From: Jann Horn
Subject: [PATCH v2 0/2] allow KASAN to detect UAF in SLAB_TYPESAFE_BY_RCU slabs
Date: Wed, 24 Jul 2024 18:34:11 +0200
Message-Id: <20240724-kasan-tsbrcu-v2-0-45f898064468@google.com>
To: Andrey Ryabinin, Alexander Potapenko, Andrey Konovalov, Dmitry Vyukov, Vincenzo Frascino, Andrew Morton, Christoph Lameter, Pekka Enberg, David Rientjes, Joonsoo Kim, Vlastimil Babka, Roman Gushchin, Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Marco Elver, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Jann Horn
Hi!

This is v2 of a series that I started, uuuh, almost a year ago. (Sorry...)

v1 was at: https://lore.kernel.org/lkml/20230825211426.3798691-1-jannh@google.com/

The purpose of the series is to allow KASAN to detect use-after-free access in SLAB_TYPESAFE_BY_RCU slab caches, by essentially making them behave as if the cache was not SLAB_TYPESAFE_BY_RCU but instead every kfree() in the cache was a kfree_rcu(). This is gated behind a config flag that is supposed to only be enabled in fuzzing/testing builds where the performance impact doesn't matter.

Patch 1/2 is new; it's some necessary prep work for the main patch to work, though the KASAN integration maybe is a bit ugly.

Patch 2/2 is a rebased version of the old patch, with some changes to how the config is wired up, with poison/unpoison logic added as suggested by dvyukov@ back then, with cache destruction fixed using rcu_barrier() as pointed out by dvyukov@ and the test robot, and a test added as suggested by elver@.

Output of the new kunit testcase I added to the KASAN test suite:

==================================================================
BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3ae/0x4d0
Read of size 1 at addr ffff88810d3c8000 by task kunit_try_catch/225

CPU: 7 PID: 225 Comm: kunit_try_catch Tainted: G B N 6.10.0-00003-gf0fc688e25ed #422
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x53/0x70
 print_report+0xce/0x670
 [...]
 kasan_report+0xa5/0xe0
 [...]
 kmem_cache_rcu_uaf+0x3ae/0x4d0
 [...]
 kunit_try_run_case+0x1b3/0x490
 [...]
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 [...]
 ret_from_fork+0x34/0x70
 [...]
 ret_from_fork_asm+0x1a/0x30

Allocated by task 225:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x6e/0x70
 kmem_cache_alloc_noprof+0xef/0x2b0
 kmem_cache_rcu_uaf+0x10d/0x4d0
 kunit_try_run_case+0x1b3/0x490
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 ret_from_fork+0x34/0x70
 ret_from_fork_asm+0x1a/0x30

Freed by task 0:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x47/0x70
 slab_free_after_rcu_debug+0xee/0x240
 rcu_core+0x676/0x15b0
 handle_softirqs+0x22f/0x690
 irq_exit_rcu+0x84/0xb0
 sysvec_apic_timer_interrupt+0x6a/0x80
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Last potentially related work creation:
 kasan_save_stack+0x33/0x60
 __kasan_record_aux_stack+0x8e/0xa0
 __call_rcu_common.constprop.0+0x70/0xa70
 kmem_cache_rcu_uaf+0x16e/0x4d0
 kunit_try_run_case+0x1b3/0x490
 kunit_generic_run_threadfn_adapter+0x80/0xe0
 kthread+0x2a5/0x370
 ret_from_fork+0x34/0x70
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff88810d3c8000
 which belongs to the cache test_cache of size 200
The buggy address is located 0 bytes inside of
 freed 200-byte region [ffff88810d3c8000, ffff88810d3c80c8)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d3c8
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000000040(head|node=0|zone=2)
page_type: 0xffffefff(slab)
raw: 0200000000000040 ffff88810d3c2000 dead000000000122 0000000000000000
raw: 0000000000000000 00000000801f001f 00000001ffffefff 0000000000000000
head: 0200000000000040 ffff88810d3c2000 dead000000000122 0000000000000000
head: 0000000000000000 00000000801f001f 00000001ffffefff 0000000000000000
head: 0200000000000001 ffffea000434f201 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88810d3c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810d3c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810d3c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810d3c8080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff88810d3c8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ok 38 kmem_cache_rcu_uaf

Signed-off-by: Jann Horn
---
Jann Horn (2):
      kasan: catch invalid free before SLUB reinitializes the object
      slub: Introduce CONFIG_SLUB_RCU_DEBUG

 include/linux/kasan.h | 20 +++++++++++++
 mm/Kconfig.debug      | 25 ++++++++++++++++
 mm/kasan/common.c     | 63 +++++++++++++++++++++++++++++++--------
 mm/kasan/kasan_test.c | 44 +++++++++++++++++++++++++++
 mm/slab.h             |  3 ++
 mm/slab_common.c      | 12 ++++++++
 mm/slub.c             | 82 ++++++++++++++++++++++++++++++++++++++++++++++-----
 7 files changed, 229 insertions(+), 20 deletions(-)
---
base-commit: 0c3836482481200ead7b416ca80c68a29cfdaabd
change-id: 20240723-kasan-tsbrcu-b715a901f776
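The "Memory state around the buggy address" block in the report above can be decoded mechanically, which is useful when triaging many such reports from a fuzzing run. The following Python script is an added example for this page, not code from the patch series or from the kernel tree. It parses the access line and the shadow-byte dump (quoted from the report above), maps each shadow byte back to the 8-byte granule it describes, and recovers the freed 200-byte region that the report states in prose. It assumes the generic-KASAN encoding of one shadow byte per 8-byte granule and the poison values defined in mm/kasan/kasan.h (0xfa for the granule that stores the free track, 0xfb for the rest of a freed object, 0xfc for the slab redzone); the function names and the constructed REPORT excerpt are the script's own.

```python
"""Decode the shadow-memory dump of a generic-mode KASAN report.

Added example, not part of the patch series or the kernel.  Generic KASAN
keeps one shadow byte per 8-byte granule, and the report prints 16 shadow
bytes per line, so each line covers 128 bytes of kernel memory.
"""
import re

GRANULE = 8  # KASAN_GRANULE_SIZE in generic mode: one shadow byte per 8 bytes

# Poison values for generic KASAN, as defined in mm/kasan/kasan.h.  A shadow
# value of 0 means the whole granule is accessible; 1..7 means only the first
# N bytes of the granule are.
SHADOW_MEANING = {
    0xF1: "stack left redzone",                            # KASAN_STACK_LEFT
    0xF2: "stack mid redzone",                             # KASAN_STACK_MID
    0xF3: "stack right redzone",                           # KASAN_STACK_RIGHT
    0xFA: "freed slab object (free track stored here)",    # KASAN_SLAB_FREETRACK
    0xFB: "freed slab object",                             # KASAN_SLAB_FREE
    0xFC: "slab object redzone",                           # KASAN_SLAB_REDZONE
    0xFE: "kmalloc_large redzone",                         # KASAN_PAGE_REDZONE
    0xFF: "freed page",                                    # KASAN_PAGE_FREE
}
FREED_SLAB = {0xFA, 0xFB}

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
# A shadow line: optional '>' marker, 16-digit address, colon, 16 hex bytes.
SHADOW_LINE_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

# Constructed excerpt of the KASAN report quoted in the cover letter above.
REPORT = """\
BUG: KASAN: slab-use-after-free in kmem_cache_rcu_uaf+0x3ae/0x4d0
Read of size 1 at addr ffff88810d3c8000 by task kunit_try_catch/225
Memory state around the buggy address:
 ffff88810d3c7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810d3c7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810d3c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88810d3c8080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff88810d3c8100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""


def parse_memory_state(text):
    """Return {granule_address: shadow_byte} for every dumped shadow line."""
    shadow = {}
    for line in text.splitlines():
        m = SHADOW_LINE_RE.match(line.strip())
        if not m:
            continue  # skips the '^' marker line and all non-shadow lines
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * GRANULE] = int(byte, 16)
    return shadow


def classify_access(shadow, addr, size):
    """Return (shadow_value, meaning) of the first poisoned granule touched by
    an access of `size` bytes at `addr`, or None if every byte is addressable."""
    first = addr & ~(GRANULE - 1)
    last = (addr + size - 1) & ~(GRANULE - 1)
    for g in range(first, last + 1, GRANULE):
        s = shadow.get(g)
        if s is None:
            raise KeyError(f"granule {g:#x} is not covered by the dump")
        if s == 0:
            continue
        if s < GRANULE:
            # Partially addressable granule: only bytes [g, g + s) are valid.
            if min(addr + size, g + GRANULE) <= g + s:
                continue
            return (s, f"only the first {s} bytes of the granule are accessible")
        return (s, SHADOW_MEANING.get(s, "unknown poison value"))
    return None


def freed_region(shadow, addr):
    """Walk outward from the granule containing `addr` over freed-object
    granules and return (start, end) of the freed object, end exclusive."""
    g = addr & ~(GRANULE - 1)
    if shadow.get(g) not in FREED_SLAB:
        return None
    start, end = g, g + GRANULE
    while shadow.get(start - GRANULE) in FREED_SLAB:
        start -= GRANULE
    while shadow.get(end) in FREED_SLAB:
        end += GRANULE
    return start, end


def parse_report(text):
    """Combine the access line and the shadow dump into one triage summary."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line in report")
    addr, size = int(m.group(3), 16), int(m.group(2))
    shadow = parse_memory_state(text)
    return {
        "kind": m.group(1), "addr": addr, "size": size,
        "poison": classify_access(shadow, addr, size),
        "freed_region": freed_region(shadow, addr),
    }


if __name__ == "__main__":
    r = parse_report(REPORT)
    print(f"{r['kind']} of {r['size']} byte(s) at {r['addr']:#x}: {r['poison'][1]}")
    start, end = r["freed_region"]
    print(f"freed object spans [{start:#x}, {end:#x}), {end - start} bytes")
```

Run stand-alone, the script reports that the 1-byte read hits a 0xfa granule (the first granule of a freed object, where KASAN keeps the free track that feeds the "Freed by task 0:" stack) and that the freed object covers 25 poisoned granules, 25 * 8 = 200 bytes, ending at ffff88810d3c80c8 where the 0xfc slab redzone begins. That matches the "freed 200-byte region [ffff88810d3c8000, ffff88810d3c80c8)" line the report prints, and it is the same arithmetic to apply when a report's prose is truncated and only the shadow dump survives.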