From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF984C433EF for ; Fri, 10 Sep 2021 20:44:25 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 6D981610C7 for ; Fri, 10 Sep 2021 20:44:25 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 6D981610C7 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id DB8CA900002; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D666F6B0072; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C7C1D900002; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0212.hostedemail.com [216.40.44.212]) by kanga.kvack.org (Postfix) with ESMTP id B983E6B0071 for ; Fri, 10 Sep 2021 16:44:24 -0400 (EDT) Received: from smtpin32.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 5FCC639B8A for ; Fri, 10 Sep 2021 20:44:24 +0000 (UTC) X-FDA: 78572841648.32.39E75EF Received: from mail-io1-f53.google.com (mail-io1-f53.google.com [209.85.166.53]) by imf25.hostedemail.com (Postfix) with ESMTP id 267C1B000181 for ; Fri, 10 Sep 2021 20:44:24 +0000 (UTC) Received: by mail-io1-f53.google.com with SMTP id n24so3954992ion.10 for ; Fri, 10 Sep 2021 13:44:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=jT6iJlrKNPrj6bpJJ3lgtpcahwA2kYcxuFn93Fdw7+JlprzyflVRJGOjqlmqNdhxkW yBCcjPVh4Ft8rWmeJENOhW6FoLubU5Yx/MfPl07xq76yH9qi2aSUrSsV1XQYz37iM9bm ZuCH0/U8YIxN2j9loICJ8JUv9YbrOgb0wg/Z/5WE7Ye07J/jb1UIzGa2UngcYZmNaKP+ i7E6RZa8TXNIPpYNngkvmherN9QQAxHgaPWV03ikJbmWKBWr2GTFAKGGCt2VMSzVKtP1 VgLgun60ujQOMXcgzS+/m6zBR8buX8FHTXNogMxfJnMxb3rr2ZEJCJHT0GxvO787t0nF 7Chg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AxFN7akG/FqoYED18aKoZZtGW6jqVqRB8yoZ8Owhw+s=; b=k1rd+8UEVb95jO9+M83/YNdiyd53ztA1OgnYi7jEumxg3Koq5q/59kElGXoOEzaNdh culjpT6PcGYa+EcRE8nO+dcYODmMLttfZTviI8SFzWcLKs+y5YwSF+7GvR14/QhF2ngN o7ZO/FgGEagDujRASrXD+6kQ1fxGsDl+d+LqlFj29mnoHcx3eFUMkRabflwwvjLFZWZp vAn1tDeJGnvFyp4egFnEySJNsYaYR2NQoXv+kmlZh+tMtUeqHxShggH3SMP7lfdxcH+j HUjJpK19oAA1brLlOFMgnWTjvRgnXyYFIGeUA58m9br5QqzW0BkkGulRaU6d3mOpRrpu 6lKQ== X-Gm-Message-State: AOAM531JJ3qA0sEDUE+zjz5qY3XG6nQt8yUzhVX+kMCF1venYerPPnNL YNsSBgPiTa4tZOD14rvpnNWV8wHuuSLCeBNIaKY= X-Google-Smtp-Source: ABdhPJw6vr4O9yXL+hkLwqymc6jt1+9s+InBdS9/Zg8xWq6+SKufrqISPw20VjyuZ/WEpfviIhJjyyujRdzstwN6gKU= X-Received: by 2002:a02:7b24:: with SMTP id q36mr2457457jac.130.1631306663486; Fri, 10 Sep 2021 13:44:23 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: <20210910203152.3549236-1-pcc@google.com> From: Andrey Konovalov Date: Fri, 10 Sep 2021 22:44:12 +0200 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Peter Collingbourne Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 267C1B000181 X-Stat-Signature: m5aei7aukpoq8w8h7y5357sbt351gqc8 Authentication-Results: imf25.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=jT6iJlrK; spf=pass (imf25.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.166.53 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com X-HE-Tag: 1631306664-718525 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > With HW tag-based KASAN, error checks are performed implicitly by the load > and store instructions in the memcpy implementation. A failed check results > in tag checks being disabled and execution will keep going. As a result, > under HW tag-based KASAN, this memcpy would end up corrupting memory until > it hits an inaccessible page and causes a kernel panic. > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > Import latest memcpy()/memmove() implementation") which changed the memcpy > implementation from using signed comparisons (incorrectly, resulting in > the memcpy being terminated early for negative sizes) to using unsigned > comparisons. > > It is unclear how this could be handled by memcpy itself in a reasonable > way. One possibility would be to add an exception handler that would force > memcpy to return if a tag check fault is detected -- this would make the > behavior roughly similar to generic and SW tag-based KASAN. However, this > wouldn't solve the problem for asynchronous mode and also makes memcpy > behavior inconsistent with manually copying data. > > It may be more accurate to consider this a bug in the test: what we really > want to test here is that a memcpy overflow, however small, is caught, and any > further copying after the initial overflow is unnecessary and may affect system > stability. Therefore, adjust the test to pass the allocation size as the memcpy > size, ensuring that the memcpy will not result in an out-of-bounds write. > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > HW_TAGS") disabled this test in HW tags mode, but there is some value in > testing small memcpy overflows, so let's re-enable it with this fix. > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > Signed-off-by: Peter Collingbourne > --- > lib/test_kasan.c | 9 +-------- > 1 file changed, 1 insertion(+), 8 deletions(-) > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > index 8835e0784578..9af51e1f692d 100644 > --- a/lib/test_kasan.c > +++ b/lib/test_kasan.c > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > { > char *ptr; > size_t size = 64; > - volatile size_t invalid_size = -2; > - > - /* > - * Hardware tag-based mode doesn't check memmove for negative size. > - * As a result, this test introduces a side-effect memory corruption, > - * which can result in a crash. > - */ > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > + volatile size_t invalid_size = size; > > ptr = kmalloc(size, GFP_KERNEL); > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > -- > 2.33.0.309.g3052b89438-goog > Hi Peter, This test was added as a part of series that taught KASAN to detect negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect negative size in memory operation function"). So we need to keep it using negative sizes. I think we should rename kmalloc_memmove_invalid_size to kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And add another test named kmalloc_memmove_invalid_size, which does what you did in this patch. Thanks!