| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACzwLxhkooTNjijL71AVKm85XChycy1b-Ew11nMbBQWMxNebfw@mail.gmail.com>
Date: Wed, 9 Oct 2024 00:39:24 +0500
From: Sabyrzhan Tasbolatov <snovitoll@...il.com>
To: Marco Elver <elver@...gle.com>
Cc: akpm@...ux-foundation.org, andreyknvl@...il.com, bpf@...r.kernel.org,
dvyukov@...gle.com, glider@...gle.com, kasan-dev@...glegroups.com,
linux-kernel@...r.kernel.org, linux-mm@...ck.org, ryabinin.a.a@...il.com,
syzbot+61123a5daeb9f7454599@...kaller.appspotmail.com,
vincenzo.frascino@....com
Subject: Re: [PATCH v3] mm, kasan, kmsan: copy_from/to_kernel_nofault
On Tue, Oct 8, 2024 at 4:36 PM Marco Elver <elver@...gle.com> wrote:
>
> On Tue, 8 Oct 2024 at 12:14, Sabyrzhan Tasbolatov <snovitoll@...il.com> wrote:
> >
> > Instrument copy_from_kernel_nofault() with KMSAN for uninitialized kernel
> > memory check and copy_to_kernel_nofault() with KASAN, KCSAN to detect
> > the memory corruption.
> >
> > syzbot reported that bpf_probe_read_kernel() kernel helper triggered
> > KASAN report via kasan_check_range() which is not the expected behaviour
> > as copy_from_kernel_nofault() is meant to be a non-faulting helper.
> >
> > Solution is, suggested by Marco Elver, to replace KASAN, KCSAN check in
> > copy_from_kernel_nofault() with KMSAN detection of copying uninitilaized
> > kernel memory. In copy_to_kernel_nofault() we can retain
> > instrument_write() explicitly for the memory corruption instrumentation.
> >
> > copy_to_kernel_nofault() is tested on x86_64 and arm64 with
> > CONFIG_KASAN_SW_TAGS. On arm64 with CONFIG_KASAN_HW_TAGS,
> > kunit test currently fails. Need more clarification on it
> > - currently, disabled in kunit test.
>
> I assume you retested. Did you also test the bpf_probe_read_kernel()
> false positive no longer appears?
I've tested on:
- x86_64 with KMSAN
- x86_64 with KASAN
- arm64 with HW_TAGS -- still failing
- arm64 with SW_TAGS
Please see the testing result in the following link:
https://gist.github.com/novitoll/e2ccb2162340f7f8a63b63ee3e0f9994
I've also tested bpf_probe_read_kernel() in x86_64 KMSAN build,
it does trigger KMSAN, though I don't see explicitly copy_from_kernel*
in stack frame. AFAIU, it's checked prior to it in text_poke_copy().
Attached the PoC in the comment of the link above:
root@...kaller:/tmp# uname -a
Linux syzkaller 6.12.0-rc2-g441b500abd70 #10 SMP PREEMPT_DYNAMIC Wed
Oct 9 00:17:59 +05 2024 x86_64 GNU/Linux
root@...kaller:/tmp# ./exploit
[*] exploit start
[+] program loaded!
[ 139.778255] =====================================================
[ 139.778846] BUG: KMSAN: uninit-value in bcmp+0x155/0x290
[ 139.779311] bcmp+0x155/0x290
[ 139.779591] __text_poke+0xe2d/0x1120
[ 139.779950] text_poke_copy+0x1e7/0x2b0
[ 139.780297] bpf_arch_text_copy+0x41/0xa0
[ 139.780665] bpf_dispatcher_change_prog+0x12dd/0x16b0
[ 139.781324] bpf_prog_test_run_xdp+0xbf0/0x1d20
[ 139.781898] bpf_prog_test_run+0x5d6/0x9a0
[ 139.782372] __sys_bpf+0x758/0xf10
[ 139.782759] __x64_sys_bpf+0xdd/0x130
[ 139.783178] x64_sys_call+0x1a21/0x4e10
[ 139.783610] do_syscall_64+0xcd/0x1b0
[ 139.784039] entry_SYSCALL_64_after_hwframe+0x67/0x6f
[ 139.784597]
[ 139.784779] Uninit was created at:
[ 139.785197] __alloc_pages_noprof+0x717/0xe70
[ 139.785689] alloc_pages_bulk_noprof+0x17e1/0x20e0
[ 139.786223] alloc_pages_bulk_array_mempolicy_noprof+0x49e/0x5b0
[ 139.786873] __vmalloc_node_range_noprof+0xef2/0x24f0
[ 139.787414] execmem_alloc+0x1ec/0x4c0
[ 139.787841] bpf_jit_alloc_exec+0x3e/0x40
[ 139.788299] bpf_dispatcher_change_prog+0x430/0x16b0
[ 139.788837] bpf_prog_test_run_xdp+0xbf0/0x1d20
[ 139.789324] bpf_prog_test_run+0x5d6/0x9a0
[ 139.789774] __sys_bpf+0x758/0xf10
[ 139.790167] __x64_sys_bpf+0xdd/0x130
[ 139.790580] x64_sys_call+0x1a21/0x4e10
[ 139.791007] do_syscall_64+0xcd/0x1b0
[ 139.791423] entry_SYSCALL_64_after_hwframe+0x67/0x6f
>
> > Link: https://lore.kernel.org/linux-mm/CANpmjNMAVFzqnCZhEity9cjiqQ9CVN1X7qeeeAp_6yKjwKo8iw@mail.gmail.com/
> > Suggested-by: Marco Elver <elver@...gle.com>
>
> This looks more reasonable:
>
> Reviewed-by: Marco Elver <elver@...gle.com>
>
> This looks like the most conservative thing to do for now.
Done.
>
> > Reported-by: syzbot+61123a5daeb9f7454599@...kaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=61123a5daeb9f7454599
> > Reported-by: Andrey Konovalov <andreyknvl@...il.com>
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=210505
> > Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@...il.com>
> > ---
> > v2:
> > - squashed previous submitted in -mm tree 2 patches based on Linus tree
> > v3:
> > - moved checks to *_nofault_loop macros per Marco's comments
> > - edited the commit message
> > ---
> > mm/kasan/kasan_test_c.c | 27 +++++++++++++++++++++++++++
> > mm/kmsan/kmsan_test.c | 17 +++++++++++++++++
> > mm/maccess.c | 10 ++++++++--
> > 3 files changed, 52 insertions(+), 2 deletions(-)
> >
> > diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> > index a181e4780d9d..5cff90f831db 100644
> > --- a/mm/kasan/kasan_test_c.c
> > +++ b/mm/kasan/kasan_test_c.c
> > @@ -1954,6 +1954,32 @@ static void rust_uaf(struct kunit *test)
> > KUNIT_EXPECT_KASAN_FAIL(test, kasan_test_rust_uaf());
> > }
> >
> > +static void copy_to_kernel_nofault_oob(struct kunit *test)
> > +{
> > + char *ptr;
> > + char buf[128];
> > + size_t size = sizeof(buf);
> > +
> > + /* Not detecting fails currently with HW_TAGS */
> > + KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_KASAN_HW_TAGS);
> > +
> > + ptr = kmalloc(size - KASAN_GRANULE_SIZE, GFP_KERNEL);
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
> > + OPTIMIZER_HIDE_VAR(ptr);
> > +
> > + if (IS_ENABLED(CONFIG_KASAN_SW_TAGS)) {
> > + /* Check that the returned pointer is tagged. */
> > + KUNIT_EXPECT_GE(test, (u8)get_tag(ptr), (u8)KASAN_TAG_MIN);
> > + KUNIT_EXPECT_LT(test, (u8)get_tag(ptr), (u8)KASAN_TAG_KERNEL);
> > + }
> > +
> > + KUNIT_EXPECT_KASAN_FAIL(test,
> > + copy_to_kernel_nofault(&buf[0], ptr, size));
> > + KUNIT_EXPECT_KASAN_FAIL(test,
> > + copy_to_kernel_nofault(ptr, &buf[0], size));
> > + kfree(ptr);
> > +}
> > +
> > static struct kunit_case kasan_kunit_test_cases[] = {
> > KUNIT_CASE(kmalloc_oob_right),
> > KUNIT_CASE(kmalloc_oob_left),
> > @@ -2027,6 +2053,7 @@ static struct kunit_case kasan_kunit_test_cases[] = {
> > KUNIT_CASE(match_all_not_assigned),
> > KUNIT_CASE(match_all_ptr_tag),
> > KUNIT_CASE(match_all_mem_tag),
> > + KUNIT_CASE(copy_to_kernel_nofault_oob),
> > KUNIT_CASE(rust_uaf),
> > {}
> > };
> > diff --git a/mm/kmsan/kmsan_test.c b/mm/kmsan/kmsan_test.c
> > index 13236d579eba..9733a22c46c1 100644
> > --- a/mm/kmsan/kmsan_test.c
> > +++ b/mm/kmsan/kmsan_test.c
> > @@ -640,6 +640,22 @@ static void test_unpoison_memory(struct kunit *test)
> > KUNIT_EXPECT_TRUE(test, report_matches(&expect));
> > }
> >
> > +static void test_copy_from_kernel_nofault(struct kunit *test)
> > +{
> > + long ret;
> > + char buf[4], src[4];
> > + size_t size = sizeof(buf);
> > +
> > + EXPECTATION_UNINIT_VALUE_FN(expect, "copy_from_kernel_nofault");
> > + kunit_info(
> > + test,
> > + "testing copy_from_kernel_nofault with uninitialized memory\n");
> > +
> > + ret = copy_from_kernel_nofault((char *)&buf[0], (char *)&src[0], size);
> > + USE(ret);
> > + KUNIT_EXPECT_TRUE(test, report_matches(&expect));
> > +}
> > +
> > static struct kunit_case kmsan_test_cases[] = {
> > KUNIT_CASE(test_uninit_kmalloc),
> > KUNIT_CASE(test_init_kmalloc),
> > @@ -664,6 +680,7 @@ static struct kunit_case kmsan_test_cases[] = {
> > KUNIT_CASE(test_long_origin_chain),
> > KUNIT_CASE(test_stackdepot_roundtrip),
> > KUNIT_CASE(test_unpoison_memory),
> > + KUNIT_CASE(test_copy_from_kernel_nofault),
> > {},
> > };
> >
> > diff --git a/mm/maccess.c b/mm/maccess.c
> > index 518a25667323..3ca55ec63a6a 100644
> > --- a/mm/maccess.c
> > +++ b/mm/maccess.c
> > @@ -13,9 +13,14 @@ bool __weak copy_from_kernel_nofault_allowed(const void *unsafe_src,
> > return true;
> > }
> >
> > +/*
> > + * The below only uses kmsan_check_memory() to ensure uninitialized kernel
> > + * memory isn't leaked.
> > + */
> > #define copy_from_kernel_nofault_loop(dst, src, len, type, err_label) \
> > while (len >= sizeof(type)) { \
> > - __get_kernel_nofault(dst, src, type, err_label); \
> > + __get_kernel_nofault(dst, src, type, err_label); \
> > + kmsan_check_memory(src, sizeof(type)); \
> > dst += sizeof(type); \
> > src += sizeof(type); \
> > len -= sizeof(type); \
> > @@ -49,7 +54,8 @@ EXPORT_SYMBOL_GPL(copy_from_kernel_nofault);
> >
> > #define copy_to_kernel_nofault_loop(dst, src, len, type, err_label) \
> > while (len >= sizeof(type)) { \
> > - __put_kernel_nofault(dst, src, type, err_label); \
> > + __put_kernel_nofault(dst, src, type, err_label); \
> > + instrument_write(dst, sizeof(type)); \
> > dst += sizeof(type); \
> > src += sizeof(type); \
> > len -= sizeof(type); \
> > --
> > 2.34.1
> >
Powered by blists - more mailing lists