From: Andrey Konovalov <andreyknvl@gmail.com>
To: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Cc: tglx@linutronix.de, bp@alien8.de, glider@google.com,
akpm@linux-foundation.org, mingo@redhat.com,
dave.hansen@linux.intel.com, ryabinin.a.a@gmail.com,
x86@kernel.org, hpa@zytor.com, dvyukov@google.com,
vincenzo.frascino@arm.com, brauner@kernel.org,
dhowells@redhat.com, linux-kernel@vger.kernel.org,
kasan-dev@googlegroups.com, linux-mm@kvack.org
Subject: Re: [PATCH] mm: x86: instrument __get/__put_kernel_nofault
Date: Wed, 18 Sep 2024 00:51:11 +0200 [thread overview]
Message-ID: <CA+fCnZeorA7ptz6YY6=KEmJ+Bvo=9MQmUeBvzYNobtNmBM4L-A@mail.gmail.com> (raw)
In-Reply-To: <20240917201817.657490-1-snovitoll@gmail.com>
On Tue, Sep 17, 2024 at 10:18 PM Sabyrzhan Tasbolatov
<snovitoll@gmail.com> wrote:
>
> Instrument copy_from_kernel_nofault(), copy_to_kernel_nofault(),
> strncpy_from_kernel_nofault() where __put_kernel_nofault,
> __get_kernel_nofault macros are used.
>
> Regular instrument_read() and instrument_write() handles KASAN, KCSAN
> checks for the access address, though instrument_memcpy_before() might
> be considered as well for both src and dst address validation.
>
> __get_user_size was appended with instrument_get_user() for KMSAN check in
> commit 888f84a6da4d("x86: asm: instrument usercopy in get_user() and
> put_user()") but only for CONFIG_CC_HAS_ASM_GOTO_OUTPUT.
>
> Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505
> Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Hi Sabyrzhan,
Thanks for working on this!
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test.c
> index 7b32be2a3cf0..f5086c86e0bd 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test.c
> @@ -1899,6 +1899,22 @@ static void match_all_mem_tag(struct kunit *test)
> kfree(ptr);
> }
>
> +static void copy_from_to_kernel_nofault(struct kunit *test)
> +{
> + char *ptr;
> + char buf[16];
> + size_t size = sizeof(buf);
> +
> + ptr = kmalloc(size, GFP_KERNEL);
> + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
> + kfree(ptr);
> +
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_from_kernel_nofault(&buf[0], ptr, size));
> + KUNIT_EXPECT_KASAN_FAIL(test,
> + copy_to_kernel_nofault(ptr, &buf[0], size));
I just realized that the test I wrote in the bug report is not good.
This call will overwrite the object's contents and thus corrupt the
freelist pointer. This might cause crashes in further tests. KASAN
tests try to avoid harmfully corrupting memory to avoid crashes.
I think the easiest fix would be to allocate e.g. 128 -
KASAN_GRANULE_SIZE bytes and do an out-of-bounds up to 128 bytes via
copy_to/from_kernel_nofault. This will only corrupt the in-object
kmalloc redzone, which is not harmful.
Also, I think we need to test all 4 calls that I had in the bug report
to check both arguments of both functions. Not only the 2 you
included.
> +}
Thank you!
next prev parent reply other threads:[~2024-09-17 22:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-17 20:18 Sabyrzhan Tasbolatov
2024-09-17 22:51 ` Andrey Konovalov [this message]
2024-09-18 10:56 ` [PATCH v2] " Sabyrzhan Tasbolatov
2024-09-18 15:15 ` Andrey Konovalov
2024-09-19 10:57 ` [PATCH v3] " Sabyrzhan Tasbolatov
2024-09-20 22:26 ` Andrey Konovalov
2024-09-21 7:10 ` [PATCH v4] " Sabyrzhan Tasbolatov
2024-09-21 20:49 ` Andrey Konovalov
2024-09-22 9:26 ` Sabyrzhan Tasbolatov
2024-09-22 12:04 ` Andrey Konovalov
2024-09-22 14:57 ` [PATCH v5] " Sabyrzhan Tasbolatov
2024-09-23 6:09 ` Sabyrzhan Tasbolatov
2024-09-27 15:18 ` Sabyrzhan Tasbolatov
2024-09-22 12:06 ` [PATCH v4] " Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+fCnZeorA7ptz6YY6=KEmJ+Bvo=9MQmUeBvzYNobtNmBM4L-A@mail.gmail.com' \
--to=andreyknvl@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=dave.hansen@linux.intel.com \
--cc=dhowells@redhat.com \
--cc=dvyukov@google.com \
--cc=glider@google.com \
--cc=hpa@zytor.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=ryabinin.a.a@gmail.com \
--cc=snovitoll@gmail.com \
--cc=tglx@linutronix.de \
--cc=vincenzo.frascino@arm.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox