From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id A11A7C4167B for ; Sun, 27 Nov 2022 00:55:17 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 946E56B0072; Sat, 26 Nov 2022 19:55:16 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 8D06A6B0073; Sat, 26 Nov 2022 19:55:16 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 749076B0074; Sat, 26 Nov 2022 19:55:16 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 5FB3E6B0072 for ; Sat, 26 Nov 2022 19:55:16 -0500 (EST) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 22F9F804C0 for ; Sun, 27 Nov 2022 00:55:16 +0000 (UTC) X-FDA: 80177403432.13.A7ADEE4 Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by imf17.hostedemail.com (Postfix) with ESMTP id AEC0940002 for ; Sun, 27 Nov 2022 00:55:14 +0000 (UTC) Received: by mail-pl1-f170.google.com with SMTP id b21so7068760plc.9 for ; Sat, 26 Nov 2022 16:55:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=TX4xrszZ73TLZMRLzOtqL582Nxzu/yrD4HfU99RN3oNyKJ3LN7xrw8jELReSbxqhLc R/C7r8S9aPqKc4mLuSphopRGYkMrGuyaFEcLH/zLG1Hk4AFsHw4lyXNzjxdq7PJlWlq4 yj9ajMuSinkA7YHL44VSc/tZ4f6Vzmd5LKE6I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=7YuE4LhmA1mXwUTB3oyCtYINSCff1mXyQqndFoyjJ3KcCMgkgMAzvIBsmFA0Y7DGAu C7Q0CY3+GuyoCFrq/pYa8IInEgY3S2i2Zm1jGtbQvCmAcHvMXtF1LARaysrByVI/kQKa TNrIwROXsTTwvWfXYfCoL5GK4xT5Tl6TS2SZqFSofxRMYL/jHnMeGr8YFrA2EJsJHNMo c3ZM+vmPmPDX0NEOQOsMV5gMzbiPefVJirjtSvTecCAS96LP96Md2VEy9Ne8mygDKBKB LWigtrfJ5L1FNZZpsBvXM1unLaQ+J9WTCGq607Va+JAesXXb7oXlDtkos2R/VqgkTQWN nb+A== X-Gm-Message-State: ANoB5plguJigmm/gGA3StFVvWTthqyQVRKVZxiIfobx0nQXnXWaec5bn /h+C6c/X7kOgAW1cydECnCYV0A== X-Google-Smtp-Source: AA0mqf7wp2FIhD0FntRgJT1eFEiJKsh2svj3J2IIiX3PvH1BlpkEYBccuTfOAsKeGGUK2B8MQFqdGA== X-Received: by 2002:a17:903:1ce:b0:186:a2ef:7a69 with SMTP id e14-20020a17090301ce00b00186a2ef7a69mr25665561plh.77.1669510513461; Sat, 26 Nov 2022 16:55:13 -0800 (PST) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 70-20020a621749000000b0056da073b2b7sm5250323pfx.210.2022.11.26.16.55.12 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 26 Nov 2022 16:55:12 -0800 (PST) Date: Sat, 26 Nov 2022 16:55:11 -0800 From: Kees Cook To: Andrey Konovalov Cc: Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Andrew Morton , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Andrey Ryabinin , Alexander Potapenko , Dmitry Vyukov , Vincenzo Frascino , linux-mm@kvack.org, kasan-dev@googlegroups.com, Vlastimil Babka , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH v2] mm: Make ksize() a reporting-only function Message-ID: <202211261654.5F276B51B@keescook> References: <20221118035656.gonna.698-kees@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1669510514; a=rsa-sha256; cv=none; b=AfT8uVFofLD19hV6kQ5JkrOw36nJaogq5wYRpV88iN8upSHI+TUWbXmw6/RNuk6uQNUS2g szq5SNqDBc1s7M8CxAXEJjrpstrbXS93+euFXH7YhA854E7RvtPQIq0+Dncuvk8DZj/Wf1 NqyPjJ7DkELrg10DZCvvLiJaWc7Si8k= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=TX4xrszZ; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf17.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.170 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1669510514; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=FsLJX0InAbt1kTuvXLVor2ZX32CfM2qEUmM/5HpvT0k=; b=KRUQdyQAFP8pP16SswrtKGrJfKC+j0vRqEMnWTu/2On2n8Ly2YyzymPzGGDi1zixOe3hSW Acw576wgPN/S7pJgpm7qMFQ49rgrMCl7q+a+UffbwXrerRuzVovQy8PYwnx1oOcQKRcM7M YI28CUMId6X5+dKzYTRQgN1VtMXW160= X-Rspamd-Queue-Id: AEC0940002 X-Stat-Signature: ixuwuanzu3em7qihypx8c7qt1fg6r8hr X-Rspam-User: Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=TX4xrszZ; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf17.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.170 as permitted sender) smtp.mailfrom=keescook@chromium.org X-Rspamd-Server: rspam09 X-HE-Tag: 1669510514-732141 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sat, Nov 26, 2022 at 06:04:39PM +0100, Andrey Konovalov wrote: > On Fri, Nov 18, 2022 at 4:57 AM Kees Cook wrote: > > > > With all "silently resizing" callers of ksize() refactored, remove the > > logic in ksize() that would allow it to be used to effectively change > > the size of an allocation (bypassing __alloc_size hints, etc). Users > > wanting this feature need to either use kmalloc_size_roundup() before an > > allocation, or use krealloc() directly. > > > > For kfree_sensitive(), move the unpoisoning logic inline. Replace the > > some of the partially open-coded ksize() in __do_krealloc with ksize() > > now that it doesn't perform unpoisoning. > > > > Adjust the KUnit tests to match the new ksize() behavior. > > > > Cc: Andrey Konovalov > > Cc: Christoph Lameter > > Cc: Pekka Enberg > > Cc: David Rientjes > > Cc: Joonsoo Kim > > Cc: Andrew Morton > > Cc: Roman Gushchin > > Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com> > > Cc: Andrey Ryabinin > > Cc: Alexander Potapenko > > Cc: Dmitry Vyukov > > Cc: Vincenzo Frascino > > Cc: linux-mm@kvack.org > > Cc: kasan-dev@googlegroups.com > > Acked-by: Vlastimil Babka > > Signed-off-by: Kees Cook > > --- > > v2: > > - improve kunit test precision (andreyknvl) > > - add Ack (vbabka) > > v1: https://lore.kernel.org/all/20221022180455.never.023-kees@kernel.org > > --- > > mm/kasan/kasan_test.c | 14 +++++++++----- > > mm/slab_common.c | 26 ++++++++++---------------- > > 2 files changed, 19 insertions(+), 21 deletions(-) > > > > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c > > index 7502f03c807c..fc4b22916587 100644 > > --- a/mm/kasan/kasan_test.c > > +++ b/mm/kasan/kasan_test.c > > @@ -821,7 +821,7 @@ static void kasan_global_oob_left(struct kunit *test) > > KUNIT_EXPECT_KASAN_FAIL(test, *(volatile char *)p); > > } > > > > -/* Check that ksize() makes the whole object accessible. */ > > +/* Check that ksize() does NOT unpoison whole object. */ > > static void ksize_unpoisons_memory(struct kunit *test) > > { > > char *ptr; > > @@ -829,15 +829,19 @@ static void ksize_unpoisons_memory(struct kunit *test) > > > > ptr = kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > + > > real_size = ksize(ptr); > > + KUNIT_EXPECT_GT(test, real_size, size); > > > > OPTIMIZER_HIDE_VAR(ptr); > > > > - /* This access shouldn't trigger a KASAN report. */ > > - ptr[size] = 'x'; > > + /* These accesses shouldn't trigger a KASAN report. */ > > + ptr[0] = 'x'; > > + ptr[size - 1] = 'x'; > > > > - /* This one must. */ > > - KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size]); > > + /* These must trigger a KASAN report. */ > > + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[size]); > > + KUNIT_EXPECT_KASAN_FAIL(test, ((volatile char *)ptr)[real_size - 1]); > > Hi Kees, > > I just realized there's an issue here with the tag-based modes, as > they align the unpoisoned area to 16 bytes. > > One solution would be to change the allocation size to 128 - > KASAN_GRANULE_SIZE - 5, the same way kmalloc_oob_right test does it, > so that the last 16-byte granule won't get unpoisoned for the > tag-based modes. And then check that the ptr[size] access fails only > for the Generic mode. Ah! Good point. Are you able to send a patch? I suspect you know exactly what to change; it might take me a bit longer to double-check all of those details. -Kees -- Kees Cook