| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZc9XeNTuD9nVVDqrF_1W1Vv26SVEwu1bCQ2usqfSPpiOw@mail.gmail.com>
Date: Tue, 20 Aug 2024 19:37:59 +0200
From: Andrey Konovalov <andreyknvl@...il.com>
To: Matthew Maurer <mmaurer@...gle.com>
Cc: dvyukov@...gle.com, ojeda@...nel.org,
Andrey Ryabinin <ryabinin.a.a@...il.com>, Andrew Morton <akpm@...ux-foundation.org>,
Alex Gaynor <alex.gaynor@...il.com>, Wedson Almeida Filho <wedsonaf@...il.com>, aliceryhl@...gle.com,
samitolvanen@...gle.com, kasan-dev@...glegroups.com, linux-mm@...ck.org,
glider@...gle.com, Vincenzo Frascino <vincenzo.frascino@....com>,
Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Benno Lossin <benno.lossin@...ton.me>, Andreas Hindborg <a.hindborg@...sung.com>,
linux-kernel@...r.kernel.org, rust-for-linux@...r.kernel.org
Subject: Re: [PATCH v3 4/4] kasan: rust: Add KASAN smoke test via UAF
On Mon, Aug 19, 2024 at 11:35 PM Matthew Maurer <mmaurer@...gle.com> wrote:
>
> Adds a smoke test to ensure that KASAN in Rust is actually detecting a
> Rust-native UAF. There is significant room to expand this test suite,
> but this will at least ensure that flags are having the intended effect.
>
> Signed-off-by: Matthew Maurer <mmaurer@...gle.com>
> ---
> mm/kasan/Makefile | 9 ++++++++-
> mm/kasan/kasan.h | 1 +
> mm/kasan/{kasan_test.c => kasan_test_c.c} | 11 +++++++++++
> mm/kasan/kasan_test_rust.rs | 19 +++++++++++++++++++
> 4 files changed, 39 insertions(+), 1 deletion(-)
> rename mm/kasan/{kasan_test.c => kasan_test_c.c} (99%)
> create mode 100644 mm/kasan/kasan_test_rust.rs
>
> diff --git a/mm/kasan/Makefile b/mm/kasan/Makefile
> index 7634dd2a6128..d718b0f72009 100644
> --- a/mm/kasan/Makefile
> +++ b/mm/kasan/Makefile
> @@ -44,7 +44,8 @@ ifndef CONFIG_CC_HAS_KASAN_MEMINTRINSIC_PREFIX
> CFLAGS_KASAN_TEST += -fno-builtin
> endif
>
> -CFLAGS_kasan_test.o := $(CFLAGS_KASAN_TEST)
> +CFLAGS_kasan_test_c.o := $(CFLAGS_KASAN_TEST)
> +RUSTFLAGS_kasan_test_rust.o := $(RUSTFLAGS_KASAN)
> CFLAGS_kasan_test_module.o := $(CFLAGS_KASAN_TEST)
>
> obj-y := common.o report.o
> @@ -54,3 +55,9 @@ obj-$(CONFIG_KASAN_SW_TAGS) += init.o report_sw_tags.o shadow.o sw_tags.o tags.o
>
> obj-$(CONFIG_KASAN_KUNIT_TEST) += kasan_test.o
> obj-$(CONFIG_KASAN_MODULE_TEST) += kasan_test_module.o
> +
> +kasan_test-objs := kasan_test_c.o
> +
> +ifdef CONFIG_RUST
> +kasan_test-objs += kasan_test_rust.o
> +endif
Let's put the kasan_test-objs directives before
obj-$(CONFIG_KASAN_KUNIT_TEST): they come first logically.
Also, I wonder, if something like kasan_test-objs-$(CONFIG_RUST) +=
kasan_test_rust.o would work to make this shorter?
> diff --git a/mm/kasan/kasan.h b/mm/kasan/kasan.h
> index fb2b9ac0659a..e5205746cc85 100644
> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -566,6 +566,7 @@ static inline void kasan_kunit_test_suite_end(void) { }
>
> bool kasan_save_enable_multi_shot(void);
> void kasan_restore_multi_shot(bool enabled);
> +char kasan_test_rust_uaf(void);
You need ifdef CONFIG_RUST checks here and an empty definition when
!CONFIG_RUST.
Please build-test and run the KASAN test suite without CONFIG_RUST
before sending the patches.
Also, I think it's better to put this declaration next to
kasan_kunit_test_suite_end: CONFIG_KASAN_MODULE_TEST is not tied to
the added KASAN test.
>
> #endif
>
> diff --git a/mm/kasan/kasan_test.c b/mm/kasan/kasan_test_c.c
> similarity index 99%
> rename from mm/kasan/kasan_test.c
> rename to mm/kasan/kasan_test_c.c
> index 7b32be2a3cf0..3a81e85a083f 100644
> --- a/mm/kasan/kasan_test.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1899,6 +1899,16 @@ static void match_all_mem_tag(struct kunit *test)
> kfree(ptr);
> }
>
> +/*
> + * Check that Rust performing a use-after-free using `unsafe` is detected.
> + * This is a smoke test to make sure that Rust is being sanitized properly.
> + */
> +static void rust_uaf(struct kunit *test)
> +{
KASAN_TEST_NEEDS_CONFIG_ON(test, CONFIG_RUST);
> + KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> +}
> +
> +
> static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(kmalloc_oob_right),
> KUNIT_CASE(kmalloc_oob_left),
> @@ -1971,6 +1981,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> KUNIT_CASE(match_all_not_assigned),
> KUNIT_CASE(match_all_ptr_tag),
> KUNIT_CASE(match_all_mem_tag),
> + KUNIT_CASE(rust_uaf),
> {}
> };
>
> diff --git a/mm/kasan/kasan_test_rust.rs b/mm/kasan/kasan_test_rust.rs
> new file mode 100644
> index 000000000000..7239303b232c
> --- /dev/null
> +++ b/mm/kasan/kasan_test_rust.rs
> @@ -0,0 +1,19 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +//! Helper crate for KASAN testing
> +//! Provides behavior to check the sanitization of Rust code.
> +use kernel::prelude::*;
> +use core::ptr::addr_of_mut;
> +
> +/// Trivial UAF - allocate a big vector, grab a pointer partway through,
> +/// drop the vector, and touch it.
> +#[no_mangle]
> +pub extern "C" fn kasan_test_rust_uaf() -> u8 {
> + let mut v: Vec<u8> = Vec::new();
> + for _ in 0..4096 {
> + v.push(0x42, GFP_KERNEL).unwrap();
> + }
> + let ptr: *mut u8 = addr_of_mut!(v[2048]);
> + drop(v);
> + unsafe { *ptr }
> +}
> --
> 2.46.0.184.g6999bdac58-goog
>
Powered by blists - more mailing lists