lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 Jun 2024 17:05:10 +0200
From: Alexander Potapenko <glider@...gle.com>
To: Ilya Leoshkevich <iii@...ux.ibm.com>
Cc: SeongJae Park <sj@...nel.org>, Alexander Gordeev <agordeev@...ux.ibm.com>, 
	Andrew Morton <akpm@...ux-foundation.org>, Christoph Lameter <cl@...ux.com>, 
	David Rientjes <rientjes@...gle.com>, Heiko Carstens <hca@...ux.ibm.com>, 
	Joonsoo Kim <iamjoonsoo.kim@....com>, Marco Elver <elver@...gle.com>, 
	Masami Hiramatsu <mhiramat@...nel.org>, Pekka Enberg <penberg@...nel.org>, 
	Steven Rostedt <rostedt@...dmis.org>, Vasily Gorbik <gor@...ux.ibm.com>, 
	Vlastimil Babka <vbabka@...e.cz>, Christian Borntraeger <borntraeger@...ux.ibm.com>, 
	Dmitry Vyukov <dvyukov@...gle.com>, Hyeonggon Yoo <42.hyeyoo@...il.com>, kasan-dev@...glegroups.com, 
	linux-kernel@...r.kernel.org, linux-mm@...ck.org, linux-s390@...r.kernel.org, 
	linux-trace-kernel@...r.kernel.org, Mark Rutland <mark.rutland@....com>, 
	Roman Gushchin <roman.gushchin@...ux.dev>, Sven Schnelle <svens@...ux.ibm.com>
Subject: Re: [PATCH v4 12/35] kmsan: Support SLAB_POISON

On Fri, Jun 14, 2024 at 1:44 AM Ilya Leoshkevich <iii@...ux.ibm.com> wrote:
>
> On Thu, 2024-06-13 at 16:30 -0700, SeongJae Park wrote:
> > Hi Ilya,
> >
> > On Thu, 13 Jun 2024 17:34:14 +0200 Ilya Leoshkevich
> > <iii@...ux.ibm.com> wrote:
> >
> > > Avoid false KMSAN negatives with SLUB_DEBUG by allowing
> > > kmsan_slab_free() to poison the freed memory, and by preventing
> > > init_object() from unpoisoning new allocations by using __memset().
> > >
> > > There are two alternatives to this approach. First, init_object()
> > > can be marked with __no_sanitize_memory. This annotation should be
> > > used
> > > with great care, because it drops all instrumentation from the
> > > function, and any shadow writes will be lost. Even though this is
> > > not a
> > > concern with the current init_object() implementation, this may
> > > change
> > > in the future.
> > >
> > > Second, kmsan_poison_memory() calls may be added after memset()
> > > calls.
> > > The downside is that init_object() is called from
> > > free_debug_processing(), in which case poisoning will erase the
> > > distinction between simply uninitialized memory and UAF.
> > >
> > > Signed-off-by: Ilya Leoshkevich <iii@...ux.ibm.com>
> > > ---
> > >  mm/kmsan/hooks.c |  2 +-
> > >  mm/slub.c        | 13 +++++++++----
> > >  2 files changed, 10 insertions(+), 5 deletions(-)
> > >
> > [...]
> > > --- a/mm/slub.c
> > > +++ b/mm/slub.c
> > > @@ -1139,7 +1139,12 @@ static void init_object(struct kmem_cache
> > > *s, void *object, u8 val)
> > >     unsigned int poison_size = s->object_size;
> > >
> > >     if (s->flags & SLAB_RED_ZONE) {
> > > -           memset(p - s->red_left_pad, val, s->red_left_pad);
> > > +           /*
> > > +            * Use __memset() here and below in order to avoid
> > > overwriting
> > > +            * the KMSAN shadow. Keeping the shadow makes it
> > > possible to
> > > +            * distinguish uninit-value from use-after-free.
> > > +            */
> > > +           __memset(p - s->red_left_pad, val, s-
> > > >red_left_pad);
> >
> > I found my build test[1] fails with below error on latest mm-unstable
> > branch.
> > 'git bisect' points me this patch.
> >
> >       CC      mm/slub.o
> >     /mm/slub.c: In function 'init_object':
> >     /mm/slub.c:1147:17: error: implicit declaration of function
> > '__memset'; did you mean 'memset'? [-Werror=implicit-function-
> > declaration]
> >      1147 |                 __memset(p - s->red_left_pad, val, s-
> > >red_left_pad);
> >           |                 ^~~~~~~~
> >           |                 memset
> >     cc1: some warnings being treated as errors
> >
> > I haven't looked in deep, but reporting first.  Do you have any idea?
> >
> > [1]
> > https://github.com/awslabs/damon-tests/blob/next/corr/tests/build_m68k.sh
> >
> >
> > Thanks,
> > SJ
> >
> > [...]
>
> Thanks for the report.
>
> Apparently not all architectures have __memset(). We should probably go
> back to memset_no_sanitize_memory() [1], but this time mark it with
> noinline __maybe_unused __no_sanitize_memory, like it's done in, e.g.,
> 32/35.
>
> Alexander, what do you think?

We could probably go without __no_sanitize_memory assuming that
platforms supporting KMSAN always have __memset():

  #if defined(CONFIG_KMSAN)
  static inline void *memset_no_sanitize_memory(void *s, int c, size_t n)
  {
          return __memset(s, c, n);
  }
  #else
  static inline void *memset_no_sanitize_memory(void *s, int c, size_t n)
  {
          return memset(s, c, n);
  }
  #endif

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ