From: Walter Wu <walter-zh.wu@mediatek.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: wsd_upstream <wsd_upstream@mediatek.com>,
LKML <linux-kernel@vger.kernel.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux-MM <linux-mm@kvack.org>,
Alexander Potapenko <glider@google.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v3 1/2] kasan: detect negative size in memory operation function
Date: Mon, 11 Nov 2019 18:28:33 +0800 [thread overview]
Message-ID: <1573468113.20611.61.camel@mtksdccf07> (raw)
In-Reply-To: <CACT4Y+bxWCF0WCkVxi+Qq3pztAXf2g-eBG5oexmQsQ65xrmiRw@mail.gmail.com>
On Mon, 2019-11-11 at 11:17 +0100, Dmitry Vyukov wrote:
> On Mon, Nov 11, 2019 at 11:12 AM Walter Wu <walter-zh.wu@mediatek.com> wrote:
> > > On 11/11/19 10:14 AM, Walter Wu wrote:
> > > > On Sat, 2019-11-09 at 01:31 +0300, Andrey Ryabinin wrote:
> > > >>
> > > >> On 11/4/19 5:05 AM, Walter Wu wrote:
> > > >>
> > > >>>
> > > >>> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> > > >>> index 6814d6d6a023..4ff67e2fd2db 100644
> > > >>> --- a/mm/kasan/common.c
> > > >>> +++ b/mm/kasan/common.c
> > > >>> @@ -99,10 +99,14 @@ bool __kasan_check_write(const volatile void *p, unsigned int size)
> > > >>> }
> > > >>> EXPORT_SYMBOL(__kasan_check_write);
> > > >>>
> > > >>> +extern bool report_enabled(void);
> > > >>> +
> > > >>> #undef memset
> > > >>> void *memset(void *addr, int c, size_t len)
> > > >>> {
> > > >>> - check_memory_region((unsigned long)addr, len, true, _RET_IP_);
> > > >>> + if (report_enabled() &&
> > > >>> + !check_memory_region((unsigned long)addr, len, true, _RET_IP_))
> > > >>> + return NULL;
> > > >>>
> > > >>> return __memset(addr, c, len);
> > > >>> }
> > > >>> @@ -110,8 +114,10 @@ void *memset(void *addr, int c, size_t len)
> > > >>> #undef memmove
> > > >>> void *memmove(void *dest, const void *src, size_t len)
> > > >>> {
> > > >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
> > > >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
> > > >>> + if (report_enabled() &&
> > > >>> + (!check_memory_region((unsigned long)src, len, false, _RET_IP_) ||
> > > >>> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_)))
> > > >>> + return NULL;
> > > >>>
> > > >>> return __memmove(dest, src, len);
> > > >>> }
> > > >>> @@ -119,8 +125,10 @@ void *memmove(void *dest, const void *src, size_t len)
> > > >>> #undef memcpy
> > > >>> void *memcpy(void *dest, const void *src, size_t len)
> > > >>> {
> > > >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_);
> > > >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_);
> > > >>> + if (report_enabled() &&
> > > >>
> > > >> report_enabled() checks seems to be useless.
> > > >>
> > > >
> > > > Hi Andrey,
> > > >
> > > > If it doesn't have report_enable(), then it will have below the error.
> > > > We think it should be x86 shadow memory is invalid value before KASAN
> > > > initialized, it will have some misjudgments to do directly return when
> > > > it detects invalid shadow value in memset()/memcpy()/memmove(). So we
> > > > add report_enable() to avoid this happening. but we should only use the
> > > > condition "current->kasan_depth == 0" to determine if KASAN is
> > > > initialized. And we try it is pass at x86.
> > > >
> > >
> > > Ok, I see. It just means that check_memory_region() return incorrect result in early stages of boot.
> > > So, the right way to deal with this would be making kasan_report() to return bool ("false" if no report and "true" if reported)
> > > and propagate this return value up to check_memory_region().
> > >
> > This changes in v4.
> >
> > >
> > > >>> diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c
> > > >>> index 36c645939bc9..52a92c7db697 100644
> > > >>> --- a/mm/kasan/generic_report.c
> > > >>> +++ b/mm/kasan/generic_report.c
> > > >>> @@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info)
> > > >>>
> > > >>> const char *get_bug_type(struct kasan_access_info *info)
> > > >>> {
> > > >>> + /*
> > > >>> + * If access_size is negative numbers, then it has three reasons
> > > >>> + * to be defined as heap-out-of-bounds bug type.
> > > >>> + * 1) Casting negative numbers to size_t would indeed turn up as
> > > >>> + * a large size_t and its value will be larger than ULONG_MAX/2,
> > > >>> + * so that this can qualify as out-of-bounds.
> > > >>> + * 2) If KASAN has new bug type and user-space passes negative size,
> > > >>> + * then there are duplicate reports. So don't produce new bug type
> > > >>> + * in order to prevent duplicate reports by some systems
> > > >>> + * (e.g. syzbot) to report the same bug twice.
> > > >>> + * 3) When size is negative numbers, it may be passed from user-space.
> > > >>> + * So we always print heap-out-of-bounds in order to prevent that
> > > >>> + * kernel-space and user-space have the same bug but have duplicate
> > > >>> + * reports.
> > > >>> + */
> > > >>
> > > >> Completely fail to understand 2) and 3). 2) talks something about *NOT* producing new bug
> > > >> type, but at the same time you code actually does that.
> > > >> 3) says something about user-space which have nothing to do with kasan.
> > > >>
> > > > about 2)
> > > > We originally think the heap-out-of-bounds is similar to
> > > > heap-buffer-overflow, maybe we should change the bug type to
> > > > heap-buffer-overflow.
> > >
> > > There is no "heap-buffer-overflow".
> > >
> > If I remember correctly, "heap-buffer-overflow" is one of existing bug
> > type in user-space? Or you want to expect to see an existing bug type in
> > kernel space?
>
> Existing bug in KASAN.
> KASAN and ASAN bugs will never match regardless of what we do. They
> are simply in completely different code. So aligning titles between
> kernel and userspace will not lead to any better deduplication.
Ok, it seems like to print "out-of-bounds". Simple and easy to know it.
Thanks Dmitry.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-11-11 10:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-04 2:05 [PATCH v3 1/2] kasan: detect negative size in memory operation function Walter Wu
2019-11-08 22:31 ` Andrey Ryabinin
2019-11-11 7:14 ` Walter Wu
2019-11-11 9:29 ` Andrey Ryabinin
2019-11-11 10:12 ` Walter Wu
2019-11-11 10:17 ` Dmitry Vyukov
2019-11-11 10:28 ` Walter Wu [this message]
2019-11-11 7:57 ` Dmitry Vyukov
2019-11-11 8:24 ` Andrey Ryabinin
-- strict thread matches above, loose matches on Subject: below --
2019-10-24 8:57 Walter Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1573468113.20611.61.camel@mtksdccf07 \
--to=walter-zh.wu@mediatek.com \
--cc=aryabinin@virtuozzo.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matthias.bgg@gmail.com \
--cc=wsd_upstream@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).