From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 016CAC433EF for ; Fri, 10 Sep 2021 21:14:47 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A3F5B61209 for ; Fri, 10 Sep 2021 21:14:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A3F5B61209 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 1AA7F940007; Fri, 10 Sep 2021 17:14:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 159DA900002; Fri, 10 Sep 2021 17:14:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0481D940007; Fri, 10 Sep 2021 17:14:45 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0074.hostedemail.com [216.40.44.74]) by kanga.kvack.org (Postfix) with ESMTP id EADE8900002 for ; Fri, 10 Sep 2021 17:14:45 -0400 (EDT) Received: from smtpin19.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 95E2F267C8 for ; Fri, 10 Sep 2021 21:14:45 +0000 (UTC) X-FDA: 78572918130.19.15877CC Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182]) by imf04.hostedemail.com (Postfix) with ESMTP id 59A9E50000B2 for ; Fri, 10 Sep 2021 21:14:45 +0000 (UTC) Received: by mail-il1-f182.google.com with SMTP id h20so2491037ilj.13 for ; Fri, 10 Sep 2021 14:14:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=EUXkIZ8Ae2C4wPNLkjM8cOni1MkSMmEZVRvv7hbDnC7ugPeahSlnqzSQTs3afVPqYT 3o4UxtN7vc573y3Qg+72O2W5mZ3swH7aMI1SGvsF3QNKHf/uu2iqt0YsoZl51l2FhA7n DjTcS7GWWVTL0OOVaEB7P8/Ys6xvL/CpZGEn+yv7afcnN6AUjXAxen7pRpeq3V8ZFJ3H Xn9Y5lvK5CrE8Uk6NrGLYN5pCI5zI5PnrpjwgXq1dnXjHmcsU5Bp3XapTIVivCuIhbjH 2H3HehRxduAQLKzGKEKxVnEHV40xmvoE4XeVo432nLt3i2fOXkh4dx9gM69TJam7Lv7I r2yA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=uchGmYKw9poyFu6V3keK0nw82wGm7ORCdKwrZviO9Epm3MkQxVF804P/cqC6tzIEhS 8NfeZHsFanYtFjOywDE8WSCkmvnsZXVBqH4uUhDdguJhvfojxMbmQzDJwvoamIcVxMhf AvDDYaBC3M5JR1pHhqywJqtFFgGczAXLw8ngbV+EPRk+S4MhacLmICWkkqtjW9bDGzNy pF/+QrjiATkFtKy944wlm8zMR0g7G301Ws1cN7j6QYGKWLWp9VslERinV1wPjbYjYnXv b4Yd88xDsG3DHbmXzM9H+86wUl1XOlQZx5VYygpYh5GC2NIowqV3+1OAW3y732XHWtHp 0F1Q== X-Gm-Message-State: AOAM533VcE+EOvJHtEKgWkGWy1lHio/oWiHSu4PxoIbN2u4Z0KcXg72H AkrX1CG3YMJtRWuhn2/4G4jRBfrwkiFwJfjoLuOCUI+tJ5M= X-Google-Smtp-Source: ABdhPJwpo0eKQqLuK54CFso/B5fYqTElx9Hk5mSko68NTE3Jpb1Nvdvc5CraH12/+2ng5uTgsIDXRIEIsF65Lj2DI5Q= X-Received: by 2002:a05:6e02:1564:: with SMTP id k4mr7981434ilu.146.1631308484555; Fri, 10 Sep 2021 14:14:44 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: From: Peter Collingbourne Date: Fri, 10 Sep 2021 14:14:33 -0700 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Andrey Konovalov Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" X-Stat-Signature: 7n14emy6dnhaij6gio48jbzcejksacp7 Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=EUXkIZ8A; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf04.hostedemail.com: domain of pcc@google.com designates 209.85.166.182 as permitted sender) smtp.mailfrom=pcc@google.com X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 59A9E50000B2 X-HE-Tag: 1631308485-31735 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 10, 2021 at 1:44 PM Andrey Konovalov wrote: > > On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > > > With HW tag-based KASAN, error checks are performed implicitly by the load > > and store instructions in the memcpy implementation. A failed check results > > in tag checks being disabled and execution will keep going. As a result, > > under HW tag-based KASAN, this memcpy would end up corrupting memory until > > it hits an inaccessible page and causes a kernel panic. > > > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > > Import latest memcpy()/memmove() implementation") which changed the memcpy > > implementation from using signed comparisons (incorrectly, resulting in > > the memcpy being terminated early for negative sizes) to using unsigned > > comparisons. > > > > It is unclear how this could be handled by memcpy itself in a reasonable > > way. One possibility would be to add an exception handler that would force > > memcpy to return if a tag check fault is detected -- this would make the > > behavior roughly similar to generic and SW tag-based KASAN. However, this > > wouldn't solve the problem for asynchronous mode and also makes memcpy > > behavior inconsistent with manually copying data. > > > > It may be more accurate to consider this a bug in the test: what we really > > want to test here is that a memcpy overflow, however small, is caught, and any > > further copying after the initial overflow is unnecessary and may affect system > > stability. Therefore, adjust the test to pass the allocation size as the memcpy > > size, ensuring that the memcpy will not result in an out-of-bounds write. > > > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > > HW_TAGS") disabled this test in HW tags mode, but there is some value in > > testing small memcpy overflows, so let's re-enable it with this fix. > > > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > > Signed-off-by: Peter Collingbourne > > --- > > lib/test_kasan.c | 9 +-------- > > 1 file changed, 1 insertion(+), 8 deletions(-) > > > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > > index 8835e0784578..9af51e1f692d 100644 > > --- a/lib/test_kasan.c > > +++ b/lib/test_kasan.c > > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > > { > > char *ptr; > > size_t size = 64; > > - volatile size_t invalid_size = -2; > > - > > - /* > > - * Hardware tag-based mode doesn't check memmove for negative size. > > - * As a result, this test introduces a side-effect memory corruption, > > - * which can result in a crash. > > - */ > > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > > + volatile size_t invalid_size = size; > > > > ptr = kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > -- > > 2.33.0.309.g3052b89438-goog > > > > Hi Peter, > > This test was added as a part of series that taught KASAN to detect > negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect > negative size in memory operation function"). So we need to keep it > using negative sizes. > > I think we should rename kmalloc_memmove_invalid_size to > kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And > add another test named kmalloc_memmove_invalid_size, which does what > you did in this patch. Makes sense, done in v2. Peter From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_ADSP_CUSTOM_MED,DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56E6CC433F5 for ; Fri, 10 Sep 2021 21:18:05 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id F0C1761214 for ; Fri, 10 Sep 2021 21:18:04 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org F0C1761214 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:Subject:Message-ID:Date:From: In-Reply-To:References:MIME-Version:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=ekH4euFJRR2LQfrOujvxDpAmCWGtyux5CfBZYK4PdVU=; b=Lla1bIBk46mUQ8 c1AYvVzVIbUqGiLn94gGTollKiDTDmVp5vFSjU1A81zkX9udoG3lnOLtUQMZttRGGxTGKKddLv+yC PWp1dk2MOOSGgs1HRgwlnq9Lw3IysRYzIlPY8oeY2vd0KL3kty38Dz7B7Qf5oBDt75t76KI2yhiNo 9SPNXiVCsIucP47gg7VE2lNSJ0NAl9g+EXle84/Ulkqv6qYScIvzI9qcALj/BkbyPoGc2VfVREP6O 4Fn4DCV9BL85DAryAFAjPE35WuxwJVOy2k+wepQV0c2cOXHogXymq+ivK+E2AJgpiZirrYxwNnA9g ChXwyGezkqKAGbXHZqfw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1mOnsb-00DprK-Pk; Fri, 10 Sep 2021 21:16:14 +0000 Received: from mail-il1-x12d.google.com ([2607:f8b0:4864:20::12d]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1mOnrB-00DpLq-K3 for linux-arm-kernel@lists.infradead.org; Fri, 10 Sep 2021 21:14:47 +0000 Received: by mail-il1-x12d.google.com with SMTP id b8so1690856ilh.12 for ; Fri, 10 Sep 2021 14:14:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=EUXkIZ8Ae2C4wPNLkjM8cOni1MkSMmEZVRvv7hbDnC7ugPeahSlnqzSQTs3afVPqYT 3o4UxtN7vc573y3Qg+72O2W5mZ3swH7aMI1SGvsF3QNKHf/uu2iqt0YsoZl51l2FhA7n DjTcS7GWWVTL0OOVaEB7P8/Ys6xvL/CpZGEn+yv7afcnN6AUjXAxen7pRpeq3V8ZFJ3H Xn9Y5lvK5CrE8Uk6NrGLYN5pCI5zI5PnrpjwgXq1dnXjHmcsU5Bp3XapTIVivCuIhbjH 2H3HehRxduAQLKzGKEKxVnEHV40xmvoE4XeVo432nLt3i2fOXkh4dx9gM69TJam7Lv7I r2yA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=AaJmkas9r9Nmy0z3Oc2wP1oryKhu3k4o04hl/ko2ddcblGGKtG5bIiZpXPMRJUWwMQ USUqSAW4X2Ttkk1i1WadmjEnJDxnVS7f7pFBBDjYtJMhOXkqVJMDRevdPQWmeYqzT3RV opCNF/rnX+BKtNr/+gpYmy8eiaZBcdr+11TMB41M67TLOyMoBmi9rgbhjUbIAdtK/iXN YotxB/A79tMOkvgJqEFkyAa9HqmhIdiYNn6BpZ9/4DcLKZh+0771ybGCgVPkpR8ONnDU MlrVzaOqn4rMMJfSXhumo4JjsRvzP/6TNj455Mp2lJ6ILpcIWtWqiIdgK1DiKzzQiC8T zzbg== X-Gm-Message-State: AOAM530ffo3g2iDV4tjsDEf8YcQ+nSrPvpSXxFBAAtZl1DzeZx7In43t 8dAjEMk5gBzQ2ZLqk2fNg1I4OM3jqn3LdqhXbC7IAA== X-Google-Smtp-Source: ABdhPJwpo0eKQqLuK54CFso/B5fYqTElx9Hk5mSko68NTE3Jpb1Nvdvc5CraH12/+2ng5uTgsIDXRIEIsF65Lj2DI5Q= X-Received: by 2002:a05:6e02:1564:: with SMTP id k4mr7981434ilu.146.1631308484555; Fri, 10 Sep 2021 14:14:44 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: From: Peter Collingbourne Date: Fri, 10 Sep 2021 14:14:33 -0700 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Andrey Konovalov Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210910_141445_720993_5B2EEE81 X-CRM114-Status: GOOD ( 37.58 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Sep 10, 2021 at 1:44 PM Andrey Konovalov wrote: > > On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > > > With HW tag-based KASAN, error checks are performed implicitly by the load > > and store instructions in the memcpy implementation. A failed check results > > in tag checks being disabled and execution will keep going. As a result, > > under HW tag-based KASAN, this memcpy would end up corrupting memory until > > it hits an inaccessible page and causes a kernel panic. > > > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > > Import latest memcpy()/memmove() implementation") which changed the memcpy > > implementation from using signed comparisons (incorrectly, resulting in > > the memcpy being terminated early for negative sizes) to using unsigned > > comparisons. > > > > It is unclear how this could be handled by memcpy itself in a reasonable > > way. One possibility would be to add an exception handler that would force > > memcpy to return if a tag check fault is detected -- this would make the > > behavior roughly similar to generic and SW tag-based KASAN. However, this > > wouldn't solve the problem for asynchronous mode and also makes memcpy > > behavior inconsistent with manually copying data. > > > > It may be more accurate to consider this a bug in the test: what we really > > want to test here is that a memcpy overflow, however small, is caught, and any > > further copying after the initial overflow is unnecessary and may affect system > > stability. Therefore, adjust the test to pass the allocation size as the memcpy > > size, ensuring that the memcpy will not result in an out-of-bounds write. > > > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > > HW_TAGS") disabled this test in HW tags mode, but there is some value in > > testing small memcpy overflows, so let's re-enable it with this fix. > > > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > > Signed-off-by: Peter Collingbourne > > --- > > lib/test_kasan.c | 9 +-------- > > 1 file changed, 1 insertion(+), 8 deletions(-) > > > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > > index 8835e0784578..9af51e1f692d 100644 > > --- a/lib/test_kasan.c > > +++ b/lib/test_kasan.c > > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > > { > > char *ptr; > > size_t size = 64; > > - volatile size_t invalid_size = -2; > > - > > - /* > > - * Hardware tag-based mode doesn't check memmove for negative size. > > - * As a result, this test introduces a side-effect memory corruption, > > - * which can result in a crash. > > - */ > > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > > + volatile size_t invalid_size = size; > > > > ptr = kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > -- > > 2.33.0.309.g3052b89438-goog > > > > Hi Peter, > > This test was added as a part of series that taught KASAN to detect > negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect > negative size in memory operation function"). So we need to keep it > using negative sizes. > > I think we should rename kmalloc_memmove_invalid_size to > kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And > add another test named kmalloc_memmove_invalid_size, which does what > you did in this patch. Makes sense, done in v2. Peter _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel