From patchwork Fri Oct 21 03:24:02 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Feng Tang X-Patchwork-Id: 13014237 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C9F5CC4332F for ; Fri, 21 Oct 2022 03:24:14 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 444198E0002; Thu, 20 Oct 2022 23:24:14 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 3F41D8E0001; Thu, 20 Oct 2022 23:24:14 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2BCCA8E0002; Thu, 20 Oct 2022 23:24:14 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 18A3D8E0001 for ; Thu, 20 Oct 2022 23:24:14 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id E2D77A0386 for ; Fri, 21 Oct 2022 03:24:13 +0000 (UTC) X-FDA: 80043513186.29.C16518D Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by imf27.hostedemail.com (Postfix) with ESMTP id 8423F40006 for ; Fri, 21 Oct 2022 03:24:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1666322652; x=1697858652; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=lxJEukWGnKCepPojAgWRbHEwkob3SF5ucbXYsWWNJCU=; b=OeIKpTgE83n+WuHR1Nm/6+A0lNGGpopnZfEom+1CPHxDjYhsTQO+5c57 TiIgPY80z4nNi5HhhFdmewf7Ejw9s8EwD9PyyWHehATYqpAGHT/Elj1zo aR5FfXJanCa0hmLJZmZ8pKLXip8bgJvtsTt4f8JShGyvNtVIWMg5S9kmb TZqvVuPhed+fQDhkZ5y5tFuHqaXKtsif7cfGwju3VTG3HZUdMPMlzVOVz KeHfJlUnoR/rZOdHprs2ugTZPuVb4odnIRv2fVFW3JOrmAFkw2XxhUz5d GEAQ0XFqq/Hx4kDTTpM87qb68jO5KUi2iY6coirAsUlgMkBU150SnHYNf w==; X-IronPort-AV: E=McAfee;i="6500,9779,10506"; a="307997999" X-IronPort-AV: E=Sophos;i="5.95,200,1661842800"; d="scan'208";a="307997999" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 20 Oct 2022 20:24:11 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10506"; a="719459530" X-IronPort-AV: E=Sophos;i="5.95,200,1661842800"; d="scan'208";a="719459530" Received: from feng-clx.sh.intel.com ([10.238.200.228]) by FMSMGA003.fm.intel.com with ESMTP; 20 Oct 2022 20:24:07 -0700 From: Feng Tang To: Andrew Morton , Vlastimil Babka , Christoph Lameter , Pekka Enberg , David Rientjes , Joonsoo Kim , Roman Gushchin , Hyeonggon Yoo <42.hyeyoo@gmail.com>, Dmitry Vyukov , Andrey Konovalov , Kees Cook Cc: Dave Hansen , linux-mm@kvack.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Feng Tang Subject: [PATCH v7 0/3] mm/slub: extend redzone check for kmalloc objects Date: Fri, 21 Oct 2022 11:24:02 +0800 Message-Id: <20221021032405.1825078-1-feng.tang@intel.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1666322653; a=rsa-sha256; cv=none; b=wjGJBRhzevrMlKW7wgXVwitLBTc8U9yZdYGz0/z1IvM+eDrOV9yFAFSL1reHXxxm1bTPT9 P8Sgdx35EE1jZCtzziMUinWEUzjlIegM+WUUMurcho2ceNoWQg7pWjPNyEXMh3g8pKTgQB 5PaeDX+ZkDqUbbK2q20NkFpBxmMD0ZM= ARC-Authentication-Results: i=1; imf27.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=OeIKpTgE; dmarc=pass (policy=none) header.from=intel.com; spf=pass (imf27.hostedemail.com: domain of feng.tang@intel.com designates 134.134.136.24 as permitted sender) smtp.mailfrom=feng.tang@intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1666322653; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=dC2A/rL7A2O3RZ+6eRWTY11NX70whx7Aj8RzyV9j+tc=; b=OhzNseUnd5bkfgH7whmflNHc0M1g2lvAS1dSwaI0/fxYY5ZClQQvGq+Sq4Dr56KTajhFRL pwZHnU9+OI277cgNE5qS17i2RT3Y6BZTK0LyoU5Z82twYv6vOLqVHRoFg/bYvfPPWNF1JB xlDDWPMZ/8ac7BlYDtHqo9Y9aIsmU4M= X-Stat-Signature: osn6e3pys9ezttbxo65pduwxi68n6hh1 X-Rspamd-Queue-Id: 8423F40006 X-Rspam-User: Authentication-Results: imf27.hostedemail.com; dkim=none ("invalid DKIM record") header.d=intel.com header.s=Intel header.b=OeIKpTgE; dmarc=pass (policy=none) header.from=intel.com; spf=pass (imf27.hostedemail.com: domain of feng.tang@intel.com designates 134.134.136.24 as permitted sender) smtp.mailfrom=feng.tang@intel.com X-Rspamd-Server: rspam11 X-HE-Tag: 1666322652-113337 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: kmalloc's API family is critical for mm, and one of its nature is that it will round up the request size to a fixed one (mostly power of 2). When user requests memory for '2^n + 1' bytes, actually 2^(n+1) bytes could be allocated, so there is an extra space than what is originally requested. This patchset tries to extend the redzone sanity check to the extra kmalloced buffer than requested, to better detect un-legitimate access to it. (dependson SLAB_STORE_USER & SLAB_RED_ZONE) The redzone part has been tested with code below: for (shift = 3; shift <= 12; shift++) { size = 1 << shift; buf = kmalloc(size + 4, GFP_KERNEL); /* We have 96, 196 kmalloc size, which is not power of 2 */ if (size == 64 || size == 128) oob_size = 16; else oob_size = size - 4; memset(buf + size + 4, 0xee, oob_size); kfree(buf); } (This is against slab tree's 'for-6.2/slub-sysfs' branch, with HEAD 54736f702526) Please help to review, thanks! - Feng Signed-off-by: Feng Tang --- Changelogs: since v6: * 1/4 patch of kmalloc memory wastage debug patch was merged to 6.1-rc1, so drop it * refine the kasan patch by extending existing APIs and hiding kasan internal data structure info (Andrey Konovalov) * only reduce zeroing size when slub debug is enabled to avoid security risk (Kees Cook/Andrey Konovalov) * collect Acked-by tag from Hyeonggon Yoo since v5: * Refine code/comments and add more perf info in commit log for kzalloc change (Hyeonggoon Yoo) * change the kasan param name and refine comments about kasan+redzone handling (Andrey Konovalov) * put free pointer in meta data to make redzone check cover all kmalloc objects (Hyeonggoon Yoo) since v4: * fix a race issue in v3, by moving kmalloc debug init into alloc_debug_processing (Hyeonggon Yoo) * add 'partial_conext' for better parameter passing in get_partial() call chain (Vlastimil Babka) * update 'slub.rst' for 'alloc_traces' part (Hyeonggon Yoo) * update code comments for 'orig_size' since v3: * rebase against latest post 6.0-rc1 slab tree's 'for-next' branch * fix a bug reported by 0Day, that kmalloc-redzoned data and kasan's free meta data overlaps in the same kmalloc object data area since v2: * rebase against slab tree's 'for-next' branch * fix pointer handling (Kefeng Wang) * move kzalloc zeroing handling change to a separate patch (Vlastimil Babka) * make 'orig_size' only depend on KMALLOC & STORE_USER flag bits (Vlastimil Babka) since v1: * limit the 'orig_size' to kmalloc objects only, and save it after track in metadata (Vlastimil Babka) * fix a offset calculation problem in print_trailer since RFC: * fix problems in kmem_cache_alloc_bulk() and records sorting, improve the print format (Hyeonggon Yoo) * fix a compiling issue found by 0Day bot * update the commit log based info from iova developers Feng Tang (3): mm/slub: only zero requested size of buffer for kzalloc when debug enabled mm: kasan: Extend kasan_metadata_size() to also cover in-object size mm/slub: extend redzone check to extra allocated kmalloc space than requested include/linux/kasan.h | 5 ++-- mm/kasan/generic.c | 19 +++++++++---- mm/slab.c | 7 +++-- mm/slab.h | 22 +++++++++++++-- mm/slab_common.c | 4 +++ mm/slub.c | 65 +++++++++++++++++++++++++++++++++++++------ 6 files changed, 100 insertions(+), 22 deletions(-)