From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=FaIs=O2=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BAC15C433F5
	for <linux-mm@archiver.kernel.org>; Wed,  6 Oct 2021 03:06:23 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 659476120D
	for <linux-mm@archiver.kernel.org>; Wed,  6 Oct 2021 03:06:23 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 659476120D
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=chromium.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id 053826B006C; Tue,  5 Oct 2021 23:06:23 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id F1DB26B0071; Tue,  5 Oct 2021 23:06:22 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id DBE51940007; Tue,  5 Oct 2021 23:06:22 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0143.hostedemail.com [216.40.44.143])
	by kanga.kvack.org (Postfix) with ESMTP id C9C776B006C
	for <linux-mm@kvack.org>; Tue,  5 Oct 2021 23:06:22 -0400 (EDT)
Received: from smtpin09.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 8E7A31802E8A2
	for <linux-mm@kvack.org>; Wed,  6 Oct 2021 03:06:22 +0000 (UTC)
X-FDA: 78664524204.09.DB9D1E4
Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172])
	by imf27.hostedemail.com (Postfix) with ESMTP id 482E570148CC
	for <linux-mm@kvack.org>; Wed,  6 Oct 2021 03:06:22 +0000 (UTC)
Received: by mail-pl1-f172.google.com with SMTP id y5so769922pll.3
        for <linux-mm@kvack.org>; Tue, 05 Oct 2021 20:06:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=h/B2/4lvsg/CGVwkkVTPAzFHikkG/kMza4mFfWJz56M=;
        b=RoIQ370OysL/Vat32I9DE1b65g2D9zD1Su7VuAiStesPYk8mNSoeyahvzP3MVGUf35
         9s7no6dpO/dT6vVvpKpHp23xb2HwN3BPV7urynVsqosllSY4TX1f72huqIqUzBWz2fVr
         g7bKg+U3G3fU6Z7TcAByj7Ma+/ydevcwWBjUU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=h/B2/4lvsg/CGVwkkVTPAzFHikkG/kMza4mFfWJz56M=;
        b=2gcSOUvDs/nuy9c1hl9N+c96UZCxRrENL5cPHgJrVE3hQJoSVnYTgST1PvDF8jIdQi
         +km6DPCVdMayRU9gkACDbOedfDT40uTco791i9AG51P6KORgcmboaYLzjnp0rmZe8GSr
         FzHsv6Co1/MZj6z6DTX9SlYQrxvw8aMwuodZ9fdbR2O5NtoksAagbsDFnuzdA7eDiOtE
         bIKUhWceFZMRsO5FdElabW0pZfGPlxDrktnMp3HuA8qlSnsHczbxVipmWXd0qOQJwv15
         +WINanzwRWwX35eh0E2jL12EbsEA5Sli0VozTaXeeCRSe7ftPpGT+Q8bSHOO21DsDoMJ
         T7rw==
X-Gm-Message-State: AOAM530xumgngtYww6VXOAKDPg0Bf6s5q7/bBlQAwYkntwusCqAOpTEW
	v28JfpAj6Qte1RO24VxokSUDLg==
X-Google-Smtp-Source: ABdhPJxd3GTDs3AmQw6NUx7I6g3wW7HHJ1LFAkBIXJF6Fjyx/chs9vINb4JfHNqKo3KcWB3kTVCVCw==
X-Received: by 2002:a17:90a:6405:: with SMTP id g5mr7951706pjj.71.1633489581366;
        Tue, 05 Oct 2021 20:06:21 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id y8sm19333896pfe.217.2021.10.05.20.06.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 05 Oct 2021 20:06:21 -0700 (PDT)
Date: Tue, 5 Oct 2021 20:06:20 -0700
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Christoph Lameter <cl@linux.com>, Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Andy Whitcroft <apw@canonical.com>, Dennis Zhou <dennis@kernel.org>,
	Dwaipayan Ray <dwaipayanray1@gmail.com>,
	Joe Perches <joe@perches.com>,
	Lukas Bulwahn <lukas.bulwahn@gmail.com>,
	Miguel Ojeda <ojeda@kernel.org>,
	Nathan Chancellor <nathan@kernel.org>, Tejun Heo <tj@kernel.org>,
	Daniel Micay <danielmicay@gmail.com>,
	Nick Desaulniers <ndesaulniers@google.com>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Michal Marek <michal.lkml@markovi.net>,
	clang-built-linux@googlegroups.com, linux-mm@kvack.org,
	linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org,
	linux-hardening@vger.kernel.org
Subject: Re: [PATCH v3 4/8] slab: Add __alloc_size attributes for better
 bounds checking
Message-ID: <202110052002.34E998B@keescook>
References: <20210930222704.2631604-1-keescook@chromium.org>
 <20210930222704.2631604-5-keescook@chromium.org>
 <20211005184717.65c6d8eb39350395e387b71f@linux-foundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20211005184717.65c6d8eb39350395e387b71f@linux-foundation.org>
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 482E570148CC
X-Stat-Signature: 7rmti5x51whxtqbn8rncyxbe9j8iexrn
Authentication-Results: imf27.hostedemail.com;
	dkim=pass header.d=chromium.org header.s=google header.b=RoIQ370O;
	spf=pass (imf27.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.172 as permitted sender) smtp.mailfrom=keescook@chromium.org;
	dmarc=pass (policy=none) header.from=chromium.org
X-HE-Tag: 1633489582-326626
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, Oct 05, 2021 at 06:47:17PM -0700, Andrew Morton wrote:
> On Thu, 30 Sep 2021 15:27:00 -0700 Kees Cook <keescook@chromium.org> wrote:
> 
> > As already done in GrapheneOS, add the __alloc_size attribute for regular
> > kmalloc interfaces, to provide additional hinting for better bounds
> > checking, assisting CONFIG_FORTIFY_SOURCE and other compiler
> > optimizations.
> 
> x86_64 allmodconfig:

What compiler and version?

> 
> In file included from ./arch/x86/include/asm/preempt.h:7,
>                  from ./include/linux/preempt.h:78,
>                  from ./include/linux/spinlock.h:55,
>                  from ./include/linux/mmzone.h:8,
>                  from ./include/linux/gfp.h:6,
>                  from ./include/linux/mm.h:10,
>                  from ./include/linux/mman.h:5,
>                  from lib/test_kasan_module.c:10:
> In function 'check_copy_size',
>     inlined from 'copy_user_test' at ./include/linux/uaccess.h:191:6:
> ./include/linux/thread_info.h:213:4: error: call to '__bad_copy_to' declared with attribute error: copy destination size is too small
>   213 |    __bad_copy_to();
>       |    ^~~~~~~~~~~~~~~
> In function 'check_copy_size',
>     inlined from 'copy_user_test' at ./include/linux/uaccess.h:199:6:
> ./include/linux/thread_info.h:211:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
>   211 |    __bad_copy_from();
>       |    ^~~~~~~~~~~~~~~~~
> make[1]: *** [lib/test_kasan_module.o] Error 1
> make: *** [lib] Error 2

Hah, yes, it caught an intentionally bad copy. This may bypass the
check, as I've had to do in LKDTM before. I will test...

diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c
index 7ebf433edef3..9fb2fb2937da 100644
--- a/lib/test_kasan_module.c
+++ b/lib/test_kasan_module.c
@@ -19,7 +19,12 @@ static noinline void __init copy_user_test(void)
 {
 	char *kmem;
 	char __user *usermem;
-	size_t size = 128 - KASAN_GRANULE_SIZE;
+	/*
+	 * This is marked volatile to avoid __alloc_size()
+	 * noticing the intentionally out-of-bounds copys
+	 * being done on the allocation.
+	 */
+	volatile size_t size = 128 - KASAN_GRANULE_SIZE;
 	int __maybe_unused unused;
 
 	kmem = kmalloc(size, GFP_KERNEL);

-- 
Kees Cook