From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3F428CFD302 for ; Fri, 11 Oct 2024 09:12:15 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id AB4046B00AC; Fri, 11 Oct 2024 05:12:14 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id A64A96B00AD; Fri, 11 Oct 2024 05:12:14 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 92C646B00AE; Fri, 11 Oct 2024 05:12:14 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 6DE586B00AC for ; Fri, 11 Oct 2024 05:12:14 -0400 (EDT) Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 8CA001A0FE5 for ; Fri, 11 Oct 2024 09:12:06 +0000 (UTC) X-FDA: 82660754904.06.B2D78AB Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com [209.85.208.41]) by imf19.hostedemail.com (Postfix) with ESMTP id 436391A0011 for ; Fri, 11 Oct 2024 09:12:09 +0000 (UTC) Authentication-Results: imf19.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=SuEk+zFk; spf=pass (imf19.hostedemail.com: domain of snovitoll@gmail.com designates 209.85.208.41 as permitted sender) smtp.mailfrom=snovitoll@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1728637862; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=dmyCPxp3PGxPiT0sfsdtuyO7wyt4DIIzCTNUesZj7zE=; b=fdItrJOr86rZ7DlwqSlFdh7m1Lt0iTd09PD00NeuZcrVrBQkbAsMsFrh33gPybuB6NCGb3 6pklLbTtpt4XHmshOESJxGVoIvl9WoSjSFDDd0jXr/7Zq8tx7IvoxZVQwQclfpDjPasYwt Vqb/gdtsUDo5K65Uesnxr3kBYsxEnNQ= ARC-Authentication-Results: i=1; imf19.hostedemail.com; dkim=pass header.d=gmail.com header.s=20230601 header.b=SuEk+zFk; spf=pass (imf19.hostedemail.com: domain of snovitoll@gmail.com designates 209.85.208.41 as permitted sender) smtp.mailfrom=snovitoll@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1728637862; a=rsa-sha256; cv=none; b=BfEK3vsQvhbufIKeSwpDcpkm06RKrI844GbFhy6EGyZV5u0t2eXZgQKqjDU/s3byKxgcqI uaXn3kslIXDLzcsd3tP36twbO+D2cex08mbeXv2ENr+g9rYCr1SxaU3jg4CF0edjpnjR+M UIxa6j8wm16uazDs0HoA6lVdapJoMvg= Received: by mail-ed1-f41.google.com with SMTP id 4fb4d7f45d1cf-5c924667851so2161662a12.3 for ; Fri, 11 Oct 2024 02:12:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728637930; x=1729242730; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=dmyCPxp3PGxPiT0sfsdtuyO7wyt4DIIzCTNUesZj7zE=; b=SuEk+zFkse9mRhe9TmKlu9X9z4FNFH3OGWYKknh2KrYYI2CctbJUKWuFXfcoL11dfs LEmq/atIBhaKJCntNmvgIWzjgzJHickIeyMMCzzn2zHA1C/nR6NQPpVDY/HXn6DzL6FB 9XJziEA+vt5RSlN+4BOPAM1TziAY1zHb0Or+d39HUqk+upQ91l31p9UmyTGhniHCoW4/ CxHMmTuDdR3lL7WT5+ea6ZEJ6aZr+mQOojizDU6XZwdmV+UgL1a1bt9UOeqwsI3QvmDW gDcsm3UWHdFoY059QslRErNAdMZjP0cI2Hwnn6F6Dfm5UT3K6QvDYTRPDxzTPNyRs38v u0tg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728637930; x=1729242730; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dmyCPxp3PGxPiT0sfsdtuyO7wyt4DIIzCTNUesZj7zE=; b=XB63S1mZ4slrC4FGM4qvHPua/0/bviyjHuSobbcB69Jf8K7HoK+3+/4Xz0NyTmgDal hSj8zfI/4pm4qAHKZjRRmmZD3pFJJGvbjk1I0Q1+a95CkfrycnBv9X4nvQ8h2/I9Z+cr SgJqFlO0b6JbnBYLinOpcYRfcM98Hdrv2z7A2CPG80Z7rhTl9RNMJL/e4TpG445Wk4YE WCtxYJwrwLqeRQnzq0JIhmhF3MWFL5PsCT+PL2MPC8liujLhT3qU+VM6qeUUxSBKDiGP bKAR+IIdTL++LTJXCD8VK++Kp5OhmUWxUIfElrxExeSyHY0pPcEqh25NEzXY0GybXUtA FocA== X-Forwarded-Encrypted: i=1; AJvYcCUG8VAzU+V1ExpDQojMSP3e8yBwDmV5mGTmslmhbS7J6XwM1EmlCjRoximecJzrjED35q7scH1iTw==@kvack.org X-Gm-Message-State: AOJu0Yyogu/GX+qzPmr+fs2wgnhImsXKuF6ggxEFRYE2XyLQlT42uMBU NeY7rtOeDa5PojWkSBOJT3zoE9pmIKOnpC5Ugng0XNt8ozfC2OPF/x2HMR3dJRS0ntHAeZsJs9E ISnZnCs3EQbjENzD205KBp4apkX4= X-Google-Smtp-Source: AGHT+IG0Yn93AQOLk2HwbzKdyQ3pYfcAnV3otQB/93fZdfhLm21bUI4QJczTHMUdNmcHwu3+iAhjmuwrikTPshdYSLw= X-Received: by 2002:a05:6402:350b:b0:5c5:cbfd:b3a8 with SMTP id 4fb4d7f45d1cf-5c948c87a44mr1077977a12.1.1728637930115; Fri, 11 Oct 2024 02:12:10 -0700 (PDT) MIME-Version: 1.0 References: <20241011071657.3032690-1-snovitoll@gmail.com> In-Reply-To: <20241011071657.3032690-1-snovitoll@gmail.com> From: Sabyrzhan Tasbolatov Date: Fri, 11 Oct 2024 14:13:01 +0500 Message-ID: Subject: Re: [PATCH] kasan: migrate copy_user_test to kunit To: akpm@linux-foundation.org, ryabinin.a.a@gmail.com, andreyknvl@gmail.com Cc: glider@google.com, dvyukov@google.com, vincenzo.frascino@arm.com, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-mm@kvack.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspam03 X-Rspam-User: X-Rspamd-Queue-Id: 436391A0011 X-Stat-Signature: ra81berozhyy651qgm1z4187weaa7nxm X-HE-Tag: 1728637929-419789 X-HE-Meta: U2FsdGVkX1+vaTr92QHrM7yXFzFgxQpjMuoR30IjZcKoUgbki4qVP0ldrLCSUYEwNLcTx54BQAB3aweACaUo5AaqP/VeLLLZuHMeL4DsyzIwAq+a5PmqUb9+MaMei/FK3B02JLV26AnpVc1cDK6SZHnzoJ8E+NbDLaRzfdr3xzPWvkljjojP32t7lldN+1LTco227bpSLsYEeAEHAjON9F15Guh/CgaW2HG0l0CEAR3jfobJn33mcSOa5rYf3Gd1MqrjLOaIFrysoHO9Xd5MijrZqMa7mgWhe8WPtswAs54kt4it9F6LzCHcuuc2lFs3CSlaY+cv4ytqvKPQL5UpqpF1ZKFsfhu0rcOgDGjpCMKaCOqb0n5G5ZAtnb9jld0iJlVWsMR4qcc595dpvTHxMKeReOdsnnEe1EtUYW0YLE3nihYa7HhoxHP2TDW3UiG1Tzycr3WCdZyePjOfoFXhcyuevCbhh9GBP2n8spVGnPSEPjHBbhV2xfzq/TuYLO9fZWpXW1STgJaXirlAVMlkaWL/zEuIH3qU9sKyfalCsyoo8kZi43xqhgogCkJPKfvO9edOIGM/e7vOelZVoPt1yAb7QSot6CD+UmZMbr9hH+u0Yslmp6dTZNXY/AtZECfRhM/KDXdp59n8q0BLGfBBGYyvMO8G32LOP8NPTJIWXyvQrhbCIjyO2wYJ39iPovciyJAB037Mb5B9/e6Ot9aTqH1jF5l2X20i2PLymiimgkeSN9mSUOn0Y7tFWsrFdQQdx9PWaijFmbUArmwgSzqjLjKMVLXrJ4TAIKAhm6UB79dPiHXRbzLhyWRuAK+Bh6eEf2R2991Z93w+gz2Hsd6y3qnHMsf7XvQ4meyoNjoxbsU8jeY5WHymmGtKJnsjHhbhE78COBGbZYMFctfgZKhfKZVh9RKCHAtvNrd/BpbQfnDGZiwkMXHp3LLHUSvVeVFX1HsUt97czcRgFp17ukO oonKL0a/ TYH8ox1QgH9PE7haAY1iXLkL4zb+YyFOcywM3yL4bJzU5+0t0yfsCyrM3KQ/7REhSqrJFJN/6s4gHPtnWjbb+KEYtN26nUpzxzRYf8ipmuhgbvAiBi/99GVqUnmLaP/YUn4/BiZqQJHvpDI0YJhMRu4LHdF9diHa0kQ6125ZrUm0MNYg0XC0fZYk1Wf1Xo9aFzrcPPB8qQRpQzZBpKE19qKj1r7RDaIPFq6FEQThuHnrrvlQwq4LIO2f9LqjFHQqdgTEbx7w7ZHTWAk8drFiz3rbCNmJkBJaIUa9Zo2uEtUEmoSxSlE3ArYy2vz5Y0dO1Qz+UjSLfZQNoiJiL5+zauFgyfVqCAMK1wytr17LhV0knKjg0hJdmQd8oPJvPeWOUxlWYkOZapa+0uw2SY6UcQ5t5qpXyMT+uccbbUGjdf+rokYu3/d/YxYEB2H1VZLQ8pEvn0+4/m4MLIC/+qYt+uZLZnfURtoanNjo06JSWkLWu+zYlAMQfOKcR+wdNhpX3WN2qgtWOpjft78pk6PRanqTv/AboyhLXKcB43kcnyZyLStUtUq2kHQpHHobg0XapfFvgs5QsEGAjMdq4mEwi7UlzZ3IR+fW4ygu6W1PzitLs+uF5SDFERQH/8A== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Fri, Oct 11, 2024 at 12:16=E2=80=AFPM Sabyrzhan Tasbolatov wrote: > > Migrate the copy_user_test to the KUnit framework to verify out-of-bound > detection via KASAN reports in copy_from_user(), copy_to_user() and > their static functions. > > This is the last migrated test in kasan_test_module.c, therefore delete > the file. > > In order to detect OOB access in strncpy_from_user(), we need to move > kasan_check_write() to the function beginning to cover > if (can_do_masked_user_access()) {...} branch as well. > > Reported-by: Andrey Konovalov > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=3D212205 > Signed-off-by: Sabyrzhan Tasbolatov > --- > lib/strncpy_from_user.c | 3 +- > mm/kasan/kasan_test_c.c | 39 +++++++++++++++++ > mm/kasan/kasan_test_module.c | 81 ------------------------------------ > 3 files changed, 41 insertions(+), 82 deletions(-) > delete mode 100644 mm/kasan/kasan_test_module.c > > diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c > index 989a12a67872..55c33e4f3c70 100644 > --- a/lib/strncpy_from_user.c > +++ b/lib/strncpy_from_user.c > @@ -120,6 +120,8 @@ long strncpy_from_user(char *dst, const char __user *= src, long count) > if (unlikely(count <=3D 0)) > return 0; > > + kasan_check_write(dst, count); > + > if (can_do_masked_user_access()) { > long retval; > > @@ -142,7 +144,6 @@ long strncpy_from_user(char *dst, const char __user *= src, long count) > if (max > count) > max =3D count; > > - kasan_check_write(dst, count); > check_object_size(dst, count, false); > if (user_read_access_begin(src, max)) { > retval =3D do_strncpy_from_user(dst, src, count, = max); > diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c > index a181e4780d9d..e71a16d0dfb9 100644 > --- a/mm/kasan/kasan_test_c.c > +++ b/mm/kasan/kasan_test_c.c > @@ -1954,6 +1954,44 @@ static void rust_uaf(struct kunit *test) > KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf()); > } > > +static void copy_user_test_oob(struct kunit *test) > +{ > + char *kmem; > + char __user *usermem; > + unsigned long useraddr; > + size_t size =3D 128 - KASAN_GRANULE_SIZE; > + int __maybe_unused unused; > + > + kmem =3D kunit_kmalloc(test, size, GFP_KERNEL); > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, kmem); > + > + useraddr =3D kunit_vm_mmap(test, NULL, 0, PAGE_SIZE, > + PROT_READ | PROT_WRITE | PROT_EXE= C, > + MAP_ANONYMOUS | MAP_PRIVATE, 0); > + KUNIT_ASSERT_NE_MSG(test, useraddr, 0, > + "Could not create userspace mm"); > + KUNIT_ASSERT_LT_MSG(test, useraddr, (unsigned long)TASK_SIZE, > + "Failed to allocate user memory"); > + > + OPTIMIZER_HIDE_VAR(size); > + usermem =3D (char __user *)useraddr; > + > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D copy_from_user(kmem, usermem, size + 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D copy_to_user(usermem, kmem, size + 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D __copy_from_user(kmem, usermem, size + 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D __copy_to_user(usermem, kmem, size + 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D __copy_from_user_inatomic(kmem, usermem, size = + 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D __copy_to_user_inatomic(usermem, kmem, size + = 1)); > + KUNIT_EXPECT_KASAN_FAIL(test, > + unused =3D strncpy_from_user(kmem, usermem, size + 1)); > +} > + > static struct kunit_case kasan_kunit_test_cases[] =3D { > KUNIT_CASE(kmalloc_oob_right), > KUNIT_CASE(kmalloc_oob_left), > @@ -2028,6 +2066,7 @@ static struct kunit_case kasan_kunit_test_cases[] = =3D { > KUNIT_CASE(match_all_ptr_tag), > KUNIT_CASE(match_all_mem_tag), > KUNIT_CASE(rust_uaf), > + KUNIT_CASE(copy_user_test_oob), > {} > }; > > diff --git a/mm/kasan/kasan_test_module.c b/mm/kasan/kasan_test_module.c > deleted file mode 100644 > index 27ec22767e42..000000000000 > --- a/mm/kasan/kasan_test_module.c > +++ /dev/null > @@ -1,81 +0,0 @@ > -// SPDX-License-Identifier: GPL-2.0-only > -/* > - * > - * Copyright (c) 2014 Samsung Electronics Co., Ltd. > - * Author: Andrey Ryabinin > - */ > - > -#define pr_fmt(fmt) "kasan: test: " fmt > - > -#include > -#include > -#include > -#include > -#include > - > -#include "kasan.h" > - > -static noinline void __init copy_user_test(void) > -{ > - char *kmem; > - char __user *usermem; > - size_t size =3D 128 - KASAN_GRANULE_SIZE; > - int __maybe_unused unused; > - > - kmem =3D kmalloc(size, GFP_KERNEL); > - if (!kmem) > - return; > - > - usermem =3D (char __user *)vm_mmap(NULL, 0, PAGE_SIZE, > - PROT_READ | PROT_WRITE | PROT_EXEC, > - MAP_ANONYMOUS | MAP_PRIVATE, 0); > - if (IS_ERR(usermem)) { > - pr_err("Failed to allocate user memory\n"); > - kfree(kmem); > - return; > - } > - > - OPTIMIZER_HIDE_VAR(size); > - > - pr_info("out-of-bounds in copy_from_user()\n"); > - unused =3D copy_from_user(kmem, usermem, size + 1); > - > - pr_info("out-of-bounds in copy_to_user()\n"); > - unused =3D copy_to_user(usermem, kmem, size + 1); > - > - pr_info("out-of-bounds in __copy_from_user()\n"); > - unused =3D __copy_from_user(kmem, usermem, size + 1); > - > - pr_info("out-of-bounds in __copy_to_user()\n"); > - unused =3D __copy_to_user(usermem, kmem, size + 1); > - > - pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); > - unused =3D __copy_from_user_inatomic(kmem, usermem, size + 1); > - > - pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); > - unused =3D __copy_to_user_inatomic(usermem, kmem, size + 1); > - > - pr_info("out-of-bounds in strncpy_from_user()\n"); > - unused =3D strncpy_from_user(kmem, usermem, size + 1); > - > - vm_munmap((unsigned long)usermem, PAGE_SIZE); > - kfree(kmem); > -} > - > -static int __init kasan_test_module_init(void) > -{ > - /* > - * Temporarily enable multi-shot mode. Otherwise, KASAN would onl= y > - * report the first detected bug and panic the kernel if panic_on= _warn > - * is enabled. > - */ > - bool multishot =3D kasan_save_enable_multi_shot(); > - > - copy_user_test(); > - > - kasan_restore_multi_shot(multishot); > - return -EAGAIN; > -} > - > -module_init(kasan_test_module_init); > -MODULE_LICENSE("GPL"); > -- > 2.34.1 > This has been tested on: - x86_64 with CONFIG_KASAN_GENERIC - arm64 with CONFIG_KASAN_SW_TAGS - arm64 with CONFIG_KASAN_HW_TAGS - arm64 SW_TAGS has 1 failing test which is in the mainline, will try to address it in different patch, not related to changes in this P= R: [ 9.480716] # vmalloc_percpu: EXPECTATION FAILED at mm/kasan/kasan_test_c.c:1830 [ 9.480716] Expected (u8)(__u8)((u64)(c_ptr) >> 56) < (u8)0xFF, but [ 9.480716] (u8)(__u8)((u64)(c_ptr) >> 56) =3D=3D 255 (0xff) [ 9.480716] (u8)0xFF =3D=3D 255 (0xff) [ 9.481936] # vmalloc_percpu: EXPECTATION FAILED at mm/kasan/kasan_test_c.c:1830 [ 9.481936] Expected (u8)(__u8)((u64)(c_ptr) >> 56) < (u8)0xFF, but [ 9.481936] (u8)(__u8)((u64)(c_ptr) >> 56) =3D=3D 255 (0xff) [ 9.481936] (u8)0xFF =3D=3D 255 (0xff) Here is my full console log of arm64-sw.log: https://gist.githubusercontent.com/novitoll/7ab93edca1f7d71925735075e84fc2e= c/raw/6ef05758bcc396cd2f5796a5bcb5e41a091224cf/arm64-sw.log - arm64 HW_TAGS has 1 failing test related to new changes and AFAIU, it's known issue related to HW_TAGS: [ 11.167324] # copy_user_test_oob: EXPECTATION FAILED at mm/kasan/kasan_test_c.c:1992 [ 11.167324] KASAN failure expected in "unused =3D strncpy_from_user(kmem, usermem, size + 1)", but none occurred Here is the console log of arm64-hw.log: https://gist.github.com/novitoll/7ab93edca1f7d71925735075e84fc2ec#file-arm6= 4-hw-log-L11208