lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5a8a3c85760c19be66965630418e09a820f79277.camel@linux.ibm.com>
Date: Fri, 14 Jun 2024 01:44:39 +0200
From: Ilya Leoshkevich <iii@...ux.ibm.com>
To: SeongJae Park <sj@...nel.org>, Alexander Potapenko <glider@...gle.com>
Cc: Alexander Gordeev <agordeev@...ux.ibm.com>,
        Andrew Morton
 <akpm@...ux-foundation.org>,
        Christoph Lameter <cl@...ux.com>,
        David
 Rientjes <rientjes@...gle.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Joonsoo
 Kim <iamjoonsoo.kim@....com>, Marco Elver <elver@...gle.com>,
        Masami
 Hiramatsu <mhiramat@...nel.org>,
        Pekka Enberg <penberg@...nel.org>,
        Steven
 Rostedt <rostedt@...dmis.org>,
        Vasily Gorbik <gor@...ux.ibm.com>, Vlastimil
 Babka <vbabka@...e.cz>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Hyeonggon Yoo <42.hyeyoo@...il.com>, kasan-dev@...glegroups.com,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        linux-s390@...r.kernel.org, linux-trace-kernel@...r.kernel.org,
        Mark Rutland <mark.rutland@....com>,
        Roman Gushchin <roman.gushchin@...ux.dev>,
        Sven Schnelle
 <svens@...ux.ibm.com>
Subject: Re: [PATCH v4 12/35] kmsan: Support SLAB_POISON

On Thu, 2024-06-13 at 16:30 -0700, SeongJae Park wrote:
> Hi Ilya,
> 
> On Thu, 13 Jun 2024 17:34:14 +0200 Ilya Leoshkevich
> <iii@...ux.ibm.com> wrote:
> 
> > Avoid false KMSAN negatives with SLUB_DEBUG by allowing
> > kmsan_slab_free() to poison the freed memory, and by preventing
> > init_object() from unpoisoning new allocations by using __memset().
> > 
> > There are two alternatives to this approach. First, init_object()
> > can be marked with __no_sanitize_memory. This annotation should be
> > used
> > with great care, because it drops all instrumentation from the
> > function, and any shadow writes will be lost. Even though this is
> > not a
> > concern with the current init_object() implementation, this may
> > change
> > in the future.
> > 
> > Second, kmsan_poison_memory() calls may be added after memset()
> > calls.
> > The downside is that init_object() is called from
> > free_debug_processing(), in which case poisoning will erase the
> > distinction between simply uninitialized memory and UAF.
> > 
> > Signed-off-by: Ilya Leoshkevich <iii@...ux.ibm.com>
> > ---
> >  mm/kmsan/hooks.c |  2 +-
> >  mm/slub.c        | 13 +++++++++----
> >  2 files changed, 10 insertions(+), 5 deletions(-)
> > 
> [...]
> > --- a/mm/slub.c
> > +++ b/mm/slub.c
> > @@ -1139,7 +1139,12 @@ static void init_object(struct kmem_cache
> > *s, void *object, u8 val)
> >  	unsigned int poison_size = s->object_size;
> >  
> >  	if (s->flags & SLAB_RED_ZONE) {
> > -		memset(p - s->red_left_pad, val, s->red_left_pad);
> > +		/*
> > +		 * Use __memset() here and below in order to avoid
> > overwriting
> > +		 * the KMSAN shadow. Keeping the shadow makes it
> > possible to
> > +		 * distinguish uninit-value from use-after-free.
> > +		 */
> > +		__memset(p - s->red_left_pad, val, s-
> > >red_left_pad);
> 
> I found my build test[1] fails with below error on latest mm-unstable
> branch.
> 'git bisect' points me this patch.
> 
>       CC      mm/slub.o
>     /mm/slub.c: In function 'init_object':
>     /mm/slub.c:1147:17: error: implicit declaration of function
> '__memset'; did you mean 'memset'? [-Werror=implicit-function-
> declaration]
>      1147 |                 __memset(p - s->red_left_pad, val, s-
> >red_left_pad);
>           |                 ^~~~~~~~
>           |                 memset
>     cc1: some warnings being treated as errors
> 
> I haven't looked in deep, but reporting first.  Do you have any idea?
> 
> [1]
> https://github.com/awslabs/damon-tests/blob/next/corr/tests/build_m68k.sh
> 
> 
> Thanks,
> SJ
> 
> [...]

Thanks for the report.

Apparently not all architectures have __memset(). We should probably go
back to memset_no_sanitize_memory() [1], but this time mark it with
noinline __maybe_unused __no_sanitize_memory, like it's done in, e.g.,
32/35.

Alexander, what do you think?

[1]
https://lore.kernel.org/lkml/20231121220155.1217090-14-iii@linux.ibm.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ