From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.2 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04242C433EF for ; Mon, 13 Sep 2021 18:18:37 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 73C6860F23 for ; Mon, 13 Sep 2021 18:18:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 73C6860F23 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 102C76B006C; Mon, 13 Sep 2021 14:18:36 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 08C236B0071; Mon, 13 Sep 2021 14:18:36 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E9596900002; Mon, 13 Sep 2021 14:18:35 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0119.hostedemail.com [216.40.44.119]) by kanga.kvack.org (Postfix) with ESMTP id D3BE16B006C for ; Mon, 13 Sep 2021 14:18:35 -0400 (EDT) Received: from smtpin39.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 6A0A68249980 for ; Mon, 13 Sep 2021 18:18:35 +0000 (UTC) X-FDA: 78583360590.39.C31D4B2 Received: from mail-io1-f44.google.com (mail-io1-f44.google.com [209.85.166.44]) by imf12.hostedemail.com (Postfix) with ESMTP id 17BED100009D for ; Mon, 13 Sep 2021 18:18:34 +0000 (UTC) Received: by mail-io1-f44.google.com with SMTP id j18so13336213ioj.8 for ; Mon, 13 Sep 2021 11:18:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FPq7uqz8p8bwmYXp3FEKNuE8YtZIQJpR3ok5eQi2qgM=; b=g/UB56wkLuiqHPE3OFKbIYfNFd2iLaaOWQD6SE9IwpbdXB0f+IyxWoPiiBxNFLDKlD takgNn43zyqZfP2AnrQkkdmQFh2bL3O1vbnthxnWPkOn/Z9H087nhQftSERTQYw6zb+8 xTkfcF8mhv2TTfWQIwVVJRfLquzl78Xf73DUBa8nJaTXuA/+aRX9ZwCfSSN3ZiTYnRhF bqGAemwaSyLMxQn3YqKQRe6h0viqc/GQ7yMZuLWQr1jeNGna6OtOTgwyO/mzDQR+uKX3 3VRMCPayfXeaszRuhLli0vJuJnAjKfWjxUM5MRSiQDsir4Tx2oZMcanKpKV681wvhusS DecQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FPq7uqz8p8bwmYXp3FEKNuE8YtZIQJpR3ok5eQi2qgM=; b=OLdcfbxyVmUNgEPMAMbLwDgR0ufVaKtzLE6O8cfR3zw1jAufjkxAcluy/pbB6kIQDy NNyal66j0Af852qJbGVOgJFMXM/7f8+qBnzn4Yy3tHxocJZwB4Y4wQ8XYWxQIARbXK0y 0jVO1zu8qbPC6AWJDX9sd7gfR7LoRkUThpIvIBT1jLGez50Ek+I3KkhL8ZD4bu4/F7Ig atHSbyue60YkQYffuNGeUFqasNUfKcsOSitnkxrJwOOd1ntXM6pt/6cHNT1enTfH8DE1 VFIadSY5yNGuD3Cf1pbUF61cTeeqBXrKSF8XFEBpdFRDkrFubK2T6hRuCxPa5WNQ1Z19 bE1w== X-Gm-Message-State: AOAM533U570fRZL6q2GvAAZQ5zPupJkdQfWLddyCUSqJ3FAkzwEdqeAB ObTgi4+c6glPeLJsKzb/c3x5wWkah1v3ORU3qSt+tg== X-Google-Smtp-Source: ABdhPJxYCEd61dZY2yQSU4plgsoGN6ldchoKnFo5zAgzWiqTLSATSEXe7zjg3swNXlHvdqcEeORoDK/2HN/fpBprNc0= X-Received: by 2002:a05:6638:3782:: with SMTP id w2mr10814257jal.56.1631557114148; Mon, 13 Sep 2021 11:18:34 -0700 (PDT) MIME-Version: 1.0 References: <20210910211356.3603758-1-pcc@google.com> <622d97a2-c7b7-d46b-dee5-cf8d9fa205da@arm.com> In-Reply-To: <622d97a2-c7b7-d46b-dee5-cf8d9fa205da@arm.com> From: Peter Collingbourne Date: Mon, 13 Sep 2021 11:18:22 -0700 Message-ID: Subject: Re: [PATCH v2] kasan: test: add memcpy test that avoids out-of-bounds write To: Robin Murphy Cc: Will Deacon , Catalin Marinas , Andrey Konovalov , Marco Elver , Mark Rutland , Evgenii Stepanov , Alexander Potapenko , Linux ARM , Linux Memory Management List , Walter Wu Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 17BED100009D X-Stat-Signature: tf8kaqu3ngs3ykhpkdseeumekwixdpex Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=google.com header.s=20210112 header.b="g/UB56wk"; spf=pass (imf12.hostedemail.com: domain of pcc@google.com designates 209.85.166.44 as permitted sender) smtp.mailfrom=pcc@google.com; dmarc=pass (policy=reject) header.from=google.com X-HE-Tag: 1631557114-667277 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Mon, Sep 13, 2021 at 2:42 AM Robin Murphy wrote: > > On 2021-09-10 22:13, Peter Collingbourne wrote: > > With HW tag-based KASAN, error checks are performed implicitly by the > > load and store instructions in the memcpy implementation. A failed check > > results in tag checks being disabled and execution will keep going. As a > > result, under HW tag-based KASAN, prior to commit 1b0668be62cf ("kasan: > > test: disable kmalloc_memmove_invalid_size for HW_TAGS"), this memcpy > > would end up corrupting memory until it hits an inaccessible page and > > causes a kernel panic. > > > > This is a pre-existing issue that was revealed by commit 285133040e6c > > ("arm64: Import latest memcpy()/memmove() implementation") which changed > > the memcpy implementation from using signed comparisons (incorrectly, > > resulting in the memcpy being terminated early for negative sizes) > > to using unsigned comparisons. > > > > It is unclear how this could be handled by memcpy itself in a reasonable > > way. One possibility would be to add an exception handler that would force > > memcpy to return if a tag check fault is detected -- this would make the > > behavior roughly similar to generic and SW tag-based KASAN. However, > > this wouldn't solve the problem for asynchronous mode and also makes > > memcpy behavior inconsistent with manually copying data. > > > > This test was added as a part of a series that taught KASAN to detect > > negative sizes in memory operations, see commit 8cceeff48f23 ("kasan: > > detect negative size in memory operation function"). Therefore we > > should keep testing for negative sizes with generic and SW tag-based > > KASAN. But there is some value in testing small memcpy overflows, so > > let's add another test with memcpy that does not destabilize the kernel > > by performing out-of-bounds writes, and run it in all modes. > > The only thing is, that's nonsense. You can't pass a negative size to > memmove()/memcpy(), any more than you could pass a negative address. You > can use the usual integer conversions to pass a very large size, but > that's no different from just passing a very large size, and the > language does not make any restrictions on the validity of very large > sizes. Indeed in general a 32-bit program could legitimately memcpy() > exactly half its address space to the other half, or memmove() a 3GB > buffer a small distance. > > I'm not sure what we're trying to enforce there, other than arbitrary > restrictions on how we think it makes sense to call library functions. > The only way to say that a size is actually invalid is if it leads to an > out-of-bounds access relative to the source or destination buffer, but > to provoke that the given size only ever needs to be at least 1 byte > larger than the object - making it excessively large only generates > excessively large numbers of invalid accesses, and I fail to see what > use that has. By all means introduce KAROHWTIMSTCLFSAN, but I'm not > convinced it's meaningfully within the scope of *address* sanitisation. This is an orthogonal issue, isn't it? It may make sense to make the memmove()/memcpy() behavior controllable separately, but that can be done separately from this change. Peter