From: Andrey Konovalov
Date: Tue, 20 Aug 2024 21:57:18 +0200
Subject: Re: [PATCH v4 4/4] kasan: rust: Add KASAN smoke test via UAF
To: Matthew Maurer
Cc: ojeda@kernel.org, Andrey Ryabinin, Andrew Morton, Alex Gaynor, Wedson Almeida Filho, dvyukov@google.com, aliceryhl@google.com, samitolvanen@google.com, kasan-dev@googlegroups.com, linux-mm@kvack.org, glider@google.com, Vincenzo Frascino, Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin, Andreas Hindborg, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org

On Tue, Aug 20, 2024 at 9:49 PM Matthew Maurer wrote:
>
> Adds a smoke test to ensure that KASAN in Rust is actually detecting a
> Rust-native UAF. There is significant room to expand this test suite,
> but this will at least ensure that flags are having the intended effect.
>
> The rename from kasan_test.c to kasan_test_c.c is in order to allow the
> single kasan_test.ko test suite to contain both a .o file produced
> by the C compiler and one produced by rustc.
> > Signed-off-by: Matthew Maurer > --- > mm/kasan/Makefile | 7 ++++++- > mm/kasan/kasan.h | 6 ++++++ > mm/kasan/{kasan_test.c =3D> kasan_test_c.c} | 12 ++++++++++++ > mm/kasan/kasan_test_rust.rs | 19 +++++++++++++++++++ > 4 files changed, 43 insertions(+), 1 deletion(-) > rename mm/kasan/{kasan_test.c =3D> kasan_test_c.c} (99%) > create mode 100644 mm/kasan/kasan_test_rust.rs > > diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile > index 7634dd2a6128..13059d9ee13c 100644 > --- a/mm/kasan/Makefile > +++ b/mm/kasan/Makefile > @@ -44,13 +44,18 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX > CFLAGS_KASAN_TEST +=3D -fno-builtin > endif > > -CFLAGS_kasan_test.o :=3D $(CFLAGS_KASAN_TEST) > +CFLAGS_kasan_test_c.o :=3D $(CFLAGS_KASAN_TEST) > +RUSTFLAGS_kasan_test_rust.o :=3D $(RUSTFLAGS_KASAN) > CFLAGS_kasan_test_module.o :=3D $(CFLAGS_KASAN_TEST) > > obj-y :=3D common.o report.o > obj-$(CONFIG_KASAN_GENERIC) +=3D init.o generic.o report_generic.o shado= w.o quarantine.o > obj-$(CONFIG_KASAN_HW_TAGS) +=3D hw_tags.o report_hw_tags.o tags.o repor= t_tags.o > obj-$(CONFIG_KASAN_SW_TAGS) +=3D init.o report_sw_tags.o shadow.o sw_tag= s.o tags.o report_tags.o Nit: empty line here. > +kasan_test-objs :=3D kasan_test_c.o > +ifdef CONFIG_RUST > + kasan_test-objs +=3D kasan_test_rust.o > +endif > > obj-$(CONFIG_KASAN_KUNIT_TEST) +=3D kasan_test.o > obj-$(CONFIG_KASAN_MODULE_TEST) +=3D kasan_test_module.o > diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h > index fb2b9ac0659a..f438a6cdc964 100644 > --- a/mm/kasan/kasan.h > +++ b/mm/kasan/kasan.h > @@ -555,6 +555,12 @@ static inline bool kasan_arch_is_ready(void) {= return true; } > void kasan_kunit_test_suite_start(void); > void kasan_kunit_test_suite_end(void); > > +#ifdef CONFIG_RUST > +char kasan_test_rust_uaf(void); > +#else > +static inline char kasan_test_rust_uaf(void) { return '\0'; } > +#endif > + > #else /* CONFIG_KASAN_KUNIT_TEST */ > > static inline void kasan_kunit_test_suite_start(void) { } 
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c > similarity index 99% > rename from mm/kasan/kasan_test.c > rename to mm/kasan/kasan_test_c.c > index 7b32be2a3cf0..dd3d2a1e3145 100644 > --- a/mm/kasan/kasan_test.c > +++ b/mm/kasan/kasan_test_c.c > @@ -1899,6 +1899,17 @@ static void match_all_mem_tag(struct kunit *test) > kfree(ptr); > } > > +/* > + * Check that Rust performing a use-after-free using `unsafe` is detecte= d. > + * This is a smoke test to make sure that Rust is being sanitized proper= ly. > + */ > +static void rust_uaf(struct kunit *test) > +{ > + KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST); > + KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); > +} > + > + > static struct kunit_case kasan_kunit_test_cases[] =3D { > KUNIT_CASE(kmalloc_oob_right), > KUNIT_CASE(kmalloc_oob_left), > @@ -1971,6 +1982,7 @@ static struct kunit_case kasan_kunit_test_cases[] = =3D { > KUNIT_CASE(match_all_not_assigned), > KUNIT_CASE(match_all_ptr_tag), > KUNIT_CASE(match_all_mem_tag), > + KUNIT_CASE(rust_uaf), > {} > }; > > diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs > new file mode 100644 > index 000000000000..7239303b232c > --- /dev/null > +++ b/mm/kasan/kasan_test_rust.rs > @@ -0,0 +1,19 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +//! Helper crate for KASAN testing > +//! Provides behavior to check the sanitization of Rust code. > +use kernel::prelude::*; > +use core::ptr::addr_of_mut; > + > +/// Trivial UAF - allocate a big vector, grab a pointer partway through, > +/// drop the vector, and touch it. > +#[no_mangle] > +pub extern "C" fn kasan_test_rust_uaf() -> u8 { > + let mut v: Vec =3D Vec::new(); > + for _ in 0..4096 { > + v.push(0x42, GFP_KERNEL).unwrap(); > + } > + let ptr: *mut u8 =3D addr_of_mut!(v[2048]); > + drop(v); > + unsafe { *ptr } > +} > -- > 2.46.0.184.g6999bdac58-goog >
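
Review bot: In the mm/kasan/kasan.h hunk, the prototype `char kasan_test_rust_uaf(void);` does not match the Rust definition in kasan_test_rust.rs, which is declared as `pub extern "C" fn kasan_test_rust_uaf() -> u8`. Declaring the C side as `u8 kasan_test_rust_uaf(void);`, with the `!CONFIG_RUST` stub returning `0`, keeps the two signatures identical without relying on how `char` signedness is configured for the build.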
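
Review bot: In the first mm/kasan/kasan_test_c.c hunk, two empty lines are added after the closing brace of `rust_uaf()`, while the preceding `match_all_mem_tag()` is separated from the new comment by a single one. Drop one of the two so that `static struct kunit_case kasan_kunit_test_cases[]` follows after one blank line.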
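
Review bot: In mm/kasan/kasan_test_rust.rs, the final `unsafe { *ptr }` has no `// SAFETY:` comment, and here the missing justification matters because the dereference is unsound by design. Add a comment directly above the block stating that the read of the freed `v[2048]` slot is an intentional use-after-free for the KASAN check, so that the block is not later mistaken for a bug or "fixed" in a way that silently stops the test from exercising the sanitizer.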