| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez19raco+s+UF8eiXqTvaDEoMAo6_qmW2KdO24QDpmZpFQ@mail.gmail.com>
Date: Wed, 6 Oct 2021 05:22:06 +0200
From: Jann Horn <jannh@...gle.com>
To: Kees Cook <keescook@...omium.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Vlastimil Babka <vbabka@...e.cz>,
Andy Whitcroft <apw@...onical.com>,
Dennis Zhou <dennis@...nel.org>,
Dwaipayan Ray <dwaipayanray1@...il.com>,
Joe Perches <joe@...ches.com>,
Lukas Bulwahn <lukas.bulwahn@...il.com>,
Miguel Ojeda <ojeda@...nel.org>,
Nathan Chancellor <nathan@...nel.org>,
Tejun Heo <tj@...nel.org>,
Daniel Micay <danielmicay@...il.com>,
Nick Desaulniers <ndesaulniers@...gle.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
clang-built-linux@...glegroups.com, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v3 4/8] slab: Add __alloc_size attributes for better
bounds checking
On Wed, Oct 6, 2021 at 5:06 AM Kees Cook <keescook@...omium.org> wrote:
> On Tue, Oct 05, 2021 at 06:47:17PM -0700, Andrew Morton wrote:
> > On Thu, 30 Sep 2021 15:27:00 -0700 Kees Cook <keescook@...omium.org> wrote:
> >
> > > As already done in GrapheneOS, add the __alloc_size attribute for regular
> > > kmalloc interfaces, to provide additional hinting for better bounds
> > > checking, assisting CONFIG_FORTIFY_SOURCE and other compiler
> > > optimizations.
> >
> > x86_64 allmodconfig:
>
> What compiler and version?
>
> >
> > In file included from ./arch/x86/include/asm/preempt.h:7,
> > from ./include/linux/preempt.h:78,
> > from ./include/linux/spinlock.h:55,
> > from ./include/linux/mmzone.h:8,
> > from ./include/linux/gfp.h:6,
> > from ./include/linux/mm.h:10,
> > from ./include/linux/mman.h:5,
> > from lib/test_kasan_module.c:10:
> > In function 'check_copy_size',
> > inlined from 'copy_user_test' at ./include/linux/uaccess.h:191:6:
> > ./include/linux/thread_info.h:213:4: error: call to '__bad_copy_to' declared with attribute error: copy destination size is too small
> > 213 | __bad_copy_to();
> > | ^~~~~~~~~~~~~~~
> > In function 'check_copy_size',
> > inlined from 'copy_user_test' at ./include/linux/uaccess.h:199:6:
> > ./include/linux/thread_info.h:211:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
> > 211 | __bad_copy_from();
> > | ^~~~~~~~~~~~~~~~~
> > make[1]: *** [lib/test_kasan_module.o] Error 1
> > make: *** [lib] Error 2
>
> Hah, yes, it caught an intentionally bad copy. This may bypass the
> check, as I've had to do in LKDTM before. I will test...
>
> diff --git a/lib/test_kasan_module.c b/lib/test_kasan_module.c
> index 7ebf433edef3..9fb2fb2937da 100644
> --- a/lib/test_kasan_module.c
> +++ b/lib/test_kasan_module.c
> @@ -19,7 +19,12 @@ static noinline void __init copy_user_test(void)
> {
> char *kmem;
> char __user *usermem;
> - size_t size = 128 - KASAN_GRANULE_SIZE;
> + /*
> + * This is marked volatile to avoid __alloc_size()
> + * noticing the intentionally out-of-bounds copys
> + * being done on the allocation.
> + */
> + volatile size_t size = 128 - KASAN_GRANULE_SIZE;
Maybe OPTIMIZER_HIDE_VAR()? The normal version of that abuses an empty
asm statement to hide the value from the compiler.
Powered by blists - more mailing lists