From: Sabyrzhan Tasbolatov
To: elver@google.com, ryabinin.a.a@gmail.com, glider@google.com, andreyknvl@gmail.com, dvyukov@google.com, akpm@linux-foundation.org
Cc: vincenzo.frascino@arm.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, Sabyrzhan Tasbolatov , syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com
Subject: [PATCH] mm, kmsan: instrument copy_from_kernel_nofault
Date: Sat, 5 Oct 2024 14:23:16 +0500
Message-Id: <20241005092316.2471810-1-snovitoll@gmail.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

syzbot reported that the bpf_probe_read_kernel() kernel helper triggered a KASAN report via kasan_check_range(), which is not the expected behaviour, as copy_from_kernel_nofault() is meant to be a non-faulting helper.

The solution, suggested by Marco Elver, is to replace the KASAN and KCSAN checks in copy_from_kernel_nofault() with KMSAN detection of copying uninitialized kernel memory. In copy_to_kernel_nofault() we can retain instrument_write() for the memory corruption instrumentation, but place it before pagefault_disable().

Added a KMSAN kunit test, modified the KASAN kunit tests, and tested on x86_64.

This is part of a patch series attempting to properly address the bugzilla issue.
Link: https://lore.kernel.org/linux-mm/CANpmjNMAVFzqnCZhEity9cjiqQ9CVN1X7qeeeAp_6yKjwKo8iw@mail.gmail.com/ Suggested-by: Marco Elver Reported-by: syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=61123a5daeb9f7454599 Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505 Signed-off-by: Sabyrzhan Tasbolatov --- mm/kasan/kasan_test_c.c | 8 ++------ mm/kmsan/kmsan_test.c | 17 +++++++++++++++++ mm/maccess.c | 5 +++-- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c index 0a226ab032d..5cff90f831d 100644 --- a/mm/kasan/kasan_test_c.c +++ b/mm/kasan/kasan_test_c.c @@ -1954,7 +1954,7 @@ static void rust_uaf(struct kunit *test) KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); } -static void copy_from_to_kernel_nofault_oob(struct kunit *test) +static void copy_to_kernel_nofault_oob(struct kunit *test) { char *ptr; char buf[128]; @@ -1973,10 +1973,6 @@ static void copy_from_to_kernel_nofault_oob(struct kunit *test) KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL); } - KUNIT_EXPECT_KASAN_FAIL(test, - copy_from_kernel_nofault(&buf[0], ptr, size)); - KUNIT_EXPECT_KASAN_FAIL(test, - copy_from_kernel_nofault(ptr, &buf[0], size)); KUNIT_EXPECT_KASAN_FAIL(test, copy_to_kernel_nofault(&buf[0], ptr, size)); KUNIT_EXPECT_KASAN_FAIL(test, @@ -2057,7 +2053,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(match_all_not_assigned), KUNIT_CASE(match_all_ptr_tag), KUNIT_CASE(match_all_mem_tag), - KUNIT_CASE(copy_from_to_kernel_nofault_oob), + KUNIT_CASE(copy_to_kernel_nofault_oob), KUNIT_CASE(rust_uaf), {} }; diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c index 13236d579eb..9733a22c46c 100644 --- a/mm/kmsan/kmsan_test.c +++ b/mm/kmsan/kmsan_test.c 
@@ -640,6 +640,22 @@ static void test_unpoison_memory(struct kunit *test) KUNIT_EXPECT_TRUE(test, report_matches(&expect)); } +static void test_copy_from_kernel_nofault(struct kunit *test) +{ + long ret; + char buf[4], src[4]; + size_t size = sizeof(buf); + + EXPECTATION_UNINIT_VALUE_FN(expect, "copy_from_kernel_nofault"); + kunit_info( + test, + "testing copy_from_kernel_nofault with uninitialized memory\n"); + + ret = copy_from_kernel_nofault((char *)&buf[0], (char *)&src[0], size); + USE(ret); + KUNIT_EXPECT_TRUE(test, report_matches(&expect)); +} + static struct kunit_case kmsan_test_cases[] = { KUNIT_CASE(test_uninit_kmalloc), KUNIT_CASE(test_init_kmalloc), @@ -664,6 +680,7 @@ static struct kunit_case kmsan_test_cases[] = { KUNIT_CASE(test_long_origin_chain), KUNIT_CASE(test_stackdepot_roundtrip), KUNIT_CASE(test_unpoison_memory), + KUNIT_CASE(test_copy_from_kernel_nofault), {}, }; diff --git a/mm/maccess.c b/mm/maccess.c index f752f0c0fa3..a91a39a56cf 100644 --- a/mm/maccess.c +++ b/mm/maccess.c @@ -31,8 +31,9 @@ long copy_from_kernel_nofault(void *dst, const void *src, size_t size) if (!copy_from_kernel_nofault_allowed(src, size)) return -ERANGE; + /* Make sure uninitialized kernel memory isn't copied. */ + kmsan_check_memory(src, size); pagefault_disable(); - instrument_read(src, size); if (!(align & 7)) copy_from_kernel_nofault_loop(dst, src, size, u64, Efault); if (!(align & 3)) @@ -63,8 +64,8 @@ long copy_to_kernel_nofault(void *dst, const void *src, size_t size) if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) align = (unsigned long)dst | (unsigned long)src; - pagefault_disable(); instrument_write(dst, size); + pagefault_disable(); if (!(align & 7)) copy_to_kernel_nofault_loop(dst, src, size, u64, Efault); if (!(align & 3)) -- 2.34.1
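Review bot: Dropping both copy_from_kernel_nofault() expectations in the @@ -1973 hunk of mm/kasan/kasan_test_c.c also removes the case `copy_from_kernel_nofault(ptr, &buf[0], size)`, where the out-of-bounds pointer is the destination rather than the source the commit message discusses. If the store to dst inside copy_from_kernel_nofault() is still expected to be caught by KASAN, keep that one expectation; otherwise state in the commit message that the OOB-destination case is intentionally no longer covered, since the renamed copy_to_kernel_nofault_oob() now only exercises copy_to_kernel_nofault().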
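Review bot: In test_copy_from_kernel_nofault() (the @@ -640 hunk of mm/kmsan/kmsan_test.c) the uninitialized source is the automatic array `char src[4]`, so the expected report depends on the compiler leaving stack storage uninitialized; a build with stack auto-initialization enabled would make this test fail for a reason unrelated to the change. Consider allocating `src` with kmalloc() (without __GFP_ZERO) as the uninitialized source, or add a comment stating the assumption next to the declaration.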
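Review bot: The comment added in the @@ -31 hunk of mm/maccess.c, `/* Make sure uninitialized kernel memory isn't copied. */`, overstates what the line below it does: kmsan_check_memory(src, size) only reports uninitialized bytes, the copy still proceeds. Something like `/* Report reads of uninitialized kernel memory (KMSAN). */` matches the behaviour. Since the removed `instrument_read(src, size)` was the only KASAN/KCSAN coverage of the source range here, the comment could also say that KASAN is intentionally not consulted in this non-faulting accessor, which is the trade-off the commit message describes.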
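Review bot: Moving instrument_write(dst, size) ahead of pagefault_disable() in the @@ -63 hunk of mm/maccess.c matches the commit message, but a one-line comment on why it now sits outside the pagefault-disabled region (so a KASAN report on dst is raised before faults are disabled) would help the next reader, given that copy_from_kernel_nofault() and copy_to_kernel_nofault() now handle instrumentation differently.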