| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZe+KzyBOBPsJonEhDV-5ZH57QPfTCREawXiwvpTcspNug@mail.gmail.com>
Date: Fri, 28 Mar 2025 04:22:37 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Peter Collingbourne <pcc@...gle.com>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <kees@...nel.org>,
Andy Shevchenko <andy@...nel.org>, Catalin Marinas <catalin.marinas@....com>,
Mark Rutland <mark.rutland@....com>, Vincenzo Frascino <vincenzo.frascino@....com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
Will Deacon <will@...nel.org>
Subject: Re: [PATCH v3 2/2] kasan: Add strscpy() test to trigger tag fault on arm64
On Tue, Mar 25, 2025 at 2:56 AM Peter Collingbourne <pcc@...gle.com> wrote:
>
> From: Vincenzo Frascino <vincenzo.frascino@....com>
>
> When we invoke strscpy() with a maximum size of N bytes, it assumes
> that:
> - It can always read N bytes from the source.
> - It always write N bytes (zero-padded) to the destination.
>
> On aarch64 with Memory Tagging Extension enabled if we pass an N that is
> bigger then the source buffer, it triggers an MTE fault.
>
> Implement a KASAN KUnit test that triggers the issue with the current
> implementation of read_word_at_a_time() on aarch64 with MTE enabled.
I think the wording here is confusing, makes it sound like the issue
is not fixed.
> Cc: Will Deacon <will@...nel.org>
> Signed-off-by: Vincenzo Frascino <vincenzo.frascino@....com>
> Signed-off-by: Catalin Marinas <catalin.marinas@....com>
> Co-developed-by: Peter Collingbourne <pcc@...gle.com>
> Signed-off-by: Peter Collingbourne <pcc@...gle.com>
> Link: https://linux-review.googlesource.com/id/If88e396b9e7c058c1a4b5a252274120e77b1898a
> ---
> v3:
> - simplify test case
>
> v2:
> - rebased
> - fixed test failure
>
> mm/kasan/kasan_test_c.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> index 59d673400085f..b69f66b7eda1d 100644
> --- a/mm/kasan/kasan_test_c.c
> +++ b/mm/kasan/kasan_test_c.c
> @@ -1570,6 +1570,7 @@ static void kasan_memcmp(struct kunit *test)
> static void kasan_strings(struct kunit *test)
> {
> char *ptr;
> + char *src;
> size_t size = 24;
>
> /*
> @@ -1581,6 +1582,18 @@ static void kasan_strings(struct kunit *test)
> ptr = kmalloc(size, GFP_KERNEL | __GFP_ZERO);
> KUNIT_ASSERT_NOT_ERR_OR_NULL(test, ptr);
>
> + src = kmalloc(KASAN_GRANULE_SIZE, GFP_KERNEL | __GFP_ZERO);
> + strscpy(src, "f0cacc1a0000000", KASAN_GRANULE_SIZE);
> +
> + /*
Please also extend the comment here to say something like: "Make sure
that strscpy() does not trigger KASAN if it overreads into poisoned
memory".
> + * The expected size does not include the terminator '\0'
> + * so it is (KASAN_GRANULE_SIZE - 2) ==
> + * KASAN_GRANULE_SIZE - ("initial removed character" + "\0").
> + */
> + KUNIT_EXPECT_EQ(test, KASAN_GRANULE_SIZE - 2,
> + strscpy(ptr, src + 1, KASAN_GRANULE_SIZE));
> +
> + kfree(src);
> kfree(ptr);
>
> /*
> --
> 2.49.0.395.g12beb8f557-goog
>
The code looks much better!
Reviewed-by: Andrey Konovalov <andreyknvl@...il.com>
Powered by blists - more mailing lists