From: Marco Elver <elver@google.com>
To: andrey.konovalov@linux.dev
Cc: Andrew Morton <akpm@linux-foundation.org>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Alexander Potapenko <glider@google.com>,
	kasan-dev@googlegroups.com, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 8/8] kasan: test: avoid corrupting memory in kasan_rcu_uaf
Date: Thu, 12 Aug 2021 10:50:30 +0200	[thread overview]
Message-ID: <CANpmjNOf=XzX1xhjaz7+SBN2HYq+9jH4EcHi4gfwjSyTa3q00w@mail.gmail.com> (raw)
In-Reply-To: <da8d30df9206b54be2768b27bb026ec06e4da7a4.1628709663.git.andreyknvl@gmail.com>

On Wed, 11 Aug 2021 at 21:34, <andrey.konovalov@linux.dev> wrote:
>
> From: Andrey Konovalov <andreyknvl@gmail.com>
>
> kasan_rcu_uaf() writes to freed memory via kasan_rcu_reclaim(), which is
> only safe with the GENERIC mode (as it uses quarantine). For other modes,
> this test corrupts kernel memory, which might result in a crash.
>
> Turn the write into a read.
>
> Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>

Reviewed-by: Marco Elver <elver@google.com>


> ---
>  lib/test_kasan_module.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c
> index fa73b9df0be4..7ebf433edef3 100644
> --- a/lib/test_kasan_module.c
> +++ b/lib/test_kasan_module.c
> @@ -71,7 +71,7 @@ static noinline void __init kasan_rcu_reclaim(struct rcu_head *rp)
>                                                 struct kasan_rcu_info, rcu);
>
>         kfree(fp);
> -       fp->i = 1;
> +       ((volatile struct kasan_rcu_info *)fp)->i;
>  }
>
>  static noinline void __init kasan_rcu_uaf(void)
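Review bot: the replacement statement `((volatile struct kasan_rcu_info *)fp)->i;` relies entirely on the `volatile` qualifier to keep the load from being optimized away; a plain `fp->i;` with the result unused would be dropped by the compiler and the test would silently stop touching the freed object, so the hunk deserves a one-line comment saying the cast is deliberate and that the read (rather than the previous `fp->i = 1;` write) is what keeps the test safe outside the GENERIC mode described in the commit message.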
> --
> 2.25.1
>
