| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20200623072653.114563-1-elver@google.com>
Date: Tue, 23 Jun 2020 09:26:54 +0200
From: Marco Elver <elver@...gle.com>
To: elver@...gle.com, akpm@...ux-foundation.org
Cc: paulmck@...nel.org, dvyukov@...gle.com, glider@...gle.com,
andreyknvl@...gle.com, linux-kernel@...r.kernel.org,
kasan-dev@...glegroups.com, cl@...ux.com, penberg@...nel.org,
rientjes@...gle.com, iamjoonsoo.kim@....com, linux-mm@...ck.org
Subject: [PATCH v2] mm, kcsan: Instrument SLAB/SLUB free with "ASSERT_EXCLUSIVE_ACCESS"
Provide the necessary KCSAN checks to assist with debugging racy
use-after-frees. While KASAN is more reliable at generally catching such
use-after-frees (due to its use of a quarantine), it can be difficult to
debug racy use-after-frees. If a reliable reproducer exists, KCSAN can
assist in debugging such issues.
Note: ASSERT_EXCLUSIVE_ACCESS is a convenience wrapper if the size is
simply sizeof(var). Instead, here we just use __kcsan_check_access()
explicitly to pass the correct size.
Signed-off-by: Marco Elver <elver@...gle.com>
---
v2:
* SLAB_TYPESAFE_BY_RCU allows racy use after free within RCU grace
period. If slab is SLAB_TYPESAFE_BY_RCU do not check access.
---
mm/slab.c | 5 +++++
mm/slub.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/mm/slab.c b/mm/slab.c
index 9350062ffc1a..cba71d88e89c 100644
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -3426,6 +3426,11 @@ static __always_inline void __cache_free(struct kmem_cache *cachep, void *objp,
if (kasan_slab_free(cachep, objp, _RET_IP_))
return;
+ /* Use KCSAN to help debug racy use-after-free. */
+ if (!(cachep->flags & SLAB_TYPESAFE_BY_RCU))
+ __kcsan_check_access(objp, cachep->object_size,
+ KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
+
___cache_free(cachep, objp, caller);
}
diff --git a/mm/slub.c b/mm/slub.c
index b8f798b50d44..4a9d43fda669 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1470,6 +1470,11 @@ static __always_inline bool slab_free_hook(struct kmem_cache *s, void *x)
if (!(s->flags & SLAB_DEBUG_OBJECTS))
debug_check_no_obj_freed(x, s->object_size);
+ /* Use KCSAN to help debug racy use-after-free. */
+ if (!(s->flags & SLAB_TYPESAFE_BY_RCU))
+ __kcsan_check_access(x, s->object_size,
+ KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT);
+
/* KASAN might put x into memory quarantine, delaying its reuse */
return kasan_slab_free(s, x, _RET_IP_);
}
--
2.27.0.111.gc72c7da667-goog
Powered by blists - more mailing lists