From: Daniel Axtens <dja@axtens.net>
To: kernel-hardening@lists.openwall.com, linux-mm@kvack.org,
keescook@chromium.org
Cc: linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
Daniel Axtens <dja@axtens.net>
Subject: [PATCH 2/5] [RFC] kasan: kasan_test: hide allocation sizes from the compiler
Date: Mon, 20 Jan 2020 18:43:41 +1100 [thread overview]
Message-ID: <20200120074344.504-3-dja@axtens.net> (raw)
In-Reply-To: <20200120074344.504-1-dja@axtens.net>
We're about to annotate the allocation functions so that the complier will
know the sizes of the allocated objects. This is then caught at compile
time by both the testing in copy_to/from_user, and the testing in fortify.
The simplest way I can find to obscure the size is to pass the memory
through a WRITE_ONCE/READ_ONCE pair.
Create a macro to obscure an object's size, and a kmalloc wrapper to return
an object with an obscured size. Using these is sufficient to compile without
error.
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
lib/test_kasan.c | 48 +++++++++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/lib/test_kasan.c b/lib/test_kasan.c
index 328d33beae36..dbbecd75f1e3 100644
--- a/lib/test_kasan.c
+++ b/lib/test_kasan.c
@@ -20,9 +20,28 @@
#include <linux/uaccess.h>
#include <linux/io.h>
#include <linux/vmalloc.h>
+#include <linux/compiler.h>
#include <asm/page.h>
+/*
+ * obscure origin of a pointer, so we can test things that check
+ * the size of the underlying object
+ */
+#define OBSCURE_ORIGINAL_OBJECT(x) { \
+ void *bounce; \
+ WRITE_ONCE(bounce, x); \
+ x = READ_ONCE(bounce); \
+ }
+
+static inline void *obscured_kmalloc(size_t size, gfp_t flags)
+{
+ void *result, *bounce;
+ result = kmalloc(size, flags);
+ WRITE_ONCE(bounce, result);
+ return READ_ONCE(bounce);
+}
+
/*
* Note: test functions are marked noinline so that their names appear in
* reports.
@@ -34,7 +53,7 @@ static noinline void __init kmalloc_oob_right(void)
size_t size = 123;
pr_info("out-of-bounds to right\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -50,7 +69,7 @@ static noinline void __init kmalloc_oob_left(void)
size_t size = 15;
pr_info("out-of-bounds to left\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -67,6 +86,7 @@ static noinline void __init kmalloc_node_oob_right(void)
pr_info("kmalloc_node(): out-of-bounds to right\n");
ptr = kmalloc_node(size, GFP_KERNEL, 0);
+ OBSCURE_ORIGINAL_OBJECT(ptr);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -86,7 +106,7 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
* the page allocator fallback.
*/
pr_info("kmalloc pagealloc allocation: out-of-bounds to right\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -136,7 +156,7 @@ static noinline void __init kmalloc_large_oob_right(void)
* and does not trigger the page allocator fallback in SLUB.
*/
pr_info("kmalloc large allocation: out-of-bounds to right\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -155,6 +175,7 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
pr_info("out-of-bounds after krealloc more\n");
ptr1 = kmalloc(size1, GFP_KERNEL);
ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
+ OBSCURE_ORIGINAL_OBJECT(ptr2);
if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");
kfree(ptr1);
@@ -174,6 +195,7 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
pr_info("out-of-bounds after krealloc less\n");
ptr1 = kmalloc(size1, GFP_KERNEL);
ptr2 = krealloc(ptr1, size2, GFP_KERNEL);
+ OBSCURE_ORIGINAL_OBJECT(ptr2);
if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");
kfree(ptr1);
@@ -190,7 +212,7 @@ static noinline void __init kmalloc_oob_16(void)
} *ptr1, *ptr2;
pr_info("kmalloc out-of-bounds for 16-bytes access\n");
- ptr1 = kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
+ ptr1 = obscured_kmalloc(sizeof(*ptr1) - 3, GFP_KERNEL);
ptr2 = kmalloc(sizeof(*ptr2), GFP_KERNEL);
if (!ptr1 || !ptr2) {
pr_err("Allocation failed\n");
@@ -209,7 +231,7 @@ static noinline void __init kmalloc_oob_memset_2(void)
size_t size = 8;
pr_info("out-of-bounds in memset2\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -225,7 +247,7 @@ static noinline void __init kmalloc_oob_memset_4(void)
size_t size = 8;
pr_info("out-of-bounds in memset4\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -242,7 +264,7 @@ static noinline void __init kmalloc_oob_memset_8(void)
size_t size = 8;
pr_info("out-of-bounds in memset8\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -258,7 +280,7 @@ static noinline void __init kmalloc_oob_memset_16(void)
size_t size = 16;
pr_info("out-of-bounds in memset16\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -274,7 +296,7 @@ static noinline void __init kmalloc_oob_in_memset(void)
size_t size = 666;
pr_info("out-of-bounds in memset\n");
- ptr = kmalloc(size, GFP_KERNEL);
+ ptr = obscured_kmalloc(size, GFP_KERNEL);
if (!ptr) {
pr_err("Allocation failed\n");
return;
@@ -479,7 +501,7 @@ static noinline void __init copy_user_test(void)
size_t size = 10;
int unused;
- kmem = kmalloc(size, GFP_KERNEL);
+ kmem = obscured_kmalloc(size, GFP_KERNEL);
if (!kmem)
return;
@@ -599,7 +621,7 @@ static noinline void __init kasan_memchr(void)
size_t size = 24;
pr_info("out-of-bounds in memchr\n");
- ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
+ ptr = obscured_kmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!ptr)
return;
@@ -614,7 +636,7 @@ static noinline void __init kasan_memcmp(void)
int arr[9];
pr_info("out-of-bounds in memcmp\n");
- ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
+ ptr = obscured_kmalloc(size, GFP_KERNEL | __GFP_ZERO);
if (!ptr)
return;
--
2.20.1
next prev parent reply other threads:[~2020-01-20 7:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 7:43 [PATCH 0/5] Annotate allocation functions with alloc_size attribute Daniel Axtens
2020-01-20 7:43 ` [PATCH 1/5] altera-stapl: altera_get_note: prevent write beyond end of 'key' Daniel Axtens
2020-01-20 7:43 ` Daniel Axtens [this message]
2020-01-20 7:43 ` [PATCH 3/5] [RFC] staging: rts5208: make len a u16 in rtsx_write_cfg_seq Daniel Axtens
2020-01-20 7:43 ` [PATCH 4/5] [VERY RFC] mm: kmalloc(_node): return NULL immediately for SIZE_MAX Daniel Axtens
2020-01-20 11:14 ` Michal Hocko
2020-01-20 22:51 ` Daniel Axtens
2020-01-20 7:43 ` [PATCH 5/5] [RFC] mm: annotate memory allocation functions with their sizes Daniel Axtens
2020-02-07 20:38 ` Daniel Micay
2020-02-25 18:35 ` Kees Cook
2020-02-26 6:07 ` Daniel Axtens
2020-02-26 21:56 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200120074344.504-3-dja@axtens.net \
--to=dja@axtens.net \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).