lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1587476272.5870.15.camel@mtksdccf07>
Date:   Tue, 21 Apr 2020 21:37:52 +0800
From:   Walter Wu <walter-zh.wu@...iatek.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>
CC:     David Gow <davidgow@...gle.com>,
        Brendan Higgins <brendanhiggins@...gle.com>,
        Patricia Alfonso <trishalfonso@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Alexander Potapenko <glider@...gle.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        "Andrey Konovalov" <andreyknvl@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        kasan-dev <kasan-dev@...glegroups.com>,
        Linux-MM <linux-mm@...ck.org>,
        LKML <linux-kernel@...r.kernel.org>,
        "Linux ARM" <linux-arm-kernel@...ts.infradead.org>,
        wsd_upstream <wsd_upstream@...iatek.com>,
        <linux-mediatek@...ts.infradead.org>
Subject: Re: [PATCH] kasan: fix KASAN unit tests for tag-based KASAN

On Tue, 2020-04-21 at 15:01 +0200, 'Dmitry Vyukov' via kasan-dev wrote:
> On Tue, Apr 21, 2020 at 2:26 PM Walter Wu <walter-zh.wu@...iatek.com> wrote:
> >
> > Hi Dmitry,
> >
> > On Tue, 2020-04-21 at 13:56 +0200, Dmitry Vyukov wrote:
> > > On Tue, Apr 21, 2020 at 3:40 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:
> > > >
> > > > When we use tag-based KASAN, then KASAN unit tests don't detect
> > > > out-of-bounds memory access. Because with tag-based KASAN the state
> > > > of each 16 aligned bytes of memory is encoded in one shadow byte
> > > > and the shadow value is tag of pointer, so we need to read next
> > > > shadow byte, the shadow value is not equal to tag of pointer,
> > > > then tag-based KASAN will detect out-of-bounds memory access.
> > > >
> > > > Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
> > > > Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
> > > > Cc: Dmitry Vyukov <dvyukov@...gle.com>
> > > > Cc: Alexander Potapenko <glider@...gle.com>
> > > > Cc: Matthias Brugger <matthias.bgg@...il.com>
> > > > Cc: Andrey Konovalov <andreyknvl@...gle.com>
> > > > Cc: Andrew Morton <akpm@...ux-foundation.org>
> > > > ---
> > > >  lib/test_kasan.c | 62 ++++++++++++++++++++++++++++++++++++++++++------
> > > >  1 file changed, 55 insertions(+), 7 deletions(-)
> > > >
> > > > diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> > > > index e3087d90e00d..a164f6b47fe5 100644
> > > > --- a/lib/test_kasan.c
> > > > +++ b/lib/test_kasan.c
> > > > @@ -40,7 +40,12 @@ static noinline void __init kmalloc_oob_right(void)
> > > >                 return;
> > > >         }
> > >
> > > Hi Walter,
> > >
> > > This would be great to have!
> > > But I am concerned about these series that port KASAN tests to KUNIT:
> > > https://lkml.org/lkml/2020/4/17/1144
> > > I suspect it will be one large merge conflict. Not sure what is the
> > > proper way to resovle this. I've added authors to CC.
> > >
> > Yes, it should have conflicts. Thanks for your reminder.
> > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         ptr[size] = 'x';
> > > > +#else
> > > > +       ptr[size + 5] = 'x';
> > > > +#endif
> > > > +
> > >
> > > For this particular snippet I think we can reduce amount of idef'ery
> > > and amount of non-compiled code in each configuration with something
> > > like:
> > >
> > >   ptr[size + 5] = 'x';
> > >   if (ENABLED(CONFIG_KASAN_GENERIC))
> > >       ptr[size] = 'x';
> > >
> > > One check runs always (it should pass in both configs, right?). The
> >
> > There is a problem, With generic KASAN it may trigger two KASAN reports.
> 
> Why is this a problem? If there are 2, fine. KUNIT can check that if
> we expect 2, there are indeed 2.
> 
Sorry, I originally assume my patch doesn't include in KUNIT. so I think
there is a problem. but I know your meaning. Can my patch upstream
first?

> > if we change it like:
> >
> > if (ENABLED(CONFIG_KASAN_GENERIC))
> >     ptr[size] = 'x';
> > else
> >     ptr[size + 5] = 'x';
> >
> > > only only in GENERIC, but it's C-level if rather than preprocessor.
> > > KUNIT should make 2 bugs per test easily expressable (and testable).
> > >
> >
> > >
> > >
> > >
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -92,7 +97,12 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         ptr[size] = 0;
> > > > +#else
> > > > +       ptr[size + 6] = 0;
> > > > +#endif
> > > > +
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -162,7 +172,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         ptr2[size2] = 'x';
> > > > +#else
> > > > +       ptr2[size2 + 13] = 'x';
> > > > +#endif
> > > >         kfree(ptr2);
> > > >  }
> > > >
> > > > @@ -180,7 +194,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
> > > >                 kfree(ptr1);
> > > >                 return;
> > > >         }
> > > > +
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         ptr2[size2] = 'x';
> > > > +#else
> > > > +       ptr2[size2 + 2] = 'x';
> > > > +#endif
> > > >         kfree(ptr2);
> > > >  }
> > > >
> > > > @@ -216,7 +235,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         memset(ptr+7, 0, 2);
> > > > +#else
> > > > +       memset(ptr+15, 0, 2);
> > > > +#endif
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -232,7 +255,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         memset(ptr+5, 0, 4);
> > > > +#else
> > > > +       memset(ptr+15, 0, 4);
> > > > +#endif
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -249,7 +276,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         memset(ptr+1, 0, 8);
> > > > +#else
> > > > +       memset(ptr+15, 0, 8);
> > > > +#endif
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -265,7 +296,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         memset(ptr+1, 0, 16);
> > > > +#else
> > > > +       memset(ptr+15, 0, 16);
> > > > +#endif
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -281,7 +316,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         memset(ptr, 0, size+5);
> > > > +#else
> > > > +       memset(ptr, 0, size+7);
> > > > +#endif
> > > >         kfree(ptr);
> > > >  }
> > > >
> > > > @@ -415,7 +454,11 @@ static noinline void __init kmem_cache_oob(void)
> > > >                 return;
> > > >         }
> > > >
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > >         *p = p[size];
> > > > +#else
> > > > +       *p = p[size + 8];
> > > > +#endif
> > > >         kmem_cache_free(cache, p);
> > > >         kmem_cache_destroy(cache);
> > > >  }
> > > > @@ -497,6 +540,11 @@ static noinline void __init copy_user_test(void)
> > > >         char __user *usermem;
> > > >         size_t size = 10;
> > > >         int unused;
> > > > +#ifdef CONFIG_KASAN_GENERIC
> > > > +       size_t oob_size = 1;
> > > > +#else
> > > > +       size_t oob_size = 7;
> > > > +#endif
> > > >
> > > >         kmem = kmalloc(size, GFP_KERNEL);
> > > >         if (!kmem)
> > > > @@ -512,25 +560,25 @@ static noinline void __init copy_user_test(void)
> > > >         }
> > > >
> > > >         pr_info("out-of-bounds in copy_from_user()\n");
> > > > -       unused = copy_from_user(kmem, usermem, size + 1);
> > > > +       unused = copy_from_user(kmem, usermem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in copy_to_user()\n");
> > > > -       unused = copy_to_user(usermem, kmem, size + 1);
> > > > +       unused = copy_to_user(usermem, kmem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in __copy_from_user()\n");
> > > > -       unused = __copy_from_user(kmem, usermem, size + 1);
> > > > +       unused = __copy_from_user(kmem, usermem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in __copy_to_user()\n");
> > > > -       unused = __copy_to_user(usermem, kmem, size + 1);
> > > > +       unused = __copy_to_user(usermem, kmem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
> > > > -       unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
> > > > +       unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
> > > > -       unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
> > > > +       unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
> > > >
> > > >         pr_info("out-of-bounds in strncpy_from_user()\n");
> > > > -       unused = strncpy_from_user(kmem, usermem, size + 1);
> > > > +       unused = strncpy_from_user(kmem, usermem, size + oob_size);
> > > >
> > > >         vm_munmap((unsigned long)usermem, PAGE_SIZE);
> > > >         kfree(kmem);
> > > > --
> > > > 2.18.0
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > > > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@...glegroups.com.
> > > > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200421014007.6012-1-walter-zh.wu%40mediatek.com.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@...glegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/1587472005.5870.7.camel%40mtksdccf07.
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ