From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id B0B76CF2586 for ; Sat, 12 Oct 2024 22:45:50 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 258BE6B0085; Sat, 12 Oct 2024 18:45:50 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 1E2416B0088; Sat, 12 Oct 2024 18:45:50 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 05B806B0089; Sat, 12 Oct 2024 18:45:49 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id D77236B0085 for ; Sat, 12 Oct 2024 18:45:49 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 193ECC03B3 for ; Sat, 12 Oct 2024 22:45:43 +0000 (UTC) X-FDA: 82666433892.13.F1B0539 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) by imf17.hostedemail.com (Postfix) with ESMTP id 341684000B for ; Sat, 12 Oct 2024 22:45:43 +0000 (UTC) Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=kpp5s4r3; spf=pass (imf17.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.221.51 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1728773102; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=QrAqah5calgIhNd5J2K0kgxnrRY1RxWPFw2HfKMPoO0=; b=g2BT9/aWEx8FfGRvX3HH+iSOdtdPeTl3EhOFzCXRt9fU/z3WA7re5DlXS3m0fWFycSsXWO Mem16QkJmLjYn1Qv1RSfPXwMK+3691MF2DsyXzT7MBvPmlh0CV40B86XpJVSShq2naT6om EkCPv65+Pz56uvyr6vbFzudpFJagWEw= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=kpp5s4r3; spf=pass (imf17.hostedemail.com: domain of andreyknvl@gmail.com designates 209.85.221.51 as permitted sender) smtp.mailfrom=andreyknvl@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1728773102; a=rsa-sha256; cv=none; b=8ZY7JeVhZubQSjCoO4GN+1TQUqO9cNdG/7JOdf30LXb/4vMR7FHijz4eVqo+ixQvs2oSqY 8LJurFsrka2qaDsl1BlSfqB2wJFs6O/6ZVgOtfdcMpeknzTYW7Dq8qrRIthgj2eAm3Hh+J 2Z/DMUNnxAqvNSIDA/KF6LiW9VIAflY= Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-37d4612da0fso2281254f8f.0 for ; Sat, 12 Oct 2024 15:45:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728773146; x=1729377946; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=QrAqah5calgIhNd5J2K0kgxnrRY1RxWPFw2HfKMPoO0=; b=kpp5s4r3xAkza/p2iF4ewaR32GfwiOSH5ZmhJLggFrmw2XGTa+x0VaOJsWzrr3wCkr CupfqPWu2wsL8mmHdrBUS0oTssUGePzQ+8yKitfztvUL/rRm8ebLNo2nwzsKcWJOdp+a YfXK9e8nFOKtn3w9Rx4LiHwMBxSDDJrT7GM7PdP8oh/a5UjhgjBc7CiQ7u82y7DOVjdS /ozSmeo4O8DaakDLDO6EjmKAEelGzVWmyOCxB2yGzJNEKAn8C2q9EpKpjyC2scWTFudx L7ioA84E0gQIzUhjYc41uHqgkmYdhp0HMmSJYLdzvYAGW0qIeVVFEBP49akGARI+7z5f HBTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728773146; x=1729377946; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=QrAqah5calgIhNd5J2K0kgxnrRY1RxWPFw2HfKMPoO0=; b=P8xFfw8SY4EnPQYLIcFZIDEH/kuKfztIlPwj06o/OtgEOd8quECiW9KK3thTXmP0Gc P2u0u7ijkEJq9IlHD3GYbUY6a1ywUtRGlsCtfxOaWBoTIRFBaP5C9wO5trUNHZIQxqW5 T1kNh526X/4B0ljDjb6OHgN322cONRVsupabH7HA9TNZTZG5eYXprc7NnbopKfTyn6Fg cQCOW1BWoQCQ7gS0Hw5bTi+Uun7o5uP2YofSV8AMmhePUjNf19bdDErCPAqiHcK1XXax ceQmD1I+yLotD/84O6L5LkVGVMKy8WGWBLDeWOxn/TGRJjTXs4RPb6lBwT7qiHidoTE1 DPXQ== X-Forwarded-Encrypted: i=1; AJvYcCVN40BuU7Kt8TgSeBsAihrOFaO3uxOxaM7TRqNTyprL66BMpo1aaZhvWBLROO17NnkgLdzPAr1Gzg==@kvack.org X-Gm-Message-State: AOJu0Yz2g6TQe2P+oK0FsZGY0W7ym79WBH0j3uL24etlQ+y7RdSc8yYV JODj/3fdscZpYwjrYnPqwNfZxBM4c7vw611x+7CLshpScAuezUHzD2F31dByl/6amDOCG2lfcuq 6RJcj/FDIQD7XhQVqlLM8R3EbAQc= X-Google-Smtp-Source: AGHT+IGbcU9EC65nnFvAa8jfBrfCQ1EvPVm0o/Tx0/F8uhISXF7+3QUzIEj0yWFxxEvXX3i4aKdgfbllJE1itf00xW0= X-Received: by 2002:a05:6000:18e:b0:37d:3f81:153f with SMTP id ffacd0b85a97d-37d551fc17cmr5735258f8f.17.1728773145741; Sat, 12 Oct 2024 15:45:45 -0700 (PDT) MIME-Version: 1.0 References: <20241011035310.2982017-1-snovitoll@gmail.com> In-Reply-To: <20241011035310.2982017-1-snovitoll@gmail.com> From: Andrey Konovalov Date: Sun, 13 Oct 2024 00:45:34 +0200 Message-ID: Subject: Re: [PATCH v6] mm, kasan, kmsan: copy_from/to_kernel_nofault To: Sabyrzhan Tasbolatov Cc: akpm@linux-foundation.org, bpf@vger.kernel.org, dvyukov@google.com, elver@google.com, glider@google.com, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, ryabinin.a.a@gmail.com, syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com, vincenzo.frascino@arm.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspam-User: X-Stat-Signature: qdciq7g4i7s4q8pwwxg1n964gq9arpjx X-Rspamd-Queue-Id: 341684000B X-Rspamd-Server: rspam11 X-HE-Tag: 1728773143-272113 X-HE-Meta: U2FsdGVkX1/INetIAmzoAYjG74QnDZrWuCtVIY1oFoU1VdhLYtDTyqjY0Y/wiV6aJ0AibGccOZw6W7mQejB07lUU7b3nizrMbJF8B0Ll+I4rzQOBNpLBaOXHmSIsy9MuVbpdSfpTx8QWvR8FY5qiZ/1HXczl7CHE7WU6KmhXEHeTsSSVVDqkcbOMfS42ELy2lP/CapcKyDTgRwKKLYfb+hip94wN1q49iN0auvwlj6xwwi4R1/LtV48nU3vAew98M8Ad1Kh0SkVN5MNlfDE3u+pE7rRCBB7B7oF/rXMi+pT+V1IsRa9GTxDWENn5tV7nYN+O8OW6qc8U9mcwNf0N0kkvVZS5eZrXBKTF8rOs31DYExgZj/KF5U33RxsVmuS7SREFMsJKE8MDzBHgu6EZb/e6xSdjeHmliPoZseBMvsbTh8aIaaDRY/E7YGjDPuM40pOqqJKw5WTtySnzPUkLjQcd3Z6b4j7E+SmFzRX2J3/SRNz90gQDumNyLrPWuGCH9oDNGrvP8xdqqnbBKyrFbVjUlxQ8dt5eUiC2hndMUJunjpjvHs3ecL12yN0H1Cm675azQtomRRKU4FgDHIIi+eE4JgXSIg+bJ1gcTwkKd8qgV6mF1zh0yy/XBO18tM3OWLjZPVPQgiSC/IeSiVSU18FaPnpfk/vGcGTzi0VmIwUpYUFCvgg6uo8PCxbDP1NOR4VKcoOr0d/fV3Cu+1tCdPCFVvI1PahI/pMJGDPgIJsyRbqxBs5R0LiYYvJudUeSx/JYvp57aj723IdDI3W9NCXRFQvPo/mVKE0igh2BEJiTQ4poXCkx8Hn9MrJNau/1hQVHFW2p33fG8L66Sgo/fXf9J2lEkwrMI6DGZ4mxGpQ+OaMmzieALwBjBjJNz2EC7MrzjeXg1ZDn2bY6e2ZXOxfNjJnvXKB3Gpu3FR6jhiQafO6opZTpWEWeyt0lyfIT7FVhAFUIMuth+JHphYo UMadHf+g DAEuYnkLEQ3hp95Nq5ASWLelCqTvLjYk35CSDB8Zp5vS83CyX32XoyYYshSmBZN8RltWpUfESC+Pms17B8/pa1XVwuORWi4VlSyviDBogmQlnoCMQpvC25SmLsGTIMrM1QlmsQ2IeNmTscTVRdQ1SATAiom2PpwpXQkK5nI4iI6906Edvm/BxRRbvsWuU34gAl77OxfSMZqNhtPeHm2qM/KPjYEPfs9pso91IaoU0hh1F5zbWCMycXU10cUpq32G8PaH56t1k9JXM86192LgfHVie2HbW3q2mtPjcJhUKeVO9Zf4PRHBmhZnvm+RMDlYTmZm6yZr25OVrPOwooN5nBf9ja13Rj2whgZT2vpDPFbEvhNcvykihYIgCcBpgkPhLg8l5t3CqUqWOiCffRdQ+FCLz2HVrfSBhYXZk7bOqSMQLKnI+arh2jRA2TAOwizFnFxCgVny7G7Tji/vrmACMzWKUC8kYx8EsVmeqKaXKVFXGRK1LNH/5thotXqUlGqQ3sFtOXysrI+iIbfJbDoHmUQY6FbcehQKv+dHgjHvUsOXOqNQlbxedfeCd6MSEEW/y9qnJMd/rwtoOrXZrA4L/C+uYHV3yaSiNcYGvJxnR3gQgj96qrWDHjDtWxQ== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, Oct 11, 2024 at 5:52=E2=80=AFAM Sabyrzhan Tasbolatov wrote: > > Instrument copy_from_kernel_nofault() with KMSAN for uninitialized kernel > memory check and copy_to_kernel_nofault() with KASAN, KCSAN to detect > the memory corruption. > > syzbot reported that bpf_probe_read_kernel() kernel helper triggered > KASAN report via kasan_check_range() which is not the expected behaviour > as copy_from_kernel_nofault() is meant to be a non-faulting helper. > > Solution is, suggested by Marco Elver, to replace KASAN, KCSAN check in > copy_from_kernel_nofault() with KMSAN detection of copying uninitilaized > kernel memory. In copy_to_kernel_nofault() we can retain > instrument_write() explicitly for the memory corruption instrumentation. For future reference: please write commit messages in a way that is readable standalone. I.e. without obscured references to the discussions or problems in the previous versions of the patch. It's fine to give such references in itself, but you need to give enough context in the commit message to make it understandable without looking up those discussions. > copy_to_kernel_nofault() is tested on x86_64 and arm64 with > CONFIG_KASAN_SW_TAGS. On arm64 with CONFIG_KASAN_HW_TAGS, > kunit test currently fails. Need more clarification on it. > > Link: https://lore.kernel.org/linux-mm/CANpmjNMAVFzqnCZhEity9cjiqQ9CVN1X7= qeeeAp_6yKjwKo8iw@mail.gmail.com/ > Reviewed-by: Marco Elver > Reported-by: syzbot+61123a5daeb9f7454599@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=3D61123a5daeb9f7454599 > Reported-by: Andrey Konovalov > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D210505 > Signed-off-by: Sabyrzhan Tasbolatov > --- > v2: > - squashed previous submitted in -mm tree 2 patches based on Linus tree > v3: > - moved checks to *_nofault_loop macros per Marco's comments > - edited the commit message > v4: > - replaced Suggested-by with Reviewed-by > v5: > - addressed Andrey's comment on deleting CONFIG_KASAN_HW_TAGS check in > mm/kasan/kasan_test_c.c > - added explanatory comment in kasan_test_c.c > - added Suggested-by: Marco Elver back per Andrew's comment. > v6: > - deleted checks KASAN_TAG_MIN, KASAN_TAG_KERNEL per Andrey's comment. > - added empty line before kfree. > --- > mm/kasan/kasan_test_c.c | 34 ++++++++++++++++++++++++++++++++++ > mm/kmsan/kmsan_test.c | 17 +++++++++++++++++ > mm/maccess.c | 10 ++++++++-- > 3 files changed, 59 insertions(+), 2 deletions(-) > > diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c > index a181e4780d9d..716f2cac9708 100644 > --- a/mm/kasan/kasan_test_c.c > +++ b/mm/kasan/kasan_test_c.c > @@ -1954,6 +1954,39 @@ static void rust_uaf(struct kunit *test) > KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); > } > > +static void copy_to_kernel_nofault_oob(struct kunit *test) > +{ > + char *ptr; > + char buf[128]; > + size_t size =3D sizeof(buf); > + > + /* This test currently fails with the HW_TAGS mode. > + * The reason is unknown and needs to be investigated. */ > + KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > + > + ptr =3D kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL); > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > + OPTIMIZER_HIDE_VAR(ptr); > + > + /* > + * We test copy_to_kernel_nofault() to detect corrupted memory tha= t is > + * being written into the kernel. In contrast, copy_from_kernel_no= fault() > + * is primarily used in kernel helper functions where the source a= ddress > + * might be random or uninitialized. Applying KASAN instrumentatio= n to > + * copy_from_kernel_nofault() could lead to false positives. > + * By focusing KASAN checks only on copy_to_kernel_nofault(), > + * we ensure that only valid memory is written to the kernel, > + * minimizing the risk of kernel corruption while avoiding > + * false positives in the reverse case. > + */ > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_to_kernel_nofault(&buf[0], ptr, size)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + copy_to_kernel_nofault(ptr, &buf[0], size)); > + > + kfree(ptr); > +} > + > static struct kunit_case kasan_kunit_test_cases[] =3D { > KUNIT_CASE(kmalloc_oob_right), > KUNIT_CASE(kmalloc_oob_left), > @@ -2027,6 +2060,7 @@ static struct kunit_case kasan_kunit_test_cases[] = =3D { > KUNIT_CASE(match_all_not_assigned), > KUNIT_CASE(match_all_ptr_tag), > KUNIT_CASE(match_all_mem_tag), > + KUNIT_CASE(copy_to_kernel_nofault_oob), > KUNIT_CASE(rust_uaf), > {} > }; > diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c > index 13236d579eba..9733a22c46c1 100644 > --- a/mm/kmsan/kmsan_test.c > +++ b/mm/kmsan/kmsan_test.c > @@ -640,6 +640,22 @@ static void test_unpoison_memory(struct kunit *test) > KUNIT_EXPECT_TRUE(test, report_matches(&expect)); > } > > +static void test_copy_from_kernel_nofault(struct kunit *test) > +{ > + long ret; > + char buf[4], src[4]; > + size_t size =3D sizeof(buf); > + > + EXPECTATION_UNINIT_VALUE_FN(expect, "copy_from_kernel_nofault"); > + kunit_info( > + test, > + "testing copy_from_kernel_nofault with uninitialized memo= ry\n"); > + > + ret =3D copy_from_kernel_nofault((char *)&buf[0], (char *)&src[0]= , size); > + USE(ret); > + KUNIT_EXPECT_TRUE(test, report_matches(&expect)); > +} > + > static struct kunit_case kmsan_test_cases[] =3D { > KUNIT_CASE(test_uninit_kmalloc), > KUNIT_CASE(test_init_kmalloc), > @@ -664,6 +680,7 @@ static struct kunit_case kmsan_test_cases[] =3D { > KUNIT_CASE(test_long_origin_chain), > KUNIT_CASE(test_stackdepot_roundtrip), > KUNIT_CASE(test_unpoison_memory), > + KUNIT_CASE(test_copy_from_kernel_nofault), > {}, > }; > > diff --git a/mm/maccess.c b/mm/maccess.c > index 518a25667323..3ca55ec63a6a 100644 > --- a/mm/maccess.c > +++ b/mm/maccess.c > @@ -13,9 +13,14 @@ bool __weak copy_from_kernel_nofault_allowed(const voi= d *unsafe_src, > return true; > } > > +/* > + * The below only uses kmsan_check_memory() to ensure uninitialized kern= el > + * memory isn't leaked. > + */ > #define copy_from_kernel_nofault_loop(dst, src, len, type, err_label) \ > while (len >=3D sizeof(type)) { = \ > - __get_kernel_nofault(dst, src, type, err_label); = \ > + __get_kernel_nofault(dst, src, type, err_label); \ > + kmsan_check_memory(src, sizeof(type)); \ > dst +=3D sizeof(type); = \ > src +=3D sizeof(type); = \ > len -=3D sizeof(type); = \ > @@ -49,7 +54,8 @@ EXPORT_SYMBOL_GPL(copy_from_kernel_nofault); > > #define copy_to_kernel_nofault_loop(dst, src, len, type, err_label) \ > while (len >=3D sizeof(type)) { = \ > - __put_kernel_nofault(dst, src, type, err_label); = \ > + __put_kernel_nofault(dst, src, type, err_label); \ > + instrument_write(dst, sizeof(type)); \ > dst +=3D sizeof(type); = \ > src +=3D sizeof(type); = \ > len -=3D sizeof(type); = \ > -- > 2.34.1 > Reviewed-by: Andrey Konovalov Tested-by: Andrey Konovalov For KASAN parts. Thank you!