References: <17b812a3c28024acfca9b1a9e45c8235b35efa32.1628709663.git.andreyknvl@gmail.com>
In-Reply-To: <17b812a3c28024acfca9b1a9e45c8235b35efa32.1628709663.git.andreyknvl@gmail.com>
From: Marco Elver
Date: Thu, 12 Aug 2021 10:50:42 +0200
Subject: Re: [PATCH 7/8] kasan: test: avoid corrupting memory in copy_user_test
To: andrey.konovalov@linux.dev
Cc: Andrew Morton, Andrey Konovalov, Andrey Ryabinin, Dmitry Vyukov, Alexander Potapenko, kasan-dev@googlegroups.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org

On Wed, 11 Aug 2021 at 21:30, wrote:
> From: Andrey Konovalov
>
> copy_user_test() does writes past the allocated object. As a result,
> it corrupts kernel memory, which might lead to crashes with the HW_TAGS
> mode, as it neither uses quarantine nor redzones.
>
> (Technically, this test can't yet be enabled with the HW_TAGS mode, but
> this will be implemented in the future.)
>
> Adjust the test to only write memory within the aligned kmalloc object.
>
> Signed-off-by: Andrey Konovalov

Reviewed-by: Marco Elver

> ---
> lib/test_kasan_module.c | 18 ++++++++----------
> 1 file changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c
> index f1017f345d6c..fa73b9df0be4 100644
> --- a/lib/test_kasan_module.c
> +++ b/lib/test_kasan_module.c
> @@ -15,13 +15,11 @@ > > #include "../mm/kasan/kasan.h" > > -#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE) > - > static noinline void __init copy_user_test(void) > { > char *kmem; > char __user *usermem; > - size_t size = 10; > + size_t size = 128 - KASAN_GRANULE_SIZE; > int __maybe_unused unused; > > kmem = kmalloc(size, GFP_KERNEL); > @@ -38,25 +36,25 @@ static noinline void __init copy_user_test(void) > } > > pr_info("out-of-bounds in copy_from_user()\n"); > - unused = copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF); > + unused = copy_from_user(kmem, usermem, size + 1); > > pr_info("out-of-bounds in copy_to_user()\n"); > - unused = copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF); > + unused = copy_to_user(usermem, kmem, size + 1); > > pr_info("out-of-bounds in __copy_from_user()\n"); > - unused = __copy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF); > + unused = __copy_from_user(kmem, usermem, size + 1); > > pr_info("out-of-bounds in __copy_to_user()\n"); > - unused = __copy_to_user(usermem, kmem, size + 1 + OOB_TAG_OFF); > + unused = __copy_to_user(usermem, kmem, size + 1); > > pr_info("out-of-bounds in __copy_from_user_inatomic()\n"); > - unused = __copy_from_user_inatomic(kmem, usermem, size + 1 + OOB_TAG_OFF); > + unused = __copy_from_user_inatomic(kmem, usermem, size + 1); > > pr_info("out-of-bounds in __copy_to_user_inatomic()\n"); > - unused = __copy_to_user_inatomic(usermem, kmem, size + 1 + OOB_TAG_OFF); > + unused = __copy_to_user_inatomic(usermem, kmem, size + 1); > > pr_info("out-of-bounds in strncpy_from_user()\n"); > - unused = strncpy_from_user(kmem, usermem, size + 1 + OOB_TAG_OFF); > + unused = strncpy_from_user(kmem, usermem, size + 1); > > vm_munmap((unsigned long)usermem, PAGE_SIZE); > kfree(kmem); > -- > 2.25.1 >
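Review bot: the new `size_t size = 128 - KASAN_GRANULE_SIZE;` in the first hunk is a magic number that deserves a comment. The value only works because kmalloc() rounds the request up to a 128-byte slab object, so the `size + 1` accesses in the second hunk land in the poisoned tail of that same object rather than in a neighbouring allocation, which is exactly the corruption the commit message describes. A one-line comment above the declaration (e.g. `/* kmalloc-128 object: size + 1 stays inside it but past the accessible region */`) would spare the next reader from rederiving this and would also say why OOB_TAG_OFF is no longer needed now that size is granule-aligned.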
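Review bot: the strncpy_from_user() call at the end of the second hunk differs from the six fixed-length copies above it: it stops at the first NUL in usermem rather than always touching `size + 1` bytes of kmem, so whether the out-of-bounds write is actually performed depends on the user buffer's contents. A short comment explaining why an access of `size + 1` is still guaranteed to be reported for this call in every KASAN mode (or a pointer to where that check happens) would keep a later change to how usermem is populated from silently turning this case into a no-op.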
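The sizing argument in the commit message, worked through as an added example that is not part of the patch or of lib/test_kasan_module.c: a user-space model of why the old copy_user_test() sizes overflow the slab object under the tag-based modes, and why `128 - KASAN_GRANULE_SIZE` with a `size + 1` access is still reported by KASAN yet stays inside the allocation. The kmalloc size-class table, the granule sizes (8 bytes for generic KASAN, 16 for the tag-based modes) and all function names are assumptions made for this model.

```c
/*
 * Added example, not part of the patch or of lib/test_kasan_module.c: a
 * user-space model of the sizing behind this change. The size-class
 * table and the granule sizes are simplified assumptions; the function
 * names are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum kasan_mode { MODE_GENERIC, MODE_TAGS };

/* Granule size per mode (assumption, modelled on KASAN_GRANULE_SIZE):
 * 8 bytes for generic KASAN, 16 for the tag-based modes. */
static size_t granule_size(enum kasan_mode mode)
{
	return mode == MODE_GENERIC ? 8 : 16;
}

/* Simplified model of the kmalloc size classes (assumption): the request
 * is rounded up to the smallest class that holds it. */
static size_t slab_object_size(size_t request)
{
	static const size_t classes[] = { 8, 16, 32, 64, 96, 128, 192, 256, 512 };
	for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
		if (request <= classes[i])
			return classes[i];
	return 0; /* outside this toy table */
}

/* Bytes the object may touch without a report: generic KASAN poisons at
 * byte precision, the tag-based modes only at granule precision, so there
 * the tail of the last granule stays accessible. */
static size_t accessible_size(enum kasan_mode mode, size_t request)
{
	size_t g = granule_size(mode);
	return mode == MODE_GENERIC ? request : (request + g - 1) / g * g;
}

/* A write of `len` bytes from offset 0 is reported iff it reaches past
 * the accessible region. */
static bool access_reported(enum kasan_mode mode, size_t request, size_t len)
{
	return len > accessible_size(mode, request);
}

/* The write stays inside the slab object iff it does not reach the next
 * object. Generic and SW_TAGS pad objects with redzones; HW_TAGS does not,
 * so there a write past the object lands in live neighbouring memory. */
static bool access_in_object(size_t request, size_t len)
{
	return len <= slab_object_size(request);
}

/* Sizes used by copy_user_test() before the patch ... */
static size_t old_request(void) { return 10; }
static size_t old_access_len(enum kasan_mode mode)
{
	size_t oob_tag_off = mode == MODE_GENERIC ? 0 : granule_size(mode);
	return old_request() + 1 + oob_tag_off;
}

/* ... and after it: size = 128 - KASAN_GRANULE_SIZE, access of size + 1. */
static size_t new_request(enum kasan_mode mode) { return 128 - granule_size(mode); }
static size_t new_access_len(enum kasan_mode mode) { return new_request(mode) + 1; }

int main(void)
{
	static const char *const names[] = { "generic", "tags" };

	for (int m = MODE_GENERIC; m <= MODE_TAGS; m++) {
		enum kasan_mode mode = (enum kasan_mode)m;

		printf("%s: old: reported=%d in_object=%d | new: reported=%d in_object=%d\n",
		       names[m],
		       access_reported(mode, old_request(), old_access_len(mode)),
		       access_in_object(old_request(), old_access_len(mode)),
		       access_reported(mode, new_request(mode), new_access_len(mode)),
		       access_in_object(new_request(mode), new_access_len(mode)));
	}
	return 0;
}
```

Under the tag-based modes the old test asks for a 10-byte object (a 16-byte slab object) and then writes 27 bytes, which is past the object and, without redzones, into whatever lives next to it; the new sizing asks for 112 bytes (a 128-byte slab object) and writes 113, which crosses into a poisoned granule KASAN reports but never leaves the object. In generic mode the old sizes were already in-object, which is why the commit message singles out HW_TAGS.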