From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-23.2 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 322E6C433EF for ; Mon, 13 Sep 2021 06:00:32 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id B253F60F9B for ; Mon, 13 Sep 2021 06:00:31 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org B253F60F9B Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id EB21A6B0071; Mon, 13 Sep 2021 02:00:30 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id E8942900002; Mon, 13 Sep 2021 02:00:30 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D292C6B0073; Mon, 13 Sep 2021 02:00:30 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0194.hostedemail.com [216.40.44.194]) by kanga.kvack.org (Postfix) with ESMTP id BF4AC6B0071 for ; Mon, 13 Sep 2021 02:00:30 -0400 (EDT) Received: from smtpin39.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 53CF68249980 for ; Mon, 13 Sep 2021 06:00:30 +0000 (UTC) X-FDA: 78581500620.39.15F6255 Received: from mail-oo1-f51.google.com (mail-oo1-f51.google.com [209.85.161.51]) by imf01.hostedemail.com (Postfix) with ESMTP id 11FF95057CFC for ; Mon, 13 Sep 2021 06:00:29 +0000 (UTC) Received: by mail-oo1-f51.google.com with SMTP id b5-20020a4ac285000000b0029038344c3dso3012865ooq.8 for ; Sun, 12 Sep 2021 23:00:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zh0o1hNAQto+hPxH78P4O6r2SY4CvcJZmUkV8Exmb48=; b=CmXLtCiS4cE+TEedkYYnAMkIHOgLNrpdsOsjtinifTp95Yj0Y5sdTx7d4MddlDrhUZ DqwTZfP8ubCexfCOCS9/uETUVcW6ahAFlq9mynzvtRR28F0+gbWhhMlV0XeHFfEY0Bp3 Zvdo92qGy1UHHXDccCfC/9RcSLbpMPcoJYXYtrrChM3Y5h4iSAaP9jun+Kz7L0FVk7tE FXFQutPh+ywr9ZhPWSRunulHG9dHPThkN52yxCi5etpS5kEKeEzLRELg9aZnCr1nnL72 hjEDLe3G6gBcPB/XORC8w55ccuJji7h7XPuO6EgaEtYmjoKQUQ/tts5pXIieq5Ph7a8o 8R2g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zh0o1hNAQto+hPxH78P4O6r2SY4CvcJZmUkV8Exmb48=; b=C6rR759+j1E8FSK3z99Byvdzoa9iPWTansKzQXv0TVLbnO/x+zmZy2kWuNfonTCsFs zRWgAlabQRRrnh2r16TpN3Ygr/7IYLj0FLEh8WIIX2bM4iTLSsxR+8J1CbCSuHF4eLT9 nsa5LHbu5xHa5dBXy1ZeYrC2XMMYBa4EhBY+S6eaR19MatBFXiyb3FAS8FWR3mZyF/Ml xehUwWJDjoR3dlIeHOVX4q8X6b4dsyS1ug1u/PbXJfTSRax5mphLfJsivzDIDfrCP3H4 yzn5XYQwfE0hIMMdBnfT17FKjsX1PP7H1bL8m5VW4yqC+ZH9MOepvYYyVw4mhscy7X5y Vo6g== X-Gm-Message-State: AOAM5305jXLGLUxepltK0qN+tvDGFlWdHenVtcDsl2c2Dxovn72K5qds hnw6dXdYnEZ6HufBz8yPOITN5X7RL0gzr94TNBePPw== X-Google-Smtp-Source: ABdhPJwDv/j1riToqPLq0cMcGBu5azEYz0aIk0gfw6MJPNnjHVtyKDnImnPcfqOiGqzicG/yLdYtKVtaqoYbAhA9d/U= X-Received: by 2002:a4a:1e46:: with SMTP id 67mr7892422ooq.38.1631512829064; Sun, 12 Sep 2021 23:00:29 -0700 (PDT) MIME-Version: 1.0 References: <20210910211356.3603758-1-pcc@google.com> In-Reply-To: From: Marco Elver Date: Mon, 13 Sep 2021 08:00:00 +0200 Message-ID: Subject: Re: [PATCH v2] kasan: test: add memcpy test that avoids out-of-bounds write To: Andrey Konovalov Cc: Peter Collingbourne , Robin Murphy , Will Deacon , Catalin Marinas , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" X-Stat-Signature: wmeruwwi87x84s1hhurir5n5hxw8yaxn Authentication-Results: imf01.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=CmXLtCiS; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf01.hostedemail.com: domain of elver@google.com designates 209.85.161.51 as permitted sender) smtp.mailfrom=elver@google.com X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 11FF95057CFC X-HE-Tag: 1631512829-243322 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, 10 Sept 2021 at 23:17, Andrey Konovalov wrote: > > On Fri, Sep 10, 2021 at 11:14 PM Peter Collingbourne wrote: > > > > With HW tag-based KASAN, error checks are performed implicitly by the > > load and store instructions in the memcpy implementation. A failed check > > results in tag checks being disabled and execution will keep going. As a > > result, under HW tag-based KASAN, prior to commit 1b0668be62cf ("kasan: > > test: disable kmalloc_memmove_invalid_size for HW_TAGS"), this memcpy > > would end up corrupting memory until it hits an inaccessible page and > > causes a kernel panic. > > > > This is a pre-existing issue that was revealed by commit 285133040e6c > > ("arm64: Import latest memcpy()/memmove() implementation") which changed > > the memcpy implementation from using signed comparisons (incorrectly, > > resulting in the memcpy being terminated early for negative sizes) > > to using unsigned comparisons. > > > > It is unclear how this could be handled by memcpy itself in a reasonable > > way. One possibility would be to add an exception handler that would force > > memcpy to return if a tag check fault is detected -- this would make the > > behavior roughly similar to generic and SW tag-based KASAN. However, > > this wouldn't solve the problem for asynchronous mode and also makes > > memcpy behavior inconsistent with manually copying data. > > > > This test was added as a part of a series that taught KASAN to detect > > negative sizes in memory operations, see commit 8cceeff48f23 ("kasan: > > detect negative size in memory operation function"). Therefore we > > should keep testing for negative sizes with generic and SW tag-based > > KASAN. But there is some value in testing small memcpy overflows, so > > let's add another test with memcpy that does not destabilize the kernel > > by performing out-of-bounds writes, and run it in all modes. > > > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > > Signed-off-by: Peter Collingbourne > > --- > > lib/test_kasan.c | 18 +++++++++++++++++- > > 1 file changed, 17 insertions(+), 1 deletion(-) > > > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > > index 8835e0784578..aa8e42250219 100644 > > --- a/lib/test_kasan.c > > +++ b/lib/test_kasan.c > > @@ -493,7 +493,7 @@ static void kmalloc_oob_in_memset(struct kunit *test) > > kfree(ptr); > > } > > > > -static void kmalloc_memmove_invalid_size(struct kunit *test) > > +static void kmalloc_memmove_negative_size(struct kunit *test) > > { > > char *ptr; > > size_t size = 64; > > @@ -515,6 +515,21 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > > kfree(ptr); > > } > > > > +static void kmalloc_memmove_invalid_size(struct kunit *test) > > +{ > > + char *ptr; > > + size_t size = 64; > > + volatile size_t invalid_size = size; > > + > > + ptr = kmalloc(size, GFP_KERNEL); > > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > + > > + memset((char *)ptr, 0, 64); > > + KUNIT_EXPECT_KASAN_FAIL(test, > > + memmove((char *)ptr, (char *)ptr + 4, invalid_size)); > > + kfree(ptr); > > +} > > + > > static void kmalloc_uaf(struct kunit *test) > > { > > char *ptr; > > @@ -1129,6 +1144,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { > > KUNIT_CASE(kmalloc_oob_memset_4), > > KUNIT_CASE(kmalloc_oob_memset_8), > > KUNIT_CASE(kmalloc_oob_memset_16), > > + KUNIT_CASE(kmalloc_memmove_negative_size), > > KUNIT_CASE(kmalloc_memmove_invalid_size), > > KUNIT_CASE(kmalloc_uaf), > > KUNIT_CASE(kmalloc_uaf_memset), > > -- > > 2.33.0.309.g3052b89438-goog > > > > Reviewed-by: Andrey Konovalov Acked-by: Marco Elver Do you intend this patch to go through the arm64 or mm tree? > Thanks!