack.org,
	linux-mediatek@lists.infradead.org,
	linux-arm-kernel@lists.infradead.org
Subject: [PATCH] kasan: fix the missing underflow in memmove and memcpy with CONFIG_KASAN_GENERIC=y
Date: Fri, 27 Sep 2019 11:43:38 +0800	[thread overview]
Message-ID: <20190927034338.15813-1-walter-zh.wu@mediatek.com> (raw)

memmove() and memcpy() have missing underflow issues.
When -7 <= size < 0, KASAN fails to catch the underflow issue.
It looks like the shadow start address and shadow end address are the same,
so it does not actually check anything.

The following test is indeed not caught by KASAN:

	char *p = kmalloc(64, GFP_KERNEL);
	memset((char *)p, 0, 64);
	memmove((char *)p, (char *)p + 4, -2);
	kfree((char *)p);

It should be checked here:

void *memmove(void *dest, const void *src, size_t len)
{
	check_memory_region((unsigned long)src, len, false, _RET_IP_);
	check_memory_region((unsigned long)dest, len, true, _RET_IP_);

	return __memmove(dest, src, len);
}

We fix how the shadow end address is calculated, so that generic KASAN
gets the right shadow end address and detects this underflow issue.

[1] https://bugzilla.kernel.org/show_bug.cgi?id=199341

Signed-off-by: Walter Wu <walter-zh.wu@mediatek.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
---
 lib/test_kasan.c   | 36 ++++++++++++++++++++++++++++++++++++
 mm/kasan/generic.c |  8 ++++++--
 2 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index b63b367a94e8..8bd014852556 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -280,6 +280,40 @@ static noinline void __init kmalloc_oob_in_memset(void)
 	kfree(ptr);
 }
 
+static noinline void __init kmalloc_oob_in_memmove_underflow(void)
+{
+	char *ptr;
+	size_t size = 64;
+
+	pr_info("underflow out-of-bounds in memmove\n");
+	ptr = kmalloc(size, GFP_KERNEL);
+	if (!ptr) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+
+	memset((char *)ptr, 0, 64);
+	memmove((char *)ptr, (char *)ptr + 4, -2);
+	kfree(ptr);
+}
+
+static noinline void __init kmalloc_oob_in_memmove_overflow(void)
+{
+	char *ptr;
+	size_t size = 64;
+
+	pr_info("overflow out-of-bounds in memmove\n");
+	ptr = kmalloc(size, GFP_KERNEL);
+	if (!ptr) {
+		pr_err("Allocation failed\n");
+		return;
+	}
+
+	memset((char *)ptr, 0, 64);
+	memmove((char *)ptr + size, (char *)ptr, 2);
+	kfree(ptr);
+}
+
 static noinline void __init kmalloc_uaf(void)
 {
 	char *ptr;
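Review bot: `memset((char *)ptr, 0, 64)` in both new tests hardcodes the length while `size` already holds 64; use `memset(ptr, 0, size)` so the two cannot drift apart, and drop the `(char *)` casts on `ptr`, which is already `char *`. The subject and commit message name memcpy as affected as well, but only memmove is exercised here; a matching memcpy underflow case would cover that path. Passing the literal `-2` where a `size_t` is expected relies on implicit conversion; writing `(size_t)-2` states the intent and avoids a sign-conversion warning in the test build.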
@@ -734,6 +768,8 @@ static int __init kmalloc_tests_init(void)
 	kmalloc_oob_memset_4();
 	kmalloc_oob_memset_8();
 	kmalloc_oob_memset_16();
+	kmalloc_oob_in_memmove_underflow();
+	kmalloc_oob_in_memmove_overflow();
 	kmalloc_uaf();
 	kmalloc_uaf_memset();
 	kmalloc_uaf2();
diff --git a/mm/kasan/generic.c b/mm/kasan/generic.c
index 616f9dd82d12..34ca23d59e67 100644
--- a/mm/kasan/generic.c
+++ b/mm/kasan/generic.c
@@ -131,9 +131,13 @@ static __always_inline bool memory_is_poisoned_n(unsigned long addr,
 						size_t size)
 {
 	unsigned long ret;
+	void *shadow_start = kasan_mem_to_shadow((void *)addr);
+	void *shadow_end = kasan_mem_to_shadow((void *)addr + size - 1) + 1;
 
-	ret = memory_is_nonzero(kasan_mem_to_shadow((void *)addr),
-			kasan_mem_to_shadow((void *)addr + size - 1) + 1);
+	if ((long)size < 0)
+		shadow_end = kasan_mem_to_shadow((void *)addr + size);
+
+	ret = memory_is_nonzero(shadow_start, shadow_end);
 
 	if (unlikely(ret)) {
 		unsigned long last_byte = addr + size - 1;
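Review bot: when `(long)size < 0`, the new `shadow_end = kasan_mem_to_shadow((void *)addr + size)` lies below `shadow_start`, so `memory_is_nonzero(shadow_start, shadow_end)` is called with an inverted range and the outcome depends on how that helper treats `end < start`. A negative size is never a valid access, so it would be more robust, and easier to read, to detect it before any range computation and report it directly rather than rely on the inverted scan happening to find a nonzero shadow byte. The error path below still computes `last_byte = addr + size - 1` with the wrapped size, so the address reported for a caught underflow will point before `addr`; that needs either its own handling or a comment. A one-line comment explaining why the sign of `size` is inspected would help the next reader.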
-- 
2.18.0
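The commit message states that for -7 <= size < 0 the shadow start and end addresses coincide. The following user-space model, added here and not part of the patch or of the kernel's KASAN code, reproduces the shadow arithmetic of `memory_is_poisoned_n()` before and after the change so the claim can be checked without a kernel build. It assumes the generic KASAN mapping of 8 memory bytes to 1 shadow byte (`KASAN_SHADOW_SCALE_SHIFT` is 3 in the kernel); `MODEL_SHADOW_OFFSET`, the addresses and the helper names are constructed for this model and stand in for `KASAN_SHADOW_OFFSET` and `kasan_mem_to_shadow()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: one shadow byte per 8 bytes of memory, as in generic KASAN.
 * The offset is a made-up constant standing in for KASAN_SHADOW_OFFSET. */
#define SHADOW_SCALE_SHIFT 3
#define MODEL_SHADOW_OFFSET 0x1000000UL

struct shadow_range { uintptr_t start, end; };   /* [start, end) in shadow space */

static uintptr_t mem_to_shadow(uintptr_t addr)
{
	return (addr >> SHADOW_SCALE_SHIFT) + MODEL_SHADOW_OFFSET;
}

/* Shadow range exactly as memory_is_poisoned_n() computed it before the patch.
 * With a "negative" size_t, addr + size - 1 wraps to an address below addr. */
static struct shadow_range range_before(uintptr_t addr, size_t size)
{
	struct shadow_range r;

	r.start = mem_to_shadow(addr);
	r.end = mem_to_shadow(addr + size - 1) + 1;
	return r;
}

/* Shadow range as the patch computes it: a size whose top bit is set is treated
 * as negative and the end is derived from addr + size instead. */
static struct shadow_range range_after(uintptr_t addr, size_t size)
{
	struct shadow_range r = range_before(addr, size);

	if ((long)size < 0)
		r.end = mem_to_shadow(addr + size);
	return r;
}

/* An empty range gives memory_is_nonzero() nothing to inspect: the access is missed. */
static bool range_is_empty(struct shadow_range r)
{
	return r.end == r.start;
}

/* An inverted range means the caller hands memory_is_nonzero() end < start. */
static bool range_is_inverted(struct shadow_range r)
{
	return r.end < r.start;
}

/* How many of size = -1 .. -limit collapse to an empty range with the old formula. */
static int count_empty_before(uintptr_t addr, int limit)
{
	int n = 0;

	for (int s = 1; s <= limit; s++)
		if (range_is_empty(range_before(addr, (size_t)-s)))
			n++;
	return n;
}

int main(void)
{
	uintptr_t obj = 0x100000UL;   /* constructed, 8-byte aligned object address */

	for (int s = 1; s <= 9; s++) {
		size_t size = (size_t)-s;
		struct shadow_range b = range_before(obj, size);
		struct shadow_range a = range_after(obj, size);

		printf("size=-%d  before: %s  after: %s\n", s,
		       range_is_empty(b) ? "empty (missed)" :
		       range_is_inverted(b) ? "inverted" : "non-empty",
		       range_is_inverted(a) ? "inverted" : "non-empty");
	}
	return 0;
}
```

For an aligned address the old formula yields an empty range for every size from -1 down to -7 and an inverted one from -8 on, which matches the -7 <= size < 0 window in the commit message. With an unaligned address such as the `p + 4` source in the test case, the old formula instead yields a single shadow byte, the granule containing `addr` itself, which is valid memory and therefore still reports nothing. The patched formula always produces an inverted range for a negative size, so whether the bug is reported then depends on how `memory_is_nonzero()` handles `end < start`.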

