From patchwork Fri Oct 21 03:24:02 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Feng Tang <feng.tang@intel.com>
X-Patchwork-Id: 13014237
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C9F5CC4332F
	for <linux-mm@archiver.kernel.org>; Fri, 21 Oct 2022 03:24:14 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 444198E0002; Thu, 20 Oct 2022 23:24:14 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3F41D8E0001; Thu, 20 Oct 2022 23:24:14 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2BCCA8E0002; Thu, 20 Oct 2022 23:24:14 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com
 [216.40.44.17])
	by kanga.kvack.org (Postfix) with ESMTP id 18A3D8E0001
	for <linux-mm@kvack.org>; Thu, 20 Oct 2022 23:24:14 -0400 (EDT)
Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay03.hostedemail.com (Postfix) with ESMTP id E2D77A0386
	for <linux-mm@kvack.org>; Fri, 21 Oct 2022 03:24:13 +0000 (UTC)
X-FDA: 80043513186.29.C16518D
Received: from mga09.intel.com (mga09.intel.com [134.134.136.24])
	by imf27.hostedemail.com (Postfix) with ESMTP id 8423F40006
	for <linux-mm@kvack.org>; Fri, 21 Oct 2022 03:24:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
  t=1666322652; x=1697858652;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=lxJEukWGnKCepPojAgWRbHEwkob3SF5ucbXYsWWNJCU=;
  b=OeIKpTgE83n+WuHR1Nm/6+A0lNGGpopnZfEom+1CPHxDjYhsTQO+5c57
   TiIgPY80z4nNi5HhhFdmewf7Ejw9s8EwD9PyyWHehATYqpAGHT/Elj1zo
   aR5FfXJanCa0hmLJZmZ8pKLXip8bgJvtsTt4f8JShGyvNtVIWMg5S9kmb
   TZqvVuPhed+fQDhkZ5y5tFuHqaXKtsif7cfGwju3VTG3HZUdMPMlzVOVz
   KeHfJlUnoR/rZOdHprs2ugTZPuVb4odnIRv2fVFW3JOrmAFkw2XxhUz5d
   GEAQ0XFqq/Hx4kDTTpM87qb68jO5KUi2iY6coirAsUlgMkBU150SnHYNf
   w==;
X-IronPort-AV: E=McAfee;i="6500,9779,10506"; a="307997999"
X-IronPort-AV: E=Sophos;i="5.95,200,1661842800";
   d="scan'208";a="307997999"
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
  by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 20 Oct 2022 20:24:11 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6500,9779,10506"; a="719459530"
X-IronPort-AV: E=Sophos;i="5.95,200,1661842800";
   d="scan'208";a="719459530"
Received: from feng-clx.sh.intel.com ([10.238.200.228])
  by FMSMGA003.fm.intel.com with ESMTP; 20 Oct 2022 20:24:07 -0700
From: Feng Tang <feng.tang@intel.com>
To: Andrew Morton <akpm@linux-foundation.org>,
	Vlastimil Babka <vbabka@suse.cz>,
	Christoph Lameter <cl@linux.com>,
	Pekka Enberg <penberg@kernel.org>,
	David Rientjes <rientjes@google.com>,
	Joonsoo Kim <iamjoonsoo.kim@lge.com>,
	Roman Gushchin <roman.gushchin@linux.dev>,
	Hyeonggon Yoo <42.hyeyoo@gmail.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Andrey Konovalov <andreyknvl@gmail.com>,
	Kees Cook <keescook@chromium.org>
Cc: Dave Hansen <dave.hansen@intel.com>,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	kasan-dev@googlegroups.com,
	Feng Tang <feng.tang@intel.com>
Subject: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects 
Date: Fri, 21 Oct 2022 11:24:02 +0800
Message-Id: <20221021032405.1825078-1-feng.tang@intel.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666322653; a=rsa-sha256;
	cv=none;
	b=wjGJBRhzevrMlKW7wgXVwitLBTc8U9yZdYGz0/z1IvM+eDrOV9yFAFSL1reHXxxm1bTPT9
	P8Sgdx35EE1jZCtzziMUinWEUzjlIegM+WUUMurcho2ceNoWQg7pWjPNyEXMh3g8pKTgQB
	5PaeDX+ZkDqUbbK2q20NkFpBxmMD0ZM=
ARC-Authentication-Results: i=1;
	imf27.hostedemail.com;
	dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel
 header.b=OeIKpTgE;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf27.hostedemail.com: domain of feng.tang@intel.com designates
 134.134.136.24 as permitted sender) smtp.mailfrom=feng.tang@intel.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1666322653;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:references:dkim-signature;
	bh=dC2A/rL7A2O3RZ+6eRWTY11NX70whx7Aj8RzyV9j+tc=;
	b=OhzNseUnd5bkfgH7whmflNHc0M1g2lvAS1dSwaI0/fxYY5ZClQQvGq+Sq4Dr56KTajhFRL
	pwZHnU9+OI277cgNE5qS17i2RT3Y6BZTK0LyoU5Z82twYv6vOLqVHRoFg/bYvfPPWNF1JB
	xlDDWPMZ/8ac7BlYDtHqo9Y9aIsmU4M=
X-Stat-Signature: osn6e3pys9ezttbxo65pduwxi68n6hh1
X-Rspamd-Queue-Id: 8423F40006
X-Rspam-User: 
Authentication-Results: imf27.hostedemail.com;
	dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel
 header.b=OeIKpTgE;
	dmarc=pass (policy=none) header.from=intel.com;
	spf=pass (imf27.hostedemail.com: domain of feng.tang@intel.com designates
 134.134.136.24 as permitted sender) smtp.mailfrom=feng.tang@intel.com
X-Rspamd-Server: rspam11
X-HE-Tag: 1666322652-113337
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

kmalloc's API family is critical for mm, and one of its nature is that
it will round up the request size to a fixed one (mostly power of 2).
When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes
could be allocated, so there is an extra space than what is originally
requested.

This patchset tries to extend the redzone sanity check to the extra
kmalloced buffer than requested, to better detect un-legitimate access
to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE)

The redzone part has been tested with code below:

	for (shift = 3; shift <= 12; shift++) {
		size = 1 << shift;
		buf = kmalloc(size + 4, GFP_KERNEL);
		/* We have 96, 196 kmalloc size, which is not power of 2 */
		if (size == 64 || size == 128)
			oob_size = 16;
		else
			oob_size = size - 4;
		memset(buf + size + 4, 0xee, oob_size);
		kfree(buf);
	}

(This is against slab tree's 'for-6.2/slub-sysfs' branch, with
HEAD 54736f702526)

Please help to review, thanks!

- Feng
Signed-off-by: Feng Tang <feng.tang@intel.com>
---
Changelogs:

  since v6:
    * 1/4 patch of kmalloc memory wastage debug patch was merged
      to 6.1-rc1, so drop it
    * refine the kasan patch by extending existing APIs and hiding
      kasan internal data structure info (Andrey Konovalov)
    * only reduce zeroing size when slub debug is enabled to
      avoid security risk (Kees Cook/Andrey Konovalov)
    * collect Acked-by tag from Hyeonggon Yoo

  since v5:
    * Refine code/comments and add more perf info in commit log for
      kzalloc change (Hyeonggoon Yoo)
    * change the kasan param name and refine comments about
      kasan+redzone handling (Andrey Konovalov)
    * put free pointer in meta data to make redzone check cover all
      kmalloc objects (Hyeonggoon Yoo)

  since v4:
    * fix a race issue in v3, by moving kmalloc debug init into
      alloc_debug_processing (Hyeonggon Yoo)
    * add 'partial_conext' for better parameter passing in get_partial()
      call chain (Vlastimil Babka)
    * update 'slub.rst' for 'alloc_traces' part (Hyeonggon Yoo)
    * update code comments for 'orig_size'

  since v3:
    * rebase against latest post 6.0-rc1 slab tree's 'for-next' branch
    * fix a bug reported by 0Day, that kmalloc-redzoned data and kasan's
      free meta data overlaps in the same kmalloc object data area

  since v2:
    * rebase against slab tree's 'for-next' branch
    * fix pointer handling (Kefeng Wang)
    * move kzalloc zeroing handling change to a separate patch (Vlastimil Babka)
    * make 'orig_size' only depend on KMALLOC & STORE_USER flag
      bits (Vlastimil Babka)

  since v1:
    * limit the 'orig_size' to kmalloc objects only, and save
      it after track in metadata (Vlastimil Babka)
    * fix a offset calculation problem in print_trailer

  since RFC:
    * fix problems in kmem_cache_alloc_bulk() and records sorting,
      improve the print format (Hyeonggon Yoo)
    * fix a compiling issue found by 0Day bot
    * update the commit log based info from iova developers


Feng Tang (3):
  mm/slub: only zero requested size of buffer for kzalloc when debug
    enabled
  mm: kasan: Extend kasan_metadata_size() to also cover in-object size
  mm/slub: extend redzone check to extra allocated kmalloc space than
    requested

 include/linux/kasan.h |  5 ++--
 mm/kasan/generic.c    | 19 +++++++++----
 mm/slab.c             |  7 +++--
 mm/slab.h             | 22 +++++++++++++--
 mm/slab_common.c      |  4 +++
 mm/slub.c             | 65 +++++++++++++++++++++++++++++++++++++------
 6 files changed, 100 insertions(+), 22 deletions(-)