From patchwork Fri Sep 10 21:13:56 2021
X-Patchwork-Submitter: Peter Collingbourne
X-Patchwork-Id: 12486055
Date: Fri, 10 Sep 2021 14:13:56 -0700
Message-Id: <20210910211356.3603758-1-pcc@google.com>
Subject: [PATCH v2] kasan: test: add memcpy test that avoids out-of-bounds write
From: Peter Collingbourne
To: Robin Murphy, Will Deacon, Catalin Marinas, Andrey Konovalov, Marco Elver
Cc: Peter Collingbourne, Mark Rutland, Evgenii Stepanov, Alexander Potapenko, Linux ARM, linux-mm@kvack.org

With HW tag-based KASAN, error checks are performed implicitly by the load and store instructions in the memcpy implementation. A failed check results in tag checks being disabled and execution will keep going. As a result, under HW tag-based KASAN, prior to commit 1b0668be62cf ("kasan: test: disable kmalloc_memmove_invalid_size for HW_TAGS"), this memcpy would end up corrupting memory until it hits an inaccessible page and causes a kernel panic. This is a pre-existing issue that was revealed by commit 285133040e6c ("arm64: Import latest memcpy()/memmove() implementation") which changed the memcpy implementation from using signed comparisons (incorrectly, resulting in the memcpy being terminated early for negative sizes) to using unsigned comparisons.

It is unclear how this could be handled by memcpy itself in a reasonable way. One possibility would be to add an exception handler that would force memcpy to return if a tag check fault is detected -- this would make the behavior roughly similar to generic and SW tag-based KASAN. However, this wouldn't solve the problem for asynchronous mode and also makes memcpy behavior inconsistent with manually copying data.
This test was added as a part of a series that taught KASAN to detect negative sizes in memory operations, see commit 8cceeff48f23 ("kasan: detect negative size in memory operation function"). Therefore we should keep testing for negative sizes with generic and SW tag-based KASAN. But there is some value in testing small memcpy overflows, so let's add another test with memcpy that does not destabilize the kernel by performing out-of-bounds writes, and run it in all modes. Link: https://linux-review.googlesource.com/id/I048d1e6a9aff766c4a53f989fb0c83de68923882 Signed-off-by: Peter Collingbourne Reviewed-by: Andrey Konovalov Acked-by: Marco Elver --- lib/test_kasan.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/test_kasan.c b/lib/test_kasan.c index 8835e0784578..aa8e42250219 100644 --- a/lib/test_kasan.c +++ b/lib/test_kasan.c @@ -493,7 +493,7 @@ static void kmalloc_oob_in_memset(struct kunit *test) kfree(ptr); } -static void kmalloc_memmove_invalid_size(struct kunit *test) +static void kmalloc_memmove_negative_size(struct kunit *test) { char *ptr; size_t size = 64; @@ -515,6 +515,21 @@ static void kmalloc_memmove_invalid_size(struct kunit *test) kfree(ptr); } +static void kmalloc_memmove_invalid_size(struct kunit *test) +{ + char *ptr; + size_t size = 64; + volatile size_t invalid_size = size; + + ptr = kmalloc(size, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr); + + memset((char *)ptr, 0, 64); + KUNIT_EXPECT_KASAN_FAIL(test, + memmove((char *)ptr, (char *)ptr + 4, invalid_size)); + kfree(ptr); +} + static void kmalloc_uaf(struct kunit *test) { char *ptr; @@ -1129,6 +1144,7 @@ static struct kunit_case kasan_kunit_test_cases[] = { KUNIT_CASE(kmalloc_oob_memset_4), KUNIT_CASE(kmalloc_oob_memset_8), KUNIT_CASE(kmalloc_oob_memset_16), + KUNIT_CASE(kmalloc_memmove_negative_size), KUNIT_CASE(kmalloc_memmove_invalid_size), KUNIT_CASE(kmalloc_uaf), KUNIT_CASE(kmalloc_uaf_memset),
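Review bot: The first hunk (around line 493) renames the existing test to kmalloc_memmove_negative_size but then reuses the old name kmalloc_memmove_invalid_size for a brand-new test in the following hunk, so anyone grepping KUnit logs or bisecting "kmalloc_memmove_invalid_size" across this commit will be looking at two different tests under one name. Consider a fresh name for the new test (for example one that says it is the in-bounds-write variant) and leaving the old name on the old body; the rename-only hunk also carries over the HW_TAGS skip that commit 1b0668be62cf added to that body, which is worth saying in the commit message so the reader knows the negative-size test still does not run under HW tag-based KASAN.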
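Review bot: The new kmalloc_memmove_invalid_size in the second hunk (around line 515) has no comment explaining why it is safe to run in all modes: with dst = ptr and src = ptr + 4, copying invalid_size == size (64) bytes reads 4 bytes past the 64-byte allocation while every write stays inside it, which is exactly the "avoids out-of-bounds write" property the subject promises. Please state that next to `KUNIT_EXPECT_KASAN_FAIL(test, memmove((char *)ptr, (char *)ptr + 4, invalid_size));` so a later cleanup does not swap the offsets and turn it into an out-of-bounds write. Two smaller points in the same hunk: `memset((char *)ptr, 0, 64);` should use `size` instead of repeating the literal 64, and the `(char *)` casts on `ptr` are no-ops because `ptr` is already declared `char *`.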
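Review bot: In the third hunk (around line 1129) the registration order matches the definition order, kmalloc_memmove_negative_size before kmalloc_memmove_invalid_size, which is fine. One consistency point: the subject line says "add memcpy test", but both registered cases call memmove; since the commit message reasons about the memcpy implementation's tag-check behaviour, either note in the message that memmove goes through the same code on the affected arm64 implementation or change the subject to say memmove.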
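The distinction the commit message relies on is between a copy that merely reads past its allocation and one that writes past it: under HW tag-based KASAN the first failed tag check disables further checks and execution continues, so an out-of-bounds write keeps corrupting memory, while an out-of-bounds read only produces a report. The C program below is an added illustration, not part of the patch or of lib/test_kasan.c: it models a memmove(dst, src, n) whose source and destination are byte offsets into one allocation and reports how far the reads and writes reach past the end, using the parameters of the new test (kmalloc(64), dst = ptr, src = ptr + 4, n = 64). The mirrored case and the "negative" size value (size_t)-2 are constructed for comparison; the patch does not show the negative-size test's actual value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not kernel code: for a memmove(dst, src, n) whose
 * dst and src are byte offsets into a single allocation of alloc_size
 * bytes, report how far the reads and the writes reach past the end of
 * that allocation.  Under HW tag-based KASAN an out-of-bounds read is
 * reported and execution continues harmlessly, whereas an out-of-bounds
 * write keeps corrupting memory once the first failed check has disabled
 * tag checking, which is why the new test keeps its writes in bounds.
 */
struct overrun {
	size_t read_past_end;   /* bytes read beyond the allocation (SIZE_MAX = unbounded) */
	size_t write_past_end;  /* bytes written beyond the allocation (SIZE_MAX = unbounded) */
	int negative_size;      /* 1 if n would be negative when read as a signed size */
};

/* A "negative" size is a size_t with its top bit set, i.e. above PTRDIFF_MAX. */
static int looks_negative(size_t n)
{
	return n > (size_t)PTRDIFF_MAX;
}

/* How many bytes [off, off + n) extends beyond [0, alloc_size); saturates on wraparound. */
static size_t past_end(size_t alloc_size, size_t off, size_t n)
{
	size_t end;

	if (n > SIZE_MAX - off)
		return SIZE_MAX;	/* off + n wraps around: treat as unbounded */
	end = off + n;
	return end > alloc_size ? end - alloc_size : 0;
}

struct overrun memmove_overrun(size_t alloc_size, size_t dst_off,
			       size_t src_off, size_t n)
{
	struct overrun o;

	o.read_past_end = past_end(alloc_size, src_off, n);
	o.write_past_end = past_end(alloc_size, dst_off, n);
	o.negative_size = looks_negative(n);
	return o;
}

int main(void)
{
	/* The new test from the patch: memmove(ptr, ptr + 4, 64) over kmalloc(64). */
	struct overrun new_test = memmove_overrun(64, 0, 4, 64);
	/* Constructed mirror image: memmove(ptr + 4, ptr, 64) would write out of bounds. */
	struct overrun mirrored = memmove_overrun(64, 4, 0, 64);
	/* Constructed "negative" size; the original test's value is not shown in the patch. */
	struct overrun negative = memmove_overrun(64, 0, 4, (size_t)-2);

	printf("new test: reads %zu past end, writes %zu past end\n",
	       new_test.read_past_end, new_test.write_past_end);
	printf("mirrored: reads %zu past end, writes %zu past end\n",
	       mirrored.read_past_end, mirrored.write_past_end);
	printf("negative: negative_size=%d, reads unbounded=%d\n",
	       negative.negative_size, negative.read_past_end == SIZE_MAX);
	return 0;
}
```

The new test's parameters give a 4-byte read overrun and no write overrun, which is the property that lets it run under HW tag-based KASAN; swapping the offsets gives a 4-byte write overrun, the shape the commit message says corrupts memory until a kernel panic; and a size with its top bit set is what the older signed-comparison memcpy would have cut short and what the unsigned implementation now copies without limit.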