From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=Ij3b=OD=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-23.2 required=3.0 tests=BAYES_00,DKIMWL_WL_MED,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,
	URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 52B3CC433F5
	for <linux-mm@archiver.kernel.org>; Mon, 13 Sep 2021 18:20:03 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 0C80260F9F
	for <linux-mm@archiver.kernel.org>; Mon, 13 Sep 2021 18:20:02 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 0C80260F9F
Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 8A1DD6B006C; Mon, 13 Sep 2021 14:20:02 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 82C206B0071; Mon, 13 Sep 2021 14:20:02 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 6A5A9900002; Mon, 13 Sep 2021 14:20:02 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0153.hostedemail.com [216.40.44.153])
	by kanga.kvack.org (Postfix) with ESMTP id 581AA6B006C
	for <linux-mm@kvack.org>; Mon, 13 Sep 2021 14:20:02 -0400 (EDT)
Received: from smtpin15.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay02.hostedemail.com (Postfix) with ESMTP id A95CD1AB79
	for <linux-mm@kvack.org>; Mon, 13 Sep 2021 18:20:01 +0000 (UTC)
X-FDA: 78583364202.15.611B541
Received: from mail-io1-f45.google.com (mail-io1-f45.google.com [209.85.166.45])
	by imf23.hostedemail.com (Postfix) with ESMTP id 5E9AD9000093
	for <linux-mm@kvack.org>; Mon, 13 Sep 2021 18:20:01 +0000 (UTC)
Received: by mail-io1-f45.google.com with SMTP id g9so13361013ioq.11
        for <linux-mm@kvack.org>; Mon, 13 Sep 2021 11:20:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=x15OdEkA8VgPYNPGVxplNs9jrrfzcYBHGvSjLYCuZo4=;
        b=gYf7b1BY0yuQBPIhsQ1ixZ/DdWhrg+YCaUOnrRZqFbLBKYbGfTuRcPWnOUlkTBLxP+
         dMfODcGteNyVcaqhKQxzAoE9BZ+FdhIL0YmmaWR9rDQXgifjrcQFsKTD6lXg5Aks7T/+
         Z/HmHecDBKk1f/Y6z4PIHvqM1C9+V8jdYuDPWe1D/RKydm4oBWA0ADyT2rzidenIYEfZ
         /0I0V1TtCZLR+7ucz/q8oI+b1dMPvIAAUOadGhSez6T8g2LQS9/rTqkZCpvJQKaDAx2R
         lZXr4bmevfJ+7l5kB/3ERssK1FKpg5xk8jtlAjSs8AClX459e27xKro0asZM3ZBAr0Mf
         Do7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=x15OdEkA8VgPYNPGVxplNs9jrrfzcYBHGvSjLYCuZo4=;
        b=P+yqnj/SlVqtKM9VAI0PxxX27dHRH48A/G4uKhfJ8qCGFEsgAacnOpvHbcxey+jYeN
         SvgOLgYN5Emj7jrZWXVaTo66YLSxAeoPPHnseL5WyrQ+Lnbp5rCFQsFWNZs6GAJm35Ci
         Al1yoVcRXk50J9AaFwTzJfVUgp1d/osjduKE1S+cna6gnL6RdK2ZlE/BHfQLkl+7oyBp
         gflzKr8+NtZyyKZdpNvKJFj6n8t5XhC8bURQnewyo9Ax5H8wGVu9tnlKB1T4z1H2qn/v
         aruVL1teD2R/y0Sjrxf3XMNdC+uyuGEge/NNOT7v8m7m8mrwV5Wzxt025Pv3P+/Zo/iu
         gSvA==
X-Gm-Message-State: AOAM531MuHoq4LinyQZjby6la74qAvx7SxIftoLLL57x8xgqvNnGGeIn
	c19CbdTfypmiPTKpwzg87UioVRJoz+EUuu6srXEw2Q==
X-Google-Smtp-Source: ABdhPJyUkaMhviB/TMKBpPGVecFmgW+dYT8OzasZsL/WKtL8cQ6FWbveZ5ORAzbKIQTIpG93lLOBcJIdHPFXwfwyfFs=
X-Received: by 2002:a02:958e:: with SMTP id b14mr10996639jai.123.1631557200604;
 Mon, 13 Sep 2021 11:20:00 -0700 (PDT)
MIME-Version: 1.0
References: <20210910211356.3603758-1-pcc@google.com> <CA+fCnZcGg7bsX-7DXcrrggfDe-wJiMsieNQSVB39iZPXBmeP7A@mail.gmail.com>
 <CANpmjNNYBLFGh-JkKs7rtmbsK2BeB=jBrtuXneNpanMVnuL-YA@mail.gmail.com>
In-Reply-To: <CANpmjNNYBLFGh-JkKs7rtmbsK2BeB=jBrtuXneNpanMVnuL-YA@mail.gmail.com>
From: Peter Collingbourne <pcc@google.com>
Date: Mon, 13 Sep 2021 11:19:49 -0700
Message-ID: <CAMn1gO6OheYNs49oMHF_UH2x-iABM0jQMYCExvAEmXUuRGRuDA@mail.gmail.com>
Subject: Re: [PATCH v2] kasan: test: add memcpy test that avoids out-of-bounds write
To: Marco Elver <elver@google.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>, Robin Murphy <robin.murphy@arm.com>, 
	Will Deacon <will@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>, 
	Mark Rutland <mark.rutland@arm.com>, Evgenii Stepanov <eugenis@google.com>, 
	Alexander Potapenko <glider@google.com>, Linux ARM <linux-arm-kernel@lists.infradead.org>, 
	Linux Memory Management List <linux-mm@kvack.org>, Andrew Morton <akpm@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 5E9AD9000093
X-Stat-Signature: jtfz86gg1w1xppxhwmjsqbnxce3pjdzd
Authentication-Results: imf23.hostedemail.com;
	dkim=pass header.d=google.com header.s=20210112 header.b=gYf7b1BY;
	spf=pass (imf23.hostedemail.com: domain of pcc@google.com designates 209.85.166.45 as permitted sender) smtp.mailfrom=pcc@google.com;
	dmarc=pass (policy=reject) header.from=google.com
X-HE-Tag: 1631557201-228402
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Sun, Sep 12, 2021 at 11:00 PM Marco Elver <elver@google.com> wrote:
>
> On Fri, 10 Sept 2021 at 23:17, Andrey Konovalov <andreyknvl@gmail.com> wrote:
> >
> > On Fri, Sep 10, 2021 at 11:14 PM Peter Collingbourne <pcc@google.com> wrote:
> > >
> > > With HW tag-based KASAN, error checks are performed implicitly by the
> > > load and store instructions in the memcpy implementation.  A failed check
> > > results in tag checks being disabled and execution will keep going. As a
> > > result, under HW tag-based KASAN, prior to commit 1b0668be62cf ("kasan:
> > > test: disable kmalloc_memmove_invalid_size for HW_TAGS"), this memcpy
> > > would end up corrupting memory until it hits an inaccessible page and
> > > causes a kernel panic.
> > >
> > > This is a pre-existing issue that was revealed by commit 285133040e6c
> > > ("arm64: Import latest memcpy()/memmove() implementation") which changed
> > > the memcpy implementation from using signed comparisons (incorrectly,
> > > resulting in the memcpy being terminated early for negative sizes)
> > > to using unsigned comparisons.
> > >
> > > It is unclear how this could be handled by memcpy itself in a reasonable
> > > way. One possibility would be to add an exception handler that would force
> > > memcpy to return if a tag check fault is detected -- this would make the
> > > behavior roughly similar to generic and SW tag-based KASAN. However,
> > > this wouldn't solve the problem for asynchronous mode and also makes
> > > memcpy behavior inconsistent with manually copying data.
> > >
> > > This test was added as a part of a series that taught KASAN to detect
> > > negative sizes in memory operations, see commit 8cceeff48f23 ("kasan:
> > > detect negative size in memory operation function"). Therefore we
> > > should keep testing for negative sizes with generic and SW tag-based
> > > KASAN. But there is some value in testing small memcpy overflows, so
> > > let's add another test with memcpy that does not destabilize the kernel
> > > by performing out-of-bounds writes, and run it in all modes.
> > >
> > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882
> > > Signed-off-by: Peter Collingbourne <pcc@google.com>
> > > ---
> > >  lib/test_kasan.c | 18 +++++++++++++++++-
> > >  1 file changed, 17 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> > > index 8835e0784578..aa8e42250219 100644
> > > --- a/lib/test_kasan.c
> > > +++ b/lib/test_kasan.c
> > > @@ -493,7 +493,7 @@ static void kmalloc_oob_in_memset(struct kunit *test)
> > >         kfree(ptr);
> > >  }
> > >
> > > -static void kmalloc_memmove_invalid_size(struct kunit *test)
> > > +static void kmalloc_memmove_negative_size(struct kunit *test)
> > >  {
> > >         char *ptr;
> > >         size_t size = 64;
> > > @@ -515,6 +515,21 @@ static void kmalloc_memmove_invalid_size(struct kunit *test)
> > >         kfree(ptr);
> > >  }
> > >
> > > +static void kmalloc_memmove_invalid_size(struct kunit *test)
> > > +{
> > > +       char *ptr;
> > > +       size_t size = 64;
> > > +       volatile size_t invalid_size = size;
> > > +
> > > +       ptr = kmalloc(size, GFP_KERNEL);
> > > +       KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
> > > +
> > > +       memset((char *)ptr, 0, 64);
> > > +       KUNIT_EXPECT_KASAN_FAIL(test,
> > > +               memmove((char *)ptr, (char *)ptr + 4, invalid_size));
> > > +       kfree(ptr);
> > > +}
> > > +
> > >  static void kmalloc_uaf(struct kunit *test)
> > >  {
> > >         char *ptr;
> > > @@ -1129,6 +1144,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> > >         KUNIT_CASE(kmalloc_oob_memset_4),
> > >         KUNIT_CASE(kmalloc_oob_memset_8),
> > >         KUNIT_CASE(kmalloc_oob_memset_16),
> > > +       KUNIT_CASE(kmalloc_memmove_negative_size),
> > >         KUNIT_CASE(kmalloc_memmove_invalid_size),
> > >         KUNIT_CASE(kmalloc_uaf),
> > >         KUNIT_CASE(kmalloc_uaf_memset),
> > > --
> > > 2.33.0.309.g3052b89438-goog
> > >
> >
> > Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
>
> Acked-by: Marco Elver <elver@google.com>
>
> Do you intend this patch to go through the arm64 or mm tree?

Let's take it through the mm tree.

Peter