lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240613233044.117000-1-sj@kernel.org>
Date: Thu, 13 Jun 2024 16:30:44 -0700
From: SeongJae Park <sj@...nel.org>
To: Ilya Leoshkevich <iii@...ux.ibm.com>
Cc: SeongJae Park <sj@...nel.org>,
	Alexander Gordeev <agordeev@...ux.ibm.com>,
	Alexander Potapenko <glider@...gle.com>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christoph Lameter <cl@...ux.com>,
	David Rientjes <rientjes@...gle.com>,
	Heiko Carstens <hca@...ux.ibm.com>,
	Joonsoo Kim <iamjoonsoo.kim@....com>,
	Marco Elver <elver@...gle.com>,
	Masami Hiramatsu <mhiramat@...nel.org>,
	Pekka Enberg <penberg@...nel.org>,
	Steven Rostedt <rostedt@...dmis.org>,
	Vasily Gorbik <gor@...ux.ibm.com>,
	Vlastimil Babka <vbabka@...e.cz>,
	Christian Borntraeger <borntraeger@...ux.ibm.com>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	Hyeonggon Yoo <42.hyeyoo@...il.com>,
	kasan-dev@...glegroups.com,
	linux-kernel@...r.kernel.org,
	linux-mm@...ck.org,
	linux-s390@...r.kernel.org,
	linux-trace-kernel@...r.kernel.org,
	Mark Rutland <mark.rutland@....com>,
	Roman Gushchin <roman.gushchin@...ux.dev>,
	Sven Schnelle <svens@...ux.ibm.com>
Subject: Re: [PATCH v4 12/35] kmsan: Support SLAB_POISON

Hi Ilya,

On Thu, 13 Jun 2024 17:34:14 +0200 Ilya Leoshkevich <iii@...ux.ibm.com> wrote:

> Avoid false KMSAN negatives with SLUB_DEBUG by allowing
> kmsan_slab_free() to poison the freed memory, and by preventing
> init_object() from unpoisoning new allocations by using __memset().
> 
> There are two alternatives to this approach. First, init_object()
> can be marked with __no_sanitize_memory. This annotation should be used
> with great care, because it drops all instrumentation from the
> function, and any shadow writes will be lost. Even though this is not a
> concern with the current init_object() implementation, this may change
> in the future.
> 
> Second, kmsan_poison_memory() calls may be added after memset() calls.
> The downside is that init_object() is called from
> free_debug_processing(), in which case poisoning will erase the
> distinction between simply uninitialized memory and UAF.
> 
> Signed-off-by: Ilya Leoshkevich <iii@...ux.ibm.com>
> ---
>  mm/kmsan/hooks.c |  2 +-
>  mm/slub.c        | 13 +++++++++----
>  2 files changed, 10 insertions(+), 5 deletions(-)
> 
[...]
> --- a/mm/slub.c
> +++ b/mm/slub.c
> @@ -1139,7 +1139,12 @@ static void init_object(struct kmem_cache *s, void *object, u8 val)
>  	unsigned int poison_size = s->object_size;
>  
>  	if (s->flags & SLAB_RED_ZONE) {
> -		memset(p - s->red_left_pad, val, s->red_left_pad);
> +		/*
> +		 * Use __memset() here and below in order to avoid overwriting
> +		 * the KMSAN shadow. Keeping the shadow makes it possible to
> +		 * distinguish uninit-value from use-after-free.
> +		 */
> +		__memset(p - s->red_left_pad, val, s->red_left_pad);

I found my build test[1] fails with below error on latest mm-unstable branch.
'git bisect' points me this patch.

      CC      mm/slub.o
    /mm/slub.c: In function 'init_object':
    /mm/slub.c:1147:17: error: implicit declaration of function '__memset'; did you mean 'memset'? [-Werror=implicit-function-declaration]
     1147 |                 __memset(p - s->red_left_pad, val, s->red_left_pad);
          |                 ^~~~~~~~
          |                 memset
    cc1: some warnings being treated as errors

I haven't looked in deep, but reporting first.  Do you have any idea?

[1] https://github.com/awslabs/damon-tests/blob/next/corr/tests/build_m68k.sh


Thanks,
SJ

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ