[RFC,v3,27/36] kmsan: hooks for copy_to_user() and friends

Message ID	20191122112621.204798-28-glider@google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=DNi/=ZO=kvack.org=owner-linux-mm@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 612E220672 Date: Fri, 22 Nov 2019 12:26:12 +0100 In-Reply-To: <20191122112621.204798-1-glider@google.com> Message-Id: <20191122112621.204798-28-glider@google.com> Mime-Version: 1.0 References: <20191122112621.204798-1-glider@google.com> Subject: [PATCH RFC v3 27/36] kmsan: hooks for copy_to_user() and friends From: glider@google.com To: Alexander Viro <viro@zeniv.linux.org.uk>, Vegard Nossum <vegard.nossum@oracle.com>, Dmitry Vyukov <dvyukov@google.com>, linux-mm@kvack.org Cc: glider@google.com, adilger.kernel@dilger.ca, akpm@linux-foundation.org, andreyknvl@google.com, aryabinin@virtuozzo.com, luto@kernel.org, ard.biesheuvel@linaro.org, arnd@arndb.de, hch@infradead.org, hch@lst.de, darrick.wong@oracle.com, davem@davemloft.net, dmitry.torokhov@gmail.com, ebiggers@google.com, edumazet@google.com, ericvh@gmail.com, gregkh@linuxfoundation.org, harry.wentland@amd.com, herbert@gondor.apana.org.au, iii@linux.ibm.com, mingo@elte.hu, jasowang@redhat.com, axboe@kernel.dk, m.szyprowski@samsung.com, elver@google.com, mark.rutland@arm.com, martin.petersen@oracle.com, schwidefsky@de.ibm.com, willy@infradead.org, mst@redhat.com, monstr@monstr.eu, pmladek@suse.com, cai@lca.pw, rdunlap@infradead.org, robin.murphy@arm.com, sergey.senozhatsky@gmail.com, rostedt@goodmis.org, tiwai@suse.com, tytso@mit.edu, tglx@linutronix.de, gor@linux.ibm.com, wsa@the-dreams.de Content-Type: text/plain; charset="UTF-8" Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	Add KernelMemorySanitizer infrastructure \| expand [RFC,v3,00/36] Add KernelMemorySanitizer infrastructure [RFC,v3,01/36] stackdepot: check depot_index before accessing the stack slab [RFC,v3,02/36] stackdepot: build with -fno-builtin [RFC,v3,03/36] kasan: stackdepot: move filter_irq_stacks() to stackdepot.c [RFC,v3,04/36] stackdepot: reserve 5 extra bits in depot_stack_handle_t [RFC,v3,05/36] kmsan: add ReST documentation [RFC,v3,06/36] kmsan: gfp: introduce __GFP_NO_KMSAN_SHADOW [RFC,v3,07/36] kmsan: introduce __no_sanitize_memory and __SANITIZE_MEMORY__ [RFC,v3,08/36] kmsan: reduce vmalloc space [RFC,v3,09/36] kmsan: add KMSAN bits to struct page and struct task_struct [RFC,v3,10/36] kmsan: add KMSAN runtime [RFC,v3,11/36] kmsan: stackdepot: don't allocate KMSAN metadata for stackdepot [RFC,v3,12/36] kmsan: define READ_ONCE_NOCHECK() [RFC,v3,13/36] kmsan: make READ_ONCE_TASK_STACK() return initialized values [RFC,v3,14/36] kmsan: x86: sync metadata pages on page fault [RFC,v3,15/36] kmsan: add tests for KMSAN [RFC,v3,16/36] crypto: kmsan: disable accelerated configs under KMSAN [RFC,v3,17/36] kmsan: x86: disable UNWINDER_ORC under KMSAN [RFC,v3,18/36] kmsan: disable LOCK_DEBUGGING_SUPPORT [RFC,v3,20/36] kmsan: x86: increase stack sizes in KMSAN builds [RFC,v3,21/36] kmsan: disable KMSAN instrumentation for certain kernel parts [RFC,v3,22/36] kmsan: mm: call KMSAN hooks from SLUB code [RFC,v3,23/36] kmsan: call KMSAN hooks where needed [RFC,v3,24/36] kmsan: disable instrumentation of certain functions [RFC,v3,25/36] kmsan: unpoison \|tlb\| in arch_tlb_gather_mmu() [RFC,v3,26/36] kmsan: use __msan_memcpy() where possible. [RFC,v3,27/36] kmsan: hooks for copy_to_user() and friends [RFC,v3,28/36] kmsan: enable KMSAN builds [RFC,v3,29/36] kmsan: handle /dev/[u]random [RFC,v3,30/36] kmsan: virtio: check/unpoison scatterlist in vring_map_one_sg() [RFC,v3,31/36] kmsan: disable strscpy() optimization under KMSAN [RFC,v3,32/36] kmsan: add iomap support [RFC,v3,33/36] kmsan: dma: unpoison memory mapped by dma_direct_map_page() [RFC,v3,34/36] kmsan: disable physical page merging in biovec [RFC,v3,35/36] kmsan: ext4: skip block merging logic in ext4_mpage_readpages for KMSAN [RFC,v3,36/36] net: kasan: kmsan: support CONFIG_GENERIC_CSUM on x86, enable it for KASAN/KMSAN

Message ID

20191122112621.204798-28-glider@google.com (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 612E220672
Date: Fri, 22 Nov 2019 12:26:12 +0100
In-Reply-To: <20191122112621.204798-1-glider@google.com>
Message-Id: <20191122112621.204798-28-glider@google.com>
Mime-Version: 1.0
References: <20191122112621.204798-1-glider@google.com>
Subject: [PATCH RFC v3 27/36] kmsan: hooks for copy_to_user() and friends
From: glider@google.com
To: Alexander Viro <viro@zeniv.linux.org.uk>,
 Vegard Nossum <vegard.nossum@oracle.com>,
	Dmitry Vyukov <dvyukov@google.com>, linux-mm@kvack.org
Cc: glider@google.com, adilger.kernel@dilger.ca, akpm@linux-foundation.org,
	andreyknvl@google.com, aryabinin@virtuozzo.com, luto@kernel.org,
	ard.biesheuvel@linaro.org, arnd@arndb.de, hch@infradead.org, hch@lst.de,
	darrick.wong@oracle.com, davem@davemloft.net, dmitry.torokhov@gmail.com,
	ebiggers@google.com, edumazet@google.com, ericvh@gmail.com,
	gregkh@linuxfoundation.org, harry.wentland@amd.com,
	herbert@gondor.apana.org.au, iii@linux.ibm.com, mingo@elte.hu,
	jasowang@redhat.com, axboe@kernel.dk, m.szyprowski@samsung.com,
	elver@google.com, mark.rutland@arm.com, martin.petersen@oracle.com,
	schwidefsky@de.ibm.com, willy@infradead.org, mst@redhat.com,
 monstr@monstr.eu,
	pmladek@suse.com, cai@lca.pw, rdunlap@infradead.org, robin.murphy@arm.com,
	sergey.senozhatsky@gmail.com, rostedt@goodmis.org, tiwai@suse.com,
	tytso@mit.edu, tglx@linutronix.de, gor@linux.ibm.com, wsa@the-dreams.de
Content-Type: text/plain; charset="UTF-8"
Sender: owner-linux-mm@kvack.org
Precedence: bulk

Series

Add KernelMemorySanitizer infrastructure | expand

Commit Message

Alexander Potapenko Nov. 22, 2019, 11:26 a.m. UTC

Memory that is copied from userspace must be unpoisoned.
Before copying memory to userspace, check it and report an error if it
contains uninitialized bits.

Signed-off-by: Alexander Potapenko <glider@google.com>
To: Alexander Potapenko <glider@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: linux-mm@kvack.org
---
v3:
 - fixed compilation errors reported by kbuild test bot

Change-Id: I38428b9c7d1909b8441dcec1749b080494a7af99
---
 arch/x86/include/asm/uaccess.h   | 12 ++++++++++++
 include/asm-generic/cacheflush.h |  7 ++++++-
 include/asm-generic/uaccess.h    | 12 ++++++++++--
 include/linux/uaccess.h          | 32 +++++++++++++++++++++++++++-----
 lib/iov_iter.c                   |  6 ++++++
 lib/usercopy.c                   |  6 +++++-
 6 files changed, 66 insertions(+), 9 deletions(-)

Comments

Andrey Konovalov Nov. 29, 2019, 3:34 p.m. UTC | #1

On Fri, Nov 22, 2019 at 12:27 PM <glider@google.com> wrote:
>
> Memory that is copied from userspace must be unpoisoned.
> Before copying memory to userspace, check it and report an error if it
> contains uninitialized bits.
>
> Signed-off-by: Alexander Potapenko <glider@google.com>
> To: Alexander Potapenko <glider@google.com>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Vegard Nossum <vegard.nossum@oracle.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Cc: linux-mm@kvack.org
> ---
> v3:
>  - fixed compilation errors reported by kbuild test bot
>
> Change-Id: I38428b9c7d1909b8441dcec1749b080494a7af99
> ---
>  arch/x86/include/asm/uaccess.h   | 12 ++++++++++++
>  include/asm-generic/cacheflush.h |  7 ++++++-
>  include/asm-generic/uaccess.h    | 12 ++++++++++--
>  include/linux/uaccess.h          | 32 +++++++++++++++++++++++++++-----
>  lib/iov_iter.c                   |  6 ++++++
>  lib/usercopy.c                   |  6 +++++-
>  6 files changed, 66 insertions(+), 9 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 61d93f062a36..ac4b26583f7c 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -6,6 +6,7 @@
>   */
>  #include <linux/compiler.h>
>  #include <linux/kasan-checks.h>
> +#include <linux/kmsan-checks.h>
>  #include <linux/string.h>
>  #include <asm/asm.h>
>  #include <asm/page.h>
> @@ -174,6 +175,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
>                         ASM_CALL_CONSTRAINT                             \
>                      : "0" (ptr), "i" (sizeof(*(ptr))));                \
>         (x) = (__force __typeof__(*(ptr))) __val_gu;                    \
> +       kmsan_unpoison_shadow(&(x), sizeof(*(ptr)));                    \
>         __builtin_expect(__ret_gu, 0);                                  \
>  })
>
> @@ -248,6 +250,7 @@ extern void __put_user_8(void);
>         __chk_user_ptr(ptr);                                    \
>         might_fault();                                          \
>         __pu_val = x;                                           \
> +       kmsan_check_memory(&(__pu_val), sizeof(*(ptr)));        \
>         switch (sizeof(*(ptr))) {                               \
>         case 1:                                                 \
>                 __put_user_x(1, __pu_val, ptr, __ret_pu);       \
> @@ -270,7 +273,9 @@ extern void __put_user_8(void);
>
>  #define __put_user_size(x, ptr, size, label)                           \
>  do {                                                                   \
> +       __typeof__(*(ptr)) __pus_val = x;                               \
>         __chk_user_ptr(ptr);                                            \
> +       kmsan_check_memory(&(__pus_val), size);                         \
>         switch (size) {                                                 \
>         case 1:                                                         \
>                 __put_user_goto(x, ptr, "b", "b", "iq", label); \
> @@ -295,7 +300,10 @@ do {                                                                       \
>   */
>  #define __put_user_size_ex(x, ptr, size)                               \
>  do {                                                                   \
> +       __typeof__(*(ptr)) __puse_val;                                  \

Can we do = x here?

>         __chk_user_ptr(ptr);                                            \
> +       __puse_val = x;                                                 \
> +       kmsan_check_memory(&(__puse_val), size);                        \
>         switch (size) {                                                 \
>         case 1:                                                         \
>                 __put_user_asm_ex(x, ptr, "b", "b", "iq");              \
> @@ -363,6 +371,7 @@ do {                                                                        \
>         default:                                                        \
>                 (x) = __get_user_bad();                                 \
>         }                                                               \
> +       kmsan_unpoison_shadow(&(x), size);                              \
>  } while (0)
>
>  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
> @@ -413,6 +422,7 @@ do {                                                                        \
>         default:                                                        \
>                 (x) = __get_user_bad();                                 \
>         }                                                               \
> +       kmsan_unpoison_shadow(&(x), size);                              \
>  } while (0)
>
>  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
> @@ -428,11 +438,13 @@ do {                                                                      \
>  #define __put_user_nocheck(x, ptr, size)                       \
>  ({                                                             \
>         __label__ __pu_label;                                   \
> +       __typeof__(*(ptr)) __pun_val = x;                       \

Not sure if this matters, but two lines below do (x).

Also, why can't we use __pu_val instead of defining __pun_val?


>         int __pu_err = -EFAULT;                                 \
>         __typeof__(*(ptr)) __pu_val = (x);                      \
>         __typeof__(ptr) __pu_ptr = (ptr);                       \
>         __typeof__(size) __pu_size = (size);                    \
>         __uaccess_begin();                                      \
> +       kmsan_check_memory(&(__pun_val), size);                 \
>         __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);     \
>         __pu_err = 0;                                           \
>  __pu_label:                                                    \
> diff --git a/include/asm-generic/cacheflush.h b/include/asm-generic/cacheflush.h
> index a950a22c4890..707531dccf5e 100644
> --- a/include/asm-generic/cacheflush.h
> +++ b/include/asm-generic/cacheflush.h
> @@ -4,6 +4,7 @@
>
>  /* Keep includes the same across arches.  */
>  #include <linux/mm.h>
> +#include <linux/kmsan-checks.h>
>
>  #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 0
>
> @@ -72,10 +73,14 @@ static inline void flush_cache_vunmap(unsigned long start, unsigned long end)
>
>  #define copy_to_user_page(vma, page, vaddr, dst, src, len) \
>         do { \
> +               kmsan_check_memory(src, len); \
>                 memcpy(dst, src, len); \
>                 flush_icache_user_range(vma, page, vaddr, len); \
>         } while (0)
>  #define copy_from_user_page(vma, page, vaddr, dst, src, len) \
> -       memcpy(dst, src, len)
> +       do { \
> +               memcpy(dst, src, len); \
> +               kmsan_unpoison_shadow(dst, len); \
> +       } while (0)
>
>  #endif /* __ASM_CACHEFLUSH_H */
> diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
> index e935318804f8..508ee649aeef 100644
> --- a/include/asm-generic/uaccess.h
> +++ b/include/asm-generic/uaccess.h
> @@ -142,7 +142,11 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
>
>  static inline int __put_user_fn(size_t size, void __user *ptr, void *x)
>  {
> -       return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
> +       int n;
> +
> +       n = raw_copy_to_user(ptr, x, size);
> +       kmsan_copy_to_user(ptr, x, size, n);
> +       return unlikely(n) ? -EFAULT : 0;
>  }
>
>  #define __put_user_fn(sz, u, k)        __put_user_fn(sz, u, k)
> @@ -203,7 +207,11 @@ extern int __put_user_bad(void) __attribute__((noreturn));
>  #ifndef __get_user_fn
>  static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
>  {
> -       return unlikely(raw_copy_from_user(x, ptr, size)) ? -EFAULT : 0;
> +       int copied, to_copy = size;
> +
> +       copied = raw_copy_from_user(x, ptr, size);
> +       kmsan_unpoison_shadow(x, to_copy - copied);
> +       return unlikely(copied) ? -EFAULT : 0;
>  }
>
>  #define __get_user_fn(sz, u, k)        __get_user_fn(sz, u, k)
> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> index d4ee6e942562..7550d11a8077 100644
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -5,6 +5,7 @@
>  #include <linux/sched.h>
>  #include <linux/thread_info.h>
>  #include <linux/kasan-checks.h>
> +#include <linux/kmsan-checks.h>
>
>  #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
>
> @@ -58,18 +59,26 @@
>  static __always_inline __must_check unsigned long
>  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;
> +
>         kasan_check_write(to, n);
>         check_object_size(to, n, false);
> -       return raw_copy_from_user(to, from, n);
> +       n = raw_copy_from_user(to, from, n);
> +       kmsan_unpoison_shadow(to, to_copy - n);
> +       return n;
>  }
>
>  static __always_inline __must_check unsigned long
>  __copy_from_user(void *to, const void __user *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;

This is confusing. I think we need a var for raw_copy_from_user()
return value instead. Same in functions above and below.

> +
>         might_fault();
>         kasan_check_write(to, n);
>         check_object_size(to, n, false);
> -       return raw_copy_from_user(to, from, n);
> +       n = raw_copy_from_user(to, from, n);
> +       kmsan_unpoison_shadow(to, to_copy - n);
> +       return n;
>  }
>
>  /**
> @@ -88,29 +97,39 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
>  static __always_inline __must_check unsigned long
>  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;
> +
>         kasan_check_read(from, n);
>         check_object_size(from, n, true);
> -       return raw_copy_to_user(to, from, n);
> +       n = raw_copy_to_user(to, from, n);
> +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> +       return n;
>  }
>
>  static __always_inline __must_check unsigned long
>  __copy_to_user(void __user *to, const void *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;
> +
>         might_fault();
>         kasan_check_read(from, n);
>         check_object_size(from, n, true);
> -       return raw_copy_to_user(to, from, n);
> +       n = raw_copy_to_user(to, from, n);
> +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> +       return n;
>  }
>
>  #ifdef INLINE_COPY_FROM_USER
>  static inline __must_check unsigned long
>  _copy_from_user(void *to, const void __user *from, unsigned long n)
>  {
> -       unsigned long res = n;
> +       unsigned long res = n, to_copy = n;
> +
>         might_fault();
>         if (likely(access_ok(from, n))) {
>                 kasan_check_write(to, n);
>                 res = raw_copy_from_user(to, from, n);
> +               kmsan_unpoison_shadow(to, to_copy - res);
>         }
>         if (unlikely(res))
>                 memset(to + (n - res), 0, res);
> @@ -125,10 +144,13 @@ _copy_from_user(void *, const void __user *, unsigned long);
>  static inline __must_check unsigned long
>  _copy_to_user(void __user *to, const void *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;
> +
>         might_fault();
>         if (access_ok(to, n)) {
>                 kasan_check_read(from, n);
>                 n = raw_copy_to_user(to, from, n);
> +               kmsan_copy_to_user(to, from, to_copy, n);
>         }
>         return n;
>  }
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 639d5e7014c1..f038676068b2 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -137,18 +137,24 @@
>
>  static int copyout(void __user *to, const void *from, size_t n)
>  {
> +       size_t to_copy = n;
> +
>         if (access_ok(to, n)) {
>                 kasan_check_read(from, n);
>                 n = raw_copy_to_user(to, from, n);
> +               kmsan_copy_to_user(to, from, to_copy, n);
>         }
>         return n;
>  }
>
>  static int copyin(void *to, const void __user *from, size_t n)
>  {
> +       size_t to_copy = n;
> +
>         if (access_ok(from, n)) {
>                 kasan_check_write(to, n);
>                 n = raw_copy_from_user(to, from, n);
> +               kmsan_unpoison_shadow(to, to_copy - n);
>         }
>         return n;
>  }
> diff --git a/lib/usercopy.c b/lib/usercopy.c
> index cbb4d9ec00f2..abfd93edecba 100644
> --- a/lib/usercopy.c
> +++ b/lib/usercopy.c
> @@ -1,4 +1,5 @@
>  // SPDX-License-Identifier: GPL-2.0
> +#include <linux/kmsan-checks.h>
>  #include <linux/uaccess.h>
>  #include <linux/bitops.h>
>
> @@ -7,11 +8,12 @@
>  #ifndef INLINE_COPY_FROM_USER
>  unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n)
>  {
> -       unsigned long res = n;
> +       unsigned long res = n, to_copy = n;
>         might_fault();
>         if (likely(access_ok(from, n))) {
>                 kasan_check_write(to, n);
>                 res = raw_copy_from_user(to, from, n);
> +               kmsan_unpoison_shadow(to, to_copy - res);
>         }
>         if (unlikely(res))
>                 memset(to + (n - res), 0, res);
> @@ -23,10 +25,12 @@ EXPORT_SYMBOL(_copy_from_user);
>  #ifndef INLINE_COPY_TO_USER
>  unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
>  {
> +       unsigned long to_copy = n;
>         might_fault();
>         if (likely(access_ok(to, n))) {
>                 kasan_check_read(from, n);
>                 n = raw_copy_to_user(to, from, n);
> +               kmsan_copy_to_user(to, from, to_copy, n);
>         }
>         return n;
>  }
> --
> 2.24.0.432.g9d3f5f5b63-goog
>

Alexander Potapenko Dec. 5, 2019, 4 p.m. UTC | #2

On Fri, Nov 29, 2019 at 4:34 PM Andrey Konovalov <andreyknvl@google.com> wrote:
>
> On Fri, Nov 22, 2019 at 12:27 PM <glider@google.com> wrote:
> >
> > Memory that is copied from userspace must be unpoisoned.
> > Before copying memory to userspace, check it and report an error if it
> > contains uninitialized bits.
> >
> > Signed-off-by: Alexander Potapenko <glider@google.com>
> > To: Alexander Potapenko <glider@google.com>
> > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > Cc: Dmitry Vyukov <dvyukov@google.com>
> > Cc: linux-mm@kvack.org
> > ---
> > v3:
> >  - fixed compilation errors reported by kbuild test bot
> >
> > Change-Id: I38428b9c7d1909b8441dcec1749b080494a7af99
> > ---
> >  arch/x86/include/asm/uaccess.h   | 12 ++++++++++++
> >  include/asm-generic/cacheflush.h |  7 ++++++-
> >  include/asm-generic/uaccess.h    | 12 ++++++++++--
> >  include/linux/uaccess.h          | 32 +++++++++++++++++++++++++++-----
> >  lib/iov_iter.c                   |  6 ++++++
> >  lib/usercopy.c                   |  6 +++++-
> >  6 files changed, 66 insertions(+), 9 deletions(-)
> >
> > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> > index 61d93f062a36..ac4b26583f7c 100644
> > --- a/arch/x86/include/asm/uaccess.h
> > +++ b/arch/x86/include/asm/uaccess.h
> > @@ -6,6 +6,7 @@
> >   */
> >  #include <linux/compiler.h>
> >  #include <linux/kasan-checks.h>
> > +#include <linux/kmsan-checks.h>
> >  #include <linux/string.h>
> >  #include <asm/asm.h>
> >  #include <asm/page.h>
> > @@ -174,6 +175,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
> >                         ASM_CALL_CONSTRAINT                             \
> >                      : "0" (ptr), "i" (sizeof(*(ptr))));                \
> >         (x) = (__force __typeof__(*(ptr))) __val_gu;                    \
> > +       kmsan_unpoison_shadow(&(x), sizeof(*(ptr)));                    \
> >         __builtin_expect(__ret_gu, 0);                                  \
> >  })
> >
> > @@ -248,6 +250,7 @@ extern void __put_user_8(void);
> >         __chk_user_ptr(ptr);                                    \
> >         might_fault();                                          \
> >         __pu_val = x;                                           \
> > +       kmsan_check_memory(&(__pu_val), sizeof(*(ptr)));        \
> >         switch (sizeof(*(ptr))) {                               \
> >         case 1:                                                 \
> >                 __put_user_x(1, __pu_val, ptr, __ret_pu);       \
> > @@ -270,7 +273,9 @@ extern void __put_user_8(void);
> >
> >  #define __put_user_size(x, ptr, size, label)                           \
> >  do {                                                                   \
> > +       __typeof__(*(ptr)) __pus_val = x;                               \
> >         __chk_user_ptr(ptr);                                            \
> > +       kmsan_check_memory(&(__pus_val), size);                         \
> >         switch (size) {                                                 \
> >         case 1:                                                         \
> >                 __put_user_goto(x, ptr, "b", "b", "iq", label); \
> > @@ -295,7 +300,10 @@ do {                                                                       \
> >   */
> >  #define __put_user_size_ex(x, ptr, size)                               \
> >  do {                                                                   \
> > +       __typeof__(*(ptr)) __puse_val;                                  \
>
> Can we do = x here?
Yes. Fixed, thanks!
> >         __chk_user_ptr(ptr);                                            \
> > +       __puse_val = x;                                                 \
> > +       kmsan_check_memory(&(__puse_val), size);                        \
> >         switch (size) {                                                 \
> >         case 1:                                                         \
> >                 __put_user_asm_ex(x, ptr, "b", "b", "iq");              \
> > @@ -363,6 +371,7 @@ do {                                                                        \
> >         default:                                                        \
> >                 (x) = __get_user_bad();                                 \
> >         }                                                               \
> > +       kmsan_unpoison_shadow(&(x), size);                              \
> >  } while (0)
> >
> >  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
> > @@ -413,6 +422,7 @@ do {                                                                        \
> >         default:                                                        \
> >                 (x) = __get_user_bad();                                 \
> >         }                                                               \
> > +       kmsan_unpoison_shadow(&(x), size);                              \
> >  } while (0)
> >
> >  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
> > @@ -428,11 +438,13 @@ do {                                                                      \
> >  #define __put_user_nocheck(x, ptr, size)                       \
> >  ({                                                             \
> >         __label__ __pu_label;                                   \
> > +       __typeof__(*(ptr)) __pun_val = x;                       \
>
> Not sure if this matters, but two lines below do (x).
Right.
> Also, why can't we use __pu_val instead of defining __pun_val?
Will do.
>
> >         int __pu_err = -EFAULT;                                 \
> >         __typeof__(*(ptr)) __pu_val = (x);                      \
> >         __typeof__(ptr) __pu_ptr = (ptr);                       \
> >         __typeof__(size) __pu_size = (size);                    \
> >         __uaccess_begin();                                      \
> > +       kmsan_check_memory(&(__pun_val), size);                 \
> >         __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);     \
> >         __pu_err = 0;                                           \
> >  __pu_label:                                                    \
> > diff --git a/include/asm-generic/cacheflush.h b/include/asm-generic/cacheflush.h
> > index a950a22c4890..707531dccf5e 100644
> > --- a/include/asm-generic/cacheflush.h
> > +++ b/include/asm-generic/cacheflush.h
> > @@ -4,6 +4,7 @@
> >
> >  /* Keep includes the same across arches.  */
> >  #include <linux/mm.h>
> > +#include <linux/kmsan-checks.h>
> >
> >  #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 0
> >
> > @@ -72,10 +73,14 @@ static inline void flush_cache_vunmap(unsigned long start, unsigned long end)
> >
> >  #define copy_to_user_page(vma, page, vaddr, dst, src, len) \
> >         do { \
> > +               kmsan_check_memory(src, len); \
> >                 memcpy(dst, src, len); \
> >                 flush_icache_user_range(vma, page, vaddr, len); \
> >         } while (0)
> >  #define copy_from_user_page(vma, page, vaddr, dst, src, len) \
> > -       memcpy(dst, src, len)
> > +       do { \
> > +               memcpy(dst, src, len); \
> > +               kmsan_unpoison_shadow(dst, len); \
> > +       } while (0)
> >
> >  #endif /* __ASM_CACHEFLUSH_H */
> > diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
> > index e935318804f8..508ee649aeef 100644
> > --- a/include/asm-generic/uaccess.h
> > +++ b/include/asm-generic/uaccess.h
> > @@ -142,7 +142,11 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
> >
> >  static inline int __put_user_fn(size_t size, void __user *ptr, void *x)
> >  {
> > -       return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
> > +       int n;
> > +
> > +       n = raw_copy_to_user(ptr, x, size);
> > +       kmsan_copy_to_user(ptr, x, size, n);
> > +       return unlikely(n) ? -EFAULT : 0;
> >  }
> >
> >  #define __put_user_fn(sz, u, k)        __put_user_fn(sz, u, k)
> > @@ -203,7 +207,11 @@ extern int __put_user_bad(void) __attribute__((noreturn));
> >  #ifndef __get_user_fn
> >  static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
> >  {
> > -       return unlikely(raw_copy_from_user(x, ptr, size)) ? -EFAULT : 0;
> > +       int copied, to_copy = size;
> > +
> > +       copied = raw_copy_from_user(x, ptr, size);
> > +       kmsan_unpoison_shadow(x, to_copy - copied);
> > +       return unlikely(copied) ? -EFAULT : 0;
> >  }
> >
> >  #define __get_user_fn(sz, u, k)        __get_user_fn(sz, u, k)
> > diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> > index d4ee6e942562..7550d11a8077 100644
> > --- a/include/linux/uaccess.h
> > +++ b/include/linux/uaccess.h
> > @@ -5,6 +5,7 @@
> >  #include <linux/sched.h>
> >  #include <linux/thread_info.h>
> >  #include <linux/kasan-checks.h>
> > +#include <linux/kmsan-checks.h>
> >
> >  #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
> >
> > @@ -58,18 +59,26 @@
> >  static __always_inline __must_check unsigned long
> >  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
> > +
> >         kasan_check_write(to, n);
> >         check_object_size(to, n, false);
> > -       return raw_copy_from_user(to, from, n);
> > +       n = raw_copy_from_user(to, from, n);
> > +       kmsan_unpoison_shadow(to, to_copy - n);
> > +       return n;
> >  }
> >
> >  static __always_inline __must_check unsigned long
> >  __copy_from_user(void *to, const void __user *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
>
> This is confusing. I think we need a var for raw_copy_from_user()
> return value instead. Same in functions above and below.
raw_copy_from_user() returns the number of bytes _not_ copied from
userspace. So in the case it returns 0 we need to unpoison to_copy
bytes.
> > +
> >         might_fault();
> >         kasan_check_write(to, n);
> >         check_object_size(to, n, false);
> > -       return raw_copy_from_user(to, from, n);
> > +       n = raw_copy_from_user(to, from, n);
> > +       kmsan_unpoison_shadow(to, to_copy - n);
> > +       return n;
> >  }
> >
> >  /**
> > @@ -88,29 +97,39 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
> >  static __always_inline __must_check unsigned long
> >  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
> > +
> >         kasan_check_read(from, n);
> >         check_object_size(from, n, true);
> > -       return raw_copy_to_user(to, from, n);
> > +       n = raw_copy_to_user(to, from, n);
> > +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> > +       return n;
> >  }
> >
> >  static __always_inline __must_check unsigned long
> >  __copy_to_user(void __user *to, const void *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
> > +
> >         might_fault();
> >         kasan_check_read(from, n);
> >         check_object_size(from, n, true);
> > -       return raw_copy_to_user(to, from, n);
> > +       n = raw_copy_to_user(to, from, n);
> > +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> > +       return n;
> >  }
> >
> >  #ifdef INLINE_COPY_FROM_USER
> >  static inline __must_check unsigned long
> >  _copy_from_user(void *to, const void __user *from, unsigned long n)
> >  {
> > -       unsigned long res = n;
> > +       unsigned long res = n, to_copy = n;
> > +
> >         might_fault();
> >         if (likely(access_ok(from, n))) {
> >                 kasan_check_write(to, n);
> >                 res = raw_copy_from_user(to, from, n);
> > +               kmsan_unpoison_shadow(to, to_copy - res);
> >         }
> >         if (unlikely(res))
> >                 memset(to + (n - res), 0, res);
> > @@ -125,10 +144,13 @@ _copy_from_user(void *, const void __user *, unsigned long);
> >  static inline __must_check unsigned long
> >  _copy_to_user(void __user *to, const void *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
> > +
> >         might_fault();
> >         if (access_ok(to, n)) {
> >                 kasan_check_read(from, n);
> >                 n = raw_copy_to_user(to, from, n);
> > +               kmsan_copy_to_user(to, from, to_copy, n);
> >         }
> >         return n;
> >  }
> > diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> > index 639d5e7014c1..f038676068b2 100644
> > --- a/lib/iov_iter.c
> > +++ b/lib/iov_iter.c
> > @@ -137,18 +137,24 @@
> >
> >  static int copyout(void __user *to, const void *from, size_t n)
> >  {
> > +       size_t to_copy = n;
> > +
> >         if (access_ok(to, n)) {
> >                 kasan_check_read(from, n);
> >                 n = raw_copy_to_user(to, from, n);
> > +               kmsan_copy_to_user(to, from, to_copy, n);
> >         }
> >         return n;
> >  }
> >
> >  static int copyin(void *to, const void __user *from, size_t n)
> >  {
> > +       size_t to_copy = n;
> > +
> >         if (access_ok(from, n)) {
> >                 kasan_check_write(to, n);
> >                 n = raw_copy_from_user(to, from, n);
> > +               kmsan_unpoison_shadow(to, to_copy - n);
> >         }
> >         return n;
> >  }
> > diff --git a/lib/usercopy.c b/lib/usercopy.c
> > index cbb4d9ec00f2..abfd93edecba 100644
> > --- a/lib/usercopy.c
> > +++ b/lib/usercopy.c
> > @@ -1,4 +1,5 @@
> >  // SPDX-License-Identifier: GPL-2.0
> > +#include <linux/kmsan-checks.h>
> >  #include <linux/uaccess.h>
> >  #include <linux/bitops.h>
> >
> > @@ -7,11 +8,12 @@
> >  #ifndef INLINE_COPY_FROM_USER
> >  unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n)
> >  {
> > -       unsigned long res = n;
> > +       unsigned long res = n, to_copy = n;
> >         might_fault();
> >         if (likely(access_ok(from, n))) {
> >                 kasan_check_write(to, n);
> >                 res = raw_copy_from_user(to, from, n);
> > +               kmsan_unpoison_shadow(to, to_copy - res);
> >         }
> >         if (unlikely(res))
> >                 memset(to + (n - res), 0, res);
> > @@ -23,10 +25,12 @@ EXPORT_SYMBOL(_copy_from_user);
> >  #ifndef INLINE_COPY_TO_USER
> >  unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
> >  {
> > +       unsigned long to_copy = n;
> >         might_fault();
> >         if (likely(access_ok(to, n))) {
> >                 kasan_check_read(from, n);
> >                 n = raw_copy_to_user(to, from, n);
> > +               kmsan_copy_to_user(to, from, to_copy, n);
> >         }
> >         return n;
> >  }
> > --
> > 2.24.0.432.g9d3f5f5b63-goog
> >

Andrey Konovalov Dec. 5, 2019, 4:44 p.m. UTC | #3

On Thu, Dec 5, 2019 at 5:00 PM Alexander Potapenko <glider@google.com> wrote:
>
> On Fri, Nov 29, 2019 at 4:34 PM Andrey Konovalov <andreyknvl@google.com> wrote:
> >
> > On Fri, Nov 22, 2019 at 12:27 PM <glider@google.com> wrote:
> > >
> > > Memory that is copied from userspace must be unpoisoned.
> > > Before copying memory to userspace, check it and report an error if it
> > > contains uninitialized bits.
> > >
> > > Signed-off-by: Alexander Potapenko <glider@google.com>
> > > To: Alexander Potapenko <glider@google.com>
> > > Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> > > Cc: Vegard Nossum <vegard.nossum@oracle.com>
> > > Cc: Dmitry Vyukov <dvyukov@google.com>
> > > Cc: linux-mm@kvack.org
> > > ---
> > > v3:
> > >  - fixed compilation errors reported by kbuild test bot
> > >
> > > Change-Id: I38428b9c7d1909b8441dcec1749b080494a7af99
> > > ---
> > >  arch/x86/include/asm/uaccess.h   | 12 ++++++++++++
> > >  include/asm-generic/cacheflush.h |  7 ++++++-
> > >  include/asm-generic/uaccess.h    | 12 ++++++++++--
> > >  include/linux/uaccess.h          | 32 +++++++++++++++++++++++++++-----
> > >  lib/iov_iter.c                   |  6 ++++++
> > >  lib/usercopy.c                   |  6 +++++-
> > >  6 files changed, 66 insertions(+), 9 deletions(-)
> > >
> > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> > > index 61d93f062a36..ac4b26583f7c 100644
> > > --- a/arch/x86/include/asm/uaccess.h
> > > +++ b/arch/x86/include/asm/uaccess.h
> > > @@ -6,6 +6,7 @@
> > >   */
> > >  #include <linux/compiler.h>
> > >  #include <linux/kasan-checks.h>
> > > +#include <linux/kmsan-checks.h>
> > >  #include <linux/string.h>
> > >  #include <asm/asm.h>
> > >  #include <asm/page.h>
> > > @@ -174,6 +175,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
> > >                         ASM_CALL_CONSTRAINT                             \
> > >                      : "0" (ptr), "i" (sizeof(*(ptr))));                \
> > >         (x) = (__force __typeof__(*(ptr))) __val_gu;                    \
> > > +       kmsan_unpoison_shadow(&(x), sizeof(*(ptr)));                    \
> > >         __builtin_expect(__ret_gu, 0);                                  \
> > >  })
> > >
> > > @@ -248,6 +250,7 @@ extern void __put_user_8(void);
> > >         __chk_user_ptr(ptr);                                    \
> > >         might_fault();                                          \
> > >         __pu_val = x;                                           \
> > > +       kmsan_check_memory(&(__pu_val), sizeof(*(ptr)));        \
> > >         switch (sizeof(*(ptr))) {                               \
> > >         case 1:                                                 \
> > >                 __put_user_x(1, __pu_val, ptr, __ret_pu);       \
> > > @@ -270,7 +273,9 @@ extern void __put_user_8(void);
> > >
> > >  #define __put_user_size(x, ptr, size, label)                           \
> > >  do {                                                                   \
> > > +       __typeof__(*(ptr)) __pus_val = x;                               \
> > >         __chk_user_ptr(ptr);                                            \
> > > +       kmsan_check_memory(&(__pus_val), size);                         \
> > >         switch (size) {                                                 \
> > >         case 1:                                                         \
> > >                 __put_user_goto(x, ptr, "b", "b", "iq", label); \
> > > @@ -295,7 +300,10 @@ do {                                                                       \
> > >   */
> > >  #define __put_user_size_ex(x, ptr, size)                               \
> > >  do {                                                                   \
> > > +       __typeof__(*(ptr)) __puse_val;                                  \
> >
> > Can we do = x here?
> Yes. Fixed, thanks!
> > >         __chk_user_ptr(ptr);                                            \
> > > +       __puse_val = x;                                                 \
> > > +       kmsan_check_memory(&(__puse_val), size);                        \
> > >         switch (size) {                                                 \
> > >         case 1:                                                         \
> > >                 __put_user_asm_ex(x, ptr, "b", "b", "iq");              \
> > > @@ -363,6 +371,7 @@ do {                                                                        \
> > >         default:                                                        \
> > >                 (x) = __get_user_bad();                                 \
> > >         }                                                               \
> > > +       kmsan_unpoison_shadow(&(x), size);                              \
> > >  } while (0)
> > >
> > >  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
> > > @@ -413,6 +422,7 @@ do {                                                                        \
> > >         default:                                                        \
> > >                 (x) = __get_user_bad();                                 \
> > >         }                                                               \
> > > +       kmsan_unpoison_shadow(&(x), size);                              \
> > >  } while (0)
> > >
> > >  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
> > > @@ -428,11 +438,13 @@ do {                                                                      \
> > >  #define __put_user_nocheck(x, ptr, size)                       \
> > >  ({                                                             \
> > >         __label__ __pu_label;                                   \
> > > +       __typeof__(*(ptr)) __pun_val = x;                       \
> >
> > Not sure if this matters, but two lines below do (x).
> Right.
> > Also, why can't we use __pu_val instead of defining __pun_val?
> Will do.
> >
> > >         int __pu_err = -EFAULT;                                 \
> > >         __typeof__(*(ptr)) __pu_val = (x);                      \
> > >         __typeof__(ptr) __pu_ptr = (ptr);                       \
> > >         __typeof__(size) __pu_size = (size);                    \
> > >         __uaccess_begin();                                      \
> > > +       kmsan_check_memory(&(__pun_val), size);                 \
> > >         __put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);     \
> > >         __pu_err = 0;                                           \
> > >  __pu_label:                                                    \
> > > diff --git a/include/asm-generic/cacheflush.h b/include/asm-generic/cacheflush.h
> > > index a950a22c4890..707531dccf5e 100644
> > > --- a/include/asm-generic/cacheflush.h
> > > +++ b/include/asm-generic/cacheflush.h
> > > @@ -4,6 +4,7 @@
> > >
> > >  /* Keep includes the same across arches.  */
> > >  #include <linux/mm.h>
> > > +#include <linux/kmsan-checks.h>
> > >
> > >  #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 0
> > >
> > > @@ -72,10 +73,14 @@ static inline void flush_cache_vunmap(unsigned long start, unsigned long end)
> > >
> > >  #define copy_to_user_page(vma, page, vaddr, dst, src, len) \
> > >         do { \
> > > +               kmsan_check_memory(src, len); \
> > >                 memcpy(dst, src, len); \
> > >                 flush_icache_user_range(vma, page, vaddr, len); \
> > >         } while (0)
> > >  #define copy_from_user_page(vma, page, vaddr, dst, src, len) \
> > > -       memcpy(dst, src, len)
> > > +       do { \
> > > +               memcpy(dst, src, len); \
> > > +               kmsan_unpoison_shadow(dst, len); \
> > > +       } while (0)
> > >
> > >  #endif /* __ASM_CACHEFLUSH_H */
> > > diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
> > > index e935318804f8..508ee649aeef 100644
> > > --- a/include/asm-generic/uaccess.h
> > > +++ b/include/asm-generic/uaccess.h
> > > @@ -142,7 +142,11 @@ static inline int __access_ok(unsigned long addr, unsigned long size)
> > >
> > >  static inline int __put_user_fn(size_t size, void __user *ptr, void *x)
> > >  {
> > > -       return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
> > > +       int n;
> > > +
> > > +       n = raw_copy_to_user(ptr, x, size);
> > > +       kmsan_copy_to_user(ptr, x, size, n);
> > > +       return unlikely(n) ? -EFAULT : 0;
> > >  }
> > >
> > >  #define __put_user_fn(sz, u, k)        __put_user_fn(sz, u, k)
> > > @@ -203,7 +207,11 @@ extern int __put_user_bad(void) __attribute__((noreturn));
> > >  #ifndef __get_user_fn
> > >  static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
> > >  {
> > > -       return unlikely(raw_copy_from_user(x, ptr, size)) ? -EFAULT : 0;
> > > +       int copied, to_copy = size;
> > > +
> > > +       copied = raw_copy_from_user(x, ptr, size);
> > > +       kmsan_unpoison_shadow(x, to_copy - copied);
> > > +       return unlikely(copied) ? -EFAULT : 0;
> > >  }
> > >
> > >  #define __get_user_fn(sz, u, k)        __get_user_fn(sz, u, k)
> > > diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
> > > index d4ee6e942562..7550d11a8077 100644
> > > --- a/include/linux/uaccess.h
> > > +++ b/include/linux/uaccess.h
> > > @@ -5,6 +5,7 @@
> > >  #include <linux/sched.h>
> > >  #include <linux/thread_info.h>
> > >  #include <linux/kasan-checks.h>
> > > +#include <linux/kmsan-checks.h>
> > >
> > >  #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
> > >
> > > @@ -58,18 +59,26 @@
> > >  static __always_inline __must_check unsigned long
> > >  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> > > +
> > >         kasan_check_write(to, n);
> > >         check_object_size(to, n, false);
> > > -       return raw_copy_from_user(to, from, n);
> > > +       n = raw_copy_from_user(to, from, n);
> > > +       kmsan_unpoison_shadow(to, to_copy - n);
> > > +       return n;
> > >  }
> > >
> > >  static __always_inline __must_check unsigned long
> > >  __copy_from_user(void *to, const void __user *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> >
> > This is confusing. I think we need a var for raw_copy_from_user()
> > return value instead. Same in functions above and below.
> raw_copy_from_user() returns the number of bytes _not_ copied from
> userspace. So in the case it returns 0 we need to unpoison to_copy
> bytes.

My point was that reasiggning the value of n to the return value of
raw_copy_from_user(), but saving the original n into to_copy is
confusing. It would be easier to read this code, is n was left as is,
and there was a new var for raw_copy_from_user() return value.

> > > +
> > >         might_fault();
> > >         kasan_check_write(to, n);
> > >         check_object_size(to, n, false);
> > > -       return raw_copy_from_user(to, from, n);
> > > +       n = raw_copy_from_user(to, from, n);
> > > +       kmsan_unpoison_shadow(to, to_copy - n);
> > > +       return n;
> > >  }
> > >
> > >  /**
> > > @@ -88,29 +97,39 @@ __copy_from_user(void *to, const void __user *from, unsigned long n)
> > >  static __always_inline __must_check unsigned long
> > >  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> > > +
> > >         kasan_check_read(from, n);
> > >         check_object_size(from, n, true);
> > > -       return raw_copy_to_user(to, from, n);
> > > +       n = raw_copy_to_user(to, from, n);
> > > +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> > > +       return n;
> > >  }
> > >
> > >  static __always_inline __must_check unsigned long
> > >  __copy_to_user(void __user *to, const void *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> > > +
> > >         might_fault();
> > >         kasan_check_read(from, n);
> > >         check_object_size(from, n, true);
> > > -       return raw_copy_to_user(to, from, n);
> > > +       n = raw_copy_to_user(to, from, n);
> > > +       kmsan_copy_to_user((const void *)to, from, to_copy, n);
> > > +       return n;
> > >  }
> > >
> > >  #ifdef INLINE_COPY_FROM_USER
> > >  static inline __must_check unsigned long
> > >  _copy_from_user(void *to, const void __user *from, unsigned long n)
> > >  {
> > > -       unsigned long res = n;
> > > +       unsigned long res = n, to_copy = n;
> > > +
> > >         might_fault();
> > >         if (likely(access_ok(from, n))) {
> > >                 kasan_check_write(to, n);
> > >                 res = raw_copy_from_user(to, from, n);
> > > +               kmsan_unpoison_shadow(to, to_copy - res);
> > >         }
> > >         if (unlikely(res))
> > >                 memset(to + (n - res), 0, res);
> > > @@ -125,10 +144,13 @@ _copy_from_user(void *, const void __user *, unsigned long);
> > >  static inline __must_check unsigned long
> > >  _copy_to_user(void __user *to, const void *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> > > +
> > >         might_fault();
> > >         if (access_ok(to, n)) {
> > >                 kasan_check_read(from, n);
> > >                 n = raw_copy_to_user(to, from, n);
> > > +               kmsan_copy_to_user(to, from, to_copy, n);
> > >         }
> > >         return n;
> > >  }
> > > diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> > > index 639d5e7014c1..f038676068b2 100644
> > > --- a/lib/iov_iter.c
> > > +++ b/lib/iov_iter.c
> > > @@ -137,18 +137,24 @@
> > >
> > >  static int copyout(void __user *to, const void *from, size_t n)
> > >  {
> > > +       size_t to_copy = n;
> > > +
> > >         if (access_ok(to, n)) {
> > >                 kasan_check_read(from, n);
> > >                 n = raw_copy_to_user(to, from, n);
> > > +               kmsan_copy_to_user(to, from, to_copy, n);
> > >         }
> > >         return n;
> > >  }
> > >
> > >  static int copyin(void *to, const void __user *from, size_t n)
> > >  {
> > > +       size_t to_copy = n;
> > > +
> > >         if (access_ok(from, n)) {
> > >                 kasan_check_write(to, n);
> > >                 n = raw_copy_from_user(to, from, n);
> > > +               kmsan_unpoison_shadow(to, to_copy - n);
> > >         }
> > >         return n;
> > >  }
> > > diff --git a/lib/usercopy.c b/lib/usercopy.c
> > > index cbb4d9ec00f2..abfd93edecba 100644
> > > --- a/lib/usercopy.c
> > > +++ b/lib/usercopy.c
> > > @@ -1,4 +1,5 @@
> > >  // SPDX-License-Identifier: GPL-2.0
> > > +#include <linux/kmsan-checks.h>
> > >  #include <linux/uaccess.h>
> > >  #include <linux/bitops.h>
> > >
> > > @@ -7,11 +8,12 @@
> > >  #ifndef INLINE_COPY_FROM_USER
> > >  unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n)
> > >  {
> > > -       unsigned long res = n;
> > > +       unsigned long res = n, to_copy = n;
> > >         might_fault();
> > >         if (likely(access_ok(from, n))) {
> > >                 kasan_check_write(to, n);
> > >                 res = raw_copy_from_user(to, from, n);
> > > +               kmsan_unpoison_shadow(to, to_copy - res);
> > >         }
> > >         if (unlikely(res))
> > >                 memset(to + (n - res), 0, res);
> > > @@ -23,10 +25,12 @@ EXPORT_SYMBOL(_copy_from_user);
> > >  #ifndef INLINE_COPY_TO_USER
> > >  unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
> > >  {
> > > +       unsigned long to_copy = n;
> > >         might_fault();
> > >         if (likely(access_ok(to, n))) {
> > >                 kasan_check_read(from, n);
> > >                 n = raw_copy_to_user(to, from, n);
> > > +               kmsan_copy_to_user(to, from, to_copy, n);
> > >         }
> > >         return n;
> > >  }
> > > --
> > > 2.24.0.432.g9d3f5f5b63-goog
> > >
>
>
>
> --
> Alexander Potapenko
> Software Engineer
>
> Google Germany GmbH
> Erika-Mann-Straße, 33
> 80636 München
>
> Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg

Alexander Potapenko Dec. 11, 2019, 2:22 p.m. UTC | #4

> My point was that reasiggning the value of n to the return value of
> raw_copy_from_user(), but saving the original n into to_copy is
> confusing. It would be easier to read this code, is n was left as is,
> and there was a new var for raw_copy_from_user() return value.
>
Ok, will do in v4.
Thanks!

diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 61d93f062a36..ac4b26583f7c 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -6,6 +6,7 @@ 
  */
 #include <linux/compiler.h>
 #include <linux/kasan-checks.h>
+#include <linux/kmsan-checks.h>
 #include <linux/string.h>
 #include <asm/asm.h>
 #include <asm/page.h>
@@ -174,6 +175,7 @@  __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
 			ASM_CALL_CONSTRAINT				\
 		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
 	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
+	kmsan_unpoison_shadow(&(x), sizeof(*(ptr)));			\
 	__builtin_expect(__ret_gu, 0);					\
 })
 
@@ -248,6 +250,7 @@  extern void __put_user_8(void);
 	__chk_user_ptr(ptr);					\
 	might_fault();						\
 	__pu_val = x;						\
+	kmsan_check_memory(&(__pu_val), sizeof(*(ptr)));	\
 	switch (sizeof(*(ptr))) {				\
 	case 1:							\
 		__put_user_x(1, __pu_val, ptr, __ret_pu);	\
@@ -270,7 +273,9 @@  extern void __put_user_8(void);
 
 #define __put_user_size(x, ptr, size, label)				\
 do {									\
+	__typeof__(*(ptr)) __pus_val = x;				\
 	__chk_user_ptr(ptr);						\
+	kmsan_check_memory(&(__pus_val), size);				\
 	switch (size) {							\
 	case 1:								\
 		__put_user_goto(x, ptr, "b", "b", "iq", label);	\
@@ -295,7 +300,10 @@  do {									\
  */
 #define __put_user_size_ex(x, ptr, size)				\
 do {									\
+	__typeof__(*(ptr)) __puse_val;					\
 	__chk_user_ptr(ptr);						\
+	__puse_val = x;							\
+	kmsan_check_memory(&(__puse_val), size);			\
 	switch (size) {							\
 	case 1:								\
 		__put_user_asm_ex(x, ptr, "b", "b", "iq");		\
@@ -363,6 +371,7 @@  do {									\
 	default:							\
 		(x) = __get_user_bad();					\
 	}								\
+	kmsan_unpoison_shadow(&(x), size);				\
 } while (0)
 
 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)	\
@@ -413,6 +422,7 @@  do {									\
 	default:							\
 		(x) = __get_user_bad();					\
 	}								\
+	kmsan_unpoison_shadow(&(x), size);				\
 } while (0)
 
 #define __get_user_asm_ex(x, addr, itype, rtype, ltype)			\
@@ -428,11 +438,13 @@  do {									\
 #define __put_user_nocheck(x, ptr, size)			\
 ({								\
 	__label__ __pu_label;					\
+	__typeof__(*(ptr)) __pun_val = x;			\
 	int __pu_err = -EFAULT;					\
 	__typeof__(*(ptr)) __pu_val = (x);			\
 	__typeof__(ptr) __pu_ptr = (ptr);			\
 	__typeof__(size) __pu_size = (size);			\
 	__uaccess_begin();					\
+	kmsan_check_memory(&(__pun_val), size);			\
 	__put_user_size(__pu_val, __pu_ptr, __pu_size, __pu_label);	\
 	__pu_err = 0;						\
 __pu_label:							\
diff --git a/include/asm-generic/cacheflush.h b/include/asm-generic/cacheflush.h
index a950a22c4890..707531dccf5e 100644
--- a/include/asm-generic/cacheflush.h
+++ b/include/asm-generic/cacheflush.h
@@ -4,6 +4,7 @@ 
 
 /* Keep includes the same across arches.  */
 #include <linux/mm.h>
+#include <linux/kmsan-checks.h>
 
 #define ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE 0
 
@@ -72,10 +73,14 @@  static inline void flush_cache_vunmap(unsigned long start, unsigned long end)
 
 #define copy_to_user_page(vma, page, vaddr, dst, src, len) \
 	do { \
+		kmsan_check_memory(src, len); \
 		memcpy(dst, src, len); \
 		flush_icache_user_range(vma, page, vaddr, len); \
 	} while (0)
 #define copy_from_user_page(vma, page, vaddr, dst, src, len) \
-	memcpy(dst, src, len)
+	do { \
+		memcpy(dst, src, len); \
+		kmsan_unpoison_shadow(dst, len); \
+	} while (0)
 
 #endif /* __ASM_CACHEFLUSH_H */
diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
index e935318804f8..508ee649aeef 100644
--- a/include/asm-generic/uaccess.h
+++ b/include/asm-generic/uaccess.h
@@ -142,7 +142,11 @@  static inline int __access_ok(unsigned long addr, unsigned long size)
 
 static inline int __put_user_fn(size_t size, void __user *ptr, void *x)
 {
-	return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
+	int n;
+
+	n = raw_copy_to_user(ptr, x, size);
+	kmsan_copy_to_user(ptr, x, size, n);
+	return unlikely(n) ? -EFAULT : 0;
 }
 
 #define __put_user_fn(sz, u, k)	__put_user_fn(sz, u, k)
@@ -203,7 +207,11 @@  extern int __put_user_bad(void) __attribute__((noreturn));
 #ifndef __get_user_fn
 static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
 {
-	return unlikely(raw_copy_from_user(x, ptr, size)) ? -EFAULT : 0;
+	int copied, to_copy = size;
+
+	copied = raw_copy_from_user(x, ptr, size);
+	kmsan_unpoison_shadow(x, to_copy - copied);
+	return unlikely(copied) ? -EFAULT : 0;
 }
 
 #define __get_user_fn(sz, u, k)	__get_user_fn(sz, u, k)
diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index d4ee6e942562..7550d11a8077 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -5,6 +5,7 @@ 
 #include <linux/sched.h>
 #include <linux/thread_info.h>
 #include <linux/kasan-checks.h>
+#include <linux/kmsan-checks.h>
 
 #define uaccess_kernel() segment_eq(get_fs(), KERNEL_DS)
 
@@ -58,18 +59,26 @@ 
 static __always_inline __must_check unsigned long
 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
 {
+	unsigned long to_copy = n;
+
 	kasan_check_write(to, n);
 	check_object_size(to, n, false);
-	return raw_copy_from_user(to, from, n);
+	n = raw_copy_from_user(to, from, n);
+	kmsan_unpoison_shadow(to, to_copy - n);
+	return n;
 }
 
 static __always_inline __must_check unsigned long
 __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+	unsigned long to_copy = n;
+
 	might_fault();
 	kasan_check_write(to, n);
 	check_object_size(to, n, false);
-	return raw_copy_from_user(to, from, n);
+	n = raw_copy_from_user(to, from, n);
+	kmsan_unpoison_shadow(to, to_copy - n);
+	return n;
 }
 
 /**
@@ -88,29 +97,39 @@  __copy_from_user(void *to, const void __user *from, unsigned long n)
 static __always_inline __must_check unsigned long
 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
 {
+	unsigned long to_copy = n;
+
 	kasan_check_read(from, n);
 	check_object_size(from, n, true);
-	return raw_copy_to_user(to, from, n);
+	n = raw_copy_to_user(to, from, n);
+	kmsan_copy_to_user((const void *)to, from, to_copy, n);
+	return n;
 }
 
 static __always_inline __must_check unsigned long
 __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+	unsigned long to_copy = n;
+
 	might_fault();
 	kasan_check_read(from, n);
 	check_object_size(from, n, true);
-	return raw_copy_to_user(to, from, n);
+	n = raw_copy_to_user(to, from, n);
+	kmsan_copy_to_user((const void *)to, from, to_copy, n);
+	return n;
 }
 
 #ifdef INLINE_COPY_FROM_USER
 static inline __must_check unsigned long
 _copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	unsigned long res = n;
+	unsigned long res = n, to_copy = n;
+
 	might_fault();
 	if (likely(access_ok(from, n))) {
 		kasan_check_write(to, n);
 		res = raw_copy_from_user(to, from, n);
+		kmsan_unpoison_shadow(to, to_copy - res);
 	}
 	if (unlikely(res))
 		memset(to + (n - res), 0, res);
@@ -125,10 +144,13 @@  _copy_from_user(void *, const void __user *, unsigned long);
 static inline __must_check unsigned long
 _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+	unsigned long to_copy = n;
+
 	might_fault();
 	if (access_ok(to, n)) {
 		kasan_check_read(from, n);
 		n = raw_copy_to_user(to, from, n);
+		kmsan_copy_to_user(to, from, to_copy, n);
 	}
 	return n;
 }
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 639d5e7014c1..f038676068b2 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -137,18 +137,24 @@ 
 
 static int copyout(void __user *to, const void *from, size_t n)
 {
+	size_t to_copy = n;
+
 	if (access_ok(to, n)) {
 		kasan_check_read(from, n);
 		n = raw_copy_to_user(to, from, n);
+		kmsan_copy_to_user(to, from, to_copy, n);
 	}
 	return n;
 }
 
 static int copyin(void *to, const void __user *from, size_t n)
 {
+	size_t to_copy = n;
+
 	if (access_ok(from, n)) {
 		kasan_check_write(to, n);
 		n = raw_copy_from_user(to, from, n);
+		kmsan_unpoison_shadow(to, to_copy - n);
 	}
 	return n;
 }
diff --git a/lib/usercopy.c b/lib/usercopy.c
index cbb4d9ec00f2..abfd93edecba 100644
--- a/lib/usercopy.c
+++ b/lib/usercopy.c
@@ -1,4 +1,5 @@ 
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/kmsan-checks.h>
 #include <linux/uaccess.h>
 #include <linux/bitops.h>
 
@@ -7,11 +8,12 @@ 
 #ifndef INLINE_COPY_FROM_USER
 unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n)
 {
-	unsigned long res = n;
+	unsigned long res = n, to_copy = n;
 	might_fault();
 	if (likely(access_ok(from, n))) {
 		kasan_check_write(to, n);
 		res = raw_copy_from_user(to, from, n);
+		kmsan_unpoison_shadow(to, to_copy - res);
 	}
 	if (unlikely(res))
 		memset(to + (n - res), 0, res);
@@ -23,10 +25,12 @@  EXPORT_SYMBOL(_copy_from_user);
 #ifndef INLINE_COPY_TO_USER
 unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+	unsigned long to_copy = n;
 	might_fault();
 	if (likely(access_ok(to, n))) {
 		kasan_check_read(from, n);
 		n = raw_copy_to_user(to, from, n);
+		kmsan_copy_to_user(to, from, to_copy, n);
 	}
 	return n;
 }

[RFC,v3,27/36] kmsan: hooks for copy_to_user() and friends

Commit Message

Comments

Patch