From: Dmitry Vyukov <dvyukov@google.com>
To: Daniel Axtens <dja@axtens.net>
Cc: linux-s390 <linux-s390@vger.kernel.org>,
linux-xtensa@linux-xtensa.org,
the arch/x86 maintainers <x86@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
kasan-dev <kasan-dev@googlegroups.com>,
Linux-MM <linux-mm@kvack.org>,
Daniel Micay <danielmicay@gmail.com>,
Alexander Potapenko <glider@google.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 1/2] kasan: stop tests being eliminated as dead code with FORTIFY_SOURCE
Date: Wed, 15 Jan 2020 15:43:12 +0100 [thread overview]
Message-ID: <CACT4Y+bAuaeHOcTHqp-=ckOb58fRajpGYk4khNzpS7_OyBDQYQ@mail.gmail.com> (raw)
In-Reply-To: <20200115063710.15796-2-dja@axtens.net>
On Wed, Jan 15, 2020 at 7:37 AM Daniel Axtens <dja@axtens.net> wrote:
>
> 3 KASAN self-tests fail on a kernel with both KASAN and FORTIFY_SOURCE:
> memchr, memcmp and strlen.
>
> When FORTIFY_SOURCE is on, a number of functions are replaced with
> fortified versions, which attempt to check the sizes of the operands.
> However, these functions often directly invoke __builtin_foo() once they
> have performed the fortify check. The compiler can detect that the results
> of these functions are not used, and knows that they have no other side
> effects, and so can eliminate them as dead code.
>
> Why are only memchr, memcmp and strlen affected?
> ================================================
>
> Of string and string-like functions, kasan_test tests:
>
> * strchr -> not affected, no fortified version
> * strrchr -> likewise
> * strcmp -> likewise
> * strncmp -> likewise
>
> * strnlen -> not affected, the fortify source implementation calls the
> underlying strnlen implementation which is instrumented, not
> a builtin
>
> * strlen -> affected, the fortify souce implementation calls a __builtin
> version which the compiler can determine is dead.
>
> * memchr -> likewise
> * memcmp -> likewise
>
> * memset -> not affected, the compiler knows that memset writes to its
> first argument and therefore is not dead.
>
> Why does this not affect the functions normally?
> ================================================
>
> In string.h, these functions are not marked as __pure, so the compiler
> cannot know that they do not have side effects. If relevant functions are
> marked as __pure in string.h, we see the following warnings and the
> functions are elided:
>
> lib/test_kasan.c: In function ‘kasan_memchr’:
> lib/test_kasan.c:606:2: warning: statement with no effect [-Wunused-value]
> memchr(ptr, '1', size + 1);
> ^~~~~~~~~~~~~~~~~~~~~~~~~~
> lib/test_kasan.c: In function ‘kasan_memcmp’:
> lib/test_kasan.c:622:2: warning: statement with no effect [-Wunused-value]
> memcmp(ptr, arr, size+1);
> ^~~~~~~~~~~~~~~~~~~~~~~~
> lib/test_kasan.c: In function ‘kasan_strings’:
> lib/test_kasan.c:645:2: warning: statement with no effect [-Wunused-value]
> strchr(ptr, '1');
> ^~~~~~~~~~~~~~~~
> ...
>
> This annotation would make sense to add and could be added at any point, so
> the behaviour of test_kasan.c should change.
>
> The fix
> =======
>
> Make all the functions that are pure write their results to a global,
> which makes them live. The strlen and memchr tests now pass.
>
> The memcmp test still fails to trigger, which is addressed in the next
> patch.
>
> Cc: Daniel Micay <danielmicay@gmail.com>
> Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
> Cc: Alexander Potapenko <glider@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Fixes: 0c96350a2d2f ("lib/test_kasan.c: add tests for several string/memory API functions")
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> ---
> lib/test_kasan.c | 30 +++++++++++++++++++-----------
> 1 file changed, 19 insertions(+), 11 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index 328d33beae36..58a8cef0d7a2 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -23,6 +23,14 @@
>
> #include <asm/page.h>
>
> +/*
> + * We assign some test results to these globals to make sure the tests
> + * are not eliminated as dead code.
> + */
> +
> +int int_result;
> +void *ptr_result;
These are globals, but are not static and don't have kasan_ prefix.
But I guess this does not matter for modules?
Otherwise:
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
> +
> /*
> * Note: test functions are marked noinline so that their names appear in
> * reports.
> @@ -603,7 +611,7 @@ static noinline void __init kasan_memchr(void)
> if (!ptr)
> return;
>
> - memchr(ptr, '1', size + 1);
> + ptr_result = memchr(ptr, '1', size + 1);
> kfree(ptr);
> }
>
> @@ -618,8 +626,7 @@ static noinline void __init kasan_memcmp(void)
> if (!ptr)
> return;
>
> - memset(arr, 0, sizeof(arr));
> - memcmp(ptr, arr, size+1);
> + int_result = memcmp(ptr, arr, size + 1);
> kfree(ptr);
> }
>
> @@ -642,22 +649,22 @@ static noinline void __init kasan_strings(void)
> * will likely point to zeroed byte.
> */
> ptr += 16;
> - strchr(ptr, '1');
> + ptr_result = strchr(ptr, '1');
>
> pr_info("use-after-free in strrchr\n");
> - strrchr(ptr, '1');
> + ptr_result = strrchr(ptr, '1');
>
> pr_info("use-after-free in strcmp\n");
> - strcmp(ptr, "2");
> + int_result = strcmp(ptr, "2");
>
> pr_info("use-after-free in strncmp\n");
> - strncmp(ptr, "2", 1);
> + int_result = strncmp(ptr, "2", 1);
>
> pr_info("use-after-free in strlen\n");
> - strlen(ptr);
> + int_result = strlen(ptr);
>
> pr_info("use-after-free in strnlen\n");
> - strnlen(ptr, 1);
> + int_result = strnlen(ptr, 1);
> }
>
> static noinline void __init kasan_bitops(void)
> @@ -724,11 +731,12 @@ static noinline void __init kasan_bitops(void)
> __test_and_change_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
>
> pr_info("out-of-bounds in test_bit\n");
> - (void)test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
> + int_result = test_bit(BITS_PER_LONG + BITS_PER_BYTE, bits);
>
> #if defined(clear_bit_unlock_is_negative_byte)
> pr_info("out-of-bounds in clear_bit_unlock_is_negative_byte\n");
> - clear_bit_unlock_is_negative_byte(BITS_PER_LONG + BITS_PER_BYTE, bits);
> + int_result = clear_bit_unlock_is_negative_byte(BITS_PER_LONG +
> + BITS_PER_BYTE, bits);
> #endif
> kfree(bits);
> }
> --
> 2.20.1
>
next prev parent reply other threads:[~2020-01-15 14:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-15 6:37 [PATCH 0/2] Fix some incompatibilites between KASAN and FORTIFY_SOURCE Daniel Axtens
2020-01-15 6:37 ` [PATCH 1/2] kasan: stop tests being eliminated as dead code with FORTIFY_SOURCE Daniel Axtens
2020-01-15 14:43 ` Dmitry Vyukov [this message]
2020-01-15 14:47 ` Christophe Leroy
2020-01-15 14:57 ` Dmitry Vyukov
2020-01-16 5:34 ` Daniel Axtens
2020-01-15 6:37 ` [PATCH 2/2] string.h: fix incompatibility between FORTIFY_SOURCE and KASAN Daniel Axtens
2020-01-15 14:56 ` Dmitry Vyukov
2020-01-16 4:59 ` Daniel Axtens
2020-01-16 5:47 ` Dmitry Vyukov
2020-01-16 23:52 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACT4Y+bAuaeHOcTHqp-=ckOb58fRajpGYk4khNzpS7_OyBDQYQ@mail.gmail.com' \
--to=dvyukov@google.com \
--cc=aryabinin@virtuozzo.com \
--cc=danielmicay@gmail.com \
--cc=dja@axtens.net \
--cc=glider@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-xtensa@linux-xtensa.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).