lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CANpmjNMBJJ4e8EGkfFB2LmtPNEtzx2K7xLhK8PXdRsO=KiAS0Q@mail.gmail.com>
Date: Fri, 4 Oct 2024 08:55:03 +0200
From: Marco Elver <elver@...gle.com>
To: Sabyrzhan Tasbolatov <snovitoll@...il.com>
Cc: ryabinin.a.a@...il.com, glider@...gle.com, andreyknvl@...il.com, 
	dvyukov@...gle.com, vincenzo.frascino@....com, akpm@...ux-foundation.org, 
	kasan-dev@...glegroups.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: instrument copy_from/to_kernel_nofault

On Wed, 2 Oct 2024 at 18:40, Sabyrzhan Tasbolatov <snovitoll@...il.com> wrote:
>
> On Wed, Oct 2, 2024 at 9:00 PM Marco Elver <elver@...gle.com> wrote:
> >
> > On Fri, 27 Sept 2024 at 17:14, Sabyrzhan Tasbolatov <snovitoll@...il.com> wrote:
> > >
> > > Instrument copy_from_kernel_nofault(), copy_to_kernel_nofault()
> > > with instrument_memcpy_before() for KASAN, KCSAN checks and
> > > instrument_memcpy_after() for KMSAN.
> >
> > There's a fundamental problem with instrumenting
> > copy_from_kernel_nofault() - it's meant to be a non-faulting helper,
> > i.e. if it attempts to read arbitrary kernel addresses, that's not a
> > problem because it won't fault and BUG. These may be used in places
> > that probe random memory, and KASAN may say that some memory is
> > invalid and generate a report - but in reality that's not a problem.
> >
> > In the Bugzilla bug, Andrey wrote:
> >
> > > KASAN should check both arguments of copy_from/to_kernel_nofault() for accessibility when both are fault-safe.
> >
> > I don't see this patch doing it, or at least it's not explained. By
> > looking at the code, I see that it does the instrument_memcpy_before()
> > right after pagefault_disable(), which tells me that KASAN or other
> > tools will complain if a page is not faulted in. These helpers are
> > meant to be usable like that - despite their inherent unsafety,
> > there's little that I see that KASAN can help with.
>
> Hello, thanks for the comment!
> instrument_memcpy_before() has been replaced with
> instrument_read() and instrument_write() in
> commit 9e3f2b1ecdd4("mm, kasan: proper instrument _kernel_nofault"),
> and there are KASAN, KCSAN checks.
>
> > What _might_ be useful, is detecting copying faulted-in but
> > uninitialized memory to user space. So I think the only
> > instrumentation we want to retain is KMSAN instrumentation for the
> > copy_from_kernel_nofault() helper, and only if no fault was
> > encountered.
> >
> > Instrumenting copy_to_kernel_nofault() may be helpful to catch memory
> > corruptions, but only if faulted-in memory was accessed.
>
> If we need to have KMSAN only instrumentation for
> copy_from_user_nofault(), then AFAIU, in mm/kasan/kasan_test.c

Did you mean s/copy_from_user_nofault/copy_from_kernel_nofault/?

> copy_from_to_kernel_nofault_oob() should have only
> copy_to_kernel_nofault() OOB kunit test to trigger KASAN.
> And copy_from_user_nofault() kunit test can be placed in mm/kmsan/kmsan_test.c.

I think in the interest of reducing false positives, I'd proceed with
making copy_from_kernel_nofault() KMSAN only.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ