From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B383CC43331 for ; Mon, 11 Nov 2019 09:30:34 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 60D7C2075C for ; Mon, 11 Nov 2019 09:30:34 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 60D7C2075C Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=virtuozzo.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id BCCFD6B0005; Mon, 11 Nov 2019 04:30:33 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id B7DC16B0006; Mon, 11 Nov 2019 04:30:33 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A93256B0007; Mon, 11 Nov 2019 04:30:33 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0227.hostedemail.com [216.40.44.227]) by kanga.kvack.org (Postfix) with ESMTP id 94FE46B0005 for ; Mon, 11 Nov 2019 04:30:33 -0500 (EST) Received: from smtpin03.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with SMTP id 66478180AD820 for ; Mon, 11 Nov 2019 09:30:33 +0000 (UTC) X-FDA: 76143476346.03.print77_5c12e445ea027 X-HE-Tag: print77_5c12e445ea027 X-Filterd-Recvd-Size: 6001 Received: from relay.sw.ru (relay.sw.ru [185.231.240.75]) by imf50.hostedemail.com (Postfix) with ESMTP for ; Mon, 11 Nov 2019 09:30:32 +0000 (UTC) Received: from dhcp-172-16-25-5.sw.ru ([172.16.25.5]) by relay.sw.ru with esmtp (Exim 4.92.3) (envelope-from ) id 1iU61K-0001Yc-OX; Mon, 11 Nov 2019 12:30:02 +0300 Subject: Re: [PATCH v3 1/2] kasan: detect negative size in memory operation function To: Walter Wu Cc: Alexander Potapenko , Dmitry Vyukov , Matthias Brugger , kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, wsd_upstream References: <20191104020519.27988-1-walter-zh.wu@mediatek.com> <34bf9c08-d2f2-a6c6-1dbe-29b1456d8284@virtuozzo.com> <1573456464.20611.45.camel@mtksdccf07> From: Andrey Ryabinin Message-ID: <757f0296-7fa0-0e5e-8490-3eca52da41ad@virtuozzo.com> Date: Mon, 11 Nov 2019 12:29:51 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0 MIME-Version: 1.0 In-Reply-To: <1573456464.20611.45.camel@mtksdccf07> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 11/11/19 10:14 AM, Walter Wu wrote: > On Sat, 2019-11-09 at 01:31 +0300, Andrey Ryabinin wrote: >> >> On 11/4/19 5:05 AM, Walter Wu wrote: >> >>> >>> diff --git a/mm/kasan/common.c b/mm/kasan/common.c >>> index 6814d6d6a023..4ff67e2fd2db 100644 >>> --- a/mm/kasan/common.c >>> +++ b/mm/kasan/common.c >>> @@ -99,10 +99,14 @@ bool __kasan_check_write(const volatile void *p, unsigned int size) >>> } >>> EXPORT_SYMBOL(__kasan_check_write); >>> >>> +extern bool report_enabled(void); >>> + >>> #undef memset >>> void *memset(void *addr, int c, size_t len) >>> { >>> - check_memory_region((unsigned long)addr, len, true, _RET_IP_); >>> + if (report_enabled() && >>> + !check_memory_region((unsigned long)addr, len, true, _RET_IP_)) >>> + return NULL; >>> >>> return __memset(addr, c, len); >>> } >>> @@ -110,8 +114,10 @@ void *memset(void *addr, int c, size_t len) >>> #undef memmove >>> void *memmove(void *dest, const void *src, size_t len) >>> { >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_); >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_); >>> + if (report_enabled() && >>> + (!check_memory_region((unsigned long)src, len, false, _RET_IP_) || >>> + !check_memory_region((unsigned long)dest, len, true, _RET_IP_))) >>> + return NULL; >>> >>> return __memmove(dest, src, len); >>> } >>> @@ -119,8 +125,10 @@ void *memmove(void *dest, const void *src, size_t len) >>> #undef memcpy >>> void *memcpy(void *dest, const void *src, size_t len) >>> { >>> - check_memory_region((unsigned long)src, len, false, _RET_IP_); >>> - check_memory_region((unsigned long)dest, len, true, _RET_IP_); >>> + if (report_enabled() && >> >> report_enabled() checks seems to be useless. >> > > Hi Andrey, > > If it doesn't have report_enable(), then it will have below the error. > We think it should be x86 shadow memory is invalid value before KASAN > initialized, it will have some misjudgments to do directly return when > it detects invalid shadow value in memset()/memcpy()/memmove(). So we > add report_enable() to avoid this happening. but we should only use the > condition "current->kasan_depth == 0" to determine if KASAN is > initialized. And we try it is pass at x86. > Ok, I see. It just means that check_memory_region() return incorrect result in early stages of boot. So, the right way to deal with this would be making kasan_report() to return bool ("false" if no report and "true" if reported) and propagate this return value up to check_memory_region(). >>> diff --git a/mm/kasan/generic_report.c b/mm/kasan/generic_report.c >>> index 36c645939bc9..52a92c7db697 100644 >>> --- a/mm/kasan/generic_report.c >>> +++ b/mm/kasan/generic_report.c >>> @@ -107,6 +107,24 @@ static const char *get_wild_bug_type(struct kasan_access_info *info) >>> >>> const char *get_bug_type(struct kasan_access_info *info) >>> { >>> + /* >>> + * If access_size is negative numbers, then it has three reasons >>> + * to be defined as heap-out-of-bounds bug type. >>> + * 1) Casting negative numbers to size_t would indeed turn up as >>> + * a large size_t and its value will be larger than ULONG_MAX/2, >>> + * so that this can qualify as out-of-bounds. >>> + * 2) If KASAN has new bug type and user-space passes negative size, >>> + * then there are duplicate reports. So don't produce new bug type >>> + * in order to prevent duplicate reports by some systems >>> + * (e.g. syzbot) to report the same bug twice. >>> + * 3) When size is negative numbers, it may be passed from user-space. >>> + * So we always print heap-out-of-bounds in order to prevent that >>> + * kernel-space and user-space have the same bug but have duplicate >>> + * reports. >>> + */ >> >> Completely fail to understand 2) and 3). 2) talks something about *NOT* producing new bug >> type, but at the same time you code actually does that. >> 3) says something about user-space which have nothing to do with kasan. >> > about 2) > We originally think the heap-out-of-bounds is similar to > heap-buffer-overflow, maybe we should change the bug type to > heap-buffer-overflow. There is no "heap-buffer-overflow". > > about 3) > Our idea is just to always print "heap-out-of-bounds" and don't > differentiate if the size come from user-space or not. Still doesn't make sence to me. KASAN doesn't differentiate if the size coming from user-space or not. It simply doesn't have any way of knowing from where is the size coming from.