lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CA+fCnZc9XeNTuD9nVVDqrF_1W1Vv26SVEwu1bCQ2usqfSPpiOw@mail.gmail.com>
Date: Tue, 20 Aug 2024 19:37:59 +0200
From: Andrey Konovalov <andreyknvl@...il.com>
To: Matthew Maurer <mmaurer@...gle.com>
Cc: dvyukov@...gle.com, ojeda@...nel.org, 
	Andrey Ryabinin <ryabinin.a.a@...il.com>, Andrew Morton <akpm@...ux-foundation.org>, 
	Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, aliceryhl@...gle.com, 
	samitolvanen@...gle.com, kasan-dev@...glegroups.com, linux-mm@...ck.org, 
	glider@...gle.com, Vincenzo Frascino <vincenzo.frascino@....com>, 
	Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, 
	Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>, 
	linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v3 4/4] kasan: rust: Add KASAN smoke test via UAF

On Mon, Aug 19, 2024 at 11:35 PM Matthew Maurer <mmaurer@...gle.com> wrote:
>
> Adds a smoke test to ensure that KASAN in Rust is actually detecting a
> Rust-native UAF. There is significant room to expand this test suite,
> but this will at least ensure that flags are having the intended effect.
>
> Signed-off-by: Matthew Maurer <mmaurer@...gle.com>
> ---
>  mm/kasan/Makefile                         |  9 ++++++++-
>  mm/kasan/kasan.h                          |  1 +
>  mm/kasan/{kasan_test.c => kasan_test_c.c} | 11 +++++++++++
>  mm/kasan/kasan_test_rust.rs               | 19 +++++++++++++++++++
>  4 files changed, 39 insertions(+), 1 deletion(-)
>  rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
>  create mode 100644 mm/kasan/kasan_test_rust.rs
>
> diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile
> index 7634dd2a6128..d718b0f72009 100644
> --- a/mm/kasan/Makefile
> +++ b/mm/kasan/Makefile
> @@ -44,7 +44,8 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
>  CFLAGS_KASAN_TEST += -fno-builtin
>  endif
>
> -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST)
> +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST)
> +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN)
>  CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST)
>
>  obj-y := common.o report.o
> @@ -54,3 +55,9 @@ obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o
>
>  obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o
>  obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o
> +
> +kasan_test-objs := kasan_test_c.o
> +
> +ifdef CONFIG_RUST
> +kasan_test-objs += kasan_test_rust.o
> +endif

Let's put the kasan_test-objs directives before
obj-$(CONFIG_KASAN_KUNIT_TEST): they come first logically.

Also, I wonder, if something like kasan_test-objs-$(CONFIG_RUST) +=
kasan_test_rust.o would work to make this shorter?

> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index fb2b9ac0659a..e5205746cc85 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -566,6 +566,7 @@ static inline void kasan_kunit_test_suite_end(void) { }
>
>  bool kasan_save_enable_multi_shot(void);
>  void kasan_restore_multi_shot(bool enabled);
> +char kasan_test_rust_uaf(void);

You need ifdef CONFIG_RUST checks here and an empty definition when
!CONFIG_RUST.

Please build-test and run the KASAN test suite without CONFIG_RUST
before sending the patches.

Also, I think it's better to put this declaration next to
kasan_kunit_test_suite_end: CONFIG_KASAN_MODULE_TEST is not tied to
the added KASAN test.

>
>  #endif
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c
> similarity index 99%
> rename from mm/kasan/kasan_test.c
> rename to mm/kasan/kasan_test_c.c
> index 7b32be2a3cf0..3a81e85a083f 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1899,6 +1899,16 @@ static void match_all_mem_tag(struct kunit *test)
>         kfree(ptr);
>  }
>
> +/*
> + * Check that Rust performing a use-after-free using `unsafe` is detected.
> + * This is a smoke test to make sure that Rust is being sanitized properly.
> + */
> +static void rust_uaf(struct kunit *test)
> +{

KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);


> +       KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> +}
> +
> +
>  static struct kunit_case kasan_kunit_test_cases[] = {
>         KUNIT_CASE(kmalloc_oob_right),
>         KUNIT_CASE(kmalloc_oob_left),
> @@ -1971,6 +1981,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
>         KUNIT_CASE(match_all_not_assigned),
>         KUNIT_CASE(match_all_ptr_tag),
>         KUNIT_CASE(match_all_mem_tag),
> +       KUNIT_CASE(rust_uaf),
>         {}
>  };
>
> diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs
> new file mode 100644
> index 000000000000..7239303b232c
> --- /dev/null
> +++ b/mm/kasan/kasan_test_rust.rs
> @@ -0,0 +1,19 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Helper crate for KASAN testing
> +//! Provides behavior to check the sanitization of Rust code.
> +use kernel::prelude::*;
> +use core::ptr::addr_of_mut;
> +
> +/// Trivial UAF - allocate a big vector, grab a pointer partway through,
> +/// drop the vector, and touch it.
> +#[no_mangle]
> +pub extern "C" fn kasan_test_rust_uaf() -> u8 {
> +    let mut v: Vec<u8> = Vec::new();
> +    for _ in 0..4096 {
> +        v.push(0x42, GFP_KERNEL).unwrap();
> +    }
> +    let ptr: *mut u8 = addr_of_mut!(v[2048]);
> +    drop(v);
> +    unsafe { *ptr }
> +}
> --
> 2.46.0.184.g6999bdac58-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ