From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF984C433EF for ; Fri, 10 Sep 2021 20:44:25 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 6D981610C7 for ; Fri, 10 Sep 2021 20:44:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 6D981610C7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id DB8CA900002; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D666F6B0072; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C7C1D900002; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0212.hostedemail.com [216.40.44.212]) by kanga.kvack.org (Postfix) with ESMTP id B983E6B0071 for ; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) Received: from smtpin32.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 5FCC639B8A for ; Fri, 10 Sep 2021 20:44:24 +0000 (UTC) X-FDA: 78572841648.32.39E75EF Received: from mail-io1-f53.google.com (mail-io1-f53.google.com [209.85.166.53]) by imf25.hostedemail.com (Postfix) with ESMTP id 267C1B000181 for ; Fri, 10 Sep 2021 20:44:24 +0000 (UTC) Received: by mail-io1-f53.google.com with SMTP id n24so3954992ion.10 for ; Fri, 10 Sep 2021 13:44:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=jT6iJlrKNPrj6bpJJ3lgtpcahwA2kYcxuFn93Fdw7+JlprzyflVRJGOjqlmqNdhxkW yBCcjPVh4Ft8rWmeJENOhW6FoLubU5Yx/MfPl07xq76yH9qi2aSUrSsV1XQYz37iM9bm ZuCH0/U8YIxN2j9loICJ8JUv9YbrOgb0wg/Z/5WE7Ye07J/jb1UIzGa2UngcYZmNaKP+ i7E6RZa8TXNIPpYNngkvmherN9QQAxHgaPWV03ikJbmWKBWr2GTFAKGGCt2VMSzVKtP1 VgLgun60ujQOMXcgzS+/m6zBR8buX8FHTXNogMxfJnMxb3rr2ZEJCJHT0GxvO787t0nF 7Chg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=k1rd+8UEVb95jO9+M83/YNdiyd53ztA1OgnYi7jEumxg3Koq5q/59kElGXoOEzaNdh culjpT6PcGYa+EcRE8nO+dcYODmMLttfZTviI8SFzWcLKs+y5YwSF+7GvR14/QhF2ngN o7ZO/FgGEagDujRASrXD+6kQ1fxGsDl+d+LqlFj29mnoHcx3eFUMkRabflwwvjLFZWZp vAn1tDeJGnvFyp4egFnEySJNsYaYR2NQoXv+kmlZh+tMtUeqHxShggH3SMP7lfdxcH+j HUjJpK19oAA1brLlOFMgnWTjvRgnXyYFIGeUA58m9br5QqzW0BkkGulRaU6d3mOpRrpu 6lKQ== X-Gm-Message-State: AOAM531JJ3qA0sEDUE+zjz5qY3XG6nQt8yUzhVX+kMCF1venYerPPnNL YNsSBgPiTa4tZOD14rvpnNWV8wHuuSLCeBNIaKY= X-Google-Smtp-Source: ABdhPJw6vr4O9yXL+hkLwqymc6jt1+9s+InBdS9/Zg8xWq6+SKufrqISPw20VjyuZ/WEpfviIhJjyyujRdzstwN6gKU= X-Received: by 2002:a02:7b24:: with SMTP id q36mr2457457jac.130.1631306663486; Fri, 10 Sep 2021 13:44:23 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: <20210910203152.3549236-1-pcc@google.com> From: Andrey Konovalov Date: Fri, 10 Sep 2021 22:44:12 +0200 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Peter Collingbourne Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 267C1B000181 X-Stat-Signature: m5aei7aukpoq8w8h7y5357sbt351gqc8 Authentication-Results: imf25.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=jT6iJlrK; spf=pass (imf25.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.166.53 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com X-HE-Tag: 1631306664-718525 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > With HW tag-based KASAN, error checks are performed implicitly by the load > and store instructions in the memcpy implementation. A failed check results > in tag checks being disabled and execution will keep going. As a result, > under HW tag-based KASAN, this memcpy would end up corrupting memory until > it hits an inaccessible page and causes a kernel panic. > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > Import latest memcpy()/memmove() implementation") which changed the memcpy > implementation from using signed comparisons (incorrectly, resulting in > the memcpy being terminated early for negative sizes) to using unsigned > comparisons. > > It is unclear how this could be handled by memcpy itself in a reasonable > way. One possibility would be to add an exception handler that would force > memcpy to return if a tag check fault is detected -- this would make the > behavior roughly similar to generic and SW tag-based KASAN. However, this > wouldn't solve the problem for asynchronous mode and also makes memcpy > behavior inconsistent with manually copying data. > > It may be more accurate to consider this a bug in the test: what we really > want to test here is that a memcpy overflow, however small, is caught, and any > further copying after the initial overflow is unnecessary and may affect system > stability. Therefore, adjust the test to pass the allocation size as the memcpy > size, ensuring that the memcpy will not result in an out-of-bounds write. > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > HW_TAGS") disabled this test in HW tags mode, but there is some value in > testing small memcpy overflows, so let's re-enable it with this fix. > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > Signed-off-by: Peter Collingbourne > --- > lib/test_kasan.c | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index 8835e0784578..9af51e1f692d 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > { > char *ptr; > size_t size = 64; > - volatile size_t invalid_size = -2; > - > - /* > - * Hardware tag-based mode doesn't check memmove for negative size. > - * As a result, this test introduces a side-effect memory corruption, > - * which can result in a crash. > - */ > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > + volatile size_t invalid_size = size; > > ptr = kmalloc(size, GFP_KERNEL); > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > -- > 2.33.0.309.g3052b89438-goog > Hi Peter, This test was added as a part of series that taught KASAN to detect negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect negative size in memory operation function"). So we need to keep it using negative sizes. I think we should rename kmalloc_memmove_invalid_size to kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And add another test named kmalloc_memmove_invalid_size, which does what you did in this patch. Thanks! From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.7 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3B74C433F5 for ; Fri, 10 Sep 2021 20:46:19 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 67753610C7 for ; Fri, 10 Sep 2021 20:46:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 67753610C7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:Subject:Message-ID:Date:From: In-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=GkQ8LopaTylQhF5IE+wiVSgfuyMFMlzrT6VFOcRiruM=; b=KNlc9g9vpdRuPy osP0QP4ydBeoko3/rxgXlfkkygtsiayy8FPUn1M9i0TxAf9Wd3R/fjDrkSoB94Uz+1Z3uDsmgubPp eSCyAOXw5ui1r+GOvz7icErLviLxpSrjky3zXmCD4pZp3e8rJhjZBSsFOEXalAzTkR6Qg050wUAQk U0BW3wTYfCCq/LYuY5LQ5Oz6P/V7TssvbOmDQWkXxt6b+1zBRTDSHSJ+j30AcKCoh8o5SjWkrYMbb emDuj3babIJUYrboabshEISJudKI2jsIrXMbvt9G60LfiM7qGZOn2Ir9Yr3WeOTPzJGrUiKPGadnD 8cP/F8rBIAE/qG5ShpXw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mOnNu-00Dmpn-5u; Fri, 10 Sep 2021 20:44:30 +0000 Received: from mail-io1-xd2f.google.com ([2607:f8b0:4864:20::d2f]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mOnNo-00DmoV-UI for linux-arm-kernel@lists.infradead.org; Fri, 10 Sep 2021 20:44:26 +0000 Received: by mail-io1-xd2f.google.com with SMTP id q3so3973392iot.3 for ; Fri, 10 Sep 2021 13:44:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=jT6iJlrKNPrj6bpJJ3lgtpcahwA2kYcxuFn93Fdw7+JlprzyflVRJGOjqlmqNdhxkW yBCcjPVh4Ft8rWmeJENOhW6FoLubU5Yx/MfPl07xq76yH9qi2aSUrSsV1XQYz37iM9bm ZuCH0/U8YIxN2j9loICJ8JUv9YbrOgb0wg/Z/5WE7Ye07J/jb1UIzGa2UngcYZmNaKP+ i7E6RZa8TXNIPpYNngkvmherN9QQAxHgaPWV03ikJbmWKBWr2GTFAKGGCt2VMSzVKtP1 VgLgun60ujQOMXcgzS+/m6zBR8buX8FHTXNogMxfJnMxb3rr2ZEJCJHT0GxvO787t0nF 7Chg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=bho2dP8UnVx4oSR1dnys8f7Wn7uVgg1smGBKDqiRmcffhZ1uxAH4xyDCKti63Epque wTvGfw4Qk3J5kuk8i3l0kDdR4RFJ10NuR5GDolBgRZrQdRgcx/vZJUNaWNYMfFPr9iGZ OG3s5JeUjb3dqUOTQurAiF5BQtUvWHJoGw1m2hJxLLFZ7OeBvsd/m76XBayoVecPxuu8 0vQIYEjg8UbKEXTzDuu2JGG+6n6G5Zv8Q3+WwBGKbrtXZoK45Cs0iN9cpll4PGLVxlAF zJ7p9q4dLPJ5dQCnh42Oo3mDts+5xfSPO5yY7EaftPBYWXOSbFK9I+47dR6z2U+8Arc5 dxRQ== X-Gm-Message-State: AOAM530qutBnvfdLZwPmzufyb3ZKPVu30dD6Ghk3gj+5Gut3pl/rk+cl +WXqAeUvhs5jHA/gFZJ7PzJLQKkeqMC/YpnUGCE= X-Google-Smtp-Source: ABdhPJw6vr4O9yXL+hkLwqymc6jt1+9s+InBdS9/Zg8xWq6+SKufrqISPw20VjyuZ/WEpfviIhJjyyujRdzstwN6gKU= X-Received: by 2002:a02:7b24:: with SMTP id q36mr2457457jac.130.1631306663486; Fri, 10 Sep 2021 13:44:23 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: <20210910203152.3549236-1-pcc@google.com> From: Andrey Konovalov Date: Fri, 10 Sep 2021 22:44:12 +0200 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Peter Collingbourne Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210910_134425_047745_A8E96138 X-CRM114-Status: GOOD ( 31.10 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > With HW tag-based KASAN, error checks are performed implicitly by the load > and store instructions in the memcpy implementation. A failed check results > in tag checks being disabled and execution will keep going. As a result, > under HW tag-based KASAN, this memcpy would end up corrupting memory until > it hits an inaccessible page and causes a kernel panic. > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > Import latest memcpy()/memmove() implementation") which changed the memcpy > implementation from using signed comparisons (incorrectly, resulting in > the memcpy being terminated early for negative sizes) to using unsigned > comparisons. > > It is unclear how this could be handled by memcpy itself in a reasonable > way. One possibility would be to add an exception handler that would force > memcpy to return if a tag check fault is detected -- this would make the > behavior roughly similar to generic and SW tag-based KASAN. However, this > wouldn't solve the problem for asynchronous mode and also makes memcpy > behavior inconsistent with manually copying data. > > It may be more accurate to consider this a bug in the test: what we really > want to test here is that a memcpy overflow, however small, is caught, and any > further copying after the initial overflow is unnecessary and may affect system > stability. Therefore, adjust the test to pass the allocation size as the memcpy > size, ensuring that the memcpy will not result in an out-of-bounds write. > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > HW_TAGS") disabled this test in HW tags mode, but there is some value in > testing small memcpy overflows, so let's re-enable it with this fix. > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > Signed-off-by: Peter Collingbourne > --- > lib/test_kasan.c | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index 8835e0784578..9af51e1f692d 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > { > char *ptr; > size_t size = 64; > - volatile size_t invalid_size = -2; > - > - /* > - * Hardware tag-based mode doesn't check memmove for negative size. > - * As a result, this test introduces a side-effect memory corruption, > - * which can result in a crash. > - */ > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > + volatile size_t invalid_size = size; > > ptr = kmalloc(size, GFP_KERNEL); > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > -- > 2.33.0.309.g3052b89438-goog > Hi Peter, This test was added as a part of series that taught KASAN to detect negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect negative size in memory operation function"). So we need to keep it using negative sizes. I think we should rename kmalloc_memmove_invalid_size to kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And add another test named kmalloc_memmove_invalid_size, which does what you did in this patch. Thanks! _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel