From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-23.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 016CAC433EF for ; Fri, 10 Sep 2021 21:14:47 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A3F5B61209 for ; Fri, 10 Sep 2021 21:14:46 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A3F5B61209 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 1AA7F940007; Fri, 10 Sep 2021 17:14:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 159DA900002; Fri, 10 Sep 2021 17:14:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0481D940007; Fri, 10 Sep 2021 17:14:45 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0074.hostedemail.com [216.40.44.74]) by kanga.kvack.org (Postfix) with ESMTP id EADE8900002 for ; Fri, 10 Sep 2021 17:14:45 -0400 (EDT) Received: from smtpin19.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 95E2F267C8 for ; Fri, 10 Sep 2021 21:14:45 +0000 (UTC) X-FDA: 78572918130.19.15877CC Received: from mail-il1-f182.google.com (mail-il1-f182.google.com [209.85.166.182]) by imf04.hostedemail.com (Postfix) with ESMTP id 59A9E50000B2 for ; Fri, 10 Sep 2021 21:14:45 +0000 (UTC) Received: by mail-il1-f182.google.com with SMTP id h20so2491037ilj.13 for ; Fri, 10 Sep 2021 14:14:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=EUXkIZ8Ae2C4wPNLkjM8cOni1MkSMmEZVRvv7hbDnC7ugPeahSlnqzSQTs3afVPqYT 3o4UxtN7vc573y3Qg+72O2W5mZ3swH7aMI1SGvsF3QNKHf/uu2iqt0YsoZl51l2FhA7n DjTcS7GWWVTL0OOVaEB7P8/Ys6xvL/CpZGEn+yv7afcnN6AUjXAxen7pRpeq3V8ZFJ3H Xn9Y5lvK5CrE8Uk6NrGLYN5pCI5zI5PnrpjwgXq1dnXjHmcsU5Bp3XapTIVivCuIhbjH 2H3HehRxduAQLKzGKEKxVnEHV40xmvoE4XeVo432nLt3i2fOXkh4dx9gM69TJam7Lv7I r2yA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DuSlVyr+5xS5bZwED0X+aUt0gfAYibtOB6SYwgXsJm8=; b=uchGmYKw9poyFu6V3keK0nw82wGm7ORCdKwrZviO9Epm3MkQxVF804P/cqC6tzIEhS 8NfeZHsFanYtFjOywDE8WSCkmvnsZXVBqH4uUhDdguJhvfojxMbmQzDJwvoamIcVxMhf AvDDYaBC3M5JR1pHhqywJqtFFgGczAXLw8ngbV+EPRk+S4MhacLmICWkkqtjW9bDGzNy pF/+QrjiATkFtKy944wlm8zMR0g7G301Ws1cN7j6QYGKWLWp9VslERinV1wPjbYjYnXv b4Yd88xDsG3DHbmXzM9H+86wUl1XOlQZx5VYygpYh5GC2NIowqV3+1OAW3y732XHWtHp 0F1Q== X-Gm-Message-State: AOAM533VcE+EOvJHtEKgWkGWy1lHio/oWiHSu4PxoIbN2u4Z0KcXg72H AkrX1CG3YMJtRWuhn2/4G4jRBfrwkiFwJfjoLuOCUI+tJ5M= X-Google-Smtp-Source: ABdhPJwpo0eKQqLuK54CFso/B5fYqTElx9Hk5mSko68NTE3Jpb1Nvdvc5CraH12/+2ng5uTgsIDXRIEIsF65Lj2DI5Q= X-Received: by 2002:a05:6e02:1564:: with SMTP id k4mr7981434ilu.146.1631308484555; Fri, 10 Sep 2021 14:14:44 -0700 (PDT) MIME-Version: 1.0 References: <20210910203152.3549236-1-pcc@google.com> In-Reply-To: From: Peter Collingbourne Date: Fri, 10 Sep 2021 14:14:33 -0700 Message-ID: Subject: Re: [PATCH] kasan: test: don't copy more than size bytes in memcpy test To: Andrey Konovalov Cc: Robin Murphy , Will Deacon , Catalin Marinas , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List Content-Type: text/plain; charset="UTF-8" X-Stat-Signature: 7n14emy6dnhaij6gio48jbzcejksacp7 Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b=EUXkIZ8A; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf04.hostedemail.com: domain of pcc@google.com designates 209.85.166.182 as permitted sender) smtp.mailfrom=pcc@google.com X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 59A9E50000B2 X-HE-Tag: 1631308485-31735 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Fri, Sep 10, 2021 at 1:44 PM Andrey Konovalov wrote: > > On Fri, Sep 10, 2021 at 10:32 PM Peter Collingbourne wrote: > > > > With HW tag-based KASAN, error checks are performed implicitly by the load > > and store instructions in the memcpy implementation. A failed check results > > in tag checks being disabled and execution will keep going. As a result, > > under HW tag-based KASAN, this memcpy would end up corrupting memory until > > it hits an inaccessible page and causes a kernel panic. > > > > This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: > > Import latest memcpy()/memmove() implementation") which changed the memcpy > > implementation from using signed comparisons (incorrectly, resulting in > > the memcpy being terminated early for negative sizes) to using unsigned > > comparisons. > > > > It is unclear how this could be handled by memcpy itself in a reasonable > > way. One possibility would be to add an exception handler that would force > > memcpy to return if a tag check fault is detected -- this would make the > > behavior roughly similar to generic and SW tag-based KASAN. However, this > > wouldn't solve the problem for asynchronous mode and also makes memcpy > > behavior inconsistent with manually copying data. > > > > It may be more accurate to consider this a bug in the test: what we really > > want to test here is that a memcpy overflow, however small, is caught, and any > > further copying after the initial overflow is unnecessary and may affect system > > stability. Therefore, adjust the test to pass the allocation size as the memcpy > > size, ensuring that the memcpy will not result in an out-of-bounds write. > > > > Commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for > > HW_TAGS") disabled this test in HW tags mode, but there is some value in > > testing small memcpy overflows, so let's re-enable it with this fix. > > > > Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 > > Signed-off-by: Peter Collingbourne > > --- > > lib/test_kasan.c | 9 +-------- > > 1 file changed, 1 insertion(+), 8 deletions(-) > > > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c > > index 8835e0784578..9af51e1f692d 100644 > > --- a/lib/test_kasan.c > > +++ b/lib/test_kasan.c > > @@ -497,14 +497,7 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) > > { > > char *ptr; > > size_t size = 64; > > - volatile size_t invalid_size = -2; > > - > > - /* > > - * Hardware tag-based mode doesn't check memmove for negative size. > > - * As a result, this test introduces a side-effect memory corruption, > > - * which can result in a crash. > > - */ > > - KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS); > > + volatile size_t invalid_size = size; > > > > ptr = kmalloc(size, GFP_KERNEL); > > KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); > > -- > > 2.33.0.309.g3052b89438-goog > > > > Hi Peter, > > This test was added as a part of series that taught KASAN to detect > negative sizes in memory operations, see 8cceeff48f23 ("kasan: detect > negative size in memory operation function"). So we need to keep it > using negative sizes. > > I think we should rename kmalloc_memmove_invalid_size to > kmalloc_memmove_negative_size, and keep it disabled with HW_TAGS. And > add another test named kmalloc_memmove_invalid_size, which does what > you did in this patch. Makes sense, done in v2. Peter