From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18C49CF9C69 for ; Fri, 20 Sep 2024 22:26:45 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7EE6E6B0085; Fri, 20 Sep 2024 18:26:44 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 79B716B0089; Fri, 20 Sep 2024 18:26:44 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 63CFE6B008A; Fri, 20 Sep 2024 18:26:44 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 4350A6B0085 for ; Fri, 20 Sep 2024 18:26:44 -0400 (EDT) Received: from smtpin03.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id AAF6B160686 for ; Fri, 20 Sep 2024 22:26:43 +0000 (UTC) X-FDA: 82586552286.03.DAF6763 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by imf03.hostedemail.com (Postfix) with ESMTP id D626D20019 for ; Fri, 20 Sep 2024 22:26:41 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=e4SDlavI; spf=pass (imf03.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.128.51 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1726871086; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=6ne01jFW0K4x6QCPtZYjHKYV4ojmW2zokGbfexor1Lk=; b=Y5RfSPHCuAkJ/A5qVOCtDBhOeU+jd5Ry0nCwSufgv3zgL5iKE5xolzA11t23q94wz+jM7g umY9LaZY6loFj95s/idx8SYDyGhoa67v4PwnOu0PzuekFTFC0mwG83VFRmlHGhs4WrCX2g 1B5NAPmFBDQxeztSsA3nH8ss/JDtJKE= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1726871086; a=rsa-sha256; cv=none; b=mCPOUVvj+mrAvmQ1o8brbWpcVQTU8nlnJRIhk9ew/8AZAiqHpSt3WHBP5OTMgVyqXSOgyY 96wyLkQTJLXoAPMyX/8Y/6rWNK6UZyo5Hg/bZIlOg0fZKTTJQngf6YDFSUVEuNt0MWvImk YSfvKK/BBDaHzSiZll+uaz30Q+qu3Us= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=e4SDlavI; spf=pass (imf03.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.128.51 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-42cafda818aso22807365e9.2 for ; Fri, 20 Sep 2024 15:26:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726871200; x=1727476000; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=6ne01jFW0K4x6QCPtZYjHKYV4ojmW2zokGbfexor1Lk=; b=e4SDlavIzMWg4XLc3TsucsHK9U22FbiAFuZP2xHaNp23LFT+LbwcScVHNRymCTeh5L gqJubSHn8R4Ct6JFYITqkZeV8JWa9vp8P6cqEIHPjBxAZfqhnaupxr33OhxFE7nvJVDA d/IPUEXFL368dYGuLMpblNQGHEkeQRKvqL0HND6rDOaYYK+VJgRcGvlJHY/b7dXx+Zgq bXA+dkp0uRbvN6hm4jLWJ1h++2p3MbxA5MMzdUJ2gcbDaU3CG7R9n1X4eX872mfoJ25H 1ue6Rqzsrl3DNpp+j+ZY0FL2cu0HSLm5D6zKOTRCioEwgiWk8OAmJBadxaFEsNdRMcIX MW5A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726871200; x=1727476000; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6ne01jFW0K4x6QCPtZYjHKYV4ojmW2zokGbfexor1Lk=; b=R91CYqyueoMj5rhNB0xgBrJAwMkK+fIEKZ2n78FF6PbArSKcr6Cwtuzvbv6WcVjghB IY9eZjAjVPPcuQaK5cRllru/a3f/EXvzdPyzg+UxHqMLDQwJISMoSCBHdwnvy3YiPJpK pgiSBKZ65kYuYaItwFl45f6YGSPFSfTWEtA9FPuig9tv7y4h/AOjYgU9DIjolqc0zX8/ zUqiPM+BZoUESeOXyAEYd0NilIkJwR+KHWKMPDqM2dEsH8gHMSlaSM/4qcUQk5g14OHq vRoDUnC5PHnGLefodg2S2YghJocHVmA/QHu3qLka1eW75VuLiWE8LgNoOEX8vkTWUqfR INCw== X-Forwarded-Encrypted: i=1; AJvYcCX9sCzJoWJpr6ntMu/h9bJmN1x0eMtid2YOjHKf8xY0us9HFnZ0eMgpyMj6MZwKGSez7kobu+XOkA==@kvack.org X-Gm-Message-State: AOJu0YxX2QP3w3qKNVEXRQQ72q/QkgUIj4damlE5NzsMF1tYxxnDkwvR 1VXKKqomHoL7BLVRUtaLW8VwbNh+TRY/rFz6/4dPUZFXRDVurn0dXwUbn+pfuvYfLOm5SzI/u41 W5bKeodCQXOC0KPTSpzcTZXPJEnE= X-Google-Smtp-Source: AGHT+IGElvKgczn6kPm0WwE0PeEKj1lfNfAGYM3aS2UkIKa5wrYRbxGC0QHQBO9/w60FVQ0/Y1gdWbsOGy0QRBm+W9A= X-Received: by 2002:a05:600c:1c87:b0:42c:af2a:dcf4 with SMTP id 5b1f17b1804b1-42e7c1a3283mr24646825e9.27.1726871200155; Fri, 20 Sep 2024 15:26:40 -0700 (PDT) MIME-Version: 1.0 References: <20240919105750.901303-1-snovitoll@gmail.com> In-Reply-To: <20240919105750.901303-1-snovitoll@gmail.com> From: Andrey Konovalov Date: Sat, 21 Sep 2024 00:26:28 +0200 Message-ID: Subject: Re: [PATCH v3] mm: x86: instrument __get/__put_kernel_nofault To: Sabyrzhan Tasbolatov Cc: akpm@linux-foundation.org, bp@alien8.de, brauner@kernel.org, dave.hansen@linux.intel.com, dhowells@redhat.com, dvyukov@google.com, glider@google.com, hpa@zytor.com, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, ryabinin.a.a@gmail.com, tglx@linutronix.de, vincenzo.frascino@arm.com, x86@kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Stat-Signature: ozra8u74bwh8hskjqkk91h1qh1cpeukf X-Rspamd-Queue-Id: D626D20019 X-Rspam-User: X-Rspamd-Server: rspam08 X-HE-Tag: 1726871201-527623 X-HE-Meta: U2FsdGVkX1+Q0/ayg6zzeXF85kS9IqwY3voGNfdU1Kb7QZ/1zTXQbiv9pJntgOonOyqC0PE1xsMvlaL/fzkOY5dcegy0/KmKoYOofirBsbDfNV1KpZvAuRf6H7YwPiU03P2GnHXs/STZCawo0vCn6GNYe0Ck89FTg5h7BmhHYqz3GrbTZhB/La4hlp+bfB0GW1zV3ZdwbQH9+nZ+easYB6yHon0F2V8DzbwM8Aktxkcg+J5G2OVZwUJWG+GDp5IAyhcvoDxL1puMgCx7jietaVVbkiGoaTUiz3f0Ddaym+owzXvDm53RIWgVp0BzZ+hd/T0op/YwFa8o8l+qvkqTUAoTVgxrfsUpOUHey1gEFmA59Shl1LOS4EB3GFDN2u5WbIz7iwot8RNPbXztz8aFya2sIInDgTtFFtY8nXZdGYmT0s3TcXTeTwBETtCEI0AIrt2AoTD4ypJQjuXNhcZgZShmx2K6JF5XhG8WxNCoIObhbO8bdXbJSRlr+JYiYOdarZMYNeqCOX9hP0E7mxpzMlquCRAgjsz9pFcx7WB3C/rlqCVBPfTHToDeoX7tDGJzwFba0Rg1UaNHX+1iNMmEIBKagMPqw+Ezs66DK27X30P3SKQ300LN/zToOlhntMYy2ZFsu7v2YntcHPq0WwDsDCQTZCpg8Z+DBbhnWVK1Icqedpyc1dR7SoYd74+vJsqdzWiasHW7MtMMKqQ2T4t1h2LLBY6wf3Tj5nWjwCgF7F5l8FPMHr0BNxqxID/bHi/RYsQ8pvM/fCSyzxmu5nbT/W009QLrKpqDR7N4zWLksNcnLA+Q51er9vFXWUJBTFttg0x2UBro57GKnhzB8tONfwIwLLgplPy/OC/6bf/aCb3lE7A4oQYvUwsp3pVbL9xMxp89ZCSQogXqCuk3wD525lycJormUSlxHeB+tjfhWeJqtx1gTAtzxw66odd79eScLQRMvXI9yf0xxlRjMSD P5P7XIHM +E58IEi5o7I+puCFN5s+zlp0SXw9EJe6cIqr4DiO1wHf34GoRzbpRQkOYZnQABBF7lFNb9oIbu/PN3stCZBTFnTxJCvUbibzeup1eHoHuzCXVv/WAx2PPvFl9AomMgvhT+FZ3IGCWpxtXIP5TTN7jzFp/Nsg/bEoc7WwHytgE2WIgutSKPvCVzVnPUFrD0yxqK9rIhkHOwZV+hGCVoDpI/jbbaapsexmXPcmhaQF/7YuyjIYKp70HnlmZjGZm9ArkMpch5fDibfQ1T/uc0TLaSTyAACLNtGIAnujB7r1sSdppehgm1A2k/bBPcMFG+UuKs/YlGKUdTFkvN3MWlug+ZVDLelE41RoFg86wrLRU1dlFt5jc8Gco5JPb6D2j5LBibeu6gjZsjlBTvPrmaPLew4D3/b05T0O1P4srU9yGs2HIlemSkDYNFkfebIU6fvUsj7peeRkbbCVlwL7oO4EJlFF7iR94ERqjl4kQ2C86HhFG3+A= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Sep 19, 2024 at 12:57=E2=80=AFPM Sabyrzhan Tasbolatov wrote: > > On Wed, Sep 18, 2024 at 8:15=E2=80=AFPM Andrey Konovalov wrote: > > You still have the same problem here. > > > > What I meant is: > > > > char *ptr; > > char buf[128 - KASAN_GRANULE_SIZE]; > > size_t size =3D sizeof(buf); > > > > ptr =3D kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > > > KUNIT_EXPECT_KASAN_FAIL(...); > > ... > > > > kfree(ptr); > > Thanks for catching this! I've turned kunit test into OOB instead of UAF. > --- > v3: changed kunit test from UAF to OOB case and git commit message. > --- > Instrument copy_from_kernel_nofault(), copy_to_kernel_nofault(), > strncpy_from_kernel_nofault() where __put_kernel_nofault, __get_kernel_no= fault > macros are used. > > __get_kernel_nofault needs instrument_memcpy_before() which handles > KASAN, KCSAN checks for src, dst address, whereas for __put_kernel_nofaul= t > macro, instrument_write() check should be enough as it's validated via > kmsan_copy_to_user() in instrument_put_user(). > > __get_user_size was appended with instrument_get_user() for KMSAN check i= n > commit 888f84a6da4d("x86: asm: instrument usercopy in get_user() and > put_user()") but only for CONFIG_CC_HAS_ASM_GOTO_OUTPUT. > > copy_from_to_kernel_nofault_oob() kunit test triggers 4 KASAN OOB bug rep= orts > as expected for each copy_from/to_kernel_nofault call. "as expected for each" =3D> "as expected, one for each" > > Reported-by: Andrey Konovalov > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D210505 > Signed-off-by: Sabyrzhan Tasbolatov > --- > arch/x86/include/asm/uaccess.h | 4 ++++ > mm/kasan/kasan_test.c | 21 +++++++++++++++++++++ > 2 files changed, 25 insertions(+) > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uacces= s.h > index 3a7755c1a441..87fb59071e8c 100644 > --- a/arch/x86/include/asm/uaccess.h > +++ b/arch/x86/include/asm/uaccess.h > @@ -353,6 +353,7 @@ do { = \ > default: \ > (x) =3D __get_user_bad(); = \ > } \ > + instrument_get_user(x); \ > } while (0) > > #define __get_user_asm(x, addr, err, itype) \ > @@ -620,6 +621,7 @@ do { = \ > > #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT > #define __get_kernel_nofault(dst, src, type, err_label) = \ > + instrument_memcpy_before(dst, src, sizeof(type)); \ > __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ > sizeof(type), err_label) > #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT > @@ -627,6 +629,7 @@ do { = \ > do { \ > int __kr_err; \ > \ > + instrument_memcpy_before(dst, src, sizeof(type)); \ > __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ > sizeof(type), __kr_err); \ > if (unlikely(__kr_err)) \ > @@ -635,6 +638,7 @@ do { = \ > #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT > > #define __put_kernel_nofault(dst, src, type, err_label) = \ > + instrument_write(dst, sizeof(type)); \ > __put_user_size(*((type *)(src)), (__force type __user *)(dst), \ > sizeof(type), err_label) > > diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c > index 7b32be2a3cf0..d13f1a514750 100644 > --- a/mm/kasan/kasan_test.c > +++ b/mm/kasan/kasan_test.c > @@ -1899,6 +1899,26 @@ static void match_all_mem_tag(struct kunit *test) > kfree(ptr); > } > > +static void copy_from_to_kernel_nofault_oob(struct kunit *test) > +{ > + char *ptr; > + char buf[128]; > + size_t size =3D sizeof(buf); > + > + ptr =3D kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL); > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > + > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_from_kernel_nofault(&buf[0], ptr, size)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_from_kernel_nofault(ptr, &buf[0], size)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_to_kernel_nofault(&buf[0], ptr, size)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_to_kernel_nofault(ptr, &buf[0], size)); > + kfree(ptr); > +} > + > static struct kunit_case kasan_kunit_test_cases[] =3D { > KUNIT_CASE(kmalloc_oob_right), > KUNIT_CASE(kmalloc_oob_left), > @@ -1971,6 +1991,7 @@ static struct kunit_case kasan_kunit_test_cases[] = =3D { > KUNIT_CASE(match_all_not_assigned), > KUNIT_CASE(match_all_ptr_tag), > KUNIT_CASE(match_all_mem_tag), > + KUNIT_CASE(copy_from_to_kernel_nofault_oob), > {} > }; The test looks good to me now. But you need to send the patch as a standalone email, without combining it with the response to my comment. Thanks!