| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZfWpCsW-mkKLc55+cRoBQJTeB1ecuown45zchRneNFLhg@mail.gmail.com>
Date: Wed, 14 Aug 2024 00:53:42 +0200
From: Andrey Konovalov <andreyknvl@...il.com>
To: Matthew Maurer <mmaurer@...gle.com>
Cc: dvyukov@...gle.com, ojeda@...nel.org,
Andrey Ryabinin <ryabinin.a.a@...il.com>, Andrew Morton <akpm@...ux-foundation.org>,
Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, aliceryhl@...gle.com,
samitolvanen@...gle.com, Alexander Potapenko <glider@...gle.com>,
Vincenzo Frascino <vincenzo.frascino@....com>, Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>,
linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com, linux-mm@...ck.org,
rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v2 3/3] kasan: rust: Add KASAN smoke test via UAF
On Tue, Aug 13, 2024 at 1:29 AM Matthew Maurer <mmaurer@...gle.com> wrote:
>
> Adds a smoke test to ensure that KASAN in Rust is actually detecting a
> Rust-native UAF. There is significant room to expand this test suite,
> but this will at least ensure that flags are having the intended effect.
>
> Signed-off-by: Matthew Maurer <mmaurer@...gle.com>
> ---
> mm/kasan/Makefile | 9 ++++++++-
> mm/kasan/{kasan_test.c => kasan_test_c.c} | 13 +++++++++++++
> mm/kasan/kasan_test_rust.rs | 17 +++++++++++++++++
> 3 files changed, 38 insertions(+), 1 deletion(-)
> rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
> create mode 100644 mm/kasan/kasan_test_rust.rs
>
> diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile
> index 7634dd2a6128..d718b0f72009 100644
> --- a/mm/kasan/Makefile
> +++ b/mm/kasan/Makefile
> @@ -44,7 +44,8 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
> CFLAGS_KASAN_TEST += -fno-builtin
> endif
>
> -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST)
> +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST)
Let's keep the kasan_test.c name for the C tests to avoid changing the
module name. Naming Rust tests as kasan_test_rust.rs seems to be
sufficient.
> +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN)
> CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST)
>
> obj-y := common.o report.o
> @@ -54,3 +55,9 @@ obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o
>
> obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o
> obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o
> +
> +kasan_test-objs := kasan_test_c.o
> +
> +ifdef CONFIG_RUST
> +kasan_test-objs += kasan_test_rust.o
> +endif
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c
> similarity index 99%
> rename from mm/kasan/kasan_test.c
> rename to mm/kasan/kasan_test_c.c
> index 7b32be2a3cf0..28821c90840e 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -30,6 +30,7 @@
> #include <asm/page.h>
>
> #include "kasan.h"
> +#include "kasan_test_rust.h"
You forgot to include this file into the patch.
But I don't think you even need to create a new include file: just put
the new test function's declaration to kasan.h next to the other
test-related functions (e.g. after the part with
kasan_restore_multi_shot).
>
> #define OOB_TAG_OFF (IS_ENABLED(CONFIG_KASAN_GENERIC) ? 0 : KASAN_GRANULE_SIZE)
>
> @@ -1899,6 +1900,17 @@ static void match_all_mem_tag(struct kunit *test)
> kfree(ptr);
> }
>
> +/*
> + * Check that Rust performing a uaf using `unsafe` is detected.
uaf -> use-after-free or UAF
> + * This is an undirected smoke test to make sure that Rust is being sanitized
> + * appropriately.
What is an undirected test? Let's drop this word, it is confusing.
> + */
> +static void rust_uaf(struct kunit *test)
> +{
> + KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> +}
> +
> +
> static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kmalloc_oob_right),
> KUNIT_CASE(kmalloc_oob_left),
> @@ -1971,6 +1983,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(match_all_not_assigned),
> KUNIT_CASE(match_all_ptr_tag),
> KUNIT_CASE(match_all_mem_tag),
> + KUNIT_CASE(rust_uaf),
> {}
> };
>
> diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs
> new file mode 100644
> index 000000000000..6f4b43ea488c
> --- /dev/null
> +++ b/mm/kasan/kasan_test_rust.rs
> @@ -0,0 +1,17 @@
> +//! Helper crate for KASAN testing
> +//! Provides behavior to check the sanitization of Rust code.
> +use kernel::prelude::*;
> +use core::ptr::addr_of_mut;
> +
> +/// Trivial UAF - allocate a big vector, grab a pointer partway through,
> +/// drop the vector, and touch it.
> +#[no_mangle]
> +pub extern "C" fn kasan_test_rust_uaf() -> u8 {
> + let mut v: Vec<u8> = Vec::new();
> + for _ in 0..4096 {
> + v.push(0x42, GFP_KERNEL).unwrap();
> + }
> + let ptr: *mut u8 = addr_of_mut!(v[2048]);
> + drop(v);
> + unsafe { *ptr }
> +}
> --
> 2.46.0.76.ge559c4bf1a-goog
>
Powered by blists - more mailing lists