| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez0OnAPbnm73a+22mpBjvGHKFGqYAA8z+XocZEHXJCcQiQ@mail.gmail.com>
Date: Thu, 14 Aug 2025 17:04:23 +0200
From: Jann Horn <jannh@...gle.com>
To: Andrey Konovalov <andreyknvl@...il.com>
Cc: Andrey Ryabinin <ryabinin.a.a@...il.com>, Alexander Potapenko <glider@...gle.com>,
Dmitry Vyukov <dvyukov@...gle.com>, Vincenzo Frascino <vincenzo.frascino@....com>,
Andrew Morton <akpm@...ux-foundation.org>, Vlastimil Babka <vbabka@...e.cz>, kasan-dev@...glegroups.com,
linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] kasan: add test for SLAB_TYPESAFE_BY_RCU quarantine skipping
On Thu, Aug 14, 2025 at 7:10 AM Andrey Konovalov <andreyknvl@...il.com> wrote:
> On Tue, Jul 29, 2025 at 6:49 PM Jann Horn <jannh@...gle.com> wrote:
> > Verify that KASAN does not quarantine objects in SLAB_TYPESAFE_BY_RCU slabs
> > if CONFIG_SLUB_RCU_DEBUG is off.
> >
> > Signed-off-by: Jann Horn <jannh@...gle.com>
> > ---
> > changes in v2:
> > - disable migration to ensure that all SLUB operations use the same
> > percpu state (vbabka)
> > - use EXPECT instead of ASSERT for pointer equality check so that
> > expectation failure doesn't terminate the test with migration still
> > disabled
> > ---
> > mm/kasan/kasan_test_c.c | 38 ++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 38 insertions(+)
> >
> > diff --git a/mm/kasan/kasan_test_c.c b/mm/kasan/kasan_test_c.c
> > index 5f922dd38ffa..0d50402d492c 100644
> > --- a/mm/kasan/kasan_test_c.c
> > +++ b/mm/kasan/kasan_test_c.c
> > @@ -1073,6 +1073,43 @@ static void kmem_cache_rcu_uaf(struct kunit *test)
> > kmem_cache_destroy(cache);
> > }
> >
> > +/*
> > + * Check that SLAB_TYPESAFE_BY_RCU objects are immediately reused when
> > + * CONFIG_SLUB_RCU_DEBUG is off, and stay at the same address.
>
> Would be great to also add an explanation of why we want to test for
> this (or a reference to the related fix commit?).
Okay, I'll add a sentence here, will send v3 in a bit.
> > + */
> > +static void kmem_cache_rcu_reuse(struct kunit *test)
> > +{
> > + char *p, *p2;
> > + struct kmem_cache *cache;
> > +
> > + KASAN_TEST_NEEDS_CONFIG_OFF(test, CONFIG_SLUB_RCU_DEBUG);
> > +
> > + cache = kmem_cache_create("test_cache", 16, 0, SLAB_TYPESAFE_BY_RCU,
> > + NULL);
> > + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cache);
> > +
> > + migrate_disable();
> > + p = kmem_cache_alloc(cache, GFP_KERNEL);
> > + if (!p) {
> > + kunit_err(test, "Allocation failed: %s\n", __func__);
> > + goto out;
> > + }
> > +
> > + kmem_cache_free(cache, p);
> > + p2 = kmem_cache_alloc(cache, GFP_KERNEL);
> > + if (!p2) {
> > + kunit_err(test, "Allocation failed: %s\n", __func__);
> > + goto out;
> > + }
> > + KUNIT_EXPECT_PTR_EQ(test, p, p2);
>
> I think this might fail for the HW_TAGS mode? The location will be
> reused, but the tag will be different.
No, it's a SLAB_TYPESAFE_BY_RCU cache, so the tag can't really be
different. poison_slab_object() will bail out, and assign_tag() will
reuse the already-assigned tag.
Powered by blists - more mailing lists