| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACT4Y+akZ5iu2ohQhRqiUd8zkew-NmrUPrA=xYtS1xxHWZ60Og@mail.gmail.com>
Date: Mon, 6 Jul 2020 08:19:33 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Walter Wu <walter-zh.wu@...iatek.com>
Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>,
Alexander Potapenko <glider@...gle.com>,
Matthias Brugger <matthias.bgg@...il.com>,
kasan-dev <kasan-dev@...glegroups.com>,
Linux-MM <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux ARM <linux-arm-kernel@...ts.infradead.org>,
wsd_upstream <wsd_upstream@...iatek.com>,
linux-mediatek@...ts.infradead.org,
Andrey Konovalov <andreyknvl@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH v2] kasan: fix KASAN unit tests for tag-based KASAN
On Mon, Jul 6, 2020 at 4:21 AM Walter Wu <walter-zh.wu@...iatek.com> wrote:
>
> We use tag-based KASAN, then KASAN unit tests don't detect out-of-bounds
> memory access. They need to be fixed.
>
> With tag-based KASAN, the state of each 16 aligned bytes of memory is
> encoded in one shadow byte and the shadow value is tag of pointer, so
> we need to read next shadow byte, the shadow value is not equal to tag
> value of pointer, so that tag-based KASAN will detect out-of-bounds
> memory access.
>
> Signed-off-by: Walter Wu <walter-zh.wu@...iatek.com>
> Cc: Andrey Ryabinin <aryabinin@...tuozzo.com>
> Cc: Dmitry Vyukov <dvyukov@...gle.com>
> Cc: Alexander Potapenko <glider@...gle.com>
> Cc: Matthias Brugger <matthias.bgg@...il.com>
> Cc: Andrey Konovalov <andreyknvl@...gle.com>
> Cc: Andrew Morton <akpm@...ux-foundation.org>
> ---
>
> changes since v1:
> - Reduce amount of non-compiled code.
> - KUnit-KASAN Integration patchset are not merged yet. My patch should
> have conflict with it, if needed, we can continue to wait it.
>
> ---
>
> lib/test_kasan.c | 81 ++++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 64 insertions(+), 17 deletions(-)
>
> diff --git a/lib/test_kasan.c b/lib/test_kasan.c
> index e3087d90e00d..660664439d52 100644
> --- a/lib/test_kasan.c
> +++ b/lib/test_kasan.c
> @@ -40,7 +40,11 @@ static noinline void __init kmalloc_oob_right(void)
> return;
> }
>
> - ptr[size] = 'x';
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr[size] = 'x';
> + else
> + ptr[size + 5] = 'x';
> +
Hi Walter,
Would if be possible to introduce something like:
#define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : 8)
and then add it throughout as
ptr[size + OOB_TAG_OFF] = 'x';
?
The current version results in quite some amount of additional code
that needs to be read, extended and maintained in the future. So I am
thinking if it's possible to minimize it somehow...
> kfree(ptr);
> }
>
> @@ -92,7 +96,11 @@ static noinline void __init kmalloc_pagealloc_oob_right(void)
> return;
> }
>
> - ptr[size] = 0;
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr[size] = 0;
> + else
> + ptr[size + 6] = 0;
> +
> kfree(ptr);
> }
>
> @@ -162,7 +170,11 @@ static noinline void __init kmalloc_oob_krealloc_more(void)
> return;
> }
>
> - ptr2[size2] = 'x';
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr2[size2] = 'x';
> + else
> + ptr2[size2 + 13] = 'x';
> +
> kfree(ptr2);
> }
>
> @@ -180,7 +192,12 @@ static noinline void __init kmalloc_oob_krealloc_less(void)
> kfree(ptr1);
> return;
> }
> - ptr2[size2] = 'x';
> +
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + ptr2[size2] = 'x';
> + else
> + ptr2[size2 + 2] = 'x';
> +
> kfree(ptr2);
> }
>
> @@ -216,7 +233,11 @@ static noinline void __init kmalloc_oob_memset_2(void)
> return;
> }
>
> - memset(ptr+7, 0, 2);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+7, 0, 2);
> + else
> + memset(ptr+15, 0, 2);
> +
> kfree(ptr);
> }
>
> @@ -232,7 +253,11 @@ static noinline void __init kmalloc_oob_memset_4(void)
> return;
> }
>
> - memset(ptr+5, 0, 4);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+5, 0, 4);
> + else
> + memset(ptr+15, 0, 4);
> +
> kfree(ptr);
> }
>
> @@ -249,7 +274,11 @@ static noinline void __init kmalloc_oob_memset_8(void)
> return;
> }
>
> - memset(ptr+1, 0, 8);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+1, 0, 8);
> + else
> + memset(ptr+15, 0, 8);
> +
> kfree(ptr);
> }
>
> @@ -265,7 +294,11 @@ static noinline void __init kmalloc_oob_memset_16(void)
> return;
> }
>
> - memset(ptr+1, 0, 16);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr+1, 0, 16);
> + else
> + memset(ptr+15, 0, 16);
> +
> kfree(ptr);
> }
>
> @@ -281,7 +314,11 @@ static noinline void __init kmalloc_oob_in_memset(void)
> return;
> }
>
> - memset(ptr, 0, size+5);
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + memset(ptr, 0, size+5);
> + else
> + memset(ptr, 0, size+7);
> +
> kfree(ptr);
> }
>
> @@ -415,7 +452,11 @@ static noinline void __init kmem_cache_oob(void)
> return;
> }
>
> - *p = p[size];
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + *p = p[size];
> + else
> + *p = p[size + 8];
> +
> kmem_cache_free(cache, p);
> kmem_cache_destroy(cache);
> }
> @@ -497,6 +538,7 @@ static noinline void __init copy_user_test(void)
> char __user *usermem;
> size_t size = 10;
> int unused;
> + size_t oob_size;
>
> kmem = kmalloc(size, GFP_KERNEL);
> if (!kmem)
> @@ -511,26 +553,31 @@ static noinline void __init copy_user_test(void)
> return;
> }
>
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC))
> + oob_size = 1;
> + else
> + oob_size = 7;
> +
> pr_info("out-of-bounds in copy_from_user()\n");
> - unused = copy_from_user(kmem, usermem, size + 1);
> + unused = copy_from_user(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in copy_to_user()\n");
> - unused = copy_to_user(usermem, kmem, size + 1);
> + unused = copy_to_user(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_from_user()\n");
> - unused = __copy_from_user(kmem, usermem, size + 1);
> + unused = __copy_from_user(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_to_user()\n");
> - unused = __copy_to_user(usermem, kmem, size + 1);
> + unused = __copy_to_user(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_from_user_inatomic()\n");
> - unused = __copy_from_user_inatomic(kmem, usermem, size + 1);
> + unused = __copy_from_user_inatomic(kmem, usermem, size + oob_size);
>
> pr_info("out-of-bounds in __copy_to_user_inatomic()\n");
> - unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
> + unused = __copy_to_user_inatomic(usermem, kmem, size + oob_size);
>
> pr_info("out-of-bounds in strncpy_from_user()\n");
> - unused = strncpy_from_user(kmem, usermem, size + 1);
> + unused = strncpy_from_user(kmem, usermem, size + oob_size);
>
> vm_munmap((unsigned long)usermem, PAGE_SIZE);
> kfree(kmem);
> --
> 2.18.0
>
> --
> You received this message because you are subscribed to the Google Groups "kasan-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kasan-dev+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/kasan-dev/20200706022150.20848-1-walter-zh.wu%40mediatek.com.
Powered by blists - more mailing lists